Avaya Business Secure Router 222 Configuration manual

Page 1
Nortel Business Secure Router 222 Configuration — Basics
BSR222
Business Secure Router
Document Number: NN47922-500
Document Version: 1.4
Date: May 2007
Copyright © Nortel 2005–2006
All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. The information in this document is proprietary to Nortel.
Trademarks
Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel.
Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
All other trademarks and registered trademarks are the property of their respective owners.

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Hard copy technical manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
How to get Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Getting Help from the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Getting Help over the phone from a Nortel Solutions Center . . . . . . . . . . . . . . . . 31
Getting Help from a specialist by using an Express Routing Code . . . . . . . . . . . . 32
Getting Help through a Nortel distributor or reseller . . . . . . . . . . . . . . . . . . . . . . . 32
Chapter 1
Getting to know your Nortel Business Secure Router 222 . . . . . . . . . . . . 33
Introducing the Nortel Business Secure Router 222 . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Physical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4-Port switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Autonegotiating 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Autosensing 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Autonegotiating 10/100 Mb/s Ethernet WAN . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Auxiliary port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Reset button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Nonphysical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
IPSec VPN capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Nortel Contivity Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
IEEE 802.1x for network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Brute force password guessing protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Universal Plug and Play (UPnP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Call scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Dynamic DNS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Central Network Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
DHCP (Dynamic Host Configuration Protocol) . . . . . . . . . . . . . . . . . . . . . . . . 39
Full network management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Road Runner support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Logging and tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Upgrade Business Secure Router Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Embedded FTP and TFTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Applications for the Nortel Business Secure Router 222 . . . . . . . . . . . . . . . . . . . . . . . 41
Secure broadband internet access and VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Hardware Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Chapter 2
Introducing the WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
WebGUI overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Accessing the Business Secure Router WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Restoring the factory default configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Procedure to use the reset button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Uploading a configuration file via console port . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Navigating the Business Secure Router WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Chapter 3
Wizard setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Wizard overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Wizard setup: General Setup and System Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Wizard setup: Screen 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
PPPoE Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Wizard setup: Screen 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
WAN IP address assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
IP address and Subnet Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
DNS Server address assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
WAN MAC address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Basic Setup Complete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Chapter 4
User Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
General Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Advanced Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Setting up the router when the system has a server . . . . . . . . . . . . . . . . . . . . 71
Connecting two sites to establish a virtual private network . . . . . . . . . . . . . . . 71
Adding IP telephony to a multi-site network . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Configuring the router to act as a Nortel VPN Server (Client Termination) . . . 73
Configuring the router to connect to a Nortel VPN Server (Client Emulation) . 73
Allowing remote management of a LAN-connected BCM50 . . . . . . . . . . . . . . 74
Setting up the router for guest access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Preventing heavy data traffic from impacting telephone calls . . . . . . . . . . . . . 75
Setting Up a Remote Office with a UNIStim IP Telephone . . . . . . . . . . . . . . . 75
Inter-Operability With Third-Party Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
VPN Connections With Cisco Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 5
System screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
System overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
DNS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Private DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Configuring General Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
DYNDNS Wildcard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Configuring Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Predefined NTP time server list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Chapter 6
LAN screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
LAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
DHCP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
IP pool setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
LAN TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Factory LAN defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
RIP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configuring IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configuring Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Configuring IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Chapter 7
WAN screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
WAN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
TCP/IP Priority (Metric) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Configuring Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Configuring WAN ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Ethernet Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
PPPoE Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Service type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Configuring WAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring WAN MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Traffic redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Configuring Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Configuring Dial Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Advanced Modem Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
AT Command Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
DTR Signal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Response Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Configuring Advanced Modem Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Chapter 8
Network Address Translation (NAT) Screens . . . . . . . . . . . . . . . . . . . . . . 131
NAT overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
NAT definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
What NAT does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
How NAT works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Port Restricted Cone NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
NAT application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
NAT mapping types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Using NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
SUA (Single User Account) versus NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
SUA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Default server IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Port forwarding: Services and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring servers behind SUA (example) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring SUA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Configuring Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Trigger Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Trigger Port Forwarding example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Two points to remember about Trigger Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Configuring Trigger Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Chapter 9
Static Route screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Static Route overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Configuring IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Configuring Route entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Chapter 10
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Firewall overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Types of firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Packet Filtering firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Application level firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Stateful Inspection firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Introduction to the Business Secure Router firewall . . . . . . . . . . . . . . . . . . . . . . . . . 157
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Types of DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Stateful inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Stateful inspection process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Stateful inspection and the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . 165
TCP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
UDP/ICMP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Upper layer protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Guidelines for enhancing security with your firewall . . . . . . . . . . . . . . . . . . . . . . . . . 168
Packet filtering vs. firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
When to use filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
When to use the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Chapter 11
Firewall screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Access methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Firewall policies overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Rule logic overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Rule checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Security ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Key fields for configuring rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Source address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Destination address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Connection direction examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
LAN to WAN rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
WAN to LAN rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Configuring firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Configuring source and destination addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Configuring custom ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Example firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Predefined services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Configuring attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Threshold values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Half-open sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
TCP maximum incomplete and blocking period . . . . . . . . . . . . . . . . . . . . . . 193
Chapter 12
Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Introduction to content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Restrict web features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Days and Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Chapter 13
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Nortel Business Secure Router 222 VPN functions . . . . . . . . . . . . . . . . . . . . . . . . . . 201
VPN screens overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Other terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Data confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Data integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Data origin authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
VPN applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
IPSec architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
IPSec algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
AH (Authentication Header) protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
ESP (Encapsulating Security Payload) protocol . . . . . . . . . . . . . . . . . . . . . . . . . 206
Key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Transport mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Tunnel mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
IPSec and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Secure Gateway Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Dynamic Secure Gateway Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Summary screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Keep Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Nailed Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
NAT Traversal configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Preshared key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Configuring Contivity Client VPN Rule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Configuring Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
ID Type and content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
ID type and content examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
My IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Configuring Branch Office VPN Rule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Configuring an IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Port forwarding server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Configuring a port forwarding server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
IKE phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Negotiation Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Preshared key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Diffie-Hellman (DH) Key Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Perfect Forward Secrecy (PFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Configuring advanced Branch office setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Chapter 14
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Certificates overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Advantages of certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Configuration summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Certificate file formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Importing a certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Creating a certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Importing a Trusted CA’s certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Trusted CA Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Trusted remote hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Verifying a certificate of a trusted remote host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Trusted remote host certificate fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Importing a certificate of a trusted remote host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Trusted remote host certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Directory servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Add or edit a directory server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Chapter 15
Bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Bandwidth management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Bandwidth classes and filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Proportional bandwidth allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Application based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Subnet based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Application and subnet based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . 299
Reserving bandwidth for nonbandwidth class traffic . . . . . . . . . . . . . . . . . . . . . . 299
Configuring summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Configuring class setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Bandwidth Manager Class Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Chapter 16
IEEE 802.1x. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
IEEE 802.1x overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Types of RADIUS messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
EAP Authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Configuring 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Chapter 17
Authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Introduction to Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Edit Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Configuring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Chapter 18
Remote management screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Remote management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Remote management limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Remote management and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
System timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Introduction to HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
HTTPS example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Internet Explorer warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Netscape Navigator warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Avoiding the browser warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Logon screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
SSH overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
How SSH works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
SSH implementation on the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . . . 343
Requirements for using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Configuring SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Secure Telnet using SSH examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Example 1: Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Example 2: Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Secure FTP using SSH example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Configuring TELNET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Configuring FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
REMOTE MANAGEMENT: SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Configuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Chapter 19
UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Universal Plug and Play overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
How do I know if I am using UPnP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Cautions with UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
UPnP implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Displaying UPnP port mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Installing UPnP in Windows example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Installing UPnP in Windows Me . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Installing UPnP in Windows XP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Using UPnP in Windows XP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Autodiscover Your UPnP-enabled Network Device . . . . . . . . . . . . . . . . . . . . . . . 366
WebGUI easy access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Chapter 20
Logs Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configuring View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configuring Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Configuring Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Viewing Web site hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Viewing Protocol/Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Viewing LAN IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Reports specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Chapter 21
Call scheduling screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Call scheduling introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Call schedule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Call scheduling edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Applying Schedule Sets to a remote node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Chapter 22
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Maintenance overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Status screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
System statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
DHCP Table screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
F/W Upload screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Configuration screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Back to Factory Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Backup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Restore configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Restart screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Appendix A
Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Problems Starting Up the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Problems with the LAN LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Problems with the LAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Problems with the WAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Problems with Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Problems accessing an internet Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Problems with the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Problems with the WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Problems with Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Allowing Pop-up Windows, JavaScript and Java Permissions . . . . . . . . . . . . . . . . . . 408
Internet Explorer Pop-up Blockers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Allowing Pop-ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Enabling Pop-up Blockers with Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Internet Explorer JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Internet Explorer Java Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
JAVA (Sun) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Netscape Pop-up Blockers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Allowing Pop-ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Enable Pop-up Blockers with Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Netscape Java Permissions and JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Appendix B
Log Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
VPN/IPSec Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
VPN Responder IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Configuring what you want the Business Secure Router to log . . . . . . . . . . . . . . 442
Displaying Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Log Command Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Figures
Figure 1 Secure Internet Access and VPN Application . . . . . . . . . . . . . . . . . . . . . 41
Figure 2 Login screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Figure 3 Change password screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Figure 4 Replace certificate screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Figure 5 Example Xmodem Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Figure 6 MAIN MENU Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Figure 7 Contact Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Figure 8 Wizard 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Figure 9 Wizard 2: Ethernet Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Figure 10 Wizard 2: PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Figure 11 Wizard 2: PPPoE Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 12 Wizard 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Figure 13 Private DNS server example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Figure 14 System general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Figure 15 DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Figure 16 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Figure 17 Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Figure 18 ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Figure 19 LAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Figure 20 Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Figure 21 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Figure 22 WAN: Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Figure 23 Ethernet Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Figure 24 PPPoE Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Figure 25 PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Figure 26 RR Service type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Figure 27 WAN: IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Figure 28 MAC Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 29 Traffic Redirect WAN Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Figure 30 Traffic Redirect LAN Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Figure 31 Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Figure 32 Dial Backup Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 33 Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Figure 34 How NAT works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Figure 35 Port Restricted Cone NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Figure 36 NAT application with IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Figure 37 Multiple servers behind NAT example . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Figure 38 SUA/NAT setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Figure 39 Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Figure 40 Address Mapping edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Figure 41 Trigger Port Forwarding process: example . . . . . . . . . . . . . . . . . . . . . . . 146
Figure 42 Trigger Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Figure 43 Example of Static Routing topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Figure 44 Static Route screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Figure 45 Edit IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Figure 46 Business Secure Router firewall application . . . . . . . . . . . . . . . . . . . . . . 158
Figure 47 Three-way handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Figure 48 SYN flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Figure 49 Smurf attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Figure 50 Stateful inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Figure 51 LAN to WAN traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Figure 52 WAN to LAN traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Figure 53 Enabling the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Figure 54 Creating and editing a firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Figure 55 Adding or editing source and destination addresses . . . . . . . . . . . . . . . 183
Figure 56 Creating or editing a custom port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Figure 57 Firewall edit rule screen example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Figure 58 Firewall rule edit IP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Figure 59 Edit custom port example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Figure 60 MyService rule configuration example . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Figure 61 My Service example rule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Figure 62 Attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Figure 63 Content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Figure 64 Encryption and decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Figure 65 IPSec architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Figure 66 Transport and Tunnel mode IPSec encapsulation . . . . . . . . . . . . . . . . . 208
Figure 67 IPSec summary fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Figure 68 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Figure 69 NAT router between VPN switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Figure 70 VPN Contivity Client rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Figure 71 VPN Contivity Client advanced rule setup . . . . . . . . . . . . . . . . . . . . . . . 218
Figure 72 VPN Branch Office rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Figure 73 VPN Branch Office — IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Figure 74 VPN Branch Office — IP Policy - Port Forwarding Server . . . . . . . . . . . 237
Figure 75 Two phases to set up the IPSec SA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Figure 76 VPN Branch Office advanced rule setup . . . . . . . . . . . . . . . . . . . . . . . . 241
Figure 77 VPN SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Figure 78 VPN Global Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Figure 79 VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Figure 80 VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . . 253
Figure 81 VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Figure 82 VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Figure 83 Certificate configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Figure 84 My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Figure 85 My Certificate Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Figure 86 My Certificate create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Figure 87 My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Figure 88 Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Figure 89 Trusted CA import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Figure 90 Trusted CA details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Figure 91 Trusted remote hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Figure 92 Remote host certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Figure 93 Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Figure 94 Trusted remote host import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Figure 95 Trusted remote host details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Figure 96 Directory servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Figure 97 Directory server add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Figure 98 Subnet based bandwidth management example . . . . . . . . . . . . . . . . . . 299
Figure 99 Bandwidth Manager: Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Figure 100 Bandwidth Manager: Class setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Figure 101 Bandwidth Manager: Edit class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Figure 102 Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Figure 103 Bandwidth manager monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Figure 104 EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Figure 105 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Figure 106 Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Figure 107 Local User database edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Figure 108 Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Figure 109 Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Figure 110 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Figure 111 HTTPS implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Figure 112 WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Figure 113 Security Alert dialog box (Internet Explorer) . . . . . . . . . . . . . . . . . . . . . . 333
Figure 114 Security Certificate 1 (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Figure 115 Security Certificate 2 (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Figure 116 Logon screen (Internet Explorer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Figure 117 Login screen (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Figure 118 Replace certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Figure 119 Device-specific certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Figure 120 Common Business Secure Router certificate . . . . . . . . . . . . . . . . . . . . . 341
Figure 121 SSH Communication Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Figure 122 How SSH Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Figure 123 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Figure 124 SSH Example 1: Store Host Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Figure 125 SSH Example 2: Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Figure 126 SSH Example 2: Log on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Figure 127 Secure FTP: Firmware Upload Example . . . . . . . . . . . . . . . . . . . . . . . . 348
Figure 128 Telnet configuration on a TCP/IP network . . . . . . . . . . . . . . . . . . . . . . . 348
Figure 129 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Figure 130 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Figure 131 SNMP Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Figure 132 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Figure 133 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Figure 134 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Figure 135 Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Figure 136 UPnP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Figure 137 Add/Remove programs: Windows setup . . . . . . . . . . . . . . . . . . . . . . . . 364
Figure 138 Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Figure 139 Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Figure 140 Windows optional networking components wizard . . . . . . . . . . . . . . . . . 365
Figure 141 Windows XP networking services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Figure 142 Internet gateway icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Figure 143 Internet connection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Figure 144 Internet connection properties advanced setup . . . . . . . . . . . . . . . . . . . 368
Figure 145 Service settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Figure 146 Internet connection icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Figure 147 Internet connection status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Figure 148 Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Figure 149 My Network Places: Local network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Figure 150 View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Figure 151 Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Figure 152 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Figure 153 Web site hits report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Figure 154 Protocol/Port report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Figure 155 LAN IP address report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Figure 156 Call schedule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Figure 157 Call schedule edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Figure 158 Applying Schedule Sets to a remote node . . . . . . . . . . . . . . . . . . . . . . . 390
Figure 159 System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Figure 160 System Status: Show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Figure 161 DHCP Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Figure 162 Firmware upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Figure 163 Firmware Upload In Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Figure 164 Network Temporarily Disconnected . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Figure 165 Firmware upload error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Figure 166 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Figure 167 Reset warning message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Figure 168 Configuration Upload Successful . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Figure 169 Network Temporarily Disconnected . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Figure 170 Restart screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Figure 171 Pop-up Blocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Figure 172 Internet Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Figure 173 Internet options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Figure 174 Pop-up Blocker settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Figure 175 Internet options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Figure 176 Security Settings - Java Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Figure 177 Security Settings - Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Figure 178 Java (Sun) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Figure 179 Allow Popups from this site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Figure 180 Netscape Search Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Figure 181 Popup Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Figure 182 Popup Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Figure 183 Allowed Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Figure 184 Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Figure 185 Scripts & Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Figure 186 Example VPN Initiator IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Figure 187 Example VPN Responder IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Tables

Table 1 Feature Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 2 Wizard 2: Ethernet Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Table 3 Wizard 2: PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Table 4 Wizard2: PPPoE Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 5 Private IP Address Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Table 6 Example of network properties for LAN servers with fixed IP addresses . 61
Table 7 Wizard 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Table 8 System general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Table 9 DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Table 10 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Table 11 Default Time Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 12 Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Table 13 ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Table 14 LAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Table 15 Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Table 16 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Table 17 WAN: Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Table 18 Ethernet Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Table 19 PPPoE Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Table 20 PPTP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Table 21 RR Service Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Table 22 WAN: IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Table 23 Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 24 Dial Backup Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Table 25 Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Table 26 NAT definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Table 27 NAT mapping type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Table 28 Services and port numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Table 29 SUA/NAT setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Table 30 Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Table 31 Address Mapping edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Table 32 Trigger Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Table 33 IP Static Route summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Table 34 Edit IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Table 35 ICMP commands that trigger alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Table 36 Legal NetBIOS commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Table 37 Legal SMTP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Table 38 Firewall rules summary: First screen . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table 39 Creating and editing a firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table 40 Adding or editing source and destination addresses . . . . . . . . . . . . . . . 183
Table 41 Creating/Editing A Custom Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Table 42 Predefined services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Table 43 Attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Table 44 Content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Table 45 VPN Screens overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Table 46 VPN Screens Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Table 47 AH and ESP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Table 48 VPN and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Table 49 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Table 50 VPN Contivity Client rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Table 51 VPN Contivity Client advanced rule setup . . . . . . . . . . . . . . . . . . . . . . . 219
Table 52 Local ID type and content fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Table 53 Peer ID type and content fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Table 54 Matching ID type and content configuration example . . . . . . . . . . . . . . 221
Table 55 Mismatching ID Type and Content Configuration Example . . . . . . . . . . 222
Table 56 VPN Branch Office rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Table 57 VPN Branch Office — IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Table 58 VPN Branch Office — IP Policy - Port Forwarding Server . . . . . . . . . . . 237
Table 59 VPN Branch Office Advanced Rule Setup . . . . . . . . . . . . . . . . . . . . . . . 242
Table 60 VPN SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Table 61 VPN Global Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Table 62 VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Table 63 VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . . 253
Table 64 VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Table 65 VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Table 66 My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Table 67 My Certificate Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Table 68 My Certificate create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Table 69 My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Table 70 Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Table 71 Trusted CA import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Table 72 Trusted CA details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Table 73 Trusted Remote Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Table 74 Trusted remote host import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Table 75 Trusted remote host details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Table 76 Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Table 77 Directory server add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Table 78 Application and Subnet based Bandwidth Management Example . . . . . 299
Table 79 Bandwidth Manager: Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Table 80 Bandwidth Manager: Class Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Table 81 Bandwidth Manager: Edit class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Table 82 Services and port numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Table 83 Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Table 84 Bandwidth manager monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Table 85 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Table 86 Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Table 87 Local User database edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Table 88 Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Table 89 Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Table 90 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Table 91 WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Table 92 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Table 93 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Table 94 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Table 95 SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Table 96 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Table 97 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Table 98 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Table 99 Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Table 100 UPnP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Table 101 View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Table 102 Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Table 103 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Table 104 Web site hits report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Table 105 Protocol/ Port Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Table 106 LAN IP Address Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Table 107 Report Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Table 108 Call Schedule Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Table 109 Call schedule edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Table 110 System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Table 111 System Status: Show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Table 112 DHCP Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Table 113 Firmware Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Table 114 Restore configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Table 115 Troubleshooting the Start-Up of your Business Secure Router . . . . . . . 403
Table 116 Troubleshooting the LAN LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Table 117 Troubleshooting the LAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Table 118 Troubleshooting the WAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Table 119 Troubleshooting Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Table 120 Troubleshooting Web Site Internet Access . . . . . . . . . . . . . . . . . . . . . . . 406
Table 121 Troubleshooting the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Table 122 Troubleshooting the WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Table 123 Troubleshooting Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . 407
Table 124 System Error Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Table 125 System Maintenance Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Table 126 UPnP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Table 127 Content Filtering Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Table 128 Attack Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Table 129 Access Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Table 130 ACL Setting Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Table 131 ICMP Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Table 132 Sys log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Table 133 Sample IKE Key Exchange Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Table 134 Sample IPSec Logs During Packet Transmission . . . . . . . . . . . . . . . . . 437
Table 135 RFC-2408 ISAKMP Payload Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Table 136 PKI Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Table 137 Certificate Path Verification Failure Reason Codes . . . . . . . . . . . . . . . . 440
Table 138 IEEE 802.1X Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Table 139 Log categories and available settings . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Preface

Before you begin

This guide assists you through the basic configuration of your Business Secure Router for its various applications.
Note: This guide explains how to use the WebGUI to configure your Business Secure Router. See Nortel Business Secure Router 222 Configuration — Advanced (NN47922-501) for how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router. Not all features can be configured through all interfaces.
The WebGUI parts of this guide contain background information on features configurable by the WebGUI and the SMT. For features not configurable by the WebGUI, only background information is provided.

Text conventions

This guide uses the following text conventions:
Enter means type one or more characters and press the enter key. Select or Choose means use one of the predefined choices.
The SMT menu titles and labels are written in Bold Times New Roman font.
The choices of a menu are written in Bold Arial font.
A single keystroke is written in Arial font and enclosed in square brackets. For instance, [ENTER] means the Enter key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys.
Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.

Related publications

For more information about using the Business Secure Router, refer to the following publications:
Nortel Business Secure Router 222 — Fundamentals (NN47922-301)
This guide helps you get up and running right away. It contains connection information and instructions on getting started.
Nortel Business Secure Router 222 Configuration — Advanced (NN47922-501)
This guide covers how to use the SMT menu to configure your Business Secure Router.
WebGUI Online Help
Embedded WebGUI help is available to provide descriptions of individual screens and supplementary information.

Hard copy technical manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems Web site at www.adobe.com to download a free copy of Adobe Reader.

How to get Help

This section explains how to get help for Nortel products and services.

Getting Help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
download software, documentation, and product bulletins
search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases

Getting Help over the phone from a Nortel Solutions Center

If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following Web site to obtain the phone number for your region:
www.nortel.com/callus

Getting Help from a specialist by using an Express Routing Code

To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
www.nortel.com/erc

Getting Help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Chapter 1 Getting to know your Nortel Business Secure Router 222
This chapter introduces the main features and applications of the Business Secure Router.

Introducing the Nortel Business Secure Router 222

The Nortel Business Secure Router 222 is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN).
By integrating Network Address Translation (NAT), firewall and Virtual Private Network (VPN) capability, the Business Secure Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.

Features

The embedded WebGUI assists in easy setup and management of the Business Secure Router via an Internet browser.
This section lists the key features of the Business Secure Router.
Table 1 Feature Specifications
Feature Specification
Number of static routes 12
Number of NAT sessions 4096
Number of SUA servers 12
Number of address mapping rules 10
Maximum number of VPN IP Policies 60
Maximum number of VPN Tunnels (Client and/or Branch Office) 10
Maximum number of concurrent VPN IPSec Connections 60
Number of IP pools that can be used to assign IP addresses to remote users for VPN client termination 3
Number of configurable split networks for VPN client termination 16
Number of configurable inverse split networks for VPN client termination 16
Number of configurable subnets per split network for VPN client termination 64

Physical features

4-Port switch
A combination of switch and router makes your Nortel Business Secure Router 222 a cost effective and viable network solution. You can connect up to four computers or phones to the Business Secure Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN.
Autonegotiating 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s Ethernet.
Autosensing 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable.
Autonegotiating 10/100 Mb/s Ethernet WAN
The 10/100 Mb/s Ethernet WAN port attaches to the Internet via broadband modem or router and automatically detects if it is on a 10 or a 100 Mb/s Ethernet.
Auxiliary port
The Business Secure Router uses the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection when or if ever the broadband connection to the WAN port fails.
Time and date
Using the Business Secure Router, you can get the current time and date from an external server when you turn on your Business Secure Router. You can also set the time manually.
Reset button
The Business Secure Router reset button is built into the rear panel. Use this button to restart the Business Secure Router or restore the factory default password to PlsChgMe!, IP address to 192.168.1.1, subnet mask to 255.255.255.0, and DHCP server enabled with a pool of 126 IP addresses starting at 192.168.1.2.

Nonphysical features

IPSec VPN capability
Establish Virtual Private Network (VPN) tunnels to connect home or office computers to your company network using data encryption and the Internet; thus providing secure communications without the expense of leased site-to-site lines. VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
Nortel Contivity Client Termination
The Business Secure Router supports VPN connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
Certificates
The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
SSH
The Business Secure Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
HTTPS
HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL, is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure WebGUI access to the Business Secure Router.
IEEE 802.1x for network security
The Business Secure Router supports the IEEE 802.1x standard for user authentication. With the local user profile in the Business Secure Router, you can configure up to 32 user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server.
Firewall
The Business Secure Router has a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The Business Secure Router firewall supports TCP/UDP inspection, DoS detection and protection, real time alerts, reports and logs.
Brute force password guessing protection
The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router’s management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
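The wait-time mechanism described above can be modelled as a small login throttle. The following Python is an added illustration, not the router's firmware or any Nortel code: it assumes a per-account failure counter, a constructed 60-second wait interval (the real interval is whatever the administrator configures), and PBKDF2 with a constructed salt for the stored password hash. After three incorrect passwords, every further attempt is refused until the wait time has expired, which is what blunts an online guessing attack and also gives an operator a clear event to log.

```python
"""Login throttle with a post-failure wait time (added example, not device code)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 3            # incorrect passwords allowed before the wait time applies
DEFAULT_WAIT_SECONDS = 60   # constructed value; the device's interval is administrator-configured
SALT = b"constructed-salt"  # constructed; a real store uses a random per-user salt


def make_hash(password: str) -> bytes:
    """Derive the stored verifier for a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


@dataclass
class LoginThrottle:
    wait_seconds: float = DEFAULT_WAIT_SECONDS
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> time the wait expires

    def attempt(self, account: str, password: str, verifier: bytes, now: float = None) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt.

        `now` is injectable so the behaviour can be exercised without sleeping.
        """
        now = time.monotonic() if now is None else now
        deadline = self.locked_until.get(account)
        if deadline is not None:
            if now < deadline:
                # Fourth (and later) attempts are refused until the wait time expires.
                return "locked"
            # Wait time over: clear the lock and start counting afresh.
            del self.locked_until[account]
            self.failures[account] = 0

        # Constant-time comparison so timing does not leak how close a guess was.
        if hmac.compare_digest(make_hash(password), verifier):
            self.failures[account] = 0
            return "ok"

        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:
            self.locked_until[account] = now + self.wait_seconds
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    verifier = make_hash("correct-password")  # constructed sample credential
    for guess in ("a", "b", "c", "correct-password"):
        print(guess, "->", throttle.attempt("admin", guess, verifier))
```

The lock is keyed on the account name here; a device that exposes several management interfaces would typically key on the source address as well, so that one noisy client does not lock the administrator out of the console.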
Content filtering
The Business Secure Router can block web features such as ActiveX controls, Java applets, and cookies, as well as disable web proxies. The Business Secure Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled.
Packet filtering
The packet filtering mechanism blocks unwanted traffic from entering or leaving your network.
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the Business Secure Router and other UPnP-enabled devices can dynamically join a network, obtain an IP address, and convey their capabilities to other devices on the network.
Call scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks via a familiar dial-up networking user interface.
PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet. The Business Secure Router supports one PPTP server connection at any given time.
Dynamic DNS support
With Dynamic DNS (Domain Name System) support, you can have a static host name alias for a dynamic IP address, so the host is more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
IP Multicast
The Business Secure Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The Business Secure Router supports versions 1 and 2.
IP Alias
Using IP Alias, you can partition a physical network into logical networks over the same Ethernet interface. The Business Secure Router supports three logical LAN interfaces via its single physical Ethernet LAN interface with the Business Secure Router itself as the gateway for each LAN network.
Central Network Management
With Central Network Management (CNM), an enterprise or service provider network administrator can manage your Business Secure Router. The enterprise or service provider network administrator can configure your Business Secure Router, perform firmware upgrades, and do troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network. The Business Secure Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).
Network Address Translation (NAT)
NAT (Network Address Translation, RFC 1631) translates multiple IP addresses used within one network to different IP addresses known within another network.
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
With DHCP (Dynamic Host Configuration Protocol), individual client computers can obtain the TCP/IP configuration at start-up from a centralized DHCP server. The Business Secure Router has built in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway, and DNS servers to all systems that support the DHCP client. The Business Secure Router can also act as a surrogate DHCP server, where it relays IP address assignment from another DHCP server to the clients.
Full network management
The embedded web configurator is an all platform, web based utility that you can use to easily manage and configure the Business Secure Router. Most functions of the Business Secure Router are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu driven interface that you can access from a terminal emulator through the console port or over a Telnet connection.
Road Runner support
In addition to standard cable modem services, the Business Secure Router supports Time Warner’s Road Runner Service.
Logging and tracing
The Business Secure Router supports the following logging and tracing functions to help with management:
Built in message logging and packet tracing
Unix syslog facility support
Upgrade Business Secure Router Firmware
The firmware of the Business Secure Router can be upgraded via the console port or the LAN.
Embedded FTP and TFTP Servers
The Business Secure Router’s embedded FTP and TFTP Servers enable fast firmware upgrades, as well as configuration file backups and restoration.

Applications for the Nortel Business Secure Router 222

Secure broadband internet access and VPN

You can connect a cable, DSL, or other modem to the Nortel Business Secure Router 222 via Ethernet WAN port for broadband Internet access. The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management.
VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need (and expense) of leased lines between sites. The LAN computers can share the VPN tunnels for secure connections to remote computers.
Figure 1 Secure Internet Access and VPN Application

Hardware Setup

Refer to Nortel Business Secure Router 222 — Fundamentals (NN47922-301) for hardware connection instructions.
Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment.
After installing your Nortel Business Secure Router 222, continue with the rest of this guide for configuration instructions.
Chapter 2 Introducing the WebGUI
This chapter describes how to access the Business Secure Router WebGUI and provides an overview of its screens.

WebGUI overview

The WebGUI is an HTML based management interface that a user can use for easy setup and management of the Business Secure Router via an Internet browser.
Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1 024 by 768 pixels.
In order to use the WebGUI you need to allow:
Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
JavaScript (enabled by default).
Java permissions (enabled by default).
See “Allowing Pop-up Windows, JavaScript and Java Permissions” on page 408 if you want to make sure these functions are allowed in Internet Explorer.

Accessing the Business Secure Router WebGUI

Make sure your Business Secure Router hardware is properly connected and prepare your computer and computer network to connect to the Business Secure Router. Refer to the Nortel Business Secure Router 222 — Fundamentals (NN47922-301).
1 Launch your web browser.
2 Type 192.168.1.1 as the URL.
3 Type the user name (nnadmin is the default) and the password (PlsChgMe! is the default) and click Login. Click Reset to clear any information you have entered in the Username and Password fields.
Figure 2 Login screen
4 A screen asking you to change your password (highly recommended) appears and is shown in Figure 3. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Figure 3 Change password screen
5 Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router’s MAC address that is specific to this device.
Figure 4 Replace certificate screen
The MAIN MENU screen appears.
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back on to the Business Secure Router if this happens to you.

Restoring the factory default configuration settings

If you just want to restart the Business Secure Router, press the rear panel RESET button for one to three seconds.
If you forget your password or cannot access the SMT menu, you must reload the factory default configuration file or use the RESET button on the back of the Business Secure Router to restore the factory default configuration. Uploading this configuration file replaces the current configuration file with the factory default configuration file. All previous configurations are lost, and the speed of the console port is reset to the default of 9 600 bps with 8 data bits, no parity, one stop bit and flow control set to none. The password is also reset to PlsChgMe!.

Procedure to use the reset button

Press the rear panel RESET button for longer than three seconds to return the Business Secure Router to the factory defaults.

Uploading a configuration file via console port

1 Download the default configuration file from the Nortel FTP site, unzip it and save it in a folder.
2 Turn off the Business Secure Router, begin a terminal emulation software session and turn on the Business Secure Router again. When you see the message Press Any key to enter Debug Mode within 3 seconds, press any key to enter debug mode.
3 Enter y at the prompt to go into debug mode.
4 Enter atlc after the Enter Debug Mode message displays.
5 Wait for the Starting XMODEM upload message before activating Xmodem upload on your terminal. Figure 5 is an example of an Xmodem configuration upload using HyperTerminal.
6 Click Transfer, then Send File to display the screen illustrated in Figure 5.
Figure 5 Example Xmodem Upload
7 After the firmware uploads successfully, enter atgo to restart the router.

Navigating the Business Secure Router WebGUI

Follow the instructions in the MAIN MENU screen or click the help icon (located in the top right corner of most screens) to view online help.
Note: The help icon does not appear in the MAIN MENU screen.
Figure 6 MAIN MENU Screen
Click the Contact link to display the customer support contact information. Figure 7 is a sample of what displays.
Figure 7 Contact Support
Chapter 3 Wizard setup
This chapter provides information on the Wizard screens in the WebGUI.

Wizard overview

The setup wizard in the WebGUI helps you configure your device to access the Internet. The second screen has three variations, depending on which encapsulation type you use. Refer to your ISP checklist in the Nortel Business Secure Router 222 — Fundamentals (NN47922-301) to know what to enter in each field. Leave a field blank if you do not have the required information.

Wizard setup: General Setup and System Name

General Setup contains administrative and system related information. System Name is for identification purposes. However, because some ISPs check this name, you must enter your Computer Name.
In Windows 95/98, click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the Business Secure Router System Name.

Domain Name

The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the Business Secure Router via DHCP.
Click Next to configure the Business Secure Router for Internet access.
Figure 8 Wizard 1

Wizard setup: Screen 2

The Business Secure Router offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.

Ethernet

Choose Ethernet when the WAN port is used as a regular Ethernet.
Figure 9 Wizard 2: Ethernet Encapsulation
Table 2 describes the fields in Figure 9.
Table 2 Wizard 2: Ethernet Encapsulation
Label: Description
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
Service Type: Choose from Standard, RR-Telstra (Telstra authentication method), RR-Manager (Road Runner Manager authentication method) or RR-Toshiba (Road Runner Toshiba authentication method). For ISPs (such as Telstra) that send UDP-heartbeat packets to verify that the customer is still online, create a WAN-to-WAN/Business Secure Router firewall rule that allows access for port 1026 (UDP). The following fields are not applicable (N/A) for the Standard service type.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one.
Next: Click Next to continue.
Back: Click Back to return to the previous screen.

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet.
Note: The Business Secure Router supports one PPTP server connection at any given time.
Figure 10 Wizard 2: PPTP Encapsulation
Table 3 describes the fields in Figure 10.
Table 3 Wizard 2: PPTP Encapsulation
Label: Description
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list.
User Name: Type the username given to you by your ISP.
Password: Type the password associated with the username above.
Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout: Type the time, in seconds, that elapses before the router automatically disconnects from the PPTP server. The default is 45 seconds.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the c:id and n:name format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your ISP.
Next: Click Next to continue.
Back: Click Back to return to the previous screen.

PPPoE Encapsulation

Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband modem (for example, DSL, cable, or wireless) to achieve access to high-speed data networks. It preserves the existing Microsoft Dial-Up Networking experience and requires no new learning or procedures.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for instance, Radius). For the user, PPPoE provides a logon and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
One of the benefits of PPPoE is the ability to let end users access one of multiple network services, a function known as dynamic service selection. This means the service provider can easily create and offer new IP services for specific users.
Operationally, PPPoE saves significant effort for both the subscriber and the ISP or carrier, as it requires no specific configuration of the broadband modem at the subscriber site.
By implementing PPPoE directly on the Business Secure Router (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the Business Secure Router does that part of the task. Furthermore, with NAT, all the computers on the LAN have Internet access.
Figure 11 Wizard2: PPPoE Encapsulation
Table 4 describes the fields in Figure 11.
Table 4 Wizard2: PPPoE Encapsulation
Label: Description
Encapsulation: Select PPP over Ethernet from the drop-down list.
Service Name: Type the name of your service provider.
User Name: Type the username given to you by your ISP.
Password: Type the password associated with the username above.
Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout: Type the time, in seconds, that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
Next: Click Next to continue.
Back: Click Back to return to the previous screen.

Wizard setup: Screen 3

Using the third screen you can configure WAN IP address assignment, DNS server address assignment, and the WAN MAC address.

WAN IP address assignment

Every computer on the Internet must have a unique IP address. If your network is isolated from the Internet (for instance, it only connects your two branch offices), you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved three blocks of IP addresses specifically for private networks.
Table 5 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP, or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. If you are part of a much larger organization, consult your network administrator for the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information about address assignment, refer to Address Allocation for Private Internets (RFC 1597), and Guidelines for Management of IP Address Space (RFC 1466).

IP address and Subnet Mask

Similar to the way houses on a street share a common street name, computers on a LAN share one common network number.
Where you obtain your network number depends on your particular situation. If your ISP or network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If your ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, Nortel recommends that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the Business Secure Router. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; do not use any other number unless you are told otherwise. For example, select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number, while the last number identifies an individual computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your Business Secure Router, but make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your Business Secure Router computes the subnet mask automatically based on the IP address that you enter. You do not need to change the subnet mask computed by the Business Secure Router unless you are instructed to do otherwise.
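The address arithmetic of this section, as an added Python example (not Nortel's code): it checks a chosen network number against the three Table 5 blocks, derives the default mask from the first octet, and reports the usable host range the text describes for 192.168.1.0. The page says the router computes the mask from the address but not by which rule; the classful rule used here (RFC 791) is an assumption that reproduces the 255.255.255.0 given for 192.168.1.0.

```python
import ipaddress
from typing import Dict, Optional

# The three IANA private blocks listed in Table 5 (RFC 1918).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the Table 5 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def default_mask(addr: str) -> str:
    """Mask derived from the first octet (classful rule, RFC 791).
    ASSUMPTION: the page does not state the router's rule; this one
    yields the 255.255.255.0 the text gives for 192.168.1.0."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"        # class A
    if first < 192:
        return "255.255.0.0"      # class B
    return "255.255.255.0"        # class C


def lan_plan(network_number: str, mask: Optional[str] = None) -> Dict[str, object]:
    """Describe the LAN a network number defines: usable host range with the
    network (zero) and broadcast (255) addresses excluded, and whether the
    block is one a private network may use freely.  Bounds are computed
    arithmetically so large blocks such as 10.0.0.0/8 are not enumerated."""
    mask = mask or default_mask(network_number)
    net = ipaddress.ip_network(f"{network_number}/{mask}", strict=False)
    if net.num_addresses < 4:
        raise ValueError("block too small to hold a gateway and a host")
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "private": is_private(network_number),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,
        "broadcast": str(net.broadcast_address),
    }


if __name__ == "__main__":
    print(lan_plan("192.168.1.0"))
```

Running it for 192.168.1.0 reports 254 usable hosts from 192.168.1.1 to 192.168.1.254, matching the text; a public address such as 47.249.48.20 (used on the page as the DNS example) is reported as not private, which is the case the note about arbitrary addresses warns against.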

DNS Server address assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.nortel.com is 47.249.48.20. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
The Business Secure Router can get the DNS server addresses in the following ways:
The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
If the ISP did not give you DNS server information, leave the DNS Server fields in DHCP Setup set to 0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses.

WAN MAC address

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
You can configure the MAC address of the WAN port by either using the factory default or cloning the MAC address from a computer on your LAN. Once the MAC address of the WAN port is successfully configured, the address is copied to the rom file (configuration file) and does not change unless you change the setting or upload a different rom file.
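Two of the wizard inputs have a fixed syntax: the six-pair hexadecimal MAC address above, and the c:id / n:name connection ID of the PPTP screen (Table 3). The following added Python example (not Nortel's code) validates both before they are entered, including a check that a MAC chosen for cloning is a unicast address rather than a multicast or broadcast one. That the id after C: is numeric is an assumption taken from the page's single example C:12.

```python
import re
from typing import Tuple, Union

_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(text: str) -> str:
    """Accept 00:A0:C5:00:00:02, 00-a0-c5-00-00-02 or 00a0c5000002 and return
    the six-pair colon form the page uses; raise ValueError otherwise."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2].upper() for i in range(0, 12, 2))


def _first_octet(mac: str) -> int:
    return int(normalize_mac(mac).split(":")[0], 16)


def is_unicast(mac: str) -> bool:
    """Bit 0 of the first octet is the individual/group bit; 0 means unicast."""
    return _first_octet(mac) & 0x01 == 0


def is_locally_administered(mac: str) -> bool:
    """Bit 1 set means the address was not assigned by a factory OUI holder."""
    return _first_octet(mac) & 0x02 != 0


def clone_source_ok(mac: str) -> bool:
    """A MAC to copy to the WAN port must be unicast and not all zeros (constructed check)."""
    m = normalize_mac(mac)
    return is_unicast(m) and m != "00:00:00:00:00:00"


def parse_connection_id(text: str) -> Tuple[str, Union[int, str]]:
    """Parse the c:id / n:name format: C:12 -> ('id', 12), N:My ISP -> ('name', 'My ISP').
    ASSUMPTION: the page shows only a numeric id after C:, so anything else is rejected."""
    m = re.fullmatch(r"\s*([CcNn]):(.*)", text)
    if not m:
        raise ValueError(f"connection ID must start with C: or N:, got {text!r}")
    kind, value = m.group(1).upper(), m.group(2).strip()
    if not value:
        raise ValueError("empty connection ID or name")
    if kind == "C":
        if not value.isdigit():
            raise ValueError(f"id after C: must be numeric, got {value!r}")
        return ("id", int(value))
    return ("name", value)


if __name__ == "__main__":
    print(normalize_mac("00-a0-c5-00-00-02"), clone_source_ok("00-a0-c5-00-00-02"))
    print(parse_connection_id("N:My ISP"))
```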
The WAN port of your Business Secure Router is set at half-duplex mode, as most cable or DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode. Your Business Secure Router supports full duplex mode on the LAN side.
Table 6 Example of network properties for LAN servers with fixed IP addresses
Choose an IP address: 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Subnet mask: 255.255.255.0
Gateway (or default route): 192.168.1.1 (Business Secure Router LAN IP)
The third wizard screen varies according to the type of encapsulation that you select in the second wizard screen.
Figure 12 Wizard 3
Table 7 describes the fields in Figure 12.
Table 7 Wizard 3
Label: Description
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use fixed IP address: Select this option if the ISP assigned a fixed IP address.
IP Address: Enter your WAN IP address in this field if you select Use Fixed IP Address.
IP Subnet Mask: Enter the IP subnet mask in this field if you select Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
Gateway IP Address: Enter the gateway IP address in this field if you select Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
DNS Server Address Assignment: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. For example, the IP address of www.nortel.com is 47.249.48.20. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
Get automatically from ISP: Select this option if your ISP does not give you DNS server addresses. This option is selected by default.
Use fixed IP address - DNS Server IP Address: Select this option if your ISP provides you a DNS server address.
System DNS Servers (if applicable): DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Business Secure Router uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
First DNS Server, Second DNS Server, Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router’s WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you click Finish. If you chose From ISP for the second or third DNS server, but the ISP does not provide a second or third IP address, From ISP changes to None after you click Finish.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right.
Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP addresses when configuring VPN, DDNS and the time server.
Select Private DNS if the DNS server has a private IP address and is located behind a VPN peer. Enter the DNS server's IP address in the field to the right.
With a private DNS server, you must also configure the first DNS server entry in the LAN IP screen to use DNS Relay.
You must also configure a VPN branch office rule since the Business Secure Router uses a VPN tunnel when it relays DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address.
A Private DNS entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate Private DNS entry changes to None after you click Apply.
WAN MAC Address: In the MAC Address field, you can configure the MAC address of the WAN port by either using the factory default or cloning the MAC address from a computer on your LAN.
Factory Default: Select this option to use the factory assigned default MAC Address.
Spoof this Computer's MAC address - IP Address: Select this option and enter the IP address of the computer on the LAN whose MAC you are cloning. After it is successfully configured, the address is copied to the rom file (configuration file). It does not change unless you change the setting or upload a different rom file. It is advisable to clone the MAC address from a computer on your LAN even if your ISP does not presently require MAC address authentication.
Back: Click Back to return to the previous screen.
Finish: Click Finish to complete and save the wizard setup.

Basic Setup Complete

Well done! You have successfully set up your Business Secure Router to operate on your network and access the Internet.
Chapter 4 User Notes

General Notes

There are some router functions that, although performing as expected, might cause some confusion. These are summarized below.
General
1 Default Address Mapping Rules When NAT Full Feature Is First Enabled
When NAT Full Feature is first enabled, two address mapping rules are added to the address mapping table. This is done to facilitate programming, and matches the default SUA rule. The rules can be deleted.
2 Response to Invalid User ID or Password
When the wrong user ID or password is entered into the router login screen, no error message is displayed. Instead, the login screen is simply displayed again.
3 First DHCP Address Reserved for BCM50
The first address of the DHCP Address Pool is reserved for a BCM50 in the subnet, and will not be assigned to any other equipment. Once assigned to a BCM50, it is reserved for that BCM50, and will not be assigned to any other. If the BCM50 is changed, the following command must be used to enable the router to assign the first address to a different BCM50:
ip dhcp enif0 server m50mac clear
4 Login Requires Reboot
If the Administrator Timeout is set to 0, and an administration session is terminated without logging off, the router needs to be rebooted in order for the administrator to log in to the WebGUI again. Alternatively, the administrator can log in using a Telnet session, if Telnet access has been enabled in the Remote Management menu.
5 Clicking Sound
The Business Secure Router will click once every two minutes until an ADSL line is connected.
Firewall
1 Address Range Validation
In the firewall rules, the router does not confirm when given an address range, that the second address is higher than the first. If this type of address range is entered, the range is ignored.
2 Automatic Firewall Programming
Configurations to various areas of the router, such as remote management or adding a SUA Server, do not automatically add the appropriate rules to the Firewall, to enable the traffic to pass through the router. These need to be added separately.
Note: Firewall rules do not apply to IPSec tunnels.
NAT
1 Deleting NAT Rule Does Not Drop an Existing Connection
If a NAT rule is deleted, the router must be rebooted to apply the change to existing service connections. This is already noted in the GUI.
2 NAT Traversal Status
If NAT Traversal is enabled, but is not needed (because the client is not behind a NAT router), it will be shown as 'inactive' in the VPN Client Monitor. This may confuse some users.
VPN Client Termination
1 Change of User Account Does Not Drop Existing Connections
If a VPN Client user account is de-activated, deleted, or changed, and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the 'Disconnect' function in the VPN/SA Monitor GUI. This is consistent with other Nortel Contivity products.
2 User Name Restrictions
User names are limited to a maximum length of 63 characters.
3 VPN Client Account Password Restrictions
The password for a VPN Client user cannot contain the single- or double-quote characters.
4 IP Pool Address Overlap
When defining multiple VPN Client Termination IP pools, the router uses the IP Subnet mask, and not the pool size, to determine if the pools are overlapping. The subnet mask of each pool should be appropriate for the size of the VPN Client Termination IP pool.
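The following Python script is an added example, not code from the Nortel manual. It reproduces the two ways of deciding whether two VPN Client Termination pools overlap: the router's way (the start address masked with the configured subnet mask) and the way an administrator usually thinks of it (the addresses actually handed out), and it computes the longest mask that still covers a pool, which is the value the note above asks for. The pool names, addresses, sizes and masks are constructed for the example.

```python
import ipaddress

# Constructed sample of two VPN Client Termination pools (not from the manual).
# Each pool is entered as a start address, a size and the subnet mask the
# administrator typed; here both were given a /16 mask that is far wider than
# the 50 addresses each pool actually hands out.
SAMPLE_POOLS = [
    {"name": "sales",   "start": "10.10.0.1", "size": 50, "prefix": 16},
    {"name": "support", "start": "10.10.1.1", "size": 50, "prefix": 16},
]


def pool_span(start, size):
    """First and last address actually assigned from the pool."""
    first = ipaddress.IPv4Address(start)
    return first, first + (size - 1)


def mask_block(start, prefix):
    """The block the router compares: start address masked with the configured mask."""
    return ipaddress.IPv4Network(f"{start}/{prefix}", strict=False)


def overlap_by_mask(a, b):
    """How the router decides: the masked blocks of the two pools intersect."""
    return mask_block(a["start"], a["prefix"]).overlaps(mask_block(b["start"], b["prefix"]))


def overlap_by_size(a, b):
    """What an administrator usually means: the assigned address spans intersect."""
    a_lo, a_hi = pool_span(a["start"], a["size"])
    b_lo, b_hi = pool_span(b["start"], b["size"])
    return a_lo <= b_hi and b_lo <= a_hi


def minimal_prefix(start, size):
    """Longest prefix (smallest block) that still contains every pool address."""
    lo, hi = pool_span(start, size)
    for prefix in range(32, -1, -1):
        if hi in ipaddress.IPv4Network(f"{lo}/{prefix}", strict=False):
            return prefix
    return 0


def overlap_report(pools):
    """Compare every pair of pools both ways; where only the configured mask
    produces the conflict, suggest the tightest mask that fits each pool."""
    report = []
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            by_mask, by_size = overlap_by_mask(a, b), overlap_by_size(a, b)
            entry = {"pools": (a["name"], b["name"]), "by_mask": by_mask, "by_size": by_size}
            if by_mask and not by_size:
                entry["suggested_prefix"] = {
                    p["name"]: minimal_prefix(p["start"], p["size"]) for p in (a, b)
                }
            report.append(entry)
    return report


if __name__ == "__main__":
    for entry in overlap_report(SAMPLE_POOLS):
        print(entry)
```

With the sample data the router would report the two pools as overlapping although their 50 addresses each never collide; re-entering both with the suggested /26 mask removes the false conflict while still covering every pool address.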
5 VPN Client Termination - Failure In Specific Addressing Situation
If the Client has an assigned IP address that is the same as the IP address assigned for the Client Tunnel, the connection will fail to be established.
6 VPN Client Termination - Configuration Restrictions
This router has some restrictions when compared to larger Contivity Routers (1000 Series and above). In particular,
VPN Clients cannot be added to the LAN subnet. They must have addresses outside of the LAN subnet.
VPN Clients can have dynamically assigned IP addresses, or they can have statically assigned addresses. However, the router does not support both modes at once. All addresses must either be dynamically assigned, or they must all be statically assigned.
7 Establishing a Client Tunnel From One Business Secure Router to Another
When defining a Client Termination account for another Business Secure Router that will connect using Contivity Client Emulation, the following configuration is required:
Encryption must be Triple DES with SHA1 integrity, or Triple DES with MD5 integrity.
IKE Encryption must be Triple DES with Diffie-Hellman Group 2.
Perfect Forward Secrecy (PFS) must be enabled.
Security
1 Exporting or Saving Self-Signed Certificate
To export or save a self-signed certificate, click details (the icon that looks like a paper note), then click 'Export' or copy the PEM text into the clipboard, and paste into a file.
Routing
1 RIP Version Advertisement Control
To change the version of generated RIP advertisements, the following CLI command needs to be used:
ip rip mode [enif0|enif1] [in|out] [0|1|2|3]
where:
'enif0' is the LAN side, and 'enif1' is the WAN side
'in' affects recognition of received advertisements, and
'out' applies to generated advertisements
The number controls the operating mode:
0: None (disabled)
1: RIP-1 only
2: RIP-2 only
3: Both RIP-1 and RIP-2

Advanced Router Configuration

The following notes are intended to help with advanced router configuration.
Setting up the router when the system has a server
1 If you are using a Full-Feature NAT configuration, first, do the following...
a In SUA/NAT / Address Mapping, add a 'Server' rule, specifying the 'Public' IP address of the server.
2 For both SUA-Only and Full-Feature NAT configurations, do the following...
a In SUA/NAT : SUA Server, add server private IP address and port number(s) to the SUA/NAT Server table.
b In FIREWALL, add a WAN-to-LAN rule
c If the service is not in the list of available services, add it as a 'Custom Port'.
d Add the rule, selecting the service, and entering the server IP address as the destination IP address.
Connecting two sites to establish a virtual private network
The recommended method to do this is through a branch-to-branch IPSec tunnel.
1 In VPN / Summary, add a new tunnel by editing an unused rule. Create an Active, Branch Office tunnel.
a Select 'Nailed Up' if the tunnel should not be closed while not in use.
b Enter the authentication information, with either a pre-shared key or an imported certificate.
c Enter the IP Address assigned to the router WAN port. This should be a static address, or a dynamic DNS name, and the IP address of the remote router.
d Select the encryption and authentication algorithms.
e Add an IP policy, by specifying the IP address ranges of the local and remote hosts that will use the tunnel.
2 Repeat these steps at the other end of the branch.
Note: If VPN Client Termination is used on these sites, the client termination address range will need to be included in the tunnel policies in order for the VPN clients to see the other site.
Adding IP telephony to a multi-site network
Scenario 1: A BCM50 in the primary site acting as the gateway for both sites
1 Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is
connected to the router, and both have booted.
2 Add the IP phones to the primary site as per BCM50 installation guide.
3 Create a tunnel to the remote site, as described above.
4 In the remote site, set the S1 and S2 addresses to the IP address of the
BCM50, which is identified in the router DHCP table or in the BCM50. This is done with a CLI command.
TELNET or SSH to the router. This needs TELNET or SSH enabled on that router. Select menu 24, select menu 8, and enter the commands:
ip dhcp enif0 server voipserver 1 <BCM50_IP_Address> 7000 1
ip dhcp enif0 server voipserver 2 <BCM50_IP_Address> 7000 1
5 Add the IP phones to the remote site, configured for full DHCP client mode.
Scenario 2: A BCM50 in each site, each acting as the backup call server for the other site
1 At each site,
a Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50
is connected to the router, and both have booted.
b Add the IP phones to the site as per BCM50 installation guide.
c At each router, change the S2 address to the IP address of the remote
BCM50, using TELNET or SSH, and the CLI command,
ip dhcp enif0 server voipserver 2 <Remote_BCM50_IP_Address> 7000 1
2 Create a tunnel between the sites, as described above.
3 Create an H.323 trunk between the BCM50s, as per the BCM50 User Guide.
Configuring the router to act as a Nortel VPN Server (Client Termination)
1 Under VPN / Client Termination,
a Enable Client Termination.
b Select authentication type and the encryption algorithms supported.
c If the clients are assigned IP addresses from a pool, define the pool, and
enable it.
2 Assuming a Local User Database is used for authentication,
a Add user name and password to the local user database as an IPSec user,
and activate it. If the hosts will be assigned a static IP address, enter the address that will be assigned to the user.
Configuring the router to connect to a Nortel VPN Server (Client Emulation)
1 Go to VPN / Summary, and select 'Edit'.
2 Select a connection type of Contivity Client, and fill in the web page with the
relevant data.
3 If Group authentication or On-Demand Client Tunnels are needed, click the
'Advanced' button to configure this.
Allowing remote management of a LAN-connected BCM50
1 Create the appropriate NAT server rules to add the BCM50.
Go to SUA/NAT / SUA Server, and create two server rules for HTTPS and Element Manager access:
One named BCM_HTTPS, with port number 443, and the IP address of the BCM50
One named BCM_EM, with the port number 5989, and the IP address of the BCM50
Note: In DHCP Server mode, the BCM50 IP address will be the lowest address in the pool.
2 Create the appropriate Firewall rules to add BCM50 access.
Go to FIREWALL / Summary, and create two WAN-to-LAN firewall rules:
One rule allowing access from allowed remote computer IP addresses, to the BCM50 IP address, for service type HTTPS(TCP:443)
One rule allowing access from allowed remote computer IP addresses, to the BCM50 IP address, for custom port TCP:5989
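The Firewall note in the User Notes above (adding a SUA Server does not automatically add the matching firewall rule), the server setup procedure and the BCM50 remote management steps all describe the same two-part configuration: a SUA/NAT Server entry plus a WAN-to-LAN firewall rule for the same host, protocol and port, allowed only from the permitted remote addresses. The following Python script is an added example, not code from the manual or the router, that cross-checks an exported copy of both tables: it lists forwarded services with no matching allow rule (the traffic is still dropped) and management ports that are allowed from any WAN source. The table contents, the 203.0.113.0/24 management network and the dictionary layout are constructed for the example.

```python
import ipaddress

# Constructed sample SUA/NAT Server table and WAN-to-LAN firewall summary for a
# router whose BCM50 sits at 192.168.1.2 (the lowest pool address). Not from
# the manual; 203.0.113.0/24 stands in for the administrators' network.
SUA_SERVERS = [
    {"name": "BCM_HTTPS", "proto": "TCP", "port": 443,  "ip": "192.168.1.2"},
    {"name": "BCM_EM",    "proto": "TCP", "port": 5989, "ip": "192.168.1.2"},
    {"name": "INTRANET",  "proto": "TCP", "port": 80,   "ip": "192.168.1.20"},
]
FIREWALL_RULES = [
    {"dir": "WAN-to-LAN", "src": "203.0.113.0/24", "dst": "192.168.1.2",
     "proto": "TCP", "port": 443,  "action": "allow"},
    {"dir": "WAN-to-LAN", "src": "0.0.0.0/0",      "dst": "192.168.1.2",
     "proto": "TCP", "port": 5989, "action": "allow"},
]


def rules_for_server(server, rules):
    """Allow rules that would admit WAN traffic to this forwarded service."""
    target = ipaddress.IPv4Address(server["ip"])
    return [
        r for r in rules
        if r["dir"] == "WAN-to-LAN" and r["action"] == "allow"
        and r["proto"] == server["proto"] and r["port"] == server["port"]
        and ipaddress.IPv4Address(r["dst"]) == target
    ]


def audit(servers, rules, management_ports=(443, 5989)):
    """Return {'unreachable': [...], 'wide_open': [...]}.

    unreachable: SUA Server entries with no matching allow rule, so the
                 forwarded traffic is still dropped by the firewall.
    wide_open:   management ports allowed from any WAN source instead of
                 from the allowed remote computer addresses only.
    """
    unreachable, wide_open = [], []
    for server in servers:
        matching = rules_for_server(server, rules)
        if not matching:
            unreachable.append(server["name"])
            continue
        for rule in matching:
            src = ipaddress.IPv4Network(rule["src"], strict=False)
            if server["port"] in management_ports and src.prefixlen == 0:
                wide_open.append(server["name"])
                break
    return {"unreachable": unreachable, "wide_open": wide_open}


if __name__ == "__main__":
    print(audit(SUA_SERVERS, FIREWALL_RULES))
```

In the sample the Element Manager forward is reachable but open to the whole WAN, and the intranet web server forward has no firewall rule at all; the first is the case the BCM50 steps warn against, the second is the case the Firewall note describes.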
Setting up the router for guest access
The recommended approach to provide guest access is by creating an IP Alias, and using static addressing for the corporate equipment, to make it a member of the defined Alias subnet. Then use firewall rules to restrict access of the guest equipment. NOTE: if a BCM50 is used, it will also need to be assigned a static IP address.
1 Go to LAN / IP Alias, and Enable IP Alias 1.
2 Define a subnet for the corporate equipment.
3 Statically assign addresses to the corporate equipment that are within the IP
Alias subnet.
4 Set up LAN / IP to enable DHCP Server, with an address range that will be
used for guest equipment.
5 In the FIREWALL, set up a LAN-to-LAN rule to block traffic between the
guest subnet (DHCP Pool) and the corporate subnet (IP Alias subnet).
Note: If branch tunnels are being used, the policies on these tunnels should exclude the guest subnet.
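The following Python script is an added example, not code from the Nortel manual. It checks a guest-access addressing plan of the kind the steps above describe (corporate equipment statically addressed inside the IP Alias subnet, guests on the LAN DHCP pool) and then evaluates the step 5 LAN-to-LAN blocking rules against sample traffic. The subnet, pool, host names and addresses are constructed, and the default action for LAN-to-LAN traffic that matches no rule is an assumption of the example, not a statement about the router.

```python
import ipaddress

# Constructed sample plan (not from the manual): corporate equipment on IP
# Alias 1, guests on the LAN DHCP pool, which here keeps the factory layout of
# 126 addresses starting at 192.168.1.2.
ALIAS_SUBNET = "192.168.2.0/24"
GUEST_POOL_START, GUEST_POOL_SIZE = "192.168.1.2", 126
CORPORATE_STATICS = {
    "bcm50":      "192.168.2.10",
    "fileserver": "192.168.2.20",
    "printer":    "192.168.1.50",   # mistake: still addressed out of the guest pool
}


def pool_span(start, size):
    """First and last address of a DHCP pool given as start address and count."""
    first = ipaddress.IPv4Address(start)
    return first, first + (size - 1)


def check_plan(alias, pool_start, pool_size, statics):
    """Return a list of problems with the addressing plan (empty if none)."""
    problems = []
    alias_net = ipaddress.IPv4Network(alias)
    g_lo, g_hi = pool_span(pool_start, pool_size)
    if alias_net.network_address <= g_hi and g_lo <= alias_net.broadcast_address:
        problems.append("guest DHCP pool overlaps the corporate IP Alias subnet")
    for host, ip in statics.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in alias_net:
            problems.append(f"{host} ({ip}) is outside the corporate IP Alias subnet")
        if g_lo <= addr <= g_hi:
            problems.append(f"{host} ({ip}) is inside the guest DHCP pool")
    return problems


def lan_to_lan_rules(alias, pool_start, pool_size):
    """The step 5 blocking rules in both directions, as address spans."""
    alias_net = ipaddress.IPv4Network(alias)
    a_lo, a_hi = alias_net.network_address, alias_net.broadcast_address
    g_lo, g_hi = pool_span(pool_start, pool_size)
    return [
        {"name": "block-guest-to-corp", "src": (g_lo, g_hi), "dst": (a_lo, a_hi), "action": "block"},
        {"name": "block-corp-to-guest", "src": (a_lo, a_hi), "dst": (g_lo, g_hi), "action": "block"},
    ]


def evaluate(src, dst, rules, default="allow"):
    """First matching rule wins; `default` for unmatched traffic is an assumption."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule["src"][0] <= s <= rule["src"][1] and rule["dst"][0] <= d <= rule["dst"][1]:
            return rule["action"]
    return default


if __name__ == "__main__":
    for problem in check_plan(ALIAS_SUBNET, GUEST_POOL_START, GUEST_POOL_SIZE, CORPORATE_STATICS):
        print("plan problem:", problem)
    rules = lan_to_lan_rules(ALIAS_SUBNET, GUEST_POOL_START, GUEST_POOL_SIZE)
    for src, dst in [("192.168.1.50", "192.168.2.10"), ("192.168.2.20", "192.168.2.10")]:
        print(src, "->", dst, evaluate(src, dst, rules))
```

The plan check is what catches the printer in the sample: a corporate device left with a guest-pool address is reachable from guest equipment, because the blocking rule is keyed on the two subnets and not on which device is considered corporate.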
Preventing heavy data traffic from impacting telephone calls
To ensure voice quality during heavy data traffic, bandwidth needs to be reserved for voice traffic.
1 Determine your actual WAN up-stream bandwidth by connecting to a web site
such as http://myvoipspeed.visualware.com/.
2 On BANDWIDTH MANAGEMENT / Summary, activate WAN bandwidth management, and fill in your actual uplink speed in the WAN Speed field.
3 On BANDWIDTH MANAGEMENT / Class Setup, add a WAN subclass, and
reserve sufficient bandwidth based on the number of telephones, for Protocol ID 17 (UDP Traffic).
The amount of bandwidth should be based on a reasonable peak number of simultaneous calls, and the data rate needed by the IP telephony CODECs.
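The following Python script is an added example, not from the Nortel manual, that carries out the sizing step 3 leaves to the reader: the IP-layer rate of one call for a given codec and packetization interval (codec payload plus 40 bytes of IPv4, UDP and RTP headers per packet), multiplied by the peak number of simultaneous calls, with a configurable headroom, rounded up to the whole kbit/s value entered in the WAN subclass. The codec rates are the standard G.711 and G.729 figures; the manual itself names no codec, so the choice of codec and the headroom are assumptions of the example.

```python
# Standard codec bit rates in bit/s (not taken from the manual). Packet
# overhead is IPv4 (20) + UDP (8) + RTP (12) bytes per packet; link-layer
# framing on the WAN is not included.
CODEC_BPS = {"G.711": 64000, "G.729": 8000}
IP_UDP_RTP_OVERHEAD_BYTES = 40


def per_call_bps(codec, ptime_ms=20, overhead_bytes=IP_UDP_RTP_OVERHEAD_BYTES):
    """IP-layer bandwidth of one direction of one call."""
    payload_bytes = CODEC_BPS[codec] * ptime_ms // 8000   # bit/s * ms / (8 * 1000)
    packets_per_second = 1000 // ptime_ms
    return (payload_bytes + overhead_bytes) * 8 * packets_per_second


def reservation_kbps(codec, peak_calls, ptime_ms=20, headroom_pct=10):
    """kbit/s to reserve for UDP (protocol ID 17) in the WAN subclass, rounded up."""
    scaled_bps = per_call_bps(codec, ptime_ms) * peak_calls * (100 + headroom_pct)
    return -(-scaled_bps // (100 * 1000))   # exact ceiling division, no floats


def sizing_table(peak_calls, headroom_pct=10):
    """Reservation for every known codec at 20 ms and 10 ms packetization."""
    return {
        (codec, ptime): reservation_kbps(codec, peak_calls, ptime, headroom_pct)
        for codec in CODEC_BPS
        for ptime in (20, 10)
    }


if __name__ == "__main__":
    for (codec, ptime), kbps in sizing_table(peak_calls=4).items():
        print(f"{codec} @ {ptime} ms, 4 calls, 10% headroom: reserve {kbps} kbps uplink")
```

The later remote-office section reserves 110 kbps for a single UNIStim set; this calculation gives 88 kbps for one G.711 call at 20 ms with 10% headroom, and the link-layer framing left out here is one reason to round up. Shorter packetization intervals raise the per-call rate noticeably because the fixed header cost is paid more often.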
Setting Up a Remote Office with a UNIStim IP Telephone
For a remote office with a PC, and a UNIStim IP telephone behind a Business Secure Router, Client Emulation is the recommended method to connect to the main office.
1 At the main office Contivity Client Server, establish two user accounts - one for the telephone, and one for the PC.
2 On the remote office Business Secure Router, do the following:
Under WAN / WAN IP, ensure that Network Address Translation is set to SUA Only (default). Also ensure that the Gateway IP address is set (not 0.0.0.0).
Under VPN / Summary, create an entry for the IP telephone client tunnel. (Contivity Client, Active, Keep Alive). Fill in the IP address of the Contivity Client Server, and the name and password of the telephone set user account.
Under VPN / Global Setting, enable Exclusive Mode, and fill in the MAC address of the telephone set.
Under Bandwidth Management, set up WAN bandwidth management to reserve 110 kbps of bandwidth for UDP traffic (protocol ID 17). See the preceding section titled, “Preventing heavy data traffic from impacting telephone calls.”
3 Provision the IP set with the corporate call server address.
4 On the PC, install Contivity Client Software, and configure it with the PC user account information.

Inter-Operability With Third-Party Routers

VPN Connections With Cisco Routers
When establishing a VPN Client tunnel or Branch Office Tunnel between the Business Secure Router and a Cisco router, the following configuration rules should be followed:
1 Ensure that the WAN IP of the BSR222/252 router and the Cisco router are
not in the same subnet.
2 Configure the connection to use DES Encryption and MD5 Authentication.
Chapter 5 System screens
This chapter provides information on the System screens.

System overview

This section provides background information on features that you cannot configure in the Wizard.

DNS overview

There are three places where you can configure DNS (Domain Name System) setup on the Business Secure Router.
Use the System General screen to configure the Business Secure Router to use a DNS server to resolve domain names for Business Secure Router system features like VPN, DDNS, and the time server.
Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN.
Use the Remote Management DNS screen to configure the Business Secure Router to accept or discard DNS queries.

Private DNS server

In cases where you want to use domain names to access Intranet servers on a remote private network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP because these DNS servers cannot resolve domain names to private IP addresses on the remote private network.
Figure 13 depicts an example where three VPN tunnels are created from Business Secure Router A; one to branch office 2, one to branch office 3, and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters.
Figure 13 Private DNS server example
Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.

Configuring General Setup

Click SYSTEM to open the General screen.
Figure 14 System general setup
Table 8 describes the fields in Figure 14.
Table 8 System general setup

System Name: Choose a descriptive name for identification purposes. Nortel recommends that you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted.
Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP assigns a domain name via DHCP. The domain name entered by you is given priority over the ISP-assigned domain name.
Administrator Inactivity Timer: Type how many minutes a management session (either via the WebGUI or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts can have security risks. A value of 0 means a management session never times out, no matter how long it has been left idle (not recommended).
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
System DNS Servers (if applicable): First DNS Server, Second DNS Server, Third DNS Server. DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Business Secure Router uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router’s WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you click Apply. If you chose From ISP for the second or third DNS server, but the ISP does not provide a second or third IP address, From ISP changes to None after you click Apply.
Select User-Defined if you have the IP address of a DNS server. The IP address can be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right.
A User-Defined entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate User-Defined entry changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP addresses when configuring VPN, DDNS and the time server.
Select Private DNS if the DNS server has a private IP address and is located behind a VPN peer. Enter the DNS server's IP address in the field to the right.
With a private DNS server, you must also configure the first DNS server entry in the LAN IP screen to use DNS Relay.
You must also configure a VPN branch office rule since the Business Secure Router uses a VPN tunnel when it relays DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address.
A Private DNS entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate Private DNS entry changes to None after you click Apply.
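Two requirements in this manual reduce to the same check on the IP policies of the branch office rules: the Private DNS description above (a policy must carry the router's LAN IP address as local and the DNS server as remote, or DNS relay has no tunnel to use) and the note in the User Notes on connecting two sites (the VPN Client Termination address range must be included in the tunnel policies, or the clients cannot see the other site). The following Python script is an added example, not code from the manual or the router, that evaluates both against an exported list of rules. The rule names, addresses, the pool and the dictionary layout are constructed for the example; inactive rules are skipped on the assumption that only active rules carry traffic.

```python
import ipaddress

# Constructed sample (not from the manual): the router's own LAN address, a
# private DNS server behind the HQ peer, a VPN Client Termination pool, and the
# IP policies of the branch office rules as configured.
ROUTER_LAN_IP = "192.168.1.1"
PRIVATE_DNS_IP = "10.1.0.53"
CLIENT_POOL = "192.168.100.1-192.168.100.50"
BRANCH_RULES = [
    {"name": "HQ", "active": True,
     "policies": [{"local": "192.168.1.0/24", "remote": "10.1.0.0/24"}]},
    {"name": "Branch2", "active": True,
     "policies": [{"local": "192.168.1.0/24", "remote": "10.2.0.0/24"}]},
    {"name": "OldHQ", "active": False,   # would cover the pool, but is not active
     "policies": [{"local": "192.168.100.0/24", "remote": "10.1.0.0/24"}]},
]


def bounds(spec):
    """Lowest and highest address of 'a.b.c.d', 'a.b.c.d-w.x.y.z' or 'a.b.c.d/n'."""
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    lo, _, hi = spec.partition("-")
    return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)


def contains(spec, lo, hi):
    """True if the whole lo..hi span lies inside spec."""
    s_lo, s_hi = bounds(spec)
    return s_lo <= lo and hi <= s_hi


def rules_covering(rules, local_spec, remote_spec):
    """Names of active rules with a policy carrying all of local_spec to all of remote_spec."""
    l_lo, l_hi = bounds(local_spec)
    r_lo, r_hi = bounds(remote_spec)
    return [
        rule["name"] for rule in rules if rule["active"]
        and any(contains(p["local"], l_lo, l_hi) and contains(p["remote"], r_lo, r_hi)
                for p in rule["policies"])
    ]


def private_dns_reachable(rules, lan_ip, dns_ip):
    """DNS relay to a Private DNS server needs: router LAN IP (local) -> DNS IP (remote)."""
    return rules_covering(rules, lan_ip, dns_ip)


def client_pool_reaches(rules, pool_spec, remote_site_spec):
    """VPN clients see the other site only if the whole pool is local in a policy toward it."""
    return rules_covering(rules, pool_spec, remote_site_spec)


if __name__ == "__main__":
    print("DNS relay tunnel:", private_dns_reachable(BRANCH_RULES, ROUTER_LAN_IP, PRIVATE_DNS_IP))
    print("client pool to HQ:", client_pool_reaches(BRANCH_RULES, CLIENT_POOL, "10.1.0.0/24"))
```

In the sample the HQ rule's LAN policy already covers the DNS relay, while the client pool is covered only by a rule that is not active, which is exactly the silent failure the User Notes warn about: the tunnel is up, the LAN can reach HQ, but VPN clients cannot.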

Dynamic DNS

With Dynamic DNS, you can update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (as in NetMeeting or CU-SeeMe). You can also access your FTP server or Web site on your own computer using a domain name (for instance, myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives can always call you even if they don't know your IP address.
First of all, you must register a dynamic DNS account with, for example, www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server who still want a domain name. The Dynamic DNS service provider gives you a password or key.

DYNDNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to use, for example, www.yourhost.dyndns.org and still reach your host name.

Configuring Dynamic DNS

Note: If you have a private WAN IP address, you cannot use Dynamic DNS.
To change your Business Secure Router’s DDNS, click SYSTEM, then the DDNS tab. The screen illustrated in Figure 15 appears.
Figure 15 DDNS
Table 9 describes the fields in Figure 15.
Table 9 DDNS

Active: Select this check box to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Names 1~3: Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (,).
User: Enter your username (up to 31 characters).
Password: Enter the password associated with your username (up to 31 characters).
Enable Wildcard: Select the check box to enable DYNDNS Wildcard.
Off Line: This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
IP Address Update Policy:
DDNS Server Auto Detect IP Address: Select this option only when there are one or more NAT routers between the Business Secure Router and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the Business Secure Router and the DDNS server.
Use Specified IP Address: Select this option to update the IP address of the host names to the IP address specified below. Use this option if you have a static IP address.
Use IP Address: Enter the IP address if you select the User Specify option.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to return to the previously saved settings.

Configuring Password

To change the password of your Business Secure Router (recommended), click SYSTEM, then the Password tab. The screen illustrated in Figure 16 appears. In this screen, you can change the password of the Business Secure Router.
Figure 16 Password
Table 10 describes the fields in Figure 16.
Table 10 Password

Administrator Setting: The administrator can access and configure all of the Business Secure Router's features.
Old Password: Type your existing system administrator password (PlsChgMe! is the default password).
New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm: Retype your new system password for confirmation.
Client User Setting: The client user is the person who uses the Business Secure Router's Contivity Client VPN tunnel. The client user can do the following:
Configure the WAN ISP and IP screens.
Configure the VPN Contivity Client settings (except the Advanced screen’s exclusive use mode for client tunnel and MAC address allowed settings).
View the SA monitor.
Configure the VPN Global Setting screen.
View logs.
View the Maintenance Status screen.
Use the Maintenance F/W Upload and Restart screens.
User Name: Type a username for the client user (up to 31 characters).
New Password: Type a password for the client user (up to 31 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm: Retype the client user password for confirmation.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Predefined NTP time server list

The Business Secure Router uses the predefined list of NTP time servers listed in Table 11 if you do not specify a time server or if it cannot synchronize with the time server you specified.
The Business Secure Router can use this predefined list of time servers regardless of the Time Protocol you select.
When the Business Secure Router uses the predefined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the Business Secure Router goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time servers have been tried.
Table 11 Default Time Servers
a.ntp.alphazed.net
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw

Configuring Time and Date

To change your Business Secure Router’s time and date, click SYSTEM, and then Time and Date. The screen in Figure 17 appears. Use this screen to configure the Business Secure Router’s time based on your local time zone.
Figure 17 Time and Date
Table 12 describes the fields in Figure 17.
Table 12 Time and Date

Current Time and Date
Current Time: This field displays the time on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the time with the time server.
Current Date: This field displays the date on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the date with the time server.
Time and Date Setup
Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.
New Time (hh:mm:ss): This field displays the last updated time from the time server or the last time configured manually. After you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
New Date (yyyy-mm-dd): This field displays the last updated date from the time server or the last date configured manually. After you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Get from Time Server: Select this radio button to have the Business Secure Router get the time and date from the time server that you specified.
Time Protocol: Select the time service protocol that your time server sends when you turn on the Business Secure Router. Not all time servers support all protocols, so you need to check with your ISP or network administrator or use trial and error to find a protocol that works.
The main difference between the protocols is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868).
Time Server Address: Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information.
Synchronize Now: Click this button to have the Business Secure Router get the time and date from a time server (see the Time Server Address field). This also saves your changes (including the time server address).
Time Zone Setup
Time Zone: Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Enable Daylight Saving: Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. Select this option if you use Daylight Saving Time.
Start Date: Configure the day and time when Daylight Saving Time starts if you select Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples:
Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 a.m. local time. So, in the United States, select First, Sunday, April and type 2 in the o'clock field.
Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So, in the European Union, select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
End Date: Configure the day and time when Daylight Saving Time ends if you select Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples:
Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 a.m. local time. So, in the United States, select Last, Sunday, October and type 2 in the o'clock field.
Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So, in the European Union, select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
ALG
With Application Layer Gateway (ALG), applications can pass through NAT and the firewall. You must also configure NAT and firewall rules depending upon the type of access you want to allow.
Note: You must enable the FTP, H.323 or SIP ALG in order to use bandwidth management on that application.

Configuring ALG

To change the ALG settings of your Business Secure Router, click SYSTEM and then ALG. The screen appears as shown in Figure 18.
Figure 18 ALG
Table 13 describes the labels in Figure 18.
Table 13 ALG

Enable FTP ALG: Select this check box to allow FTP (File Transfer Protocol) to send and receive files through the Business Secure Router.
Enable H.323 ALG: Select this check box to allow applications using H.323 to go through the Business Secure Router. H.323 is an application layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. H.323 is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
The H.323 ALG does not support H.323 Gatekeeper.
Enable SIP ALG: Select this check box to allow SIP (Session Initiation Protocol) applications to go through the Business Secure Router. The Session Initiation Protocol (SIP) is an application layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
To avoid retranslating the SIP device's IP address, do not use the SIP ALG with a SIP device that is using STUN (Simple Traversal of User Datagram Protocol (UDP) through NAT).
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Chapter 6

LAN screens

This chapter describes how to configure LAN settings.

LAN overview

A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, configure RIP and multicast settings, and partition your physical network into logical networks.

DHCP setup

Using DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients can obtain TCP/IP configuration at start-up from a server. You can configure the Business Secure Router as a DHCP server or disable it. When configured as a server, the Business Secure Router provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be configured manually.

IP pool setup

The Business Secure Router is preconfigured with a pool of IP addresses for the DHCP clients (DHCP Pool). Do not assign static IP addresses from the DHCP pool to your LAN computers.

DNS servers

Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN.

LAN TCP/IP

The Business Secure Router has built in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

Factory LAN defaults

The LAN parameters of the Business Secure Router are preset in the factory with the following values:
IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
DHCP server enabled with 126 client IP addresses starting from 192.168.1.2.
These parameters work for the majority of installations. If your ISP gives you explicit DNS server addresses, read the embedded WebGUI help regarding which fields need to be configured.

RIP setup

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received.
RIP Version controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on nonrouter machines since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.
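An added example, not taken from this manual or from the router's firmware, showing what the RIP Direction and RIP Version choices mean in practice. `rip_behaviour` maps each setting to whether the router sends, whether it listens, and where it sends (RIP-2M to the multicast group, RIP-1 and RIP-2B to the subnet broadcast); `parse_rip` decodes the RIP-1/RIP-2 datagram layout of RFC 1058 (with the RIP-2 mask, next hop and authentication fields of RFC 2453); and `process_rip` applies the direction setting to a received datagram, also dropping updates that do not come from the directly connected LAN, since a router set to Both or In Only accepts whatever routing table its neighbours advertise. The multicast group 224.0.0.9 is from RFC 2453, not from the chapter; the function names, the acceptance policy and the sample advertisement are assumptions.

```python
import ipaddress
import struct

# The RIP-2 multicast group is 224.0.0.9 (RFC 2453); the chapter itself only says
# that RIP-2M "uses multicasting" while RIP-1 and RIP-2B use subnet broadcast.
RIP2_MULTICAST = ipaddress.IPv4Address("224.0.0.9")
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
RIP_CMD_REQUEST, RIP_CMD_RESPONSE = 1, 2
AF_INET, AF_AUTH = 2, 0xFFFF      # AF_AUTH marks a RIP-2 authentication entry


def rip_behaviour(direction: str, version: str):
    """Map the WebGUI choices to (sends, receives, send_destination).

    direction: Both / In Only / Out Only / None; version: RIP-1 / RIP-2B / RIP-2M.
    """
    sends = direction in ("Both", "Out Only")
    receives = direction in ("Both", "In Only")
    destination = "multicast 224.0.0.9" if version == "RIP-2M" else "subnet broadcast"
    return sends, receives, destination


def _classful_prefix(addr: ipaddress.IPv4Address) -> int:
    first_octet = int(addr) >> 24
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24


def parse_rip(payload: bytes):
    """Parse a RIP datagram: 4-byte header (command, version, two zero bytes)
    followed by 20-byte route entries (RFC 1058 layout, RFC 2453 for the RIP-2
    fields). Returns (version, [(prefix, metric), ...]); raises ValueError."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP length")
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    if command not in (RIP_CMD_REQUEST, RIP_CMD_RESPONSE):
        raise ValueError(f"unknown RIP command {command}")
    if version not in (1, 2):
        raise ValueError(f"unsupported RIP version {version}")
    routes = []
    for off in range(4, len(payload), 20):
        af, _tag, ip, mask, _next_hop, metric = struct.unpack("!HHIIII", payload[off:off + 20])
        if af == AF_AUTH and version == 2:
            continue                       # authentication entry, not a route
        if af != AF_INET:
            raise ValueError(f"unexpected address family {af}")
        if not 1 <= metric <= 16:          # 16 means unreachable (a withdrawal)
            raise ValueError(f"metric {metric} out of range")
        addr = ipaddress.IPv4Address(ip)
        if version == 2 and mask:
            prefix = ipaddress.IPv4Network((str(addr), str(ipaddress.IPv4Address(mask))), strict=False)
        else:                              # RIP-1 carries no mask: classful fallback
            prefix = ipaddress.IPv4Network((str(addr), _classful_prefix(addr)), strict=False)
        routes.append((str(prefix), metric))
    return version, routes


def process_rip(direction: str, lan_cidr: str, src: str, dst: str, payload: bytes):
    """Apply the RIP Direction setting to one datagram received on the LAN.

    Returns ("accepted", routes) or ("dropped", reason). Besides the direction
    check, a datagram is only accepted from a source on the directly connected
    LAN and only when addressed to the RIP-2 group or a broadcast address.
    """
    lan = ipaddress.IPv4Network(lan_cidr)
    _sends, receives, _dest = rip_behaviour(direction, "RIP-1")
    if not receives:
        return "dropped", f"RIP Direction '{direction}' ignores received RIP packets"
    if ipaddress.IPv4Address(src) not in lan:
        return "dropped", f"source {src} is not on the directly connected LAN {lan}"
    if ipaddress.IPv4Address(dst) not in (RIP2_MULTICAST, lan.broadcast_address, LIMITED_BROADCAST):
        return "dropped", f"destination {dst} is neither the RIP-2 group nor a broadcast"
    try:
        _version, routes = parse_rip(payload)
    except ValueError as exc:
        return "dropped", str(exc)
    return "accepted", routes


def build_rip_response(routes, version=2) -> bytes:
    """Encode a RIP response; used here only to construct sample datagrams."""
    out = struct.pack("!BBH", RIP_CMD_RESPONSE, version, 0)
    for prefix, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        mask = int(net.netmask) if version == 2 else 0
        out += struct.pack("!HHIIII", AF_INET, 0, int(net.network_address), mask, 0, metric)
    return out


if __name__ == "__main__":
    # Constructed sample advertisement: one reachable route and one withdrawal.
    pkt = build_rip_response([("10.0.0.0/8", 2), ("192.168.5.0/24", 16)])
    print(rip_behaviour("Both", "RIP-2M"))
    print(process_rip("Both", "192.168.1.0/24", "192.168.1.20", "224.0.0.9", pkt))
    print(process_rip("None", "192.168.1.0/24", "192.168.1.20", "224.0.0.9", pkt))
    print(process_rip("In Only", "192.168.1.0/24", "203.0.113.7", "192.168.1.255", pkt))
```

The source check in `process_rip` is the part a practitioner should take away: on a small network that does not need dynamic routing, RIP Direction set to None or Out Only removes the possibility of a LAN host rewriting the router's table with a forged response, and if RIP must be received, RIP-2 authentication entries (AF 0xFFFF) are where RFC 2453 puts the shared secret that this parser merely skips.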

Multicast

Traditionally, IP packets are transmitted in one of two ways—Unicast (1 sender-1 recipient) or Broadcast (1 sender-everybody on the network). Multicast delivers IP packets to a group of hosts on the network—not everybody and not just 1.
IGMP (Internet Group Multicast Protocol) is a network layer protocol used to establish membership in a Multicast group—it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you want to read more detailed information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236). The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
The Business Secure Router supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the Business Secure Router queries all directly connected networks to gather group membership. After that, the Business Secure Router periodically updates this information. IP multicasting can be enabled or disabled on the Business Secure Router LAN, WAN or both interfaces in the WebGUI LAN and WAN screens. Select None to disable IP multicasting on these interfaces.
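An added example, not from this manual or from the router's firmware, covering both this Multicast section and the Multicast field of the LAN IP screen (IGMP V-1, IGMP V-2 or None). `parse_igmp` decodes and validates an 8-byte IGMP v1/v2 message: it verifies the Internet checksum, tells a version 1 query from a version 2 query by the Max Response Time field as RFC 2236 section 4 describes, and rejects reports for addresses outside the class D range or for the reserved groups named above (224.0.0.0, which belongs to no group, and the all-hosts group 224.0.0.1, whose membership is never reported). `apply_multicast_setting` then models the three WebGUI choices as a receive policy. The type codes are from RFC 1112 and RFC 2236; the function names, the policy that an IGMP V-1 router understands only version 1 messages, and the sample messages are assumptions.

```python
import ipaddress
import struct

# IGMP message types from RFC 1112 (version 1) and RFC 2236 (version 2).
IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
TYPE_NAMES = {
    IGMP_QUERY: "membership query",
    IGMP_V1_REPORT: "v1 membership report",
    IGMP_V2_REPORT: "v2 membership report",
    IGMP_LEAVE: "leave group",
}
CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")          # 224.0.0.0 to 239.255.255.255
UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")
# Addresses singled out in the chapter: 224.0.0.0 is assigned to no group and
# 224.0.0.1 is the permanent all-hosts group (its membership is never reported).
NO_GROUP = ipaddress.IPv4Address("224.0.0.0")
ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")


def internet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """Encode an 8-byte IGMP v1/v2 message; used here to construct samples."""
    body = struct.pack("!BBH4s", msg_type, max_resp_time, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_igmp(data: bytes) -> dict:
    """Validate and decode an IGMP message; raises ValueError on a bad one."""
    if len(data) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if internet_checksum(data[:8]) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp_time, _csum, raw_group = struct.unpack("!BBH4s", data[:8])
    if msg_type not in TYPE_NAMES:
        raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")
    group = ipaddress.IPv4Address(raw_group)
    if msg_type == IGMP_QUERY:
        # RFC 2236 section 4: a query with Max Response Time 0 comes from a
        # version 1 querier; a general query carries the group 0.0.0.0.
        version = 1 if max_resp_time == 0 else 2
        if group != UNSPECIFIED and group not in CLASS_D:
            raise ValueError(f"query for non-class-D group {group}")
    else:
        version = 1 if msg_type == IGMP_V1_REPORT else 2
        if group not in CLASS_D:
            raise ValueError(f"{group} is not a class D group address")
        if group in (NO_GROUP, ALL_HOSTS):
            raise ValueError(f"report or leave for reserved group {group}")
    return {"version": version, "type": TYPE_NAMES[msg_type],
            "group": str(group), "max_resp_time": max_resp_time}


def apply_multicast_setting(setting: str, data: bytes):
    """Model the LAN screen's Multicast choice (IGMP V-1, IGMP V-2 or None) as
    a receive policy for one IGMP message. Assumption: a router set to IGMP V-1
    only understands version 1 queries and reports. Returns (verdict, detail)."""
    if setting == "None":
        return "dropped", "IP multicasting disabled on this interface"
    try:
        msg = parse_igmp(data)
    except ValueError as exc:
        return "dropped", str(exc)
    if setting == "IGMP V-1" and msg["version"] != 1:
        return "dropped", f"{msg['type']} is not understood by an IGMPv1 router"
    return "accepted", msg


if __name__ == "__main__":
    # Constructed samples: a v2 report for 239.1.2.3, a v1 report for 224.0.0.0
    # (invalid), and a general query whose checksum has been corrupted.
    good = build_igmp(IGMP_V2_REPORT, "239.1.2.3")
    bad_group = build_igmp(IGMP_V1_REPORT, "224.0.0.0")
    corrupted = bytearray(build_igmp(IGMP_QUERY, "0.0.0.0", 100))
    corrupted[1] ^= 0xFF
    for setting in ("IGMP V-2", "IGMP V-1", "None"):
        print(setting, apply_multicast_setting(setting, good))
    print(apply_multicast_setting("IGMP V-2", bad_group))
    print(apply_multicast_setting("IGMP V-2", bytes(corrupted)))
```

The checks mirror what a router set to IGMP V-2 has to do before trusting a membership report: a report naming an address outside 224.0.0.0/4, or one of the reserved groups, is malformed and should never alter the forwarding state the router gathers from its periodic queries.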

Configuring IP

Click LAN to open the IP screen.
Figure 19 LAN IP
Table 14 describes the fields in Figure 19.

Table 14 LAN IP

Label: Description

DHCP Server: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the Business Secure Router provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields.
Select Relay to have the Business Secure Router forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field.
Select None to stop the Business Secure Router from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.

IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool. The default is 192.168.1.2.

Pool Size: This field specifies the size, or count, of the IP address pool. The default is 126.

DNS Servers Assigned by DHCP Server: The Business Secure Router passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The Business Secure Router only passes this information to the LAN DHCP clients when you select the DHCP Server check box. When you clear the DHCP Server check box, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured.

First DNS Server, Second DNS Server, Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right.
Select DNS Relay to have the Business Secure Router act as a DNS proxy. The Business Secure Router's LAN IP address displays in the field to the right (read-only). The Business Secure Router tells the DHCP clients on the LAN that the Business Secure Router itself is the DNS server. When a computer on the LAN sends a DNS query to the Business Secure Router, the Business Secure Router forwards the query to the Business Secure Router's system DNS server (configured in the SYSTEM General screen) and relays the response to the computer. You can only select DNS Relay for one of the three servers.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.

LAN TCP/IP

IP Address: Type the IP address of your Business Secure Router in dotted decimal notation (192.168.1.1 is the factory default).

IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Business Secure Router (255.255.255.0).

RIP Direction: With RIP (Routing Information Protocol, RFC 1058 and RFC 1389) a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received. None is the default.

RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on nonrouter machines since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.

Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network layer protocol used to establish membership in a Multicast group—it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you want to read more detailed information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236).

Windows Networking (NetBIOS over TCP/IP)

Allow between LAN and WAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
This field does the same as the Allow between WAN and LAN field in the WAN IP screen. Enabling one automatically enables the other.

Apply: Click Apply to save your changes to the Business Secure Router.

Reset: Click Reset to begin configuring this screen afresh.

Configuring Static DHCP

With Static DHCP, you can assign IP addresses on the LAN to specific individual computers based on their MAC Addresses.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
To change your Business Secure Router’s Static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown in Figure 20.
Figure 20 Static DHCP
Table 15 describes the fields in Figure 20.

Table 15 Static DHCP

Label: Description
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address (with colons) of a computer on your LAN.