Avaya Business Secure Router 252 Configuration manual

Nortel Business Secure Router 252 Configuration — Basics
BSR252
Business Secure Router
Document Number: NN47923-500
Document Version: 1.2
Date: May 2007
Copyright © Nortel 2005–2006
All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. The information in this document is proprietary to Nortel.
Trademarks
Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel.
Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
All other trademarks and registered trademarks are the property of their respective owners.

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Hard copy technical manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
How to get Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Getting Help from the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Getting Help over the phone from a Nortel Solutions Center . . . . . . . . . . . . . . . . 31
Getting Help from a specialist by using an Express Routing Code . . . . . . . . . . . . 32
Getting Help through a Nortel distributor or reseller . . . . . . . . . . . . . . . . . . . . . . . 32
Chapter 1
Getting to know your Business Secure Router . . . . . . . . . . . . . . . . . . . . . 33
Introducing the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Physical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
High-speed Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
ADSL standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Networking compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Four-Port switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Autonegotiating 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Autosensing 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Auxiliary port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Reset button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Nonphysical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
IPSec VPN capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Nortel Contivity Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
IEEE 802.1x for network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Brute force password guessing protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Universal Plug and Play (UPnP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Call scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Dynamic DNS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Central Network Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
DHCP (Dynamic Host Configuration Protocol) . . . . . . . . . . . . . . . . . . . . . . . . 40
Full network management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Logging and tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Upgrade Business Secure Router Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Embedded FTP and TFTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Applications for the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Secure broadband internet access and VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Hardware Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Chapter 2
Introducing the WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
WebGUI overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Accessing the Business Secure Router WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Restoring the factory-default configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Procedure to use the reset button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Uploading a configuration file through console port . . . . . . . . . . . . . . . . . . . . . . . 48
Navigating the Business Secure Router WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Chapter 3
Wizard setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Wizard overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
ENET ENCAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
PPP over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
RFC 1483 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
VC-based multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
LLC-based multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
VPI and VCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Wizard setup configuration: first screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
IP address and subnet mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
IP address assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
IP assignment with PPPoA or PPPoE encapsulation . . . . . . . . . . . . . . . . . . . . . . 58
IP assignment with RFC 1483 encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
IP assignment with ENET ENCAP encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . 58
Private IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Nailed-up connection (only with PPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Wizard setup configuration: second screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
DHCP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
IP pool setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Wizard setup configuration: third screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Wizard setup configuration: connection tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Test your Internet connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Chapter 4
User Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
General Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Advanced Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Setting up the router when the system has a server . . . . . . . . . . . . . . . . . . . . 75
Connecting two sites to establish a virtual private network . . . . . . . . . . . . . . . 75
Adding IP telephony to a multi-site network . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configuring the router to act as a Nortel VPN Server (Client Termination) . . . 77
Configuring the router to connect to a Nortel VPN Server (Client Emulation) . 77
Allowing remote management of a LAN-connected BCM50 . . . . . . . . . . . . . . 78
Setting up the router for guest access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Preventing heavy data traffic from impacting telephone calls . . . . . . . . . . . . . 79
Setting Up a Remote Office with a UNIStim IP Telephone . . . . . . . . . . . . . . . 79
Inter-Operability With Third-Party Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
VPN Connections With Cisco Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Chapter 5
System screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
System overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
DNS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Private DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Configuring General Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
DYNDNS wildcard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Predefined NTP time server list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Chapter 6
LAN screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
LAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
DHCP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
IP pool setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
LAN TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Factory LAN defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
RIP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Configuring Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configuring IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Chapter 7
WAN screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
WAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
TCP/IP Priority (metric) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Configuring Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
PPPoE encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Configuring WAN ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuring WAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Traffic redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Configuring Dial Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Advanced Modem Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
AT Command Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
DTR Signal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Response Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Configuring Advanced Modem Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Chapter 8
Network Address Translation (NAT) Screens . . . . . . . . . . . . . . . . . . . . . . 129
NAT overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
NAT definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
What NAT does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
How NAT works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Port restricted cone NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
NAT application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
NAT mapping types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
SUA (Single User Account) versus NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Using NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
SUA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Default server IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Port forwarding: Services and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring servers behind SUA (example) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring SUA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Configuring Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Trigger Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Trigger Port Forwarding example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Two points to remember about Trigger Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Configuring Trigger Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Chapter 9
Static Route screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Static Route overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Configuring IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuring Route entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Chapter 10
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Firewall overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Types of firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Packet filtering firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Application level firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Stateful Inspection firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Introduction to the Business Secure Router firewall . . . . . . . . . . . . . . . . . . . . . . . . . 155
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Types of DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Stateful inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Stateful inspection process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Stateful inspection and the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . 163
TCP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
UDP/ICMP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Upper layer protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Guidelines for enhancing security with your firewall . . . . . . . . . . . . . . . . . . . . . . . . . 166
Packet filtering vs. firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Packet filtering: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
When to use filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
When to use the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Chapter 11
Firewall screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Access methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Firewall policies overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Rule logic overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Rule checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Security ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Key fields for configuring rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Source address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Destination address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Connection direction examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
LAN to WAN rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
WAN to LAN rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Configuring firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Configuring source and destination addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configuring custom ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Example firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Predefined services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Configuring attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Threshold values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Half-open sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
TCP maximum incomplete and blocking period . . . . . . . . . . . . . . . . . . . . . . 191
Chapter 12
Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Introduction to content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Restrict web features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Days and Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Chapter 13
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Business Secure Router VPN functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
VPN screens overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Other terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Data confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Data integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Data origin authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
IPSec architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
VPN applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
IPSec algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
AH (Authentication Header) protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
ESP (Encapsulating Security Payload) protocol . . . . . . . . . . . . . . . . . . . . . . . . . 204
Key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Transport mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Tunnel mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
IPSec and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Secure Gateway Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Dynamic Secure Gateway Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Summary screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Keep Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Nailed up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
NAT Traversal configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Preshared key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring Contivity Client VPN Rule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
ID Type and content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
ID type and content examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
My IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring Branch Office VPN Rule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configuring an IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Port forwarding server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Configuring a port forwarding server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
IKE phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Negotiation Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Preshared key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Diffie-Hellman (DH) Key Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Perfect Forward Secrecy (PFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Configuring advanced Branch office setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Chapter 14
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Certificates overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Advantages of certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Configuration summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Certificate file formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Importing a certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Creating a certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Importing a Trusted CA certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Trusted CA Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Trusted remote hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Verifying a certificate of a trusted remote host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Trusted remote host certificate fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Importing a certificate of a trusted remote host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Trusted remote host certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Directory servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Add or edit a directory server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Chapter 15
Bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Bandwidth management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Bandwidth classes and filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Proportional bandwidth allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Application based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Subnet based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Application and subnet based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . 301
Reserving bandwidth for nonbandwidth class traffic . . . . . . . . . . . . . . . . . . . . . . 301
Configuring summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Configuring class setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Bandwidth Manager Class Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Chapter 16
IEEE 802.1x. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
IEEE 802.1x overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Types of RADIUS messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
EAP Authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Configuring 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Chapter 17
Authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Introduction to Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Edit Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configuring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Chapter 18
Remote management screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Remote management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Remote management limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Remote management and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
System timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Introduction to HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Configuring WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
HTTPS example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Internet Explorer warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Netscape Navigator warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Avoiding the browser warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Logon screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
SSH overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
How SSH works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
SSH implementation on the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . . . 345
Requirements for using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Configuring SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Secure Telnet using SSH examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Example 1: Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Example 2: Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Secure FTP using SSH example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Configuring TELNET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Configuring FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
REMOTE MANAGEMENT: SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Configuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Chapter 19
UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Universal Plug and Play overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
How do I know if I am using UPnP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Cautions with UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
UPnP implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Displaying UPnP port mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Installing UPnP in Windows example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Installing UPnP in Windows Me . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Installing UPnP in Windows XP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Using UPnP in Windows XP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Autodiscover Your UPnP-enabled Network Device . . . . . . . . . . . . . . . . . . . . . . . 368
WebGUI easy access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Chapter 20
Logs Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Configuring View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Configuring Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Configuring Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Viewing Web site hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Viewing Protocol/Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Viewing LAN IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Reports specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Chapter 21
Call scheduling screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Call scheduling introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Call schedule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Call scheduling edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Applying Schedule Sets to a remote node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Chapter 22
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Maintenance overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Status screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
System statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
DHCP Table screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Diagnostic Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
F/W Upload screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Configuration screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Back to Factory Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Backup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Restore configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Restart screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Appendix A
Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Problems Starting Up the Business Secure Router . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Problems with the LAN LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Problems with the LAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Problems with the WAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Problems with Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Problems accessing an Internet Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Problems with the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Problems with the WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Problems with Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Allowing Pop-up Windows, JavaScript and Java Permissions . . . . . . . . . . . . . . . . . . 416
Internet Explorer Pop-up Blockers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Allowing Pop-ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Enabling Pop-up Blockers with Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Internet Explorer JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Internet Explorer Java Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
JAVA (Sun) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Netscape Pop-up Blockers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Allowing Pop-ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Enable Pop-up Blockers with Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Netscape Java Permissions and JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Appendix B
Log Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
VPN/IPSec Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
VPN Responder IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Configuring what you want the Business Secure Router to log . . . . . . . . . . . . . . 450
Displaying Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Log Command Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Figures

Figure 1 Secure Internet Access and VPN Application . . . . . . . . . . . . . . . . . . . . . 42
Figure 2 Login screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Figure 3 Change password screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Figure 4 Replace certificate screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Figure 5 Example Xmodem Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Figure 6 MAIN MENU Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Figure 7 Contact Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Figure 8 Wizard Screen 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 9 Internet connection with PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Figure 10 Internet connection with RFC 1483 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Figure 11 Internet connection with ENET ENCAP . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Figure 12 Internet connection with PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Figure 13 Wizard Screen 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Figure 14 Wizard: LAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Figure 15 Wizard Screen 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Figure 16 Private DNS server example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Figure 17 System general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Figure 18 DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Figure 19 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Figure 20 Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Figure 21 ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Figure 22 LAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Figure 23 Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Figure 24 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Figure 25 WAN: Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Figure 26 WAN: WAN ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Figure 27 WAN: IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Figure 28 Traffic Redirect WAN Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Figure 29 Traffic Redirect LAN Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 30 Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Figure 31 Dial Backup Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Figure 32 Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Figure 33 How NAT works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Figure 34 Port Restricted Cone NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Figure 35 NAT application with IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Figure 36 Multiple servers behind NAT example . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Figure 37 SUA/NAT setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Figure 38 Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Figure 39 Address Mapping edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Figure 40 Trigger Port Forwarding process: example . . . . . . . . . . . . . . . . . . . . . . . 144
Figure 41 Trigger Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Figure 42 Example of Static Routing topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Figure 43 Static Route screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Figure 44 Edit IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Figure 45 Business Secure Router firewall application . . . . . . . . . . . . . . . . . . . . . . 156
Figure 46 Three-way handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Figure 47 SYN flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Figure 48 Smurf attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Figure 49 Stateful inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Figure 50 LAN to WAN traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Figure 51 WAN to LAN traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Figure 52 Enabling the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Figure 53 Creating and editing a firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Figure 54 Adding or editing source and destination addresses . . . . . . . . . . . . . . . 181
Figure 55 Creating or editing a custom port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Figure 56 Firewall edit rule screen example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Figure 57 Firewall rule edit IP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Figure 58 Edit custom port example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Figure 59 MyService rule configuration example . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Figure 60 My Service example rule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Figure 61 Attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Figure 62 Content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Figure 63 Encryption and decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Figure 64 IPSec architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Figure 65 Transport and Tunnel mode IPSec encapsulation . . . . . . . . . . . . . . . . . 206
Figure 66 IPSec summary fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Figure 67 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Figure 68 NAT router between IPSec routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Figure 69 VPN Contivity Client rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Figure 70 VPN Contivity Client advanced rule setup . . . . . . . . . . . . . . . . . . . . . . . 217
Figure 71 VPN Branch Office rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Figure 72 VPN Branch Office — IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Figure 73 VPN Branch Office — IP Policy - Port Forwarding Server . . . . . . . . . . . 237
Figure 74 Two phases to set up the IPSec SA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Figure 75 VPN Branch Office advanced rule setup . . . . . . . . . . . . . . . . . . . . . . . . 242
Figure 76 VPN SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Figure 77 VPN Global Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Figure 78 VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Figure 79 VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . . 253
Figure 80 VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Figure 81 VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Figure 82 Certificate configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Figure 83 My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Figure 84 My Certificate Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Figure 85 My Certificate create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Figure 86 My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Figure 87 Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Figure 88 Trusted CA import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Figure 89 Trusted CA details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Figure 90 Trusted remote hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Figure 91 Remote host certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Figure 92 Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Figure 93 Trusted remote host import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Figure 94 Trusted remote host details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Figure 95 Directory servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Figure 96 Directory server add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Figure 97 Subnet based bandwidth management example . . . . . . . . . . . . . . . . . . 301
Figure 98 Bandwidth Manager: Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Figure 99 Bandwidth Manager: Class setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Figure 100 Bandwidth Manager: Edit class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Figure 101 Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Figure 102 Bandwidth manager monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Figure 103 EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Figure 104 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Figure 105 Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Figure 106 Local User database edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Figure 107 Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Figure 108 Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Figure 109 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Figure 110 HTTPS implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Figure 111 WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Figure 112 Security Alert dialog box (Internet Explorer) . . . . . . . . . . . . . . . . . . . . . . 335
Figure 113 Security Certificate 1 (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Figure 114 Security Certificate 2 (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Figure 115 Logon screen (Internet Explorer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Figure 116 Login screen (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Figure 117 Replace certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Figure 118 Device-specific certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Figure 119 Common Business Secure Router certificate . . . . . . . . . . . . . . . . . . . . . 343
Figure 120 SSH Communication Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Figure 121 How SSH Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Figure 122 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Figure 123 SSH Example 1: Store Host Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Figure 124 SSH Example 2: Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Figure 125 SSH Example 2: Log on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Figure 126 Secure FTP: Firmware Upload Example . . . . . . . . . . . . . . . . . . . . . . . . 350
Figure 127 Telnet configuration on a TCP/IP network . . . . . . . . . . . . . . . . . . . . . . . 350
Figure 128 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Figure 129 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Figure 130 SNMP Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Figure 131 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Figure 132 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Figure 133 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Figure 134 Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Figure 135 UPnP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Figure 136 Add/Remove programs: Windows setup . . . . . . . . . . . . . . . . . . . . . . . . 366
Figure 137 Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Figure 138 Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Figure 139 Windows optional networking components wizard . . . . . . . . . . . . . . . . . 367
Figure 140 Windows XP networking services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Figure 141 Internet gateway icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Figure 142 Internet connection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Figure 143 Internet connection properties advanced setup . . . . . . . . . . . . . . . . . . . 370
Figure 144 Service settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Figure 145 Internet connection icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Figure 146 Internet connection status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Figure 147 Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Figure 148 My Network Places: Local network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Figure 149 View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Figure 150 Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Figure 151 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Figure 152 Web site hits report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Figure 153 Protocol/Port report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Figure 154 LAN IP address report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Figure 155 Call schedule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Figure 156 Call schedule edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Figure 157 Applying Schedule Sets to a remote node . . . . . . . . . . . . . . . . . . . . . . . 392
Figure 158 System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Figure 159 System Status: Show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Figure 160 DHCP Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Figure 161 Diagnostic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Figure 162 Firmware upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Figure 163 Firmware Upload In Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Figure 164 Network Temporarily Disconnected . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Figure 165 Firmware upload error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Figure 166 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Figure 167 Reset warning message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Figure 168 Configuration Upload Successful . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Figure 169 Network Temporarily Disconnected . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Figure 170 Restart screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Figure 171 Pop-up Blocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Figure 172 Internet Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Figure 173 Internet options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Figure 174 Pop-up Blocker settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Figure 175 Internet options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Figure 176 Security Settings - Java Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Figure 177 Security Settings - Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Figure 178 Java (Sun) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Figure 179 Allow Popups from this site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Figure 180 Netscape Search Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Figure 181 Popup Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Figure 182 Popup Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Figure 183 Allowed Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Figure 184 Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Figure 185 Scripts & Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Figure 186 Example VPN Initiator IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Figure 187 Example VPN Responder IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Tables

Table 1 Feature specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Table 2 Wizard Screen 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 3 Internet connection with PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Table 4 Internet connection with RFC 1483 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Table 5 Internet connection with ENET ENCAP . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Table 6 Internet connection with PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Table 7 Wizard: LAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Table 8 System general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Table 9 DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 10 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Table 11 Default Time Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Table 12 Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Table 13 ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Table 14 LAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Table 15 Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Table 16 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Table 17 WAN: Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Table 18 WAN: WAN ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Table 19 WAN: IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Table 20 Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Table 21 Dial Backup Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 22 Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Table 23 NAT definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Table 24 NAT mapping type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Table 25 Services and port numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Table 26 SUA/NAT setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Table 27 Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Table 28 Address Mapping edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Table 29 Trigger Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Table 30 IP Static Route summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Table 31 Edit IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Table 32 Common IP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Table 33 ICMP commands that trigger alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Table 34 Legal NetBIOS commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Table 35 Legal SMTP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Table 36 Firewall rules summary: First screen . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Table 37 Creating and editing a firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Table 38 Adding or editing source and destination addresses . . . . . . . . . . . . . . . 181
Table 39 Creating/Editing A Custom Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Table 40 Predefined services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Table 41 Attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Table 42 Content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Table 43 VPN Screens overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Table 44 VPN Screens Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Table 45 AH and ESP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Table 46 VPN and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Table 47 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table 48 VPN Contivity Client rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Table 49 VPN Contivity Client advanced rule setup . . . . . . . . . . . . . . . . . . . . . . . 217
Table 50 Local ID type and content fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Table 51 Peer ID type and content fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Table 52 Matching ID type and content configuration example . . . . . . . . . . . . . . 220
Table 53 Mismatching ID Type and Content Configuration Example . . . . . . . . . . 220
Table 54 VPN Branch Office rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Table 55 VPN Branch Office — IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Table 56 VPN Branch Office — IP Policy - Port Forwarding Server . . . . . . . . . . . 237
Table 57 VPN Branch Office Advanced Rule Setup . . . . . . . . . . . . . . . . . . . . . . . 242
Table 58 VPN SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Table 59 VPN Global Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Table 60 VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Table 61 VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . . 253
Table 62 VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Table 63 VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Table 64 My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Table 65 My Certificate Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Table 66 My Certificate create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Table 67 My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Table 68 Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Table 69 Trusted CA import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Table 70 Trusted CA details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Table 71 Trusted Remote Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Table 72 Trusted remote host import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Table 73 Trusted remote host details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Table 74 Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Table 75 Directory server add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Table 76 Application and Subnet based Bandwidth Management Example . . . . . 301
Table 77 Bandwidth Manager: Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Table 78 Bandwidth Manager: Class Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Table 79 Bandwidth Manager: Edit class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Table 80 Services and port numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Table 81 Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Table 82 Bandwidth manager monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Table 83 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Table 84 Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Table 85 Local User database edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Table 86 Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Table 87 Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Table 88 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Table 89 WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Table 90 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Table 91 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Table 92 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Table 93 SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Table 94 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Table 95 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Table 96 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Table 97 Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Table 98 UPnP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Table 99 View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Table 100 Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Table 101 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Table 102 Web site hits report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Table 103 Protocol/ Port Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Table 104 LAN IP Address Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Table 105 Report Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Table 106 Call Schedule Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Table 107 Call schedule edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Table 108 System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Table 109 System Status: Show Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Table 110 DHCP Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Table 111 Diagnostic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Table 112 Firmware Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Table 113 Restore configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Table 114 Troubleshooting the Start-Up of your Business Secure Router . . . . . . . 411
Table 115 Troubleshooting the LAN LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Table 116 Troubleshooting the LAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Table 117 Troubleshooting the WAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Table 118 Troubleshooting Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Table 119 Troubleshooting Web Site Internet Access . . . . . . . . . . . . . . . . . . . . . . . 414
Table 120 Troubleshooting the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Table 121 Troubleshooting the WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Table 122 Troubleshooting Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . 415
Table 123 System Error Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Table 124 System Maintenance Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Table 125 UPnP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Table 126 Content Filtering Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Table 127 Attack Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Table 128 Access Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Table 129 ACL Setting Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Table 130 ICMP Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Table 131 Sys log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Table 132 Sample IKE Key Exchange Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Table 133 Sample IPSec Logs During Packet Transmission . . . . . . . . . . . . . . . . . 445
Table 134 RFC 2408 ISAKMP Payload Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Table 135 PKI Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Table 136 Certificate Path Verification Failure Reason Codes . . . . . . . . . . . . . . . . 448
Table 137 IEEE 802.1X Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Table 138 Log categories and available settings . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Preface

Before you begin

This guide assists you through the basic configuration of your Business Secure Router for its various applications.
Note: This guide explains how to use the WebGUI to configure your Business Secure Router. See Nortel Business Secure Router 252 Configuration — Advanced (NN47923-501) for how to use the System Management Terminal (SMT) or the command interpreter interface to configure your Business Secure Router. Not all features can be configured through all interfaces.
The WebGUI parts of this guide contain background information on features configurable by the WebGUI and the SMT. For features not configurable by the WebGUI, only background information is provided.

Text conventions

This guide uses the following text conventions:
Enter means type one or more characters and press the enter key. Select or Choose means use one of the predefined choices.
The SMT menu titles and labels are written in Bold Times New Roman font.
Menu choices are written in Bold Arial font.
A single keystroke is written in Arial font and enclosed in square brackets. For instance, [ENTER] means the Enter key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys.
Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.

Related publications

For more information about using the Business Secure Router, refer to the following publications:
Nortel Business Secure Router 252 — Fundamentals (NN47923-301)
This guide helps you get up and running right away. It contains connection information and instructions on getting started.
Nortel Business Secure Router 252 Configuration — Advanced (NN47923-501)
This guide covers how to use the SMT menu to configure your Business Secure Router.
WebGUI Online Help
Embedded WebGUI help is available to provide descriptions of individual screens and supplementary information.

Hard copy technical manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems Web site at www.adobe.com to download a free copy of Adobe Reader.

How to get Help

This section explains how to get help for Nortel products and services.

Getting Help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
download software, documentation, and product bulletins
search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases

Getting Help over the phone from a Nortel Solutions Center

If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following Web site to obtain the phone number for your region:
www.nortel.com/callus

Getting Help from a specialist by using an Express Routing Code

To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
www.nortel.com/erc

Getting Help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Chapter 1 Getting to know your Business Secure Router
This chapter introduces the main features and applications of the Business Secure Router.

Introducing the Business Secure Router

The Business Secure Router is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN).
Your Business Secure Router integrates high-speed 10/100 Megabits per second (Mb/s) autonegotiating LAN interfaces and a high-speed Asymmetrical Digital Subscriber Line Plus (ADSL2+) port into a single package. The Business Secure Router is ideal for high-speed Internet browsing and making LAN-to-LAN connections to remote networks. By integrating Digital Subscriber Line (DSL) and Network Address Translation (NAT), the Business Secure Router provides easy installation and Internet access. By integrating firewall and Virtual Private Network (VPN) capabilities, the Business Secure Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
Using the embedded WebGUI, you can easily set up and manage the Business Secure Router using an Internet browser.

Features

This section lists the key features of the Business Secure Router.
Table 1 Feature specifications
Feature Specification
Number of static routes 12
Number of NAT sessions 4096
Number of SUA (Single User Account) servers 12
Number of address mapping rules 10
Maximum number of VPN IP Policies 60
Maximum number of VPN Tunnels (Client and/or Branch Office) 10
Maximum number of concurrent VPN IPSec Connections 60
Number of IP pools that can be used to assign IP addresses to remote users for VPN client termination
Number of configurable split networks for VPN client termination 16
Number of configurable inverse split networks for VPN client termination 16
Number of configurable subnets per split network for VPN client termination
3
64

Physical features

High-speed Internet access
Your Business Secure Router supports ADSL2+ (Asymmetrical Digital Subscriber Line) for high transmission speeds and long connection distances.
ADSL standards
Multimode standard (ANSI (American National Standards Institute) T1.413, Issue 2; G.dmt (G.992.1 Discrete Multitone Modulation))
EOC (Embedded Operations Channel) specified in ITU-T (Telecommunication Standardization Sector of the International Telecommunications Union) G.992.1
ADSL2 G.dmt.bis (G.992.3)
ADSL2+ (G.992.5)
Extended-reach ADSL (ER ADSL)
SRA (Seamless Rate Adaptation)
Autonegotiating rate adaptation
ADSL physical connection ATM (Asynchronous Transfer Mode) AAL5 (Adaptation Layer type 5)
Multiprotocol over AAL5 (Request For Comments (RFC) 2684/1483)
Support Point-to-Point Protocol over ATM AAL5 (PPPoA) (RFC 2364)
PPP over Ethernet support for DSL (Digital Subscriber Line) connection (RFC 2516)
Support Virtual Circuit (VC) based and LLC (Logical Link Control) based multiplexing
Support OAM (Operational, Administration and Maintenance) VC Hunt
I.610 F4/F5 OAM
Networking compatibility
Your Business Secure Router is compatible with the major ADSL Digital Subscriber Line Access Multiplexer (DSLAM) providers, making configuration as simple as possible.
Multiplexing
The Business Secure Router supports VC-based and LLC-based multiplexing.
Encapsulation
The Business Secure Router supports PPPoA (RFC 2364 - PPP over ATM Adaptation Layer 5), RFC 1483 encapsulation over ATM, MAC (Media Access Control) encapsulated routing (ENET encapsulation) as well as PPP over Ethernet (RFC 2516).
Four-Port switch
A combination of switch and router makes your Business Secure Router a cost-effective and viable network solution. You can connect up to four computers or phones to the Business Secure Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN.
Autonegotiating 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s Ethernet.
Autosensing 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable.
Auxiliary port
The Business Secure Router uses the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection if the broadband connection to the WAN port fails.
Time and date
Using the Business Secure Router, you can get the current time and date from an external server when you turn on your Business Secure Router. You can also set the time manually.

Nonphysical features

Reset button
The Business Secure Router reset button is built into the rear panel. Use this button to restart the Business Secure Router or restore the factory default password to setup, IP address to 192.168.1.1, subnet mask to 255.255.255.0, and DHCP server enabled with a pool of 126 IP addresses starting at 192.168.1.2.
IPSec VPN capability
Establish Virtual Private Network (VPN) tunnels to connect home or office computers to your company network using data encryption and the Internet; thus providing secure communications without the expense of leased site-to-site lines. VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
Nortel Contivity Client Termination
The Business Secure Router supports VPN connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
Certificates
The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
SSH
The Business Secure Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
HTTPS
HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure WebGUI access to the Business Secure Router.
IEEE 802.1x for network security
The Business Secure Router supports the IEEE 802.1x standard for user authentication. With the local user profile in the Business Secure Router, you can configure up to 32 user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server.
Firewall
The Business Secure Router has a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN (Wide Area Network) to the LAN is blocked unless it is initiated from the LAN. The Business Secure Router firewall supports TCP/UDP inspection, DoS detection and protection, real time alerts, reports and logs.
Brute force password guessing protection
The Business Secure Router has a special protection mechanism to discourage brute force password guessing attacks on the Business Secure Router management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
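The mechanism just described (three incorrect passwords, then a wait time that must expire before a fourth attempt is accepted) can be modelled directly. The following is an added Python example and not Nortel's code; the class and field names (LoginGuard, wait_seconds), the injectable clock and the sample credential are this example's own, and the guard is assumed to be kept per management interface.

```python
"""Added example (not Nortel's code): a login guard modelling the manual's
brute-force protection. After MAX_FAILURES incorrect passwords the guard
refuses further attempts until wait_seconds have elapsed. The password check
uses a constant-time comparison so the check itself does not leak timing."""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, List

MAX_FAILURES = 3  # the manual's "three incorrect passwords"


@dataclass
class LoginGuard:
    password: str                       # constructed sample credential
    wait_seconds: float                 # assumed name for the configurable wait time
    clock: Callable[[], float] = time.monotonic
    failures: int = 0
    locked_until: float = 0.0

    def attempt(self, candidate: str) -> str:
        """Return 'ok', 'bad-password' or 'locked' for one login attempt."""
        now = self.clock()
        if now < self.locked_until:
            return "locked"             # wait time has not expired yet
        if hmac.compare_digest(candidate.encode(), self.password.encode()):
            self.failures = 0
            self.locked_until = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            # Third failure: start the wait time and reset the counter.
            self.locked_until = now + self.wait_seconds
            self.failures = 0
        return "bad-password"


def simulate(wait_seconds: float = 60.0) -> List[str]:
    """Drive the guard with a constructed fake clock and return the outcomes:
    three wrong passwords, a correct one that arrives too early, then the
    correct one again after the wait time has expired."""
    fake_now = [0.0]
    guard = LoginGuard(password="correct horse battery",
                       wait_seconds=wait_seconds,
                       clock=lambda: fake_now[0])
    outcomes = []
    for pw in ("first guess", "second guess", "third guess", "correct horse battery"):
        outcomes.append(guard.attempt(pw))
    fake_now[0] += wait_seconds         # the wait time expires
    outcomes.append(guard.attempt("correct horse battery"))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the fourth attempt refused as "locked" even though the password is correct, and the same password accepted once the wait time has passed; that refusal, not the password comparison, is what slows an online guessing attack down.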
Content filtering
The Business Secure Router can block web features such as ActiveX controls, Java applets, and cookies, as well as disable web proxies. The Business Secure Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled.
Packet filtering
The packet filtering mechanism blocks unwanted traffic from entering or leaving your network.
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the Business Secure Router and other UPnP-enabled devices can dynamically join a network, obtain an IP address, and convey their capabilities to other devices on the network.
Call scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks through a familiar dial-up networking user interface.
Dynamic DNS support
With Dynamic DNS (Domain Name System) support, you can have a static host name alias for a dynamic IP address, so the host is more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
IP Multicast
The Business Secure Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The Business Secure Router supports versions 1 and 2.
IP Alias
Using IP Alias, you can partition a physical network into logical networks over the same Ethernet interface. The Business Secure Router supports three logical LAN interfaces through its single physical Ethernet LAN interface with the Business Secure Router itself as the gateway for each LAN network.
Central Network Management
With Central Network Management (CNM), an enterprise or service provider network administrator can manage your Business Secure Router. The enterprise or service provider network administrator can configure your Business Secure Router, perform firmware upgrades, and do troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network. The Business Secure Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).
Network Address Translation (NAT)
NAT (Network Address Translation, RFC 1631) translates multiple IP addresses used within one network to different IP addresses known within another network.
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
With DHCP (Dynamic Host Configuration Protocol), individual client computers can obtain their TCP/IP configuration at start-up from a centralized DHCP server. The Business Secure Router has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway, and DNS servers to all systems that support the DHCP client. The Business Secure Router can also act as a surrogate DHCP server, where it relays IP address assignment from another DHCP server to the clients.
Full network management
The embedded web configurator is a platform-independent, web-based utility that you can use to easily manage and configure the Business Secure Router. Most functions of the Business Secure Router are also configurable through the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a Telnet connection.
Logging and tracing
The Business Secure Router supports the following logging and tracing functions to help with management:
Built in message logging and packet tracing
Unix syslog facility support
Upgrade Business Secure Router Firmware
The firmware of the Business Secure Router can be upgraded through the console port or the LAN.
Embedded FTP and TFTP Servers
The embedded FTP and TFTP servers enable fast firmware upgrades, as well as configuration file backups and restoration.

Applications for the Business Secure Router

Secure broadband internet access and VPN

The Business Secure Router provides broadband Internet access through ADSL. The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management.
The Business Secure Router VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need (and expense) of leased lines between sites. The LAN computers can share the VPN tunnels for secure connections to remote computers.
Figure 1 Secure Internet Access and VPN Application

Hardware Setup

Refer to Nortel Business Secure Router 252 — Fundamentals (NN47923-301) for hardware connection instructions.
Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment.
After installing your Business Secure Router, continue with the rest of this guide for configuration instructions.
Caution: Electro-static Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD. Avoid touching the connectors on the router, particularly when it is in use.
Note: Please use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
Chapter 2 Introducing the WebGUI
This chapter describes how to access the Business Secure Router WebGUI and provides an overview of its screens.

WebGUI overview

The WebGUI is an HTML based management interface that a user can use for easy setup and management of the Business Secure Router through an Internet browser.
Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the WebGUI you need to allow:
Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
JavaScript (enabled by default).
Java permissions (enabled by default).
See “Allowing Pop-up Windows, JavaScript and Java Permissions” on page 416 if you want to make sure these functions are allowed in Internet Explorer.

Accessing the Business Secure Router WebGUI

Make sure your Business Secure Router hardware is properly connected and prepare your computer and computer network to connect to the Business Secure Router. Refer to Nortel Business Secure Router 252 — Fundamentals (NN47923-301).
1 Launch your web browser.
2 Type 192.168.1.1 as the URL.
3 Type the username (“nnadmin” is the default) and the password (“PlsChgMe!” is the default) and click Login. Click Reset to clear any information you have entered in the Username and Password fields.
Figure 2 Login screen
4 A screen asking you to change your password (highly recommended) appears, as shown in Figure 3. Type a new password (and retype it to confirm) and click Apply, or click Ignore.
Figure 3 Change password screen
5 Click Apply in the Replace Certificate screen to create a certificate, specific to this device, using your Business Secure Router MAC address.
Figure 4 Replace certificate screen
The MAIN MENU screen appears.
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back on to the Business Secure Router if this happens to you.

Restoring the factory-default configuration settings

If you just want to restart the Business Secure Router, press the rear panel RESET button for one to three seconds.
If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the Business Secure Router to restore the factory-default configuration. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously, and the speed of the console port will be reset to the default of 9600 bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to “PlsChgMe!”.

Procedure to use the reset button

Press the rear panel RESET button for longer than three seconds to return the Business Secure Router to the factory defaults.

Uploading a configuration file through console port

1 Download the default configuration file from the Nortel FTP site, unzip it and save it in a folder.
2 Turn off the Business Secure Router, begin a terminal emulation software session and turn on the Business Secure Router again. When you see the message Press Any key to enter Debug Mode within 3 seconds, press any key to enter debug mode.
3 Enter y at the prompt to go into debug mode.
4 Enter atlc after the Enter Debug Mode message displays.
5 Wait for the Starting XMODEM upload message before activating Xmodem upload on your terminal. Figure 5 is an example of an Xmodem configuration upload using HyperTerminal.
6 Click Transfer, then Send File to display the screen illustrated in Figure 5.
Figure 5 Example Xmodem Upload
7 After the firmware uploads successfully, enter atgo to restart the router.

Navigating the Business Secure Router WebGUI

Follow the instructions in the MAIN MENU screen or click the help icon (located in the top right corner of most screens) to view online help.
Note: The help icon does not appear in the MAIN MENU screen.
Figure 6 MAIN MENU Screen
Click the Contact link to display the customer support contact information. Figure 7 is a sample of what displays.
Figure 7 Contact Support
Chapter 3 Wizard setup
This chapter provides information on the Wizard screens in the WebGUI.

Wizard overview

The setup wizard in the WebGUI helps you configure your device to access the Internet. The second screen has three variations, depending on which encapsulation type you use. Refer to your ISP checklist in the Nortel Business Secure Router 252 — Fundamentals (NN47923-301) to know what to enter in each field. Leave a field blank if you do not have the required information.

Encapsulation

Be sure to use the encapsulation method required by your ISP. The Business Secure Router supports the following methods.

ENET ENCAP

The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol. IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment. For instance, the Business Secure Router encapsulates routed Ethernet frames into bridged ATM cells. ENET ENCAP requires that you specify a gateway IP address in the ENET ENCAP Gateway field in the second wizard screen. You can get this information from your ISP.

PPP over Ethernet

PPP over Ethernet (PPPoE) provides access control and billing functionality in a manner similar to dial-up services using PPP. The Business Secure Router bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM (Asynchronous Transfer Mode) PVC (Permanent Virtual Circuit), which connects to an ADSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information about PPPoE, see the PPPoE appendix in the Nortel Business Secure Router 252 Configuration — Advanced guide.

PPPoA

A Point to Point Protocol over ATM Adaptation Layer 5 (PPPoA) connection functions like a dial-up Internet connection. The Business Secure Router encapsulates the PPP session based on RFC 1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider (ISP) DSLAM (Digital Subscriber Line Access Multiplexer). For more information about PPPoA, refer to RFC 2364. For more information about PPP, refer to RFC 1661.

RFC 1483

RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 (AAL5). Using the first method, you can multiplex multiple protocols over a single ATM virtual circuit (LLC-based multiplexing). The second method assumes that each protocol is carried over a separate ATM virtual circuit (VC-based multiplexing). For more detailed information, see RFC 1483.

Multiplexing

There are two conventions to identify which protocols the virtual circuit (VC) carries. Be sure to use the multiplexing method required by your ISP.

VC-based multiplexing

In this case, by prior mutual agreement, each protocol is assigned to a specific virtual circuit; for example, VC1 carries IP. VC-based multiplexing can be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical.

LLC-based multiplexing

In this case, one VC carries multiple protocols with protocol-identifying information being contained in each packet header. Despite the extra bandwidth and processing overhead, this method can be advantageous if it is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous VCs.

VPI and VCI

Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. The valid range for the VPI is 0 to 255 and 32 to 65535 for the VCI (0 to 31 is reserved for local management of ATM traffic).

Wizard setup configuration: first screen

In the Site Map screen, click Wizard Setup to display the first wizard screen.
Figure 8 Wizard Screen 1
Table 2 describes the fields in Figure 8.
Table 2 Wizard Screen 1
Label: Description
Mode: From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise, select Bridge.
Encapsulation: Select the encapsulation type your ISP uses from the Encapsulation drop-down list box. Choices vary depending on what you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP, or PPPoE.
Multiplex: Select the multiplexing method used by your ISP from the Multiplex drop-down list box, either VC-based or LLC-based.
Virtual Circuit ID: VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit.
VPI: Enter the VPI assigned to you. This field can already be configured.
VCI: Enter the VCI assigned to you. This field can already be configured.
Next: Click this button to go to the next wizard screen. The next wizard screen you see depends on which encapsulation you chose above.

IP address and subnet mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, you most likely have a single user account and the ISP assigns you a dynamic IP address when the connection is established. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; do not use any other number unless you are told otherwise. For example, you select 192.168.1.0 as the network number, which covers 254 individual addresses from 192.168.1.1 to 192.168.1.254 (0 and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.
After you select the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your Business Secure Router. Make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your Business Secure Router computes the subnet mask automatically based on the IP address that you entered. You do not need to change the subnet mask computed by the Business Secure Router unless you are instructed to do so.

IP address assignment

A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP. However, the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway.

IP assignment with PPPoA or PPPoE encapsulation

If you have a dynamic IP, the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.

IP assignment with RFC 1483 encapsulation

In this case, the IP address assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above.

IP assignment with ENET ENCAP encapsulation

In this case, you can have either a static or dynamic IP. For a static IP, you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP. However, for a dynamic IP, the Business Secure Router acts as a DHCP client on the WAN and so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A) as the DHCP server assigns them to the Business Secure Router.
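The rules in the first wizard screen (Table 2), the VPI and VCI ranges, and the three IP assignment cases above are all simple enough to check before anything is typed into the device. The following is an added Python example, not Nortel's code or the router's own validation: it rejects encapsulations that are not offered in the selected mode, VPI or VCI values outside the permitted ranges, and then reports which of the IP Address and ENET ENCAP Gateway fields apply for a given encapsulation. The class, function and message names are this example's own.

```python
"""Added example (not Nortel's code): validation of the first wizard screen
and of which IP fields apply per encapsulation, following the manual's rules."""
from dataclasses import dataclass
from typing import Dict, List

# Encapsulations offered in each Mode (Table 2).
ENCAPS_BY_MODE = {
    "Bridge": {"PPPoA", "RFC 1483"},
    "Routing": {"PPPoA", "RFC 1483", "ENET ENCAP", "PPPoE"},
}
MULTIPLEX_METHODS = ("VC-based", "LLC-based")
VPI_RANGE = range(0, 256)        # valid VPI: 0 to 255
VCI_RANGE = range(32, 65536)     # valid VCI: 32 to 65535; 0 to 31 reserved for ATM management


@dataclass(frozen=True)
class WizardScreen1:
    mode: str
    encapsulation: str
    multiplex: str
    vpi: int
    vci: int


def validate_screen1(s: WizardScreen1) -> List[str]:
    """Return the list of problems with the screen; empty means it is acceptable."""
    errors: List[str] = []
    allowed = ENCAPS_BY_MODE.get(s.mode)
    if allowed is None:
        errors.append(f"Mode must be Routing or Bridge, not {s.mode!r}")
    elif s.encapsulation not in allowed:
        errors.append(f"{s.encapsulation} is not offered in {s.mode} mode")
    if s.multiplex not in MULTIPLEX_METHODS:
        errors.append(f"Multiplex must be VC-based or LLC-based, not {s.multiplex!r}")
    if s.vpi not in VPI_RANGE:
        errors.append(f"VPI {s.vpi} is outside 0 to 255")
    if s.vci not in VCI_RANGE:
        errors.append(f"VCI {s.vci} is outside 32 to 65535 (0 to 31 are reserved)")
    return errors


def ip_fields(encapsulation: str, static_ip: bool) -> Dict[str, bool]:
    """Which of the IP Address and ENET ENCAP Gateway fields must be filled in.

    PPPoA/PPPoE: dynamic IP needs neither field; static IP needs IP Address only.
    RFC 1483: the address must be static, with the same field requirements.
    ENET ENCAP: static IP needs both fields; dynamic IP (router is a DHCP client
    on the WAN) needs neither."""
    if encapsulation in ("PPPoA", "PPPoE"):
        return {"IP Address": static_ip, "ENET ENCAP Gateway": False}
    if encapsulation == "RFC 1483":
        if not static_ip:
            raise ValueError("RFC 1483 encapsulation requires a static IP address")
        return {"IP Address": True, "ENET ENCAP Gateway": False}
    if encapsulation == "ENET ENCAP":
        return {"IP Address": static_ip, "ENET ENCAP Gateway": static_ip}
    raise ValueError(f"unknown encapsulation {encapsulation!r}")


if __name__ == "__main__":
    # Constructed sample entries: one acceptable, one with two problems.
    print(validate_screen1(WizardScreen1("Routing", "PPPoE", "LLC-based", 8, 35)))
    print(validate_screen1(WizardScreen1("Bridge", "PPPoE", "VC-based", 0, 31)))
    print(ip_fields("ENET ENCAP", static_ip=True))
```

The VPI and VCI values in the sample are constructed; use the ones your ISP assigned.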

Private IP addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
10.0.0.0 — 10.255.255.255
172.16.0.0 — 172.31.255.255
192.168.0.0 — 192.168.255.255
You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, consult your network administrator for the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information about address assignment, refer to Address Allocation for Private Internets (RFC 1597) and Guidelines for Management of IP Address Space (RFC 1466).

Nailed-up connection (only with PPP)

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The Business Secure Router does two things when you specify a nailed-up connection. First, idle timeout is disabled. Second, the Business Secure Router tries to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be expensive if you are billed by your Internet connection usage time.
Do not specify a nailed-up connection unless your telephone company offers flat-rate service, or you need a constant connection and the cost is of no concern.
NAT
Network Address Translation (NAT) is the translation of the IP address of a host in a packet, for example the source address of an outgoing packet, from an address used within one network to a different IP address known within another network.

Wizard setup configuration: second screen

The second wizard screen varies depending on which mode and encapsulation type you use. All screens shown use the routing mode. Configure the fields and click Next to continue.
Figure 9 Internet connection with PPPoA
Table 3 describes the fields in Figure 9.
Table 3 Internet connection with PPPoA
Label: Description
User Name: Enter the logon name your ISP gave you.
Password: Enter the password associated with the username above.
IP Address: This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Click Obtain an IP Address Automatically if you have a dynamic IP address; otherwise click Static IP Address and type your ISP-assigned IP address in the IP Address text box below.
Connection: Select Connect on Demand if you do not want the connection up all the time and specify an idle time-out (in seconds) in the Max. Idle Timeout field. The default setting selects Connection on Demand with 0 as the idle time-out, which means the Internet session does not time out. Select Nailed-Up Connection if you want your connection up all the time. The Business Secure Router tries to bring up the connection automatically if it is disconnected. The schedule rules in SMT menu 26 have priority over your Connection settings.
Network Address Translation: This option is available if you select Routing in the Mode field. Select None, SUA Only, or Full Feature from the drop-down list box. For more details, see Chapter 8, “Network Address Translation (NAT) Screens,” on page 129.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
Figure 10 Internet connection with RFC 1483
Table 4 describes the fields in Figure 10.
Table 4 Internet connection with RFC 1483
Label: Description
IP Address: This field is available if you select Routing in the Mode field. Type your ISP-assigned IP address in this field.
Network Address Translation: Select None, SUA Only, or Full Feature from the drop-down list box. For more details, see Chapter 8, “Network Address Translation (NAT) Screens,” on page 129.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
Figure 11 Internet connection with ENET ENCAP
Table 5 describes the fields in Figure 11.
Table 5 Internet connection with ENET ENCAP
Label: Description
IP Address: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise select Static IP Address and type your ISP-assigned IP address in the IP Address text box below.
Subnet Mask: Enter a subnet mask in dotted decimal notation. If you are implementing subnetting, see the IP subnetting appendix in the Nortel Business Secure Router 252 Configuration — Advanced guide.
ENET ENCAP Gateway: You must specify a gateway IP address (supplied by your ISP) when you use ENET ENCAP in the Encapsulation field in the previous screen.
Network Address Translation: Select None, SUA Only, or Full Feature from the drop-down list box. For more details, see Chapter 8, “Network Address Translation (NAT) Screens,” on page 129.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
Figure 12 Internet connection with PPPoE
Table 6 describes the fields in Figure 12.
Table 6 Internet connection with PPPoE
Label: Description
Service Name: Type the name of your PPPoE service here.
User Name: Enter the username exactly as your ISP assigned. If assigned a name in the form user@domain, where domain identifies a service name, then enter both components exactly as given.
Password: Enter the password associated with the username above.
IP Address: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise select Static IP Address and type your ISP-assigned IP address in the IP Address text box below.
Connection: Select Connect on Demand if you do not want the connection up all the time and specify an idle time-out (in seconds) in the Max. Idle Timeout field. The default setting selects Connection on Demand with 0 as the idle time-out, which means the Internet session does not time out. Select Nailed-Up Connection if you want your connection up all the time. The Business Secure Router tries to bring up the connection automatically if it is disconnected. The schedule rules in SMT menu 26 have priority over your Connection settings.
Network Address Translation: Select None, SUA Only, or Full Feature from the drop-down list box. For more details, see Chapter 8, “Network Address Translation (NAT) Screens,” on page 129.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.

DHCP setup

Using DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients can obtain their TCP/IP configuration from a server. You can configure the Business Secure Router as a DHCP server. When configured as a server, the Business Secure Router provides the TCP/IP configuration for the clients. If you turn the DHCP service off, you must have another DHCP server on your LAN, or else the computers must be configured manually.

IP pool setup

The Business Secure Router is preconfigured with a pool of IP addresses for the client machines.
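The LAN plan the wizard asks for (router IP address, subnet mask, DHCP pool start and size) is worth checking against the addressing rules given earlier in this chapter: the router address should come from one of the three private blocks, the mask should match the network number, and the pool must not spill outside the subnet or collide with the router, network or broadcast address. The following is an added Python example, not Nortel's code or the router's own logic; it assumes that the mask the router "computes automatically" is the classful default (which gives 255.255.255.0 for 192.168.1.1), and the function and message names are this example's own. It is checked against the factory defaults the manual states (192.168.1.1, mask 255.255.255.0, a pool of 126 addresses starting at 192.168.1.2).

```python
"""Added example (not Nortel's code): sanity checks for a LAN address plan,
following the private-address, subnet and DHCP pool rules in the manual."""
import ipaddress
from typing import List, Optional

# The three private blocks the manual lists (reserved by IANA, RFC 1597).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: ipaddress.IPv4Address) -> bool:
    """True if addr falls inside one of the three reserved private blocks."""
    return any(addr in block for block in PRIVATE_BLOCKS)


def default_mask(addr: str) -> str:
    """Classful default mask from the first octet. This is an assumption about
    how the router derives the mask from the address you enter."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"        # class A
    if first < 192:
        return "255.255.0.0"      # class B
    if first < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{addr} is not a unicast class A, B or C address")


def check_lan_plan(router_ip: str, pool_start: str, pool_size: int,
                   mask: Optional[str] = None) -> List[str]:
    """Return the problems found with the plan; an empty list means it is sound."""
    errors: List[str] = []
    mask = mask or default_mask(router_ip)
    iface = ipaddress.ip_interface(f"{router_ip}/{mask}")
    net = iface.network
    router = iface.ip

    if not is_private(router):
        errors.append(f"router address {router} is not in a private block")
    if router in (net.network_address, net.broadcast_address):
        errors.append(f"router address {router} is the network or broadcast address of {net}")

    if pool_size < 1:
        errors.append("DHCP pool size must be at least 1")
        return errors
    start = ipaddress.ip_address(pool_start)
    end = start + (pool_size - 1)          # last address handed out
    if start not in net or end not in net:
        errors.append(f"DHCP pool {start}-{end} does not fit inside subnet {net}")
    elif start == net.network_address or end == net.broadcast_address:
        errors.append(f"DHCP pool {start}-{end} includes the network or broadcast address")
    if start <= router <= end:
        errors.append(f"DHCP pool {start}-{end} overlaps the router address {router}")
    return errors


if __name__ == "__main__":
    # Factory defaults from the manual: no problems expected.
    print(check_lan_plan("192.168.1.1", "192.168.1.2", 126))
    # Constructed bad plan: a pool of 100 starting at .200 runs past the /24.
    print(check_lan_plan("192.168.1.1", "192.168.1.200", 100))
```

Run it before applying a non-default LAN plan; a pool that overlaps the router address or runs past the subnet is the kind of mistake that only shows up later as clients that cannot reach the gateway.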

Wizard setup configuration: third screen

1 Verify the settings in the following screen. To change the LAN information on the Business Secure Router, click Change LAN Configurations. Otherwise click Save Settings to save the configuration and skip to “Test your Internet connection” on page 69.
Figure 13 Wizard Screen 3
2 To change your Business Secure Router LAN settings, click Change LAN Configuration to display the following screen.
Note: If you change the Business Secure Router LAN IP address, you must use the new IP address to access the WebGUI again.
Figure 14 Wizard: LAN configuration
Table 7 describes the fields in Figure 14.
Table 7 Wizard: LAN configuration
Label Description
LAN IP Address: Enter the IP address of your Business Secure Router in dotted decimal notation, for example, 192.168.1.1 (factory default).
LAN Subnet Mask: Enter a subnet mask in dotted decimal notation.
DHCP: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the Business Secure Router provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields.
Select Relay to have the Business Secure Router forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field.
Select None to stop the Business Secure Router from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
Client IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Size of Client IP Pool: This field specifies the size or count of the IP address pool.
DHCP Server Address: Type the IP address of the DHCP server in dotted decimal notation (like 192.168.1.5).
First DNS Server, Second DNS Server, Third DNS Server: Select Obtained From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
Select UserDefined if you have the IP address of a DNS server. Enter the DNS server IP address in the field to the right.
Select DNS Relay to have the Business Secure Router act as a DNS proxy. The Business Secure Router LAN IP address displays in the field to the right (read-only). The Business Secure Router tells the DHCP clients on the LAN that the Business Secure Router itself is the DNS server. When a computer on the LAN sends a DNS query to the Business Secure Router, the Business Secure Router forwards the query to the Business Secure Router system DNS server (configured in the SYSTEM General screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP addresses of devices or web sites in order to access them.
Back: Click Back to go back to the previous screen.
Finish: Click Finish to save the settings and proceed to the next wizard screen.

Wizard setup configuration: connection tests

The Business Secure Router automatically tests the connection to the computers connected to the LAN ports. To test the connection from the Business Secure Router to the ISP and the connected LAN devices, click Start Diagnose. Otherwise click Finish to go back to the site map screen.
Figure 15 Wizard Screen 4

Test your Internet connection

Launch your Web browser and navigate to www.nortel.com. Internet access is just the beginning. For more detailed information on the complete range of features for the Business Secure Router, see the rest of this guide. If you cannot access the Internet, open the WebGUI again to confirm that the Internet settings you configured in the Wizard Setup are correct.
Chapter 4 User Notes

General Notes

There are some router functions that, although performing as expected, might cause some confusion. These are summarized below.
General
1 Default Address Mapping Rules When NAT Full Feature Is First Enabled
When NAT Full Feature is first enabled, two address mapping rules are added to the address mapping table. This is done to facilitate programming, and matches the default SUA rule. The rules can be deleted.
2 Response to Invalid User ID or Password
When the wrong user ID or password is entered into the router login screen, no error message is displayed. Instead, the login screen is simply displayed again.
3 First DHCP Address Reserved for BCM50
The first address of the DHCP Address Pool is reserved for a BCM50 in the subnet, and will not be assigned to any other equipment. Once assigned to a BCM50, it is reserved for that BCM50, and will not be assigned to any other. If the BCM50 is changed, the following command must be used to enable the router to assign the first address to a different BCM50:
ip dhcp enif0 server m50mac clear
4 Login Requires Reboot
If the Administrator Timeout is set to 0, and an administration session is terminated without logging off, the router needs to be rebooted in order for the administrator to log in to the WebGUI again. Alternatively, the administrator can log in using a Telnet session, if Telnet access has been enabled in the Remote Management menu. Telnet carries the administrator password in cleartext, so where SSH access to the router is enabled, use that instead, and in either case keep the Administrator Timeout non-zero so that an abandoned session expires on its own.
5 Clicking Sound
The Business Secure Router will click once every two minutes until an ADSL line is connected.
Firewall
1 Address Range Validation
In the firewall rules, the router does not check, when given an address range, that the second address is higher than the first. If an inverted range is entered, the router accepts it but ignores the range, so the rule silently matches nothing.
2 Automatic Firewall Programming
Configuration changes in other areas of the router, such as enabling remote management or adding a SUA Server, do not automatically add the corresponding firewall rules that allow the traffic through the router. These rules need to be added separately.
Note: Firewall rules do not apply to IPSec tunnels. Traffic arriving through a tunnel is controlled only by the tunnel's IP policy, so keep the local and remote address ranges in each policy as narrow as the sites require.
NAT
1 Deleting NAT Rule Does Not Drop an Existing Connection
If a NAT rule is deleted, the router must be rebooted to apply the change to existing service connections. This is already noted in the GUI.
2 NAT Traversal Status
If NAT Traversal is enabled, but is not needed (because the client is not behind a NAT router), it will be shown as 'inactive' in the VPN Client Monitor. This may confuse some users.
VPN Client Termination
1 Change of User Account Does Not Drop Existing Connections
If a VPN Client user account is de-activated, deleted, or changed, and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the 'Disconnect' function in the VPN/SA Monitor GUI. This is consistent with other Nortel Contivity products.
2 User Name Restrictions
User names are limited to a maximum length of 63 characters.
3 VPN Client Account Password Restrictions
The password for a VPN Client user cannot contain the single- or double-quote characters.
4 IP Pool Address Overlap
When defining multiple VPN Client Termination IP pools, the router uses the IP Subnet mask, and not the pool size, to determine if the pools are overlapping. The subnet mask of each pool should be appropriate for the size of the VPN Client Termination IP pool.
5 VPN Client Termination - Failure In Specific Addressing Situation
If the Client has an assigned IP address that is the same as the IP address assigned for the Client Tunnel, the connection will fail to be established.
6 VPN Client Termination - Configuration Restrictions
This router has some restrictions when compared to larger Contivity Routers (1000 Series and above). In particular:
VPN Clients cannot be added to the LAN subnet. They must have addresses outside of the LAN subnet.
VPN Clients can have dynamically assigned IP addresses, or they can have statically assigned addresses. However, the router does not support both modes at once. All addresses must either be dynamically assigned, or they must all be statically assigned.
7 Establishing a Client Tunnel From One Business Secure Router to Another
When defining a Client Termination account for another Business Secure Router that will connect using Contivity Client Emulation, the following configuration is required:
Encryption must be Triple DES with SHA1 integrity, or Triple DES with MD5 integrity.
IKE Encryption must be Triple DES with Diffie-Hellman Group 2.
Perfect Forward Secrecy (PFS) must be enabled.
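Two of the notes above are easy to catch before a rule is entered: a firewall address range whose second address is lower than the first is accepted and then silently ignored, and VPN Client Termination pools are judged overlapping by subnet mask rather than by pool size. The following Python script is an added example, not part of this guide and not router firmware code; it checks both conditions on constructed sample rules and pools in a record layout assumed for the example, since this page does not describe the router's configuration export.

```python
"""Pre-flight checks for two BSR252 behaviours noted above.

Added example, not part of the Nortel guide and not router firmware code.
Rule and pool records are constructed sample data in a layout assumed for
this example.
"""
import ipaddress

# Constructed firewall rules: (rule name, first address, last address).
FIREWALL_RANGES = [
    ("allow-branch", "10.20.0.1", "10.20.0.50"),
    ("allow-mgmt", "10.30.0.99", "10.30.0.10"),  # inverted: the router ignores it
]

# Constructed VPN Client Termination pools:
# (pool name, first address, pool size, subnet mask entered with the pool).
VPN_POOLS = [
    ("pool-a", "172.16.1.1", 50, "255.255.255.0"),
    ("pool-b", "172.16.1.129", 50, "255.255.255.0"),  # same /24 as pool-a by mask
    ("pool-c", "172.16.2.1", 300, "255.255.255.0"),   # 300 addresses overflow a /24
]


def check_firewall_ranges(rules):
    """Names of rules whose last address is lower than the first.

    The router accepts such a range and then ignores it, so the rule
    silently matches nothing; catch it before it is entered.
    """
    return [name for name, first, last in rules
            if ipaddress.IPv4Address(last) < ipaddress.IPv4Address(first)]


def pool_network(first, mask):
    """Subnet the router compares for overlap: first address plus entered mask."""
    return ipaddress.IPv4Network(f"{first}/{mask}", strict=False)


def pool_range(first, size):
    """First and last address actually handed out from the pool."""
    start = ipaddress.IPv4Address(first)
    return start, start + (size - 1)


def check_vpn_pools(pools):
    """Return (overlaps_by_mask, overlaps_by_size, mask_too_small).

    overlaps_by_mask is what the router rejects; overlaps_by_size is the
    real address collision. mask_too_small lists pools whose addresses run
    past the subnet their mask describes, which the note says to avoid.
    """
    by_mask, by_size, too_small = [], [], []
    for name, first, size, mask in pools:
        _, last = pool_range(first, size)
        if last not in pool_network(first, mask):
            too_small.append(name)
    for i, (a_name, a_first, a_size, a_mask) in enumerate(pools):
        for b_name, b_first, b_size, b_mask in pools[i + 1:]:
            if pool_network(a_first, a_mask).overlaps(pool_network(b_first, b_mask)):
                by_mask.append((a_name, b_name))
            a_lo, a_hi = pool_range(a_first, a_size)
            b_lo, b_hi = pool_range(b_first, b_size)
            if a_lo <= b_hi and b_lo <= a_hi:
                by_size.append((a_name, b_name))
    return by_mask, by_size, too_small


if __name__ == "__main__":
    print("inverted firewall ranges:", check_firewall_ranges(FIREWALL_RANGES))
    by_mask, by_size, too_small = check_vpn_pools(VPN_POOLS)
    print("pools the router will reject as overlapping (by mask):", by_mask)
    print("pools that actually collide (by size):", by_size)
    print("pools whose mask is too small for their size:", too_small)
```

On the sample data, pool-a and pool-b never hand out the same address but sit in the same /24, so the router treats them as overlapping; pool-c fits no overlap test but spills past its /24, which is the case the note warns about. Run the checks against your intended pools before entering them, and size each mask to the pool.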
Security
1 Exporting or Saving Self-Signed Certificate
To export or save a self-signed certificate, click details (the icon that looks like a paper note), then click 'Export' or copy the PEM text into the clipboard, and paste into a file.
Routing
1 RIP Version Advertisement Control
To change the version of generated RIP advertisements, use the following CLI command:
ip rip mode [enif0|enif1] [in|out] [0|1|2|3]
where:
'enif0' is the LAN side, and 'enif1' is the WAN side
'in' affects recognition of received advertisements, and
'out' applies to generated advertisements
The number controls the operating mode:
0 None (disabled)
1 RIP-1 only
2 RIP-2 only
3 Both RIP-1 and RIP-2

Advanced Router Configuration

The following notes are intended to help with advanced router configuration.
Setting up the router when the system has a server
1 If you are using a Full-Feature NAT configuration, first do the following:
a In SUA/NAT / Address Mapping, add a 'Server' rule, specifying the 'Public' IP address of the server.
2 For both SUA-Only and Full-Feature NAT configurations, do the following:
a In SUA/NAT / SUA Server, add the server private IP address and port number(s) to the SUA/NAT Server table.
b In FIREWALL, add a WAN-to-LAN rule.
c If the service is not in the list of available services, add it as a 'Custom Port'.
d Add the rule, selecting the service, and entering the server IP address as the destination IP address. Where the remote clients are known, restrict the rule's source addresses to them rather than allowing any WAN source, as the BCM50 remote management procedure below does.
Connecting two sites to establish a virtual private network
The recommended method to do this is through a branch-to-branch IPSec tunnel.
1 In VPN / Summary, add a new tunnel by editing an unused rule. Create an Active, Branch Office tunnel.
a Select 'Nailed Up' if the tunnel should not be closed while not in use.
b Enter the authentication information, with either a pre-shared key or an imported certificate.
c Enter the IP address assigned to the router WAN port (this should be a static address or a dynamic DNS name) and the IP address of the remote router.
d Select the encryption and authentication algorithms.
e Add an IP policy, by specifying the IP address ranges of the local and remote hosts that will use the tunnel.
2 Repeat these steps at the other end of the branch.
Note: If VPN Client Termination is used on these sites, the client termination address range will need to be included in the tunnel policies in order for the VPN clients to see the other site.
Adding IP telephony to a multi-site network
Scenario 1: A BCM50 in the primary site acting as the gateway for both sites
1 Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is connected to the router, and both have booted.
2 Add the IP phones to the primary site as per the BCM50 installation guide.
3 Create a tunnel to the remote site, as described above.
4 In the remote site, set the S1 and S2 addresses to the IP address of the BCM50, which is identified in the router DHCP table or in the BCM50. This is done with a CLI command. Telnet or SSH to the router (this needs Telnet or SSH enabled on that router), select menu 24, then menu 8, and enter the commands:
ip dhcp enif0 server voipserver 1 <BCM50_IP_Address> 7000 1
ip dhcp enif0 server voipserver 2 <BCM50_IP_Address> 7000 1
5 Add the IP phones to the remote site, configured for full DHCP client mode.
Scenario 2: A BCM50 in each site, each acting as the backup call server for the other site
1 At each site:
a Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is connected to the router, and both have booted.
b Add the IP phones to the site as per the BCM50 installation guide.
c At each router, change the S2 address to the IP address of the remote BCM50, using Telnet or SSH and the CLI command:
ip dhcp enif0 server voipserver 2 <Remote_BCM50_IP_Address> 7000 1
2 Create a tunnel between the sites, as described above.
3 Create an H.323 trunk between the BCM50s, as per the BCM50 User Guide.
Configuring the router to act as a Nortel VPN Server (Client Termination)
1 Under VPN / Client Termination:
a Enable Client Termination.
b Select the authentication type and the encryption algorithms supported.
c If the clients are assigned IP addresses from a pool, define the pool, and enable it.
2 Assuming a Local User Database is used for authentication:
a Add the user name and password to the local user database as an IPSec user, and activate it. If the hosts will be assigned a static IP address, enter the address that will be assigned to the user.
Configuring the router to connect to a Nortel VPN Server (Client Emulation)
1 Go to VPN / Summary, and select 'Edit'.
2 Select a connection type of Contivity Client, and fill in the web page with the relevant data.
3 If Group authentication or On-Demand Client Tunnels are needed, click the 'Advanced' button to configure this.
Allowing remote management of a LAN-connected BCM50
1 Create the appropriate NAT server rules to add the BCM50. Go to SUA/NAT / SUA Server, and create two server rules for HTTPS and Element Manager access:
One named BCM_HTTPS, with port number 443, and the IP address of the BCM50
One named BCM_EM, with port number 5989, and the IP address of the BCM50
Note: In DHCP Server mode, the BCM50 IP address will be the lowest address in the pool.
2 Create the appropriate Firewall rules to add BCM50 access. Go to FIREWALL / Summary, and create two WAN-to-LAN firewall rules:
One rule allowing access from the allowed remote computer IP addresses to the BCM50 IP address, for service type HTTPS(TCP:443)
One rule allowing access from the allowed remote computer IP addresses to the BCM50 IP address, for custom port TCP:5989
Setting up the router for guest access
The recommended approach to provide guest access is to create an IP Alias and use static addressing for the corporate equipment, making it a member of the defined Alias subnet. Then use firewall rules to restrict access of the guest equipment. NOTE: if a BCM50 is used, it will also need to be assigned a static IP address.
1 Go to LAN / IP Alias, and Enable IP Alias 1.
2 Define a subnet for the corporate equipment.
3 Statically assign addresses to the corporate equipment that are within the IP Alias subnet.
4 Set up LAN / IP to enable DHCP Server, with an address range that will be used for guest equipment.
5 In the FIREWALL, set up a LAN-to-LAN rule to block traffic between the guest subnet (DHCP Pool) and the corporate subnet (IP Alias subnet).
Note: If branch tunnels are being used, the policies on these tunnels should exclude the guest subnet.
Note: Both subnets share the same physical LAN, so this separation works at the IP layer only. A guest who manually configures an address inside the corporate subnet is not subject to the LAN-to-LAN rule; where that matters, put guests on a separate physical segment.
Preventing heavy data traffic from impacting telephone calls
To ensure voice quality during heavy data traffic, bandwidth needs to be reserved for voice traffic.
1 Determine your actual WAN up-stream bandwidth by connecting to a web site such as http://myvoipspeed.visualware.com/.
2 On BANDWIDTH MANAGEMENT / Summary, activate WAN bandwidth management, and fill in your actual uplink speed in the WAN Speed field.
3 On BANDWIDTH MANAGEMENT / Class Setup, add a WAN subclass, and reserve sufficient bandwidth based on the number of telephones, for Protocol ID 17 (UDP Traffic).
The amount of bandwidth should be based on a reasonable peak number of simultaneous calls, and the data rate needed by the IP telephony CODECs.
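As an added worked example (not from this guide), the following Python computes the per-call rate and the WAN subclass reservation from the codec's payload rate and packetization interval plus the IP/UDP/RTP headers, and the number of calls a measured uplink can carry. G.711 and G.729 figures are the codecs' standard values; the ESP tunnel-mode overhead for 3DES with SHA1 and the 10% headroom are assumptions stated in the code.

```python
"""Voice bandwidth to reserve in the BANDWIDTH MANAGEMENT WAN subclass.

Added example, not from the Nortel guide. G.711 and G.729 payload rates and
the 20 ms packetization interval are the codecs' standard values; IP/UDP/RTP
header sizes are the usual ones. The ESP tunnel-mode overhead and the 10%
headroom are assumptions for this example.
"""

IP_HDR = 20   # IPv4 header without options, bytes
UDP_HDR = 8
RTP_HDR = 12

# codec -> (payload bit rate in bit/s, packetization interval in seconds)
CODECS = {
    "G.711": (64000, 0.020),
    "G.729": (8000, 0.020),
}


def payload_bytes(codec):
    """Voice payload carried in one RTP packet."""
    bit_rate, interval = CODECS[codec]
    return round(bit_rate * interval / 8)


def esp_tunnel_overhead(inner_len, cipher_block=8, iv_len=8, icv_len=12):
    """Assumed per-packet cost of ESP tunnel mode with 3DES and HMAC-SHA1-96:
    outer IPv4 header, ESP header (SPI + sequence), IV, padding to the
    cipher block size, the 2-byte trailer and the ICV."""
    pad = (-(inner_len + 2)) % cipher_block
    return IP_HDR + 8 + iv_len + pad + 2 + icv_len


def call_bps(codec, ipsec=False):
    """Bits per second of one call direction at the IP layer."""
    _, interval = CODECS[codec]
    packet = payload_bytes(codec) + RTP_HDR + UDP_HDR + IP_HDR
    if ipsec:
        packet += esp_tunnel_overhead(packet)
    return packet * 8 * round(1 / interval)


def reserve_kbps(codec, peak_calls, ipsec=False, headroom_pct=10):
    """Kbit/s to reserve for peak_calls simultaneous calls, rounded up.
    The headroom (an assumption) covers RTCP and jitter."""
    total_bps = call_bps(codec, ipsec) * peak_calls * (100 + headroom_pct)
    return -(-total_bps // (1000 * 100))


def max_calls(uplink_kbps, codec, ipsec=False, headroom_pct=10):
    """Simultaneous calls the measured WAN uplink can carry with headroom."""
    per_call = call_bps(codec, ipsec) * (100 + headroom_pct)
    return (uplink_kbps * 1000 * 100) // per_call


if __name__ == "__main__":
    for codec in CODECS:
        print(f"{codec}: {call_bps(codec)} bit/s plain, "
              f"{call_bps(codec, ipsec=True)} bit/s over IPsec")
    print("reserve for 8 G.711 calls:", reserve_kbps("G.711", 8), "kbit/s")
    print("calls a 512 kbit/s uplink carries with G.729:", max_calls(512, "G.729"))
```

A G.711 call costs 80 kbit/s per direction on the plain link and about 102 kbit/s inside the IPsec tunnel; with the assumed headroom one tunnelled G.711 call needs roughly 113 kbit/s, in the same range as the 110 kbps reservation the remote-office procedure below gives for a single UNIStim telephone. Measure the uplink first, as step 1 says, and compare the reservation to it rather than to the ADSL line's nominal rate.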
Setting Up a Remote Office with a UNIStim IP Telephone
For a remote office with a PC and a UNIStim IP telephone behind a Business Secure Router, Client Emulation is the recommended method to connect to the main office.
1 At the main office Contivity Client Server, establish two user accounts, one for the telephone and one for the PC.
2 On the remote office Business Secure Router, do the following:
Under WAN / WAN IP, ensure that Network Address Translation is set to SUA Only (default). Also ensure that the Gateway IP address is set (not 0.0.0.0).
Under VPN / Summary, create an entry for the IP telephone client tunnel (Contivity Client, Active, Keep Alive). Fill in the IP address of the Contivity Client Server, and the name and password of the telephone set user account.
Under VPN / Global Setting, enable Exclusive Mode, and fill in the MAC address of the telephone set.
Under Bandwidth Management, set up WAN bandwidth management to reserve 110 kbps of bandwidth for UDP traffic (protocol ID 17). See the preceding section, “Preventing heavy data traffic from impacting telephone calls.”
3 Provision the IP set with the corporate call server address.
4 On the PC, install the Contivity Client software, and configure it with the PC user account information.

Inter-Operability With Third-Party Routers

VPN Connections With Cisco Routers
When establishing a VPN Client tunnel or Branch Office Tunnel between the Business Secure Router and a Cisco router, the following configuration rules should be followed:
1 Ensure that the WAN IP of the BSR222/252 router and the Cisco router are not in the same subnet.
2 Configure the connection to use DES Encryption and MD5 Authentication.
Note: Single DES (56-bit key) with MD5 is the weakest combination the router offers. Use it only where the Cisco peer cannot negotiate Triple DES with SHA1, the combination required for router-to-router client tunnels above, and prefer the stronger pair whenever both sides support it.
Chapter 5 System screens
This chapter provides information on the System screens.

System overview

This section provides background information on features that you cannot configure in the Wizard.

DNS overview

There are three places where you can configure DNS (Domain Name System) setup on the Business Secure Router.
Use the System General screen to configure the Business Secure Router to use a DNS server to resolve domain names for Business Secure Router system features like VPN, DDNS, and the time server.
Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN.
Use the Remote Management DNS screen to configure the Business Secure Router to accept or discard DNS queries.

Private DNS server

In cases where you want to use domain names to access Intranet servers on a remote private network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP because these DNS servers cannot resolve domain names to private IP addresses on the remote private network.
Figure 16 depicts an example where three VPN tunnels are created from Business Secure Router A; one to branch office 2, one to branch office 3, and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters.
Figure 16 Private DNS server example
Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.

Configuring General Setup

Click SYSTEM to open the General screen.
Figure 17 System general setup
Table 8 describes the fields in Figure 17.
Table 8 System general setup
Label Description
System Name: Choose a descriptive name for identification purposes. Nortel recommends that you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted.
Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP assigns a domain name through DHCP. The domain name entered by you is given priority over the ISP-assigned domain name.
Administrator Inactivity Timer: Type how many minutes a management session (either through the WebGUI or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts can have security risks. A value of 0 means a management session never times out, no matter how long it has been left idle (not recommended; see also the “Login Requires Reboot” note in Chapter 4, which applies when this value is 0).
System DNS Servers (if applicable)
First DNS Server, Second DNS Server, Third DNS Server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The Business Secure Router uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you click Apply. If you chose From ISP for the second or third DNS server, but the ISP does not provide a second or third IP address, From ISP changes to None after you click Apply.
Select User-Defined if you have the IP address of a DNS server. The IP address can be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right.
A User-Defined entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate User-Defined entry changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP addresses when configuring VPN, DDNS and the time server.
Select Private DNS if the DNS server has a private IP address and is located behind a VPN peer. Enter the DNS server's IP address in the field to the right.
With a private DNS server, you must also configure the first DNS server entry in the LAN IP screen to use DNS Relay.
You must also configure a VPN branch office rule since the Business Secure Router uses a VPN tunnel when it relays DNS queries to the private DNS server. The rule must also have an IP policy that includes the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address.
A Private DNS entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate Private DNS entry changes to None after you click Apply.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Dynamic DNS

With Dynamic DNS, you can update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (as in NetMeeting or CU-SeeMe). You can also access your FTP server or Web site on your own computer using a domain name (for instance, myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives can always call you even if they don't know your IP address.
First of all, you must register a dynamic DNS account with, for example www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that still wants a domain name. The Dynamic DNS service provider gives you a password or key.

DYNDNS wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to use, for example, www.yourhost.dyndns.org and still reach your host name.

Configuring Dynamic DNS

Note: If you have a private WAN IP address, you cannot use Dynamic DNS.
To change the DDNS settings, click SYSTEM, then the DDNS tab. The screen illustrated in Figure 18 appears.
Figure 18 DDNS
Table 9 describes the fields in Figure 18.
Table 9 DDNS
Label Description
Active: Select this check box to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Names 1~3: Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (,).
User: Enter your username (up to 31 characters).
Password: Enter the password associated with your username (up to 31 characters).
Enable Wildcard: Select the check box to enable DYNDNS Wildcard.
Off Line: This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
IP Address Update Policy:
DDNS Server Auto Detect IP Address: Select this option only when there are one or more NAT routers between the Business Secure Router and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the Business Secure Router and the DDNS server.
Use Specified IP Address: Select this option to update the IP address of the host names to the IP address specified below. Use this option if you have a static IP address.
Use IP Address: Enter the IP address if you select the Use Specified IP Address option.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to return to the previously saved settings.

Configuring Password

To change the password of your Business Secure Router (recommended), click SYSTEM, then the Password tab. The screen illustrated in Figure 19 appears. Use this screen to change the administrator password and to set the client user name and password.
Figure 19 Password
Table 10 describes the fields in Figure 19.
Table 10 Password
Label Description
Administrator Setting: The administrator can access and configure all of the Business Secure Router's features.
Old Password: Type your existing system administrator password (“PlsChgMe!” is the default password). Because the default is printed in this guide, change it before you enable any remote management access.
New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm: Retype your new system password for confirmation.
Client User Setting: The client user is the person who uses the Business Secure Router's Contivity Client VPN tunnel. The client user can do the following:
Configure the WAN ISP and IP screens.
Configure the VPN Contivity Client settings (except the Advanced screen exclusive use mode for client tunnel and MAC address allowed settings).
View the SA monitor.
Configure the VPN Global Setting screen.
View logs.
View the Maintenance Status screen.
Use the Maintenance F/W Upload and Restart screens.
User Name: Type a username for the client user (up to 31 characters).
New Password: Type a password for the client user (up to 31 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm: Retype the client user password for confirmation.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Predefined NTP time server list

The Business Secure Router uses the predefined list of NTP time servers listed in Table 11 if you do not specify a time server or if it cannot synchronize with the time server you specified.
The Business Secure Router can use this predefined list of time servers regardless of the Time Protocol you select.
When the Business Secure Router uses the predefined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the Business Secure Router goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time servers have been tried.
Tabl e 11 Default Time Servers
a.ntp.alphazed.net
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw

Configuring Time and Date

To change the time and date of your Business Secure Router, click SYSTEM, and then Time and Date. The screen in Figure 20 appears. Use this screen to configure the time based on your local time zone.
Figure 20 Time and Date
Table 1 2 describes the fields in Figure 20.
Tabl e 1 2 Time and Date
Label Description
Current Time and Date
Current Time This field displays the time on your Business Secure Router.
Current Date This field displays the date on your Business Secure Router.
Time and Date Setup
Manual Select this radio button to enter the time and date manually. If you
New Time (hh:mm:ss)
New Date (yyyy-mm-dd)
Get from Time Server
Time Protocol Select the time service protocol that your time server sends when
Time Server Address Enter the IP address or URL of your time server. Check with your
Synchronize Now Click this button to have the Business Secure Router get the time
Each time you reload this page, the Business Secure Router synchronizes the time with the time server.
Each time you reload this page, the Business Secure Router synchronizes the date with the time server.
configure a new time and date, time zone and daylight saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.
This field displays the last updated time from the time server or the last time configured manually. After you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
This field displays the last updated date from the time server or the last date configured manually. After you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Select this radio button to have the Business Secure Router get the time and date from the time server that you specified.
you turn on the Business Secure Router. Not all time servers support all protocols, so you need to check with your ISP or network administrator or use trial and error to find a protocol that works.
The main difference between the protocols is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868).
ISP or network administrator if you are unsure of this information.
and date from a time server (see the Time Server Address field). This also saves your changes (including the time server address).
Page 93
Chapter 5 System screens 93
Tabl e 1 2 Time and Date
Label Description
Time Zone Setup
Time Zone Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Enable Daylight Saving Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Select this option if you use Daylight Saving Time.
Start Date Configure the day and time when Daylight Saving Time starts if you select Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples:
Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 a.m. local time. So, in the United States, select First, Sunday, April and type 2 in the o'clock field.
Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So, in the European Union, select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
End Date Configure the day and time when Daylight Saving Time ends if you select Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples:
Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 a.m. local time. So, in the United States, select Last, Sunday, October and type 2 in the o'clock field.
Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So, in the European Union, select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Apply Click Apply to save your changes to the Business Secure Router.
Reset Click Reset to begin configuring this screen afresh.
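As an added example that is not part of the Nortel manual, the Python below resolves a Start Date or End Date rule (ordinal, weekday, month, o'clock) to a calendar date for a given year and converts it to UTC, which shows why the US rule fires at a different UTC instant in each time zone while the EU rule fires at the same one. The ordinal and weekday option names and the sample year 2006 are assumptions.

```python
from datetime import date, datetime, timedelta

# Option names assumed to match the Start Date / End Date drop-downs.
WEEKDAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
            "Friday": 4, "Saturday": 5, "Sunday": 6}
ORDINALS = ["First", "Second", "Third", "Fourth"]  # "Last" is handled separately


def nth_weekday(year, month, weekday, ordinal):
    """Date of, for example, the 'First' 'Sunday' of April in the given year."""
    wd = WEEKDAYS[weekday]
    if ordinal == "Last":
        # Start at the last day of the month and walk back to the wanted weekday.
        first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
        d = first_of_next - timedelta(days=1)
        while d.weekday() != wd:
            d -= timedelta(days=1)
        return d
    first = date(year, month, 1)
    days_to_first = (wd - first.weekday()) % 7
    return first + timedelta(days=days_to_first + 7 * ORDINALS.index(ordinal))


def switch_local(year, ordinal, weekday, month, oclock):
    """Local date and time at which the router applies the rule (o'clock is 24-hour)."""
    d = nth_weekday(year, month, weekday, ordinal)
    return datetime(d.year, d.month, d.day, oclock)


def switch_utc(year, ordinal, weekday, month, oclock, utc_offset_hours):
    """The same switch expressed in UTC, given the zone's standard offset from GMT."""
    return switch_local(year, ordinal, weekday, month, oclock) - timedelta(hours=utc_offset_hours)


def eu_oclock(utc_offset_hours):
    """o'clock value to type for an EU zone, since the EU switches at 1 a.m. UTC."""
    return (1 + utc_offset_hours) % 24


if __name__ == "__main__":
    # US rule from the table (First Sunday of April, 2 a.m. local) in two zones:
    print(switch_utc(2006, "First", "Sunday", 4, 2, -5))   # Eastern: 2006-04-02 07:00:00
    print(switch_utc(2006, "First", "Sunday", 4, 2, -8))   # Pacific: 2006-04-02 10:00:00
    # EU rule (Last Sunday of March) for Germany (GMT+1) and the UK (GMT):
    print(switch_utc(2006, "Last", "Sunday", 3, eu_oclock(1), 1))  # 2006-03-26 01:00:00
    print(switch_utc(2006, "Last", "Sunday", 3, eu_oclock(0), 0))  # 2006-03-26 01:00:00
```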
ALG
With Application Layer Gateway (ALG), an application can pass through NAT and the firewall. You must also configure NAT and firewall rules depending upon the type of access you want to allow.
Note: You must enable the FTP, H.323 or SIP ALG in order to use bandwidth management on that application.

Configuring ALG

To change the ALG settings of your Business Secure Router, click SYSTEM and then ALG. The screen appears as shown in Figure 21.
Figure 21 ALG
Table 13 describes the labels in Figure 21.
Table 13 ALG
Label Description
Enable FTP ALG Select this check box to allow FTP (File Transfer Protocol) to send and receive files through the Business Secure Router.
Enable H.323 ALG Select this check box to allow applications using H.323 to go through the Business Secure Router.
H.323 is an application layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. H.323 is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
The H.323 ALG does not support H.323 Gatekeeper.
Enable SIP ALG Select this check box to allow SIP (Session Initiation Protocol) applications to go through the Business Secure Router. The Session Initiation Protocol (SIP) is an application layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
To avoid retranslating the SIP device's IP address, do not use the SIP ALG with a SIP device that is using STUN (Simple Traversal of User Datagram Protocol (UDP) through NAT).
Apply Click Apply to save your changes to the Business Secure Router.
Reset Click Reset to begin configuring this screen afresh.
Chapter 6

LAN screens

This chapter describes how to configure LAN settings.

LAN overview

A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, configure RIP and multicast settings, and partition your physical network into logical networks.

DHCP setup

Using DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients can obtain TCP/IP configuration at start-up from a server. You can configure the Business Secure Router as a DHCP server or disable it. When configured as a server, the Business Secure Router provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be configured manually.

IP pool setup

The Business Secure Router is preconfigured with a pool of IP addresses for the DHCP clients (DHCP Pool). Do not assign static IP addresses from the DHCP pool to your LAN computers.
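As an added example, not code from the Nortel manual, the Python below checks a planned LAN layout against this rule: it derives the pool from its start address and size, confirms the pool fits inside the subnet without covering the router's own address, and flags any static host address that falls inside the pool. The router address, mask and pool values are the factory defaults given later in this chapter; the static host list is constructed.

```python
import ipaddress


def dhcp_pool(start, size):
    """The `size` consecutive addresses the DHCP server hands out, beginning at `start`."""
    first = ipaddress.IPv4Address(start)
    return [first + i for i in range(size)]


def check_lan_plan(router_ip, prefix_len, pool_start, pool_size, static_hosts):
    """Return {address: problem} for anything that conflicts with the LAN plan.

    An empty dict means the pool fits inside the subnet and no static host
    collides with the router address or with the DHCP pool.
    """
    net = ipaddress.IPv4Interface(f"{router_ip}/{prefix_len}").network
    router = ipaddress.IPv4Address(router_ip)
    pool = dhcp_pool(pool_start, pool_size)
    problems = {}

    def usable(a):  # a host address in the subnet, not the network or broadcast address
        return a in net and a not in (net.network_address, net.broadcast_address)

    pool_range = f"{pool[0]}-{pool[-1]}"
    if not (usable(pool[0]) and usable(pool[-1])):
        problems[pool_range] = f"DHCP pool does not fit inside {net}"
    elif router in pool:
        problems[pool_range] = "DHCP pool contains the router's own LAN address"

    for host in static_hosts:
        a = ipaddress.IPv4Address(host)
        if not usable(a):
            problems[host] = f"static address is not a usable host address in {net}"
        elif a == router:
            problems[host] = "static address duplicates the router's LAN address"
        elif a in pool:
            problems[host] = "static address lies inside the DHCP pool"
    return problems


if __name__ == "__main__":
    # Factory defaults from this chapter; the static host list is constructed.
    statics = ["192.168.1.100", "192.168.1.200", "192.168.2.5", "192.168.1.1"]
    for addr, why in check_lan_plan("192.168.1.1", 24, "192.168.1.2", 126, statics).items():
        print(f"{addr}: {why}")
```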

DNS servers

Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN.

LAN TCP/IP

The Business Secure Router has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

Factory LAN defaults

The LAN parameters of the Business Secure Router are preset in the factory with the following values:
IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
DHCP server enabled with 126 client IP addresses starting from 192.168.1.2.

These parameters work for the majority of installations. If your ISP gives you explicit DNS server addresses, read the embedded WebGUI help regarding which fields need to be configured.

RIP setup

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received.
RIP Version controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on nonrouter machines since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.

Multicast

Traditionally, IP packets are transmitted in one of two ways—Unicast (1 sender-1 recipient) or Broadcast (1 sender-everybody on the network). Multicast delivers IP packets to a group of hosts on the network—not everybody and not just 1.
IGMP (Internet Group Multicast Protocol) is a network layer protocol used to establish membership in a Multicast group—it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you want to read more detailed information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236). The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
The Business Secure Router supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the Business Secure Router queries all directly connected networks to gather group membership. After that, the Business Secure Router periodically updates this information. IP multicasting can be enabled or disabled on the Business Secure Router LAN, WAN or both interfaces in the WebGUI (LAN; WAN). Select None to disable IP multicasting on these interfaces.

Configuring IP

Click LAN to open the IP screen.
Figure 22 LAN IP