Lancom Systems LCOS 3.50 User Manual

Reference Manual

LANCOM LCOS 3.50

While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM shall be liable only to the degree specified in the terms of sale and delivery.

The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from LANCOM. We reserve the right to make any alterations that arise as the result of technical development.

Trad emarks

Windows

, Windows NT® and Microsoft® are registered trademarks of Microsoft, Corp.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http://www.openssl.org/

The LANCOM logo and the name LANCOM are registered trademarks of LANCOM Systems GmbH. All other names mentioned may be trademarks or registered trademarks of their respective owners.

Subject to change without notice. No liability for technical errors or omissions.

LANCOM Systems GmbH Adenauertrsasse 20 / B2

D-52146 Würselen

Germany

www.lancom.de

Wuerselen, August 2004

 Contents LANCOM Reference Manual LCOS 3.50

Contents

1 Preface 10

2 System design 13

3 Configuration and management 15

3.1 Configuration tools and approaches 15

3.2 Configuration software 16

3.2.1 Configuration using LANconfig 16

3.2.2 Configuration with WEBconfig 18

3.2.3 Configuration using Telnet 19

3.2.4 Configuration using SNMP 20

3.3 Remote configuration via Dial-Up Network 20

3.3.1 This is what you need for ISDN remote configuration 21

3.3.2 The first remote connection using Dial-Up Networking21

3.3.3 The first remote connection using a PPP client and Telnet 21

3.4 LANmonitor—know what's happening 23

3.4.1 Extended display options 24

3.4.2 Monitor Internet connection 24

3.5 Trace information—for advanced users 26

3.5.1 How to start a trace 26

3.5.2 Overview of the keys 27

3.5.3 Overview of the parameters 27

3.5.4 Combination commands 28

3.5.5 Examples 29

3.6 Working with configuration files 29

3.7 New firmware with LANCOM FirmSafe 30

3.7.1 This is how LANCOM FirmSafe works 30

3.7.2 How to load new software 31

3.8 Command line interface 32

3.8.1 Command line reference 33

3.9 Scheduled Events 34

Contents

4 Management 37

4.1 N:N mapping 37

LANCOM Reference Manual LCOS 3.50  Contents

4.1.1 Application examples 38

Contents

4.1.2 Configuration 42

4.1.3 45

5 Diagnosis 46

5.1 LANmonitor—know what's happening 46

5.1.1 Extended display options 46

5.1.2 Monitor Internet connection 47

5.2 Trace information—for advanced users 48

5.2.1 How to start a trace 48

5.2.2 Overview of the keys 49

5.2.3 Overview of the parameters 49

5.2.4 Combination commands 50

5.2.5 Examples 51

6 Security 52

6.1 Protection for the configuration 52

6.1.1 Password protection 52

6.1.2 Login barring 54

6.1.3 Restriction of the access rights on the configuration 55

6.2 Protecting the ISDN connection 58

6.2.1 Identification control 58

6.2.2 Callback 60

6.3 The security checklist 61

7 Routing and WAN connections 64

7.1 General information on WAN connections 64

7.1.1 Bridges for standard protocols 64

7.1.2 What happens in the case of a request from the LAN? 64

7.2 IP routing 66

7.2.1 The IP routing table 66

7.2.2 Local routing 68

7.2.3 Dynamic routing with IP RIP 69

7.2.4 SYN/ACK speedup 73

7.3 The hiding place—IP masquerading (NAT, PAT) 74

7.3.1 Simple masquerading 74

7.3.2 Inverse masquerading 78

7.3.3 Unmasked Internet access for server in the DMZ 79

 Contents LANCOM Reference Manual LCOS 3.50

7.4 N:N mapping 80

7.4.1 Application examples 81

7.4.2 Configuration 85

7.5 Configuration of remote stations 89

7.5.1 Name list 89

7.5.2 Layer list 90

7.6 Establishing connection with PPP 91

7.6.1 The protocol 92

7.6.2 Everything o.k.? Checking the line with LCP 94

7.6.3 Assignment of IP addresses via PPP 94

7.6.4 Settings in the PPP list 96

7.7 Extended connection for flat rates—Keep-alive 97

7.8 Callback functions 98

7.8.1 Callback for Microsoft CBCP 98

7.8.2 Fast callback using the LANCOM process 99

7.8.3 Callback with RFC 1570 (PPP LCP extensions) 100

7.8.4 Overview of configuration of callback function 100

7.9 Channel bundling with MLPPP 101

8 Firewall 104

8.1 Threat analysis 104

8.1.1 The dangers 104

8.1.2 The ways of the perpetrators 105

8.1.3 The methods 105

8.1.4 The victims 106

8.2 What is a Firewall? 107

8.2.1 Tasks of a Firewall 107

8.2.2 Different types of Firewalls 108

8.3 The LANCOM Firewall 114

8.3.1 How the LANCOM Firewall inspects data packets 115

8.3.2 Special protocols 119

8.3.3 General settings of the Firewall 121

8.3.4 Parameters of Firewall rules 125

8.3.5 Alerting functions of the Firewall 131

8.3.6 Strategies for Firewall settings 134

8.3.7 Hints for setting the Firewall 137

8.3.8 Configuration of Firewall rules 141

8.3.9 Firewall diagnosis 151

Contents

LANCOM Reference Manual LCOS 3.50  Contents

8.3.10 Firewall limitations 159

Contents

8.4 Protection against break-in attempts: Intrusion Detection 160

8.4.1 Examples for break-in attempts 160

8.4.2 Configuration of the IDS 161

8.5 Protection against “Denial of Service” attacks 162

8.5.1 Examples of Denial of Service attacks 162

8.5.2 Configuration of DoS blocking 165

8.5.3 Configuration of ping blocking and Stealth mode 166

9 Quality of Service 168

9.1 Why QoS? 168

9.2 Which data packets to prefer? 168

9.2.1 Guaranteed minimum bandwidths 171

9.2.2 Limited maximum bandwidths 172

9.3 The queue concept 172

9.3.1 Queues in transmission direction 172

9.3.2 Queues for receiving direction 175

9.4 Reducing the packet length 176

9.5 QoS parameters for Voice over IP applications 178

9.6 QoS in sending or receiving direction 182

9.7 QoS configuration 183

9.7.1 Evaluating ToS and DiffServ fields 183

9.7.2 Defining minimum and maximum bandwidths 185

9.7.3 Adjusting transfer rates for interfaces 187

9.7.4 Sending and receiving direction 189

9.7.5 Reducing the packet length 189

10 Virtual LANs (VLANs) 192

10.1 What is a Virtual LAN? 192

10.2 This is how a VLAN works 192

10.2.1 Frame tagging 193

10.2.2 Conversion within the LAN interconnection 194

10.2.3 Application examples 195

10.3 Configuration of VLANs 198

10.3.1 The network table 198

10.3.2 The port table 199

10.3.3 Configuration with LANconfig 200

 Contents LANCOM Reference Manual LCOS 3.50

10.3.4 Configuration with WEBconfig or Telnet 201

11 Wireless LAN – WLAN 203

11.1 What is a Wireless LAN? 203

11.1.1 Standardized radio transmission by IEEE 203

11.1.2 Operation modes of Wireless LANs and base stations 206

11.2 Developments in WLAN security 213

11.2.1 Some basic concepts 214

11.2.2 WEP 215

11.2.3 WEPplus 219

11.2.4 EAP and 802.1x 220

11.2.5 TKIP and WPA 223

11.2.6 AES and 802.11i 230

11.2.7 Summary 231

11.3 Protecting the wireless network 232

11.4 Configuration of WLAN parameters 233

11.4.1 WLAN security 234

11.4.2 General WLAN settings 243

11.4.3 The physical WLAN interfaces 244

11.4.4 The logical WLAN interfaces 250

11.4.5 Additional WLAN functions 254

11.5 Establishing outdoor wireless networks 256

11.5.1 Geometrical layout of the transmission path 256

11.5.2 Antenna power 258

11.5.3 Emitted power and maximum distance 261

11.5.4 Transmission power reduction 264

Contents

12 Office communications with LANCAPI 265

12.1 What are the advantages of LANCAPI? 265

12.2 The client and server principle 265

12.2.1 Configuring the LANCAPI server 265

12.2.2 Installing the LANCAPI client 268

12.2.3 Configuration of the LANCAPI clients 269

12.3 How to use the LANCAPI 270

12.4 The LANCOM CAPI Faxmodem 270

LANCOM Reference Manual LCOS 3.50  Contents

13 Server services for the LAN 272

Contents

13.1 Automatic IP address administration with DHCP 272

13.1.1 The DHCP server 272

13.1.2 DHCP—'on', 'off' or 'auto'? 273

13.1.3 How are the addresses assigned? 274

13.2 DNS 277

13.2.1 What does a DNS server do? 277

13.2.2 DNS forwarding 279

13.2.3 Setting up the DNS server 280

13.2.4 URL blocking 283

13.2.5 Dynamic DNS 284

13.3 Call charge management 285

13.3.1 Charge-based ISDN connection limits 285

13.3.2 Time dependent ISDN connection limit 286

13.3.3 Settings in the charge module 287

13.4 The SYSLOG module 287

13.4.1 Setting up the SYSLOG module 288

13.4.2 Example configuration with LANconfig 288

14 Virtual Private Networks—VPN 291

14.1 What does VPN offer? 291

14.1.1 Private IP addresses on the Internet? 293

14.1.2 Secure communications via the Internet? 294

14.2 LANCOM VPN: an overview 295

14.2.1 VPN example application 295

14.2.2 Advantages of LANCOM VPN 296

14.2.3 LANCOM VPN functions 297

14.3 VPN connections in detail 298

14.3.1 LAN-LAN coupling 298

14.3.2 Dial-in connections (Remote Access Service) 299

14.4 What is LANCOM Dynamic VPN? 300

14.4.1 A look at IP addressing 300

14.4.2 This is how LANCOM Dynamic VPN works 301

14.5 Configuration of VPN connections 306

14.5.1 VPN tunnel: Connections between VPN gateways 307

14.5.2 Set up VPN connections with the Setup Wizard 308

14.5.3 Inspect VPN rules 309

14.5.4 Manually setting up VPN connections 309

 Contents LANCOM Reference Manual LCOS 3.50

14.5.5 Prepare VPN network relationships 311

14.5.6 Configuration with LANconfig 314

14.5.7 Configuration with WEBconfig 318

14.5.8 Diagnosis of VPN connections 322

14.6 Specific examples of connections 322

14.6.1 Static/static 323

14.6.2 Dynamic/static 323

14.6.3 Static/dynamic (with LANCOM Dynamic VPN) 324

14.6.4 Dynamic/dynamic (with LANCOM Dynamic VPN) 325

14.7 How does VPN work? 326

14.7.1 IPSec—The basis for LANCOM VPN 327

14.7.2 Alternatives to IPSec 328

14.8 The standards behind IPSec 329

14.8.1 IPSec modules and their tasks 329

14.8.2 Security Associations – numbered tunnels 329

14.8.3 Encryption of the packets – the ESP protocol 330

14.8.4 Authentication – the AH protocol 332

14.8.5 Key management – IKE 335

15 Appendix: Overview of functions for LANCOM models and LCOS

versions 337

Contents

16 Index 338

LANCOM Reference Manual LCOS 3.50  Chapter 1: Preface

1Preface

User’s manual and reference manual

The documentation of your device consists of two parts: The user’s manual and the reference manual.

Preface

 The hardware of the LANCOM devices is documented in the respective

user’s manuals. Apart from a description of the specific feature set of the different models, you find in the user’s manual information about interfaces and display elements of the devices, as well as instructions for basic configuration by means of the wizards.

 You are now reading the reference manual. The reference manual

describes all functions and settings of the current version of LCOS, the operating system of all LANCOM routers and LANCOM Wireless Access Points. The reference manual refers to a certain software version, but not to a special hardware.

It completes the user’s manual and describes topics in detail, which are valid for several models simultaneously. These are for example:

 Systems design of the LCOS operating system  Configuration  Management  Diagnosis  Security  Routing and WAN functions  Firewall  Quality of Service (QoS)  Virtual Private Networks (VPN)  Virtual Local Networks (VLAN)  Backup solutions  LANCAPI  Further server services (DHCP, DNS, charge management)

LCOS, the operating system of LANCOM devices

All LANCOM routers and LANCOM Wireless Access Points use the same operating system: LCOS. The operating system developed by LANCOM itself is not attackable from the outside, and thus offers high security. The consistent use of LCOS ensures a comfortable and constant operation of all LANCOM prod-

 Chapter 1: Preface LANCOM Reference Manual LCOS 3.50

ucts. The extensive feature set is available throughout all LANCOM products (provided respective support by hardware), and continuously receives further enhancements by free, regular software updates.

This reference manual applies to the following definitions of software, hardware and manufacturers:

 ’LCOS’ describes the device-independent operating system  ’LANCOM’ stands as generic term for all LANCOM routers and LANCOM

Wireless Access Points

 ’LANCOM’ stands as shortened form for the manufacturer, LANCOM Sys-

tems GmbH from Würselen, Germany

Validity

The present reference manual applies to all

LANCOM routers and LANCOM

Wireless Access Points with firmware version 3.32 or better. The functions and settings described in this reference manual are not sup-

ported by all models and/or all firmware versions. A table can be found in the appendix denoting the individual functions, from which firmware version they are supported in the respective devices (’Appendix: Overview of functions for LANCOM models and LCOS versions’ →page 337).

Illustrations of devices, as well as screenshots always represent just examples, which need not necessarily correspond to the actual firmware version.

Preface

Security settings

For a carefree use of your device, we recommend to carry out all security settings (e.g. Firewall, encryption, access protection, charge lock), which are not already activated at the time of purchase of your device. The LANconfig wizard ’Check Security Settings’ will support you accomplishing this. Further information regarding this topic can be found in chapter ’Security’ →page 52.

We ask you additionally to inform you about technical developments and actual hints to your product on our Web page www.lancom.de

, and to down-

load new software versions if necessary.

This documentation was compiled …

...by several members of our staff from a variety of departments in order to ensure you the best possible support when using your LANCOM product.

In case you encounter any errors, or just want to issue critics or enhancements, please do not hesitate to send an email directly to:

LANCOM Reference Manual LCOS 3.50  Chapter 1: Preface

info@lancom.de

Our online services ( www.lancom.de) are available to you around the clock should you have any queries regarding the topics discussed in this manual or require any further support. In addition, support from LANCOM Systems is also available to you. Telephone numbers and

Preface

contact information for LANCOM Systems support can be found on a separate insert, or at the LANCOM Systems website.

Notes symbols

Very important instructions. If not followed, damage may result.

Important instruction should be followed.

Additional instructions which can be helpful, but are not required.

Special formatting in body text

Bold Menu commands, command buttons, or text boxes

Code

Inputs and outputs for the display mode

<Value> Placeholder for a specific value

 Chapter 2: System design LANCOM Reference Manual LCOS 3.50

2 System design

The LANCOM operating system LCOS is a collection of different software modules, the LANCOM devices themselves have different interfaces to the WAN and LAN. Depending on the particular application, data packets flow through different modules on their way from one interface to another.

The following block diagram illustrates in abstract the general arrangement of LANCOM interfa ces and LCOS modul es. In the course o f this reference manual the descriptions of the individual functions will refer to this illustration to show important connections of the particular applications and to deduce the resulting consequences.

The diagram can thus explain for which data streams the firewall comes into play, or, in case of address translations (IP masquerading or N:N mapping), at which place which addresses are valid.

Virtual LANs (VLAN)

LAN interfaces

LAN / Switch

WLAN-1

Filter

WLAN-2

Encryption:

802.11i/WPA/WEP

DMZ

PN services

VPN / PPTP

WAN interfaces

DSLoL

connection via LAN/Switch

ADSL

DSL

ISDN

DHCP client / PPP

IP masquerading

IPX over PPTP/VPN

Firewall / IDS / DoS / QoS

N:N mapping

DHCP server, RADIUS, RIP, NTP,

IP router

IP module: NetBIOS, DNS,

SNMP, SYSLOG, SMTP

Configuration & management:

Filter

WEBconfig, Telnet,

IPX router

LANCAPI

Filter

LAN bridge with “isolated mode”

System design

Notes regarding the respective modules and interfaces:

 The IP router takes care of routing data on IP connections between the

interfaces from LAN and WAN.

 The firewall (with the services “Intrusion Detection”, “Denial of Service”

and “Quality of Service”) encloses the IP router like a shield. All connections via the IP router automatically flow through the firewall as well.

 LANCOM devices provide either a separate LAN interface or an integrated

switch with multiple LAN interfaces as interfaces to the LAN.

LANCOM Reference Manual LCOS 3.50  Chapter 2: System design

 LANCOM Wireless access points resp. LANCOM routers with wireless

modules offer additionally one or, depending on the respective model, also two wireless interfaces for the connection of Wireless LANs.

 A DMZ interface enables for some models a ’demilitarized zone’ (DMZ),

which is also physically separated within the LAN bridge from other LAN interfaces.

 The LAN bridge provides a protocol filter that enables blocking of dedi-

System design

cated protocols on the LAN. Additionally, single LAN interfaces can be separated by the “isolated mode”. Due to VLAN functions, virtual LANs may be installed in the LAN bridge, which permit the operating of several logical networks on a physical cabling.

 Applications can communicate with different IP modules (NetBIOS, DNS,

DHCP server, RADIUS, RIP, NTP, SNMP, SYSLOG, SMTP) either via the IP router, or directly via the LAN bridge.

 The functions “IP masquerading” and “N:N mapping” provide suitable IP

address translations between private and public IP ranges, or also between multiple private networks.

 Provided according authorization, direct access to the configuration and

management services of the devices (WEBconfig, Telnet, TFTP) is provided from the LAN and also from the WAN side. These services are protected by filters and login barring, but do not require any processing by the firewall. Nevertheless, a direct access from WAN to LAN (or vice versa) using the internal services as a bypass for the firewall is not possible.

 The IPX router and the LANCAPI access on the WAN side only the ISDN

interface. Both modules are independent from the firewall, which controls only data traffic through the IP router.

 The VPN services (including PPTP) enable data encryption in the Internet

and thereby enable virtual private networks over public data connections.

 Depending on the specific model, either xDSL/Cable, ADSL or ISDN are

available as different WAN interfaces.

 The DSLoL interface (DSL over LAN) is no physical WAN interface, but

more a “virtual WAN interface”. With appropriate LCOS settings, it is possible to use on some models a LAN interface as an additional xDSL/Cable interface.

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

3 Configuration and management

This section will show you the methods and ways you can use to access the device and specify further settings. You will find descriptions on the following topics:

 Configuration tools  Monitoring and diagnosis functions of the device and software  Backup and restoration of entire configurations  Installation of new firmware in the device

3.1 Configuration tools and approaches

LANCOM are flexible devices that support a variety of tools (i.e. software) and approaches (in the form of communication options) for their configuration. First, a look at the approaches.

You can connect to an LANCOM with three different access methods (according to the connections available).

 Through the connected network (LAN as well as WAN—inband)  Through the configuration interface (config interface) on the rear of the

router (also known as outband)

 Remote configuration via ISDN access

What is the difference between these three possibilities?

On one hand, the availability: Configuration via outband is always available. Inband configuration is not possible, however, in the event of a network fault. Remote configuration is also dependent on an ISDN connection.

On the other hand, whether or not you will need additional hardware and software: The inband configuration requires one of the computers already available in the LAN or WAN, as well as only one suitable software, such as LANconfig or WEBconfig (see following section). In addition to the configuration software, the outband configuration also requires a the computers with a serial port. The preconditions are most extensive for ISDN remote configuration: In addition to an ISDN capable LANCOM, an ISDN card is needed in the configuration PC or alternatively, access via LANCAPI to an additional LANCOM that is ISDN capable.

ment

Configuration and manage-

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

3.2 Configuration software

Situations in which the device is configured vary—as do the personal requirements and preferences of the person doing the configuration. LANCOM routers thus feature a broad selection of configuration software:

 LANconfig – nearly all parameters of the LANCOM can be set quickly and

with ease using this menu-based application. Outband, inband and remote configuration are supported, even for multiple devices simultaneously.

 WEBconfig – this software is permanently installed in the router. All that

ment

Configuration and manage-

is required on the workstation used for the configuration is a web browser. WEBconfig is thus independent of operating systems. Inband and remote configuration are supported.

 SNMP – device-independent programs for the management of IP net-

works are generally based on the SNMP protocol. It is possible to access the LANCOM inband and via remote configuration using SNMP.

 Terminal program, Telnet – an LANCOM can be configured with a ter-

minal program via the config interface (e.g. HyperTerminal) or within an IP network (e.g. Telnet).

 TFTP – the file transfer protocol TFTP can to a limited extent also be used

within IP networks (inband and remote configuration).

Please note that all procedures access the same configuration data. For example, if you change the settings in LANconfig, this will also have a direct effect on the values under WEBconfig and Telnet.

3.2.1 Configuration using LANconfig

Start LANconfig by, for example, using the Windows Start menu: Start  Programs  LANCOM  LANconfig. LANconfig will now automatically

search for devices on the local network. It will automatically launch the setup wizard if a device which has not yet been configured is found on the local area network LANconfig.

Find new devices

Click on the Find button or call up the command with Device / Find to initiate a search for a new device manually. LANconfig will then prompt for a location to search. You will only need to specify the local area network if using the inband solution, and then you're off.

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

Once LANconfig has finished its search, it displays a list of all the devices it has found, together with their names and, perhaps a description, the IP address and its status.

The expanded range of functions for professionals

Two different display options can be selected for configuring the devices with LANconfig:

 The 'Simple configuration display' mode only shows the settings required

under normal circumstances.

 The 'Complete configuration display' mode shows all available configura-

tion options. Some of them should only be modified by experienced users.

Select the display mode in the View / Options menu.

Double-clicking the entry for the highlighted device and then clicking the Configure button or the Device / Configure option reads the device's current settings and displays the 'General' configuration selection.

ment

Configuration and manage-

The integrated Help function

The remainder of the program's operation is self-explanatory or you can use the online help. You can click on the 'Help' button top right in any window or right-click on an unclear term at any time to call up context-sensitive help.

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

Management of multiple devices

LANconfig supports multi device remote management. Simply select the desired devices, and LANconfig performs all actions for all selected devices then, one after the other. The only requirement: The devices must be of the same type.

In order to support an easy management, the devices can be grouped together. Therefore, ensure to enable ’Folder Tree’ in the View menu, and group the devices by ’drag an drop’ into the desired folders.

LANconfig shows only those parameters that are suitable for multi

ment

device configuration when more than one device is selected, e.g. MAC Access Control Lists for all LANCOM Wireless Access Points.

Configuration and manage-

3.2.2 Configuration with WEBconfig

You can use any web browser, even text-based, for basic setup of the device. The WEBconfig configuration application is integrated in the LANCOM. All you need is a web browser in order to access WEBconfig.

Functions with any web browser

WEBconfig offers setup wizards similar to LANconfig and has all you need for easy configuration of the LANCOM—contrary to LANconfig but under all operating systems for which a web browser exists.

A LAN or WAN connection via TCP/IP must be established to use WEBconfig. WEBconfig is accessed by any web browser via the IP address of the LANCOM, via the name of the device (if previously assigned), or via any name if the device has not been configured yet.

http://<IP address or device name>

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

Secure with HTTPS

WEBconfig offers an encrypted transmission of the configuration data for secure (remote) management via HTTPS.

https://<IP address or device name>

For maximum security, please ensure to have installed the latest version of your Internet browser. For Windows 2000, LANCOM Systems recommends to use the “High Encryption Pack” or at least Internet Explorer 5.5 with Service Pack 2 or above.

3.2.3 Configuration using Telnet

Start configuration using Telnet, e.g. from the Windows command line with the command:

C:\>telnet 10.0.0.1

Telnet will then establish a connection with the device using the IP address. After entering the password (if you have set one to protect the configuration),

all configuration commands are available.

Change the language of the display.

The terminal can be set to English and German modes. The display language of your LANCOM is set to English at the factory. In the remaining documentation, all configuration commands will be provided in English. To change the display language to German, use the following commands:

Configuration tool Run (when English is the selected language)

WEBconfig Expert configuration  Setup  Config-module  Language

Tel net

TFTP

Certain functions cannot be run at all, or not satisfactorily, with Telnet. These include all functions in which entire files are transferred, for example the uploading of firmware or the saving and restoration of configuration data. In this case TFTP is used.

TFTP is available by default under the Windows 2000 and Windows NT operating systems. It permits the simple transfer of files with other devices across the network.

set /Setup/Config module/Language German

ment

Configuration and manage-

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

The syntax of the TFTP call is dependent on the operating system. With Windows 2000 and Windows NT the syntax is:

tftp -i <IP address Host> [get|put] source [target]

With numerous TFTP clients the ASCII format is preset. Therefore, for the transfer of binary data (e.g. firmware) the binary transfer must usually be explicitly selected.This example for Windows 2000 and Windows NT shows you how to achieve this by using the '-i' parameter.

Configuration and manage-

ment

3.2.4 Configuration using SNMP

The Simple Network Management Protocol (SNMP V.1 as specified in RFC

1157) allows monitoring and configuration of the devices on a network from a single central instance.

There are a number of configuration and management programs that run via SNMP. Commercial examples are Tivoli, OpenView from Hewlett-Packard, SunNet Manager and CiscoWorks. In addition, numerous programs also exist as freeware and shareware.

Your LANCOM can export a so-called device MIB file (Management Informa- tion Base) for use in SNMP programs.

Configuration tool Run

WEBconfig Get Device SNMP MIB (in main menu)

TFTP

tftp 10.0.0.1 get readmib file1

3.3 Remote configuration via Dial-Up Network

The complete section on remote configuration applies only to LANCOM with ISDN interface.

Configuring routers at remote sites is particularly easy using the remote configuration method via a Dial-Up Network from Windows. The device is accessible by the administrator immediately without any settings being made after it is switched on and connected to the WAN interface. This means that you save a lot of time and costs when connecting other networks to your network because you do not have to travel to the other network or instruct the staff on-site on configuring the router.

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

You can also reserve a special calling number for remote configuration. Then the support technician can always access the router even if it is really no longer accessible due to incorrect settings.

3.3.1 This is what you need for ISDN remote configuration

 An LANCOM with an ISDN connection  A computer with a PPP client, e.g. Windows Dial-Up Network  A program for inband configuration, e.g. LANconfig or Telnet  A configuration PC with an ISDN card or access via

LANCAPI

to an

LANCOM with ISDN access.

3.3.2 The first remote connection using Dial-Up Networking

햲 In the LANconfig program select Device / New, enable 'Dial-Up connec-

tion' as the connection type and enter the calling number of the WAN interface to which the LANCOM is connected. If you wish, you can also enter the time period after which an idle connection is to be disconnected automatically.

햳 LANconfig now automatically generates a new entry in the Dial-Up Net-

work. Select a device that supports PPP (e.g. the NDIS-WAN driver included with the LANCAPI) for the connection and press OK to confirm.

ment

Configuration and manage-

햴 Then the LANconfig program will display a new device with the name

'Unknown' and the dial-up call number as the address in the device list.

When an entry in the device list is deleted, the related connection in the Windows Dial-Up Network is also deleted.

햵 You can configure the device remotely just like all other devices.

LANconfig establishes a dial-up connection enabling you to select a configuration.

3.3.3 The first remote connection using a PPP client and Telnet

햲 Establish a connection to the LANCOM with your PPP client using the fol-

lowing details:

 User name 'ADMIN'  The password selected in LANCOM  An IP address for the connection, only if required

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

햳 Open a Telnet session to the LANCOM. Use the following IP address for

this purpose:

 '172.17.17.18', if you have not defined an IP address for the PPP cli-

ent. The LANCOM automatically uses this address if no other address has been defined. The PC making the call will respond to the IP '172.17.17.17'.

 Raise the IP address of the PC by one, if you have defined an address.

Example: You have set the IP '10.0.200.123' for the PPP client, the LANCOM then responds to '10.0.200.124'. Exception: If the digits '254' are at the end of the IP address, the router responds to 'x.x.x.1'.

ment

햴 You can configure the LANCOM remotely just like all other devices.

The default layer for remote field installations

Configuration and manage-

The PPP connection of any other remote site to the router, of course, will only succeed if the device answers every call with the corresponding PPP settings. This is the case using the factory default settings because the default protocol (default layer) is set to PPP.

You may, however, want to change the default layer for LAN-to- LAN connections, for example, to a different protocol after the first configuration run. Then the device will no longer take calls on the dial-up connection using the PPP settings. The solution to this is to agree upon a special calling number for configuration access:

The administrator access for ISDN remote management

If the device receives a call on this number, it will always use PPP, regardless of any other settings made on the router. Only a specific user name which is automatically entered by the LANconfig program during call establishment will be accepted during the PPP negotiations:

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

햲 Switch to the 'Security' tab in the 'Management' configuration section.

ment

Configuration and manage-

햳 Enter a number at your location which is not being used for other pur-

poses in the 'Configuration access' area.

Alternatively, enter the following command:

set /setup/config-module/Farconfig 123456

Always provide additional protection for the settings of the device by setting a password. Alternatively, enter the following command during a Telnet or terminal connection:

passwd

You will then be prompted to enter and confirm a new password.

3.4 LANmonitor—know what's happening

The LANmonitor includes a monitoring tool with which you can view the most important information on the status of your routers on your monitor at any

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

time under Windows operating systems—of all of the LANCOM routers in the network.

Many of the internal messages generated by the devices are converted to plain text, thereby helping you to troubleshoot.

You can also use LANmonitor to monitor the traffic on the router's various interfaces to collect important information on the settings you can use to optimize data traffic.

In addition to the device statistics that can also be read out during a Telnet or terminal session or using WEBconfig, a variety of other useful functions are also available in the LANmonitor, such as the enabling of an additional charge

ment

limit.

With LANmonitor you can only monitor those devices that you can

Configuration and manage-

access via IP (local or remote). With this program you cannot access a router via the serial interface.

3.4.1 Extended display options

Under View / Show Details you can activate and deactivate the following display options:

 Error messages  Diagnostic messages  System information

Many important details on the status of the LANCOM are not displayed until the display of the system information is activated. These include, for example, the ports and the charge management.Therefore, we recommend that interested users activate the display of the system information.

3.4.2 Monitor Internet connection

To demonstrate the functions of LANmonitor we will first show you the types of information LANmonitor provides about connections being established to your Internet provider.

햲 To start LANmonitor, go to Start  Programs  LANCOM 

LANmonitor. Use Device  New to set up a new device and in the fol-

lowing window, enter the IP address of the router that you would like to

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

monitor. If the configuration of the device is protected by password, enter the password too.

Alternatively, you can select the device via the LANconfig and monitor it using Tools / Monitor Device.

햳 LANmonitor automatically creates a new entry in the device list and ini-

tially displays the status of the transfer channels. Start your Web browser and enter any web page you like. LANmonitor now shows a connection being established on one channel and the name of the remote site being called. As soon as the connection is established, a plus sign against the communication channel entry indicates that further information on this channel is available. Click on the plus sign or double-click such entry to open a tree structure in which you can view various information.

ment

Configuration and manage-

In this example, you can determine from the PPP protocol information the IP address assigned to your router by the provider for the duration of the connection and the addresses transmitted for the DNS and NBNS server.

Under the general information you can watch the transmission rates at which data is currently being exchanged with the Internet.

햴 To break the connection manually, click on the active channel with the

right mouse button. You may be required to enter a configuration password.

햵 If you would like a log of the LANmonitor output in file form, select

Device  Properties and go to the 'Logging' tab. Enable logging and

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

specify whether LANmonitor should create a log file daily, monthly, or on an ongoing basis.

3.5 Trace information—for advanced users

Trace outputs may be used to monitor the internal processes in the router during or after configuration. One such trace can be used to display the individual steps involved in negotiating the PPP. Experienced users may interpret these outputs to trace any errors occurring in the establishment of a connection. A particular advantage of this is: The errors being tracked may stem from the configuration of your own router or that of the remote site.

ment

The trace outputs are slightly delayed behind the actual event, but are always in the correct sequence. This will not usually hamper interpre-

Configuration and manage-

3.5.1 How to start a trace

tation of the displays but should be taken into consideration if making precise analyses.

Trace output can be started in a Telnet session, for example. The command to call up a trace follows this syntax:

trace [code] [parameters]

The trace command, the code, the parameters and the combination commands are all separated from each other by spaces. And what is the meaning of these codes and parameters?

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

3.5.2 Overview of the keys

This code... ... in combination with the trace causes the following:

? displays a help text

+ switches on a trace output

- switches off a trace output

# switches between different trace outputs (toggle)

no code displays the current status of the trace

3.5.3 Overview of the parameters

The available traces depend individually on the particular model and can be listed by entering trace with no arguments on the command line.

This parameter... ... brings up the following display for the trace:

Status status messages for the connection

Error error messages for the connection

LANCOM LANCOM protocol negotiation

IPX-router IPX routing

PPP PPP protocol negotiation

SAP IPX Service Advertising Protocol

IPX-watchdog IPX watchdog spoofing

SPX-watchdog SPX watchdog spoofing

LCR Least-Cost Router

Script script processing

RIP IPX Routing Information Protocol

IP-router IP routing

IP-RIP IP Routing Information Protocol

ARP Address Resolution Protocol

ICMP Internet Control Message Protocol

IP masquerading processes in the masquerading module

DHCP Dynamic Host Configuration Protocol

ment

Configuration and manage-

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

This parameter... ... brings up the following display for the trace:

NetBIOS NetBIOS management

DNS Domain Name Service Protocol

Packet dump display of the first 64 bytes of a package in hexadecimal form

D-channel- dump trace on the D channel of the connected ISDN bus

ATM spoofing at the ATM packet level

ADSL ADSL connections status

VPN-Status IPSec and IKE negotiation

ment

VPN-Packet IPSec and IKE packets

SMTP-Client E-Mail processing of the integrated mail client

SNTP Simple Network Time Protocol information

Configuration and manage-

3.5.4 Combination commands

This combination command...

All all trace outputs

Display status and error outputs

Protocol LANCOM and PPP outputs

TCP-IP IP-Rt., IP-RIP, ICMP and ARP outputs

IPX-SPX IPX-Rt., RIP, SAP, IPX-Wd., SPX-Wd., and NetBIOS outputs

Time displays the system time in front of the actual trace output

Source includes a display of the protocol that has initiated the output in

Any appended parameters are processed from left to right. This means that it is possible to call a parameter and then restrict it.

... brings up the following display for the trace:

front of the trace

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

3.5.5 Examples

This code... ... in combination with the trace causes the following:

trace displays all protocols that can generate outputs during the config-

trace + all switches on all trace outputs

trace + protocol display

trace + all - icmp switches on all trace outputs with the exception of the ICMP proto-

trace ppp displays the status of the PPP

trace # ipx-rt display toggles between the trace outputs for the IPX router and the dis-

trace - time switches off the system time output before the actual trace output

uration, and the status of each output (ON or OFF)

switches on the output for all connection protocols together with the status and error messages

col

play outputs

3.6 Working with configuration files

The current configuration of an LANCOM can be saved as a file and reloaded in the device (or in another device of the same type) if necessary.

Additionally, configuration files can be generated and edited offline for any LANCOM device, firmware option and software version:

ment

Configuration and manage-

Backup copies of configuration

With this function you can create backup copies of the configuration of your LANCOM. Should your LANCOM (e.g. due to a defect) lose its configuration data, you simply reload the backup copy.

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

Convenient series configuration

However, even when you are faced with the task of configuring several LANCOM of the same type, you will come to appreciate the function for saving and restoring configurations. In this case you can save a great deal of work by first importing identical parameters as a basic configuration and then only making individual settings to the separate devices.

Running function

Configuration tool Run

ment

Configuration and manage-

LANconfig Edit  Save Configuration to File

WEBconfig Save Configuration  Load Configuration (in main menu)

TFTP

Edit  Restore Configuration from File Edit  New Configuration File Edit  Edit Configuration File Edit  Print Configuration File

tftp 10.0.0.1 get readconfig file1 tftp

10.0.0.1 put file1 writeconfig

3.7 New firmware with LANCOM FirmSafe

The software for devices from LANCOM is constantly being further developed. We have fitted the devices with a flash ROM which makes child's play of updating the operating software so that you can enjoy the benefits of new features and functions. No need to change the EPROM, no need to open up the case: simply load the new release and you're away.

3.7.1 This is how LANCOM FirmSafe works

LANCOM FirmSafe makes the installation of the new software safe: The used firmware is not simply overwritten but saved additionally in the device as a second firmware.

Of the two firmware versions saved in the device only one can ever be active. When loading a new firmware version the active firmware version is not overwritten. You can decide which firmware will be activated after the upload:

 'Immediate': The first option is to load the new firmware and activate it

immediately. The following situations can result:

 The new firmware is loaded successfully and works as desired. Then

all is well.

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

 The device no longer responds after loading the new firmware. If an

error occurs during the upload, the device automatically reactivates the previous firmware version and reboots the device.

 'Login': To avoid problems with faulty uploads there is the second option

with which the firmware is uploaded and also immediately booted.

 In contrast to the first option, the device will wait for five minutes until

it has successfully logged on. Only if this login attempt is successful does the new firmware remain active permanently.

 If the device no longer responds and it is therefore impossible to log

in, it automatically loads the previous firmware version and reboots the device with it.

 'Manual': With the third option you can define a time period during which

you want to test the new firmware yourself. The device will start with the new firmware and wait for the preset period until the loaded firmware is manually activated and therefore becomes permanently effective.

3.7.2 How to load new software

There are various ways of carrying out a firmware upload, all of which produce the same result:

 LANconfig  WEBconfig  Terminal program  TFTP

All settings will remain unchanged by a firmware upload. All the same you should save the configuration first for safety's sake (with Edit  Save Con- figuration to File if using LANconfig, for example).

If the newly installed release contains parameters which are not present in the device's current firmware, the device will add the missing values using the default settings.

ment

Configuration and manage-

LANconfig

When using LANconfig, highlight the desired device in the selection list and click on Edit  Firmware Management  Upload New Firmware, or click directly on the Firmware Upload button. Then select the directory in which the new version is located and mark the corresponding file.

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

LANconfig then tells you the version number and the date of the firmware in the description and offers to upload the file. The firmware you already have installed will be replaced by the selected release by clicking Open.

You also have to decide whether the firmware should be permanently activated immediately after loading or set a testing period during which you will activate the firmware yourself. To activate the firmware during the set test period, click on Edit  Firmware Management . After upload, start the new firmware in test mode.

WEBconfig

ment

Start WEBconfig in your web browser. On the starting page, follow the Perform a Firmware Upload link. In the next window you can browse the folder

system to find the firmware file and click Start Upload to start the installation.

Configuration and manage-

Terminal program (e.g. Telix or Hyperterminal in Windows)

If using a terminal program, you should first select the 'set mode-firmsafe' command on the 'Firmware' menu and select the mode in which you want the new firmware to be loaded (immediately, login or manually). If desired, you can also set the time period of the firmware test under 'set Timeout-firmsafe'.

Select the 'Firmware-upload' command to prepare the router to receive the upload. Now begin the upload procedure from your terminal program:

 If you are using Telix, click on the Upload button, specify 'XModem' for

the transfer and select the desired file for the upload.

 If you are using Hyperterminal, click on Transfer  Send File, select the

file, specify 'XModem' as the protocol and start the transfer with OK.

TFTP

TFTP can be used to install new firmware on LANCOM. This can be done with the command (or target) writeflash. For example, to install new firmware in a LANCOM with the IP address 10.0.0.1, enter the following command under Windows 2000 or Windows NT:

tftp -i 10.0.0.1 put Lc_16xxu.282 writeflash

3.8 Command line interface

The LANCOM command line interface is always structured as follows:

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

 Status

Contains all read-only statistics of the individual SW modules

 Setup

Contains all configurable parameters of all SW modules of the device

 Firmware

Contains all firmware-management relevant actions and tables

 Other

Contains dialling, boot, reset and upload actions

3.8.1 Command line reference

Navigating the command line can be accomplished by DOS and UNIX style commands as follows:

Command Description

cd <directory> Change the current directory. Certain abbreviations exists,

del <name> rm <name>

dir [<directory>] list[<directory>] ls [<directory>] ll [<directory>]

do <name> [<parameters>] Execute the action <name> in the current directory.

exit/quit/x Close the console session

feature <code> Unlock the feature with the specified feature code

passwd change password

ping [IP address] Issues an ICMP echo request to the specified IP address

readconfig Displays the complete configuration of the device in

readmib display SNMP Management Information Base

repeat <VALUE> <command> repeats command every VALUE seconds until terminated

stop stop ping

set <name> <value(s)> Set a configuration item to the specified value. If the item

e.g. ”cd ../..” can be abbreviated to ”cd ...” etc.

Delete the table entry with the index <name>

Display the contents of a directory

Parameters can be specified

”readconfig” syntax

by new input

is a table entry, multiple values must be given (one for each table column). A ”*” as a value indicates that the column in question should be left at its previous value.

ment

Configuration and manage-

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

Command Description

set [<name>] ? Show which values are allowed for a configuration item. If

show <options> Shows internal data. Run show ? for a list of available

sysinfo Shows basic system information

trace […] Configures the trace output system for several modules,

ment

writeconfig Accept a new configuration in ”readconfig” syntax. All

writeflash load new firmware via TFTP

<name> is empty, this is displayed for each item in the current directory.

items, e.g. boot history, firewall filter rules, vpn rules and memory usage

see

’How to start a trace’ →page 26

subsequent lines are interpreted as configuration values until two blank lines in a row are encountered

Configuration and manage-

 All commands and directory/item names may be abbreviated as long as

no ambiguity exists. For example, it is valid to shorten the ”sysinfo” command to ”sys” or a ”cd Management” to ”c ma”. Not allowed would be ”cd /s”, since that could mean either ”cd /Setup” or ”cd /Status”.

 Names with blanks in them must be enclosed in double quotes.  Additionally, there is a command-specific help function available by call-

ing functions with a question mark as the argument, i.e. entering “ping ?” displays the options for the built-in PING command.

 A complete listing of available commands for a particular device is avail-

able by entering ’?’ from the command line.

3.9 Scheduled Events

Regular Execution of Commands

This feature is intended to allow the device to execute predefined commands in a telnet-like environment, at times defined by the user. The functionality is equivalent to the UNIX cron service. Subject of execution can be any LANCOM command line command. Therefore, the full feature set of all LANCOM devices can be controlled by this facility.

Application examples include:

 scheduled connections  time-dependant firewall rules

 Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50

 regular firmware or configuration updates

Configuration Tool Run

WEBconfig

Ter min al/ Telnet

Expert-Configuration

setup/config-module/cron-table

 Config-module  Cron-table

The data is stored in a table with the following layout:

Entry Description

Index Unambiguously identifies this entry in the table

Base The Base field rules whether the time check is done against the device's

Minute Hour DayOfWeek Day Month

Command The command itself may be a list of command line commands, separated by

operation time or the real time. Rules based on real time are only executed if the device has acquired the current time, e.g. via NTP. For real-time based rules, all four columns have a meaning, while operation- time based rules only take the minute/hour fields into account.

The entries Minute to Month form a mask that lets the user define at which times a command will be executed. Entries in the mask field may be blank to mark that the respective component shall not be part of the compare operation; otherwise, a field may contain a list of comma-separated items that may either be a single number or a number range, given as minimum and maximum concatenated with a hyphen. For the DayOfWeek field, the usual cron interpretation applies: 0 Sunday 1 Monday 2 Tuesday 3 Wednesday 4 Thursday 5 Friday 6 Saturday

semicolons.

ment

Configuration and manage-

For example, the entry given below would connect the device each weekday at 6 PM with a remote site ’HEADQUARTERS’

Base Realtime

Minute Hour DayOfWeek Day Month

Command do /o/man/con HEADQUARTERS

18 1,2,3,4,5,

LANCOM Reference Manual LCOS 3.50  Chapter 3: Configuration and management

Time-controlled rules will not necessarily be executed at precisely zero seconds of real time, but at some indeterminate point of time in the minute in question.

ment

Configuration and manage-

 Chapter 4: Management LANCOM Reference Manual LCOS 3.50

4 Management

4.1 N:N mapping

Network Address Translation (NAT) can be used for several different matters:

 for better utilizing the IP4 addresses ever becoming scarcer  for coupling of networks with same (private) address ranges  for producing unique addresses for network management

In the first application the so-called N:1 NAT, also known as IP masquerading (’The hiding place—IP masquerading (NAT, PAT)’ →page 74) is used. All addresses (“N”) of the local network are mapped to only one (“1”) public address. This clear assignment of data streams to the respective internal PCs is generally made available by the ports of the TCP and UDP protocols. That’s why this is also called NAT/PAT (Network Address Translation/Port Address Translation).

Due to the dynamic assignment of ports, N:1 masquerading enables only those connections, which have been initiated by the internal network. Exception: an internal IP address is staticly exposed on a certain port, e.g. to make a LAN server accessible from the outside. This process is called “inverse masquerading” (’Inverse masquerading’ →page 78).

A N:N mapping is used for network couplings with identical address ranges. This transforms unambiguously multiple addresses (“N”) of the local network to multiple (“N”) addresses of another network. Thereby, an address conflict can be resolved.

Rules for this address translation are defined in a static table in the LANCOM. Thereby new addresses are assigned to single stations, parts of the network, or the entire LAN, by which the stations can contact other networks then.

Some protocols (FTP, H.323) exchange parameters during their protocol negotiation, which can have influence on the address translation for the N:N mapping. For a correct functioning of the address translation, the connection information of these protocols are tracked appropriately by functions of the firewall in a dynamic table, and are additionally considered to the entries of the static table.

Management

LANCOM Reference Manual LCOS 3.50  Chapter 4: Management

the defined translation range. An “inbound” address mapping, whereby the source address is translated (instead of the destination address), needs to be realized by an appropriate “outbound” address translation on the remote side.

4.1.1 Application examples

The following typical applications are described in this section:

 Coupling of private networks utilizing the same address range  Central remote monitoring by service providers

Network coupling

An often appearing scenario is the coupling of two company networks which internally use the same address range (e. g. 10.0.0.x). This is often the case,

Management

when one company should get access to one (or more) server(s) of the other one:

Network of firm A:

10.0.0.x

N:N mapping to 192.168.2.x

N:N mapping to 192.168.1.x

Network of firm B:

10.0.0.x

Gateway

VPN tunnel

Target: 192.168.2.1

Server_A1: 10.0.0.1 Server_A2: 10.0.0.2

Gateway

Server_B1: 10.0.0.1 Server_B2: 10.0.0.2

In this example network servers of company A and B should have access over a VPN tunnel to the respective other network. All stations of the LAN should have access to the server of the remote network. For the time being, there is no access possible to the other network, because both networks use the same address range. If one station of the network of company A wants to access server 1 of company B, the addressee (with an address from the 10.0.0.x network) will be searched within the own local network, and the inquiry even does not reach the gateway.

 Chapter 4: Management LANCOM Reference Manual LCOS 3.50

With the help of N:N mapping, all addresses of the LAN can be translated to a new address range for the coupling with the other network. The network of company A e. g. will be translated to 192.168.1.x, the network of company B to 192.168.2.x. Under these new addresses the two LANs are now reachable for the respective other network. The station from the network of company A is now addressing server 1 of company B under the address 192.168.2.1. The addressee does not reside anymore within the own network, the inquiry is now passed on to the gateway, and the routing to the other network is working as desired.

Remote monitoring and remote control of networks

Remote maintenance and control of networks become more and more importance because of the possibilities given by VPN. With the use of the nearly ubiquitous broadband Internet connections, the administrator of such management scenarios is no longer dependent of the different data communication technologies or expensive leased lines.

Management

LANCOM Reference Manual LCOS 3.50  Chapter 4: Management

Gateway, e.g.

10.1.2.1

Management

Customer C:

172.16.10.x, 255.255.255.0

Customer A, office 1:

10.1.2.x, 255.255.255.0

VPN tunnel

Customer A, office 2:

10.1.3.x, 255.255.255.0

Hot Spot, e.g.

172.16.10.11

Service provider:

172.16.10.x,

255.255.255.0

Customer A, headquarters:

10.1.x.x, 255.255.0.0

Internet

Customer B, office 1:

10.1.2.x, 255.255.255.0

Customer B, headquarters:

10.1.x.x, 255.255.0.0

Gateway

tun

VPN

GatewayGateway

Gateway, e.g.

80.123.123.123 (public) and 172.16.10.11 (intern)

Customer B, office 2:

10.1.3.x, 255.255.255.0

Customer D:

172.16.10.x,

255.255.255.0

In this example, a service provider monitors the networks of different clients out of a central control. For this purpose, the SNMP-capable devices should send the respective traps of important events automatically to the SNMP trap addressee (e. g. LANmonitor) of the network of the service provider. So the LAN administrator of the service provider has an up-to-date view of the state of the devices at any time.

The individual networks can be structured very differently: Clients A and B integrate their branches with own networks via VPN connections to their LAN, client C operates a network with several public WLAN base stations as hot spots, and client D has got an additional router for ISDN dial-up accesses in his LAN.

 Chapter 4: Management LANCOM Reference Manual LCOS 3.50

The networks of client A and B use different address ranges in the respective head office and the connected branches. A standard network coupling via VPN is therefore possible between these networks.

In order to avoid the effort to building up its own VPN tunnel to each individual subnetwork of the clients A and B, the service provider makes only one VPN connection to the head office, and uses the existing VPN lines between head office and branches for communication with the branches.

Traps from the networks report to the service provider whether e. g. a VPN tunnel has been build up or cut, if an user has been tried to log in three times with a wrong password, if an user has been applied for a hot spot, or if somewhere a LAN cable has been pulled out of a switch.

A complete list of all SNMP traps supported by LANCOM can be found in the appendix of this reference manual (’SNMP traps’ →page 287).

Routing of these different networks reaches very fast its limiting factors, if two or more clients use same address ranges. Additionally, if some clients use the same address range as the service provider as well, further address conflicts are added. In this example, one of the hot spots of client C has got the same address as the gateway of the service provider.

There are two different variants to resolve these address conflicts:

Loopback: decentralized 1:1 mapping

 In the decentralized variant, alternative IP addresses for communicating

with the SNMP addressee are assigned to each of the monitored devices by means of an 1:1 mapping. This address is in technical language also known as “loopback address”, the method accordingly as “loopback method”.

Management

Alternative: central N:N mapping

The loopback addresses are valid only for communication with certain remote stations on the connections belonging to them. Thus a LANCOM is not generally accessible via this IP address.

 Even more appealing is the solution of a central mapping: instead of con-

figuring each single gateway in the branch networks, the administrator configures solely one central address translation in the gateway of the head office. On this occasion, also all subnetworks located “behind” the head office are supplied with the needed new IP addresses.

In this example, the administrator of the service provider selects 10.2.x.x as central address translation for the network of client B, so that both networks

LANCOM Reference Manual LCOS 3.50  Chapter 4: Management

with actual same address range looks like two different networks for the gateway of the service provider.

The administrator selects the address ranges 192.168.2.x and 192.168.3.x for client C and D, so that the addresses of these networks do differ from the own network of the service provider.

In order to enable the gateway of the provider to monitor the networks of clients C and D, the administrator sets up an address translation to 192.168.1.x also for the own network.

4.1.2 Configuration

Setting up address translation

Configuration of N:N mapping succeeds with only few information. Since a LAN can be coupled with several other networks via N:N, different destinati-

Management

ons can have also different address translations for a source IP range. The NAT table can contain 64 entries at maximum, including the following information:

 Index: Unambiguous index of the entry.  Source address: IP address of the workstation or network that should

get an alternative IP address.

 Source mask: Netmask of source range.  Remote station: Name of the remote station over that the remote net-

work is reachable.

 New network address: IP address or address range that should be used

for the translation.

For the new network address, the same netmask will be used as the source address already uses. For assignment of source and mapping addresses the following hints apply:

 Source and mapping can be assigned arbitrarily for the translation of sin-

gle addresses. Thus, for example, it is possible to assign the mapping address 192.168.1.88 to a LAN server with the IP address 10.1.1.99.

 For translation of entire address ranges, the station-related part of the IP

address will be taken directly, only appended to the network-related part of the mapping address. Therefore, in an assignment of 10.0.0.0/

255.255.255.0 to 192.168.1.0, a server of the LAN with IP address

10.1.1.99 will get assigned the mapping address 192.168.1.99.

 Chapter 4: Management LANCOM Reference Manual LCOS 3.50

The address range for translation must be at minimum as large as the source address range.

Please notice that the N:N mapping functions are only effective when the firewall has been activated. (’Firewall/QoS enabled’ →page 121)!

Additional configuration hints

By setting up address translation in the NAT table, the networks and workstations become only visible under another address at first in the higher network compound. But for a seamless routing of data between the networks some further settings are still necessary:

 Entries in the routing tables for packets with new addresses to find the

way to their destination.

 DNS forwarding entries, in order that inquiries about certain devices in the

respective other networks can be resolved into mapped IP addresses (’DNS forwarding’ →page 279).

 The firewall rules of the gateways must be adjusted such that (if neces-

sary) authorized stations resp. networks from the outside are permitted to set up connections.

 VPN rules for loopback addresses in order to transmit the newly assigned

IP addresses through an according VPN tunnel.

Management

The IP address translation takes place in the LANCOM between firewall and IP router on one hand, and the VPN module on the other hand. All rules related to the own network use therefore the “unmap-

LANCOM Reference Manual LCOS 3.50  Chapter 4: Management

ped” original addresses. The entries of the remote network use the “mapped” addresses of the remote side, valid on the VPN connection.

Target address

Source address

WAN interface,

e.g. ISDN

WAN interface,

e.g. ADSL

WAN interface,

e.g. Ethernet

VPN module

IP masquerading

N:N mapping

Firewall / IDS / DoS

IP router

LAN bridge

LAN

WLAN

DMZ

Management

Configuration with different tools

LANconfig

With LANconfig you adjust the address translation for the configuration range ’IP router’ on register card 'N:N-Mapping':

 Chapter 4: Management LANCOM Reference Manual LCOS 3.50

WEBconfig, Telnet

4.1.3

Under WEBconfig and Telnet you find the NAT table for configuration of N:N mapping at the following positions of the menu tree:

Configuration tool Run

WEBconfig Expert configuration / Setup / IP router / NAT table

Terminal/Telnet Setup / IP router module / NAT table

When starting a new entry under WEBconfig, the NAT table shows up as follows:

Management

LANCOM Reference Manual LCOS 3.50  Chapter 5: Diagnosis

5 Diagnosis

5.1 LANmonitor—know what's happening

The LANmonitor includes a monitoring tool with which you can view the most important information on the status of your routers on your monitor at any time under Windows operating systems—of all of the LANCOM routers in the network.

Many of the internal messages generated by the devices are converted to plain text, thereby helping you to troubleshoot.

You can also use LANmonitor to monitor the traffic on the router's various interfaces to collect important information on the settings you can use to optimize data traffic.

In addition to the device statistics that can also be read out during a Telnet or terminal session or using WEBconfig, a variety of other useful functions are

Diagnosis

also available in the LANmonitor, such as the enabling of an additional charge limit.

With LANmonitor you can only monitor those devices that you can access via IP (local or remote). With this program you cannot access a router via the serial interface.

5.1.1 Extended display options

Under View / Show Details you can activate and deactivate the following display options:

 Error messages  Diagnostic messages  System information

 Chapter 5: Diagnosis LANCOM Reference Manual LCOS 3.50

5.1.2 Monitor Internet connection

To demonstrate the functions of LANmonitor we will first show you the types of information LANmonitor provides about connections being established to your Internet provider.

햲 To start LANmonitor, go to Start  Programs  LANCOM 

LANmonitor. Use Device  New to set up a new device and in the fol-

lowing window, enter the IP address of the router that you would like to monitor. If the configuration of the device is protected by password, enter the password too.

Alternatively, you can select the device via the LANconfig and monitor it using Tools / Monitor Device.

햳 LANmonitor automatically creates a new entry in the device list and ini-

Diagnosis

LANCOM Reference Manual LCOS 3.50  Chapter 5: Diagnosis

Under the general information you can watch the transmission rates at which data is currently being exchanged with the Internet.

햴 To break the connection manually, click on the active channel with the

right mouse button. You may be required to enter a configuration password.

햵 If you would like a log of the LANmonitor output in file form, select

Device  Properties and go to the 'Logging' tab. Enable logging and specify whether LANmonitor should create a log file daily, monthly, or on an ongoing basis.

5.2 Trace information—for advanced users

Diagnosis

outputs to trace any errors occurring in the establishment of a connection. A particular advantage of this is: The errors being tracked may stem from the configuration of your own router or that of the remote site.

The trace outputs are slightly delayed behind the actual event, but are always in the correct sequence. This will not usually hamper interpretation of the displays but should be taken into consideration if making precise analyses.

5.2.1 How to start a trace

Trace output can be started in a Telnet session, for example. The command to call up a trace follows this syntax:

trace [code] [parameters]

The trace command, the code, the parameters and the combination commands are all separated from each other by spaces. And what is the meaning of these codes and parameters?

 Chapter 5: Diagnosis LANCOM Reference Manual LCOS 3.50

5.2.2 Overview of the keys

This code... ... in combination with the trace causes the following:

? displays a help text

+ switches on a trace output

- switches off a trace output

# switches between different trace outputs (toggle)

no code displays the current status of the trace

5.2.3 Overview of the parameters

The available traces depend individually on the particular model and can be listed by entering trace with no arguments on the command line.

This parameter... ... brings up the following display for the trace:

Status status messages for the connection

Error error messages for the connection

LANCOM LANCOM protocol negotiation

IPX-router IPX routing

PPP PPP protocol negotiation

SAP IPX Service Advertising Protocol

IPX-watchdog IPX watchdog spoofing

SPX-watchdog SPX watchdog spoofing

LCR Least-Cost Router

Script script processing

RIP IPX Routing Information Protocol

IP-router IP routing

IP-RIP IP Routing Information Protocol

ARP Address Resolution Protocol

ICMP Internet Control Message Protocol

IP masquerading processes in the masquerading module

DHCP Dynamic Host Configuration Protocol

Diagnosis

LANCOM Reference Manual LCOS 3.50  Chapter 5: Diagnosis

This parameter... ... brings up the following display for the trace:

NetBIOS NetBIOS management

DNS Domain Name Service Protocol

Packet dump display of the first 64 bytes of a package in hexadecimal form

D-channel- dump trace on the D channel of the connected ISDN bus

ATM spoofing at the ATM packet level

ADSL ADSL connections status

VPN-Status IPSec and IKE negotiation

VPN-Packet IPSec and IKE packets

SMTP-Client E-Mail processing of the integrated mail client

SNTP Simple Network Time Protocol information

5.2.4 Combination commands

Diagnosis

This combination command...

All all trace outputs

Display status and error outputs

Protocol LANCOM and PPP outputs

TCP-IP IP-Rt., IP-RIP, ICMP and ARP outputs

IPX-SPX IPX-Rt., RIP, SAP, IPX-Wd., SPX-Wd., and NetBIOS outputs

Time displays the system time in front of the actual trace output

Source includes a display of the protocol that has initiated the output in

... brings up the following display for the trace:

front of the trace

Any appended parameters are processed from left to right. This means that it is possible to call a parameter and then restrict it.

 Chapter 5: Diagnosis LANCOM Reference Manual LCOS 3.50

5.2.5 Examples

This code... ... in combination with the trace causes the following:

trace displays all protocols that can generate outputs during the config-

trace + all switches on all trace outputs

trace + protocol display

trace + all - icmp switches on all trace outputs with the exception of the ICMP proto-

trace ppp displays the status of the PPP

trace # ipx-rt display toggles between the trace outputs for the IPX router and the dis-

trace - time switches off the system time output before the actual trace output

uration, and the status of each output (ON or OFF)

switches on the output for all connection protocols together with the status and error messages

col

play outputs

Diagnosis

LANCOM Reference Manual LCOS 3.50  Chapter 6: Security

6 Security

You certainly would not like any outsider to have easy access to or to be able to modify the data on your computer. Therefore this chapter covers an important topic: safety. The description of the security settings is divided into the following sections:

 Protection for the configuration

 Password protection  Login barring  Access verification

 Securing ISDN access

At the end of the chapter you will find the most important security settings as a checklist. It ensures that your LANCOM is excellently protected.

Some further LCOS features to enhance the data security are described in separate chapters:

Security

 ’Firewall’ →page 104  ’The hiding place—IP masquerading (NAT, PAT)’ →page 74  ’Virtual LANs (VLANs)’ →page 192

6.1 Protection for the configuration

A number of important parameters for the exchange of data are established in the configuration of the device. These include the security of your network, monitoring of costs and the authorizations for the individual network users.

Needless to say, the parameters that you have set should not be modified by unauthorized persons. The LANCOM thus offers a variety of options to protect the configuration.

6.1.1 Password protection

The simplest option for the protection of the configuration is the establishment of a password.

As long as a password hasn't been set, anyone can change the configuration of the device. For example, your Internet account information could be stolen, or the device could be reconfigured in a way that the protection-mechanisms for the local network could by bypassed.

 Chapter 6: Security LANCOM Reference Manual LCOS 3.50

Note: If a password has not been set, the Power LED flashes, until the devices have been configured correctly.

Tips for proper use of passwords

We would like to give you a few tips here for using passwords:

 Keep a password as secret as possible.

Never write down a password. For example, the following are popular but completely unsuitable: Notebooks, wallets and text files in computers. It sounds trivial, but it can't be repeated often enough: don't tell anyone your password. The most secure systems surrender to talkativeness.

 Only transmit passwords in a secure manner.

A selected password must be reported to the other side. To do this, select the most secure method possible. Avoid: Non-secure e-mail, letter, or fax. Informing people one-on-one is preferable. The maximum security is achieved when you personally enter the password at both ends.

 Select a secure password.

Use random strings of letters and numbers. Passwords from common language usage are not secure. Special characters such as '&“?#-*+_:;,!°' make it difficult for potential attackers to guess your password and increase the security of the password.

 Never use a password twice.

If you use the same password for several purposes, you reduce its security effect. If the other end is not secure, you also endanger all other connections for which you use this password at once.

 Change the password regularly.

Passwords should be changed as frequently as possible. This requires effort, however considerably increases the security of the password.

 Change the password immediately if you suspect someone else

knows it.

If an employee with access to a password leaves the company, it is high time to change this password. A password should also always be changed when there is the slightest suspicion of a leak.

If you comply with these simple rules, you will achieve the highest possible degree of security.

Security

Entering the password

You will find the box to enter the password in LANconfig in the configuration area 'Management' on the 'Security' tab. Under WEBconfig you run the wiz-

LANCOM Reference Manual LCOS 3.50  Chapter 6: Security

ard Security Settings. In a terminal or Telnet session you set or change the password with the command

Configuration tool Run

LANconfig Management  Security  Configuration password

WEBconfig Security settings

Ter min al/ Telnet

passwd

Protecting the SNMP access

At the same time you should also protect the SNMP read access with a password. For SNMP the general configuration password is used.

Configuration tool Run

Security

LANconfig Management  Security  Password required for SNMP read

WEBconfig

Ter min al/ Telnet

permission

Expert Configuration  Setup  SNMP-module required-for-SNMP-read-access

setup/SNMP module/password-required

 Password-

6.1.2 Login barring

The configuration in the LANCOM is protected against “brute force attacks“ by barring logins. A brute-force attack is the attempt by an unauthorized person to crack a password to gain access to a network, a computer or another device. To achieve this, a computer can, for example, go through all the possible combinations of letters and numbers until the right password is found.

As a measure of protection against such attacks, the maximum allowed number of unsuccessful attempts to login can be set. If this limit is reached, access will be barred for a certain length of time.

If barring is activated on one port all other ports are automatically barred too. The following entries are available in the configuration tools to configure login

barring:

 Lock configuration after (

)

 Chapter 6: Security LANCOM Reference Manual LCOS 3.50

 Lock configuration for (

Configuration tool Run

LANconfig Management  Security

WEBconfig Expert Configuration  Setup  Config-module

Ter min al/ Telnet

Lock-minutes

Setup/Config module

)

6.1.3 Restriction of the access rights on the configuration

Access to the internal functions of the devices can be restricted separately for each access method as follows:

 ISDN administrative account  Network

 LAN  WAN

For network-based configuration access further restrictions can be made, e.g. that solely specified IP addresses or dedicated LANCAPI clients are allowed to do so. Additionally, all internal functions are separately selectable.

The term ’internal function’ denotes configuration sessions via LANconfig (TFTP), WEBconfig (HTTP, HTTPS), SNMP or Terminal/Telnet.

Restrictions on the ISDN administrative account

Security

This paragraph applies only to models with ISDN interface.

LANCOM Reference Manual LCOS 3.50  Chapter 6: Security

햲 Change to the register card 'Security in the 'Management' configuration

area:

Security

햳 Enter as call number within 'configuration access' a call number of your

connection, which is not used for other purposes.

Enter alternatively the following instruction:

set /setup/config-module/farconfig-(EAZ-MSN) 123456

The ISDN administrative account is excluded as only configuration method from in the following described restrictions of network access methods. I.e. all on the Admin MSN incoming connections are not limited by the access restrictions of remote networks

If you want to completely switch off the ISDN remote management, leave the field with Admin MSN empty.

Limit the network configuration access

The access to the internal functions can be controlled separately for accesses from the local or from distant networks - for all configuration services sepa-

 Chapter 6: Security LANCOM Reference Manual LCOS 3.50

rately. The configuration access can generally be permitted or forbidden, a pure read access or - if your model is equipped with VPN - also can be permitted only over VPN.

If you want to remove the network access to the router over the WAN completely, set the configuration access from distant nets for all methods to 'denied'.

Restriction of the network configuration access to certain IP addresses

With a special filter list the access to the internal functions of the devices can be limited to certain IP addresses:

Security

LANCOM Reference Manual LCOS 3.50  Chapter 6: Security

By default, this table does not contain entries. Thus the device can be accessed over TCP/IP from computers with arbitrary IP addresses. With the first entry of a IP address (as well as the associated net mask) the filter is activated, and solely the IP addresses contained in this entry are entitled to use the internal functions then. With further entries, the number of the entitled ones can be extended. The filter entries can designate both individual computers and whole networks.

Configuration tool Run

LANconfig TCP/IP  General  Access list

WEBconfig Expert Configuration  Setup / TCP-IP- module

Access-list

Ter min al/ Telnet

/setup/TCP-IP-module/access-list

6.2 Protecting the ISDN connection

For a device with an ISDN connection basically any ISDN subscriber can dial

Security

into your LANCOM. To prevent undesired intruders, you must therefore pay particular attention to the protection of the ISDN connection.

The protection functions of the ISDN connection can be divided into two groups:

 Identification control

 Access protection using name and password  Access protection via caller ID

 Callback to defined call numbers

6.2.1 Identification control

For identification monitoring either the name of the remote site or the socalled caller ID can be used. The caller ID is the telephone number of the caller that is normally transmitted to the remote site with the call with ISDN.

Which “Identifier” is to be used to identify the caller is set in the following list:

Configuration Tool Run

LANconfig Communication  Call accepting

WEBconfig Expert Configuration  Setup  WAN- module  Protect

Ter min al/ Telnet

setup/WAN-module/protect

 Chapter 6: Security LANCOM Reference Manual LCOS 3.50

You have a choice of the following:

 all: Calls are accepted from any remote station.  by number: Only calls from those remote stations whose Calling Line Iden-

tification number (CLIP) is entered in the number list are accepted.

 by approved number: Only calls from those remote stations whose Calling

Line Identification number (CLIP) is entered in the name list and whose number is approved by the Central Office.

It is an obvious requirement for identification that the corresponding information is sent by the caller.

Verification of name and password

In the case of PPP, a user name (and in conjunction with PAP, CHAP or MSCHAP, a password) is sent to the remote station during connection establishment. When a computer dials into the LANCOM, the communications software, for example Windows Dial-Up Network, prompts the user for the user name and password to be transferred.

If the router establishes the connection itself, for instance, to an ISP, it is using the user name and password from the PPP list. If no user name is listed there, the device name is used in its place.

The PPP list can be found as follows:

Security

Configuration tool Run

LANconfig Communication  Protocols  PPP list

WEBconfig Expert Configuration  Setup  WAN- module  PPP-list

Ter min al/ Telnet

/setup/WAN-module/PPP-list

In addition, the PPP protocol also permits the caller to require an authentication from the remote station. The caller then requests a user or device name and password from the remote station.

Of course you will not need to use the PAP, CHAP or MS CHAP security procedures if you are using the LANCOM to dial up an Internet service provider yourself, for example.You will probably not be able to persuade the ISP to respond to a request for a password...

LANCOM Reference Manual LCOS 3.50  Chapter 6: Security

Checking the number

When a call is placed over an ISDN line, the caller's number is normally sent over the D channel before a connection is even made (CLI – Calling Line Iden- tifier).

Access to your own network is granted if the call number appears in the number list, or the caller is called back if the callback option is activated. If the LANCOM is set to provide security using the telephone number, any calls from remote stations with unknown numbers are denied access.

You can use call numbers as a security measure with any B-channel protocol (layers).

6.2.2 Callback

Th e ca llb ack fun cti on of fer s a s pec ial for m of acce ss p riv ile ge: Thi s re qui res the 'Callback' option to be activated in the name list for the desired caller and the call number to be specified, if required.

Configuration tool Run

Security

LANconfig Communications  Remote site  Name list (ISDN)

WEBconfig Expert configuration  Setup  WAN module 

Ter min al/ Telnet

ISDN-name- list

/Setup/WAN-module/Name list

Using the settings in the name and number list and the selection of the protocol (LANCOM or PPP), you can control the callback behaviour of your router

 The router can refuse to call back.  It can call back using a preset call number.  First the name can be checked and then a preset telephone number can

be called back.

 The caller can opt to specify the call number to be used for callback.

And all the while you can use the settings to dictate how the cost of the connection is to be apportioned. The router accepts all unit charges, except for the unit required to send the name, if call back 'With name' is set in the name list. The caller also accepts a unit if the caller is not identified via CLIP (Calling Line Identifier Protocol). On the other hand, the caller incurs no costs if identification of the caller's number is possible and is accepted (callback via the D channel).

 Chapter 6: Security LANCOM Reference Manual LCOS 3.50

An especially effective callback method is the fast-callback procedure (patent pending). This speeds up the callback procedure considerably. The procedure only works if it is supported by both stations. All current LANCOM routers are capable of fast callback.

Additional information on callback can be found in section ’Callback functions’ →page 98.

6.3 The security checklist

In the following checklist you will find an overview of the most important security functions. That way you can be quite sure not to have overlooked anything important during the security configuration of your LANCOM.

 Have you assigned a password for the configuration?

The simplest option for the protection of the configuration is the establishment of a password. As long as a password hasn't been set, anyone can change the configuration of the device. The box for entering the password is located in LANconfig in the 'Management' configuration area on the 'Security' tab. It is particularly advisable to assign a password to the configuration if you want to allow remote configuration.

 Have you permitted remote configuration?

If you do not require remote configuration, then deactivate it. If you require remote configuration, then be sure to assign a password protection for the configuration (see previous section). The field for deactivating the remote configuration is also contained in LANconfig in the 'Management' configuration area on the 'Security' tab.

 Have you assigned a password to the SNMP configuration?

Also protect the SNMP configuration with a password. The field for protection of the SNMP configuration with a password is also contained in LANconfig in the 'Management' configuration area on the 'Security' tab.

 Have you allowed remote access?

If you do not require remote access, deactivate call acceptance by deactivating a call acceptance 'by number' and leaving the number list blank in LANconfig in the 'Communication' configuration area on the 'Call accepting' tab.

 Have you activated the callback options for remote access and is

CLI activated?

Security

LANCOM Reference Manual LCOS 3.50  Chapter 6: Security

When a call is placed over an ISDN line, the caller's number is normally sent over the D channel before a connection is even made (CLI – Calling Line Identifier). Access to your own network is granted if the call number appears in the number list, or the caller is called back if the callback option is activated (this callback via the D channel is not supported by the Windows Dial-Up Network). If the LANCOM is set to provide security using the telephone number, any calls from remote stations with unknown numbers are denied access.

 Have you activated the Firewall?

The Stateful Inspection Firewall of the LANCOM ensures that your local network cannot be attacked from the outside . The Firewall can be enabled in LANconfig under ’Firewall/QoS’ on the register card ’General’.

 Do you make use of a ’Deny All’ Firewall strategy?

For maximum security and control you prevent at first any data transfer through the Firewall. Only those connections, which are explicitly desired have to allowed by the a dedicated Firewall rule then. Thus ’Trojans’ and certain Email viruses loose their communication way back. The Firewall

Security

rules are summarized in LANconfig under ’Firewall/Qos’ on the register card ’Rules’. A guidance can be found under ’Set-up of an explicit "Deny All" strategy’ →page 138.

 Have you activated the IP masquerading?

IP masquerading is the hiding place for all local computers for connection to the Internet. Only the router module of the unit and its IP address are visible on the Internet. The IP address can be fixed or assigned dynamically by the provider. The computers in the LAN then use the router as a gateway so that they themselves cannot be detected. The router separates Internet and intranet, as if by a wall. The use of IP masquerading is set individually for each route in the routing table. The routing table can be found in the LANconfig in the 'IP router' configuration section on the 'Routing' tab.

 Have you excluded certain stations from access to the router?

Access to the internal functions of the devices can be restricted using a special filter list. Internal functions in this case are configuration sessions via LANconfig, WEBconfig, Telnet or TFTP. This table is empty by default and so access to the router can therefore be obtained by TCP/IP using Telnet or TFTP from computers with any IP address. The filter is activated when the first IP address with its associated network mask is entered and from that point on only those IP addresses contained in this initial entry

 Chapter 6: Security LANCOM Reference Manual LCOS 3.50

will be permitted to use the internal functions. The circle of authorized users can be expanded by inputting further entries. The filter entries can describe both individual computers and whole networks. The access list can be found in LANconfig in the 'TCP/IP' configuration section on the 'General' tab.

 Is your saved LANCOM configuration stored in a safe place?

Protect the saved configurations against unauthorized access in a safe place. A saved configuration could otherwise be loaded in another device by an unauthorized person, enabling, for example, the use of your Internet connections at your expense.

Security

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

7 Routing and WAN connections

This chapter describes the most important protocols and configuration entries used for WAN connections. It also shows ways to optimize WAN connections.

7.1 General information on WAN connections

WAN connections are used for the following applications.

 Internet access  LAN to LAN coupling  Remote access

7.1.1 Bridges for standard protocols

WAN connections differ from direct connections (for example, via the LANCAPI) in that the data in the WAN are transmitted via standardized network protocols also used in the LAN. Direct connections, on the other hand, operate with proprietary processes that have been specially developed for point-to-point connections.

Via WAN connections a LAN is extended, and with direct connections only one individual PC establishes a connection to another PC. WAN connections form

connections

Routing and WAN

a kind of bridge for the communication between networks (or for connecting individual computers to the LAN).

Close cooperation with router modules

Characteristic of WAN connections is the close cooperation with the router modules in the LANCOM. The router modules (IP and IPX) take care of connecting LAN and WAN. They make use of the WAN modules to fulfil requests from PCs within the LAN for external resources.

7.1.2 What happens in the case of a request from the LAN?

Initially the router modules only determine the remote station to which a data packet is to be sent. The various parameters for all required connections must be arranged so that a given connection can be selected and established as required. These parameters are stored in a variety of lists, the interaction of which permits the correct connections.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

A simplified example will clarify this process. Here we assume that the IP address of the computer being searched for is known in the Internet.

Data packet with IP target address

LANCOM

IP routing tab. IP address

Name-list Remote station Îinterface, connection parame-

PPP-list Terminal

Internet user's PC

DSL/ISDN/

ADSL

Î remote station name

ters (ISDN: telephone number), communications layer

Î user name and password

햲 Selecting the correct route

A data packet from a computer initially finds the path to the Internet through the IP address of the receiver. The computer sends the packet with this address over the LAN to the router. The router determines the remote station in its IP routing table via which the target IP address can be reached, e.g. 'Provider_A'.

햳 Connection data for the remote station

Using these names, the router checks the names list and finds the necessary connection data for provider A. Included in these connection data are, for instance, the WAN interface (DSL, ISDN) through which the provider is connected to, protocol information, or the necessary number for an ISDN call connection. The router also obtains the user name and password required for login from the PPP list.

Internet

Provider

connections

Routing and WAN

햴 Establishing the WAN connection

The router can then establish a connection to provider via a WAN interface. It authenticates itself with a user name and password.

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

햵 Transmission of data packets

As soon as the connection is established, the router can send the data packet to the Internet.

7.2 IP routing

An IP router works between networks which use TCP/IP as the network protocol. This only allows data transmissions to destination addresses entered in the routing table. This section explains the structure of the IP routing table of an LANCOM router, as well as the additional functions available to support IP routing.

7.2.1 The IP routing table

The IP routing table is used to tell the router which remote station (which other router or computer) it should send the data for particular IP addresses or IP address ranges to. This type of entry is also known as a “route“ since it is used to describe the path of the data packet. This procedure is also called “static routing” since you make these entries yourself and they remain unchanged until you either change or delete them yourself. Naturally, “dynamic routing” also exists. The routers use the routes in this way to exchange data between themselves and continually update it automatically.

connections

Routing and WAN

The static routing table can hold up to 256 entries, the dynamic table can hold

128. The IP router looks at both tables when the IP RIP is activated. You also use the IP routing table to tell the router the length of this route's

path so that it can select the most suitable route in conjunction with IP RIP where there are several routes to the same destination. The default setting for the distance to another router is 2, i.e. the router can be reached directly. All devices which can be reached locally, such as other routers in the same LAN or workstation computers connected via proxy ARP are entered with the distance 0. The “quality level” of this route will be reduced if the entry addressed has a higher distance (up to 14). “Unfavourable” routes like this will only be used if no other route to the remote station in question can be found.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

Configuration of the routing table

Configuration tool Run

LANconfig IP router  Routing  Routing table

WEBconfig Expert Configuration  Setup  IP-router-module 

Ter min al/ Telnet

IP-routing-table

cd /setup/IP-router/IP-routing-table

An IP routing table can, for example, look like this:

IP address IP netmask Router Distance Masquerading

192.168.120.0 255.255.255.0 MAIN 2 Off

192.168.125.0 255.255.255.0 NODE1 3 Off

192.168.130.0 255.255.255.0 191.168.140.123 0 Off

What do the various entries on the list mean?

 IP addresses and netmasks

This is the address of the destination network to which data packets may be sent and its associated network mask. The router uses the network mask and the destination IP address of the incoming data packets to check whether the packet belongs to the destination network in question.

The route with the IP address '255.255.255.255' and the network mask '0.0.0.0' is the default route. All data packets that cannot be routed by other routing entries are sent over this route.

 Router

The router transmits the appropriate data packets to the IP address and network mask to this remote station. A name is entered at this point if the remote station is a router in another network or an individual workstation computer. This is where the IP address of another router which knows the path to the destination network is entered if the router on the network cannot address the remote station itself.

The router name indicates what should happen with the data packets that match the IP address and network mask.

Routes with the router name '0.0.0.0' identify exclusion routes. Data packets for this “zero route“ are rejected and are not routed any further.

connections

Routing and WAN

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

That way routes which are forbidden on the Internet (private address spaces, e.g. '10.0.0.0'), for example, are excluded from transmission.

If an IP address is input as router name, this is a locally available router, which is responsible for transfer of the relevant data packets.

 Distance

Number of routers between your own and the destination router. This value is often equated with the cost of the transmission and used to distinguish between inexpensive and expensive call paths for wide-area connections. The distance values entered are propagated as follows:

 All networks which can be reached while a connection exists to a des-

tination network are propagated with a distance of 1.

 All non-connected networks are propagated with the distance

entered in the routing table (but with a minimum distance of 2) as long as a free transmitting channel is still available.

 The remaining networks are propagated with a distance of 16

(= unreachable) if there are no longer any channels available.

 Remote stations connected using proxy ARP are an exception to this.

These “proxy hosts“ are not propagated at all.

 Masquerading

connections

Routing and WAN

Use the 'Masquerade' option in the routing table to inform the router which IP addresses to use when transferring packets from local networks.

For further information see the section ’The hiding place—IP masquerading (NAT, PAT)’ →page 74.

7.2.2 Local routing

You know the following behaviour of a workstation within a local network: The computer searches for a router to assist with transmitting a data packet to an IP address which is not on its own LAN. This router is normally introduced to the operating system with an entry as standard router or standard gateway. It is often only possible to enter one default router which is supposed to be able to reach all the IP addresses which are unknown to the workstation computer if there are several routers in a network. Occasionally, however, this default router cannot reach the destination network itself but does know another router which can find this destination.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

How can you assist the workstation computer now?

By default, the router sends the computer a response with the address of the router which knows the route to the destination network (this response is known as an ICMP redirect). The workstation computer then accepts this address and sends the data packet straight to the other router.

Certain computers, however, do not know how to handle ICMP redirects. To ensure that the data packets reach their destination anyway, use local routing. In this way you instruct the router itself in your device to send the data packet to other routers. In addition, in this case no more ICMP redirects will be sent. The setting is made under:

Configuration tool Run

LANconfig IP router  General  Forward packets within the local network

WEBconfig Expert Configuration  Setup  IP-router-module 

Ter min al/ Telnet

Loc.-routing

set /setup/IP-router-module/Loc. routing on

Local routing can be very helpful in isolated cases, however, it should also only be used in isolated cases. For local routing leads to a doubling of all data packets to the desired target network. The data is first sent to the default router and is then sent on from here to the router which is actually responsible in the local network.

connections

Routing and WAN

7.2.3 Dynamic routing with IP RIP

In addition to the static routing table, LANCOM routers also have a dynamic routing table containing up to 128 entries. Unlike the static table, you do not fill this out yourself, but leave it to be dealt with by the router itself. It uses the Routing Information Protocol (RIP) for this purpose. All devices that support RIP use this protocol to exchange information on the available routes.

What information is propagated by IP RIP?

A router uses the IP RIP information to inform the other routers in the network of the routes it finds in its own static table. The following entries are ignored in this process:

 Rejected routes with the '0.0.0.0' router setting.  Routes referring to other routers in the local network.  Routes linking individual computers to the LAN by proxy ARP.

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

Although the entries in the static routing table are set manually, this information changes according to the connection status of the router and so do the RIP packets transmitted.

 If the router has established a connection to a remote station, it propa-

gates all the networks which can be reached via this route in the RIPs with the distance '1'. Other routers in the LAN are thus informed by these means that a connection to the remote station has been established on this router which they can use. The establishment of additional connections by routers with dial-up connections can be prevented, thus reducing connection costs.

 If this router cannot establish a further connection to another remote sta-

tion, all other routes are propagated with the distance '1 6' i n th e RI Ps. The '16' stands for “This route is not available at the moment”. A router may be prevented from establishing a connection in addition to the present one may be due to one of the following causes:

 Another connection has already been established on all the other

channels (also via the LANCAPI).

 Y connections for the S

port have been explicitly excluded in the

interface table.

 The existing connection is using all B channels (channel bundling).

connections

Routing and WAN

 The existing connection is a leased-line connection. Only a few ISDN

providers enable a dial-up connection to be established on the second B channel in addition to a permanent connection on the first B channel.

Which information does the router take from received IP RIP packets?

When the router receives such IP RIP packets, it incorporates them in its dynamic routing table, which looks something like this:

IP address IP netmask Time Distance Router

192.168.120.0 255.255.255.0 1 2 192.168.110.1

192.168.130.0 255.255.255.0 5 3 192.168.110.2

192.168.140.0 255.255.255.0 1 5 192.168.110.3

What do the entries mean?

IP address and network mask identify the destination network, the distance shows the number of routers between the transmitter and receiver, the last

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

column shows which router has revealed this route. This leaves the 'Time'. The dynamic table thus shows how old the relevant route is. The value in this column acts as a multiplier for the intervals at which the RIP packets arrive. A '1', therefore, stands for 30 seconds, a '5' for about 2.5 minutes and so on. New information arriving about a route is, of course, designated as directly reachable and is given the time setting '1'. The value in this column is automatically incremented when the corresponding amount of time has elapsed. The distance is set to '16' after 3.5 minutes (route not reachable) and the route is deleted after 5.5 minutes.

Now if the router receives an IP RIP packet, it must decide whether or not to incorporate the route contained into its dynamic table. This is done as follows:

 The route is incorporated if it is not yet listed in the table (as long as there

is enough space in the table).

 The route exists in the table with a time of '5' or '6'. The new route is then

used if it indicates the same or a better distance.

 The route exists in the table with a time of '7' to '10' and thus has the dis-

tance '16'. The new route will always be used.

 The route exists in the table. The new route comes from the same router

which notified this route, but has a worse distance than the previous entry. If a device notifies the degradation of its own static routing table in this way (e.g. releasing a connection increases the distance from 1 to 2, see below), the router will believe this and include the poorer entry in its dynamic table.

connections

Routing and WAN

RIP packets from the WAN will be ignored and will be rejected immediately. RIP packets from the LAN will be evaluated and will not be propagated in the LAN.

The interaction of static and dynamic tables

The router uses the static and dynamic tables to calculate the actual IP routing table it uses to determine the path for data packets. In doing so, it includes the routes from the dynamic table which it does not know itself or which indicate a shorter distance than its own (static) route with the routes from its own static table.

Routers without IP RIP support

Routers which do not support the Routing Information Protocol are also occasionally present on the local network. These routers cannot recognize the RIP

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

packets and look on them as normal broadcast or multicast packets. Connections are continually established by the RIPs if this router holds the default route to a remote router. This can be prevented by entering the RIP port in the filter tables.

Scaling with IP RIP

If you use several routers in a local network with IP RIP, you can represent the routers outwardly as one large router. This procedure is also known as “scaling”. As a result of the constant exchange of information between the routers, such a router theoretically has no limits to the transmission options available to it.

Configuration of IP-RIP function

Configuration tool Menu/table

LANconfig IP router  General  RIP options

WEBconfig Expert Configuration  Setup  IP-router-module 

Ter min al/ Telnet

RIP-config

setup/IP-router-module/RIP-config

Routing and WAN

connections

 In the field 'RIP support' (or 'RIP type') the following selection is possible:

 'off': IP-RIP is not used (default).  'RIP-1': RIP-1 and RIP-2 packets are received but only RIP-1 packets

are sent.

 'RIP-1 compatible': RIP-1 and RIP- 2 packets are received. RIP-2 pack-

ets are sent as an IP broadcast.

 'RIP-2': Similar to 'RIP-1 compatible', except that all RIP packets are

sent to the IP multicast address 224.0.0.9.

 The entry under 'RIP-1 mask' (or 'R1 mask') can be set to the following

values:

 'class' (default): The network mask used in the RIP packet is derived

direc tly from the IP ad dress class, i. e. the following network masks are used for the network classes:

Class A 255.0.0.0

Class B 255.255.0.0

Class C 255.255.255.0

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

 'address': The network mask is derived from the first bit that is set in

the IP address entered. This and all high-order bits within the network mask are set. Thus, for example, the address 127.128.128.64 yields the IP network mask 255.255.255.192.

 'class + address': The network mask is formed from the IP address

class and a part attached after the address procedure. Thus, the above-mentioned address and the network mask 255.255.0.0 yield the IP network mask 255.128.0.0.

Routers with RIP capabilities dispatch the RIP packets approximately every 30 seconds.The router is only set up to send and receive RIPs if it has a unique IP address.The IP RIP module is deselected in the default setting using the IP address xxx.xxx.xxx.254.

7.2.4 SYN/ACK speedup

The SYN/ACK speedup method is used to accelerate IP data traffic. With SYN/ ACK speedup IP check characters (SYN for synchronization and ACK for acknowledge) a given preference within the transmission buffer over simple data packets. This prevents the situation that check characters remain in the transmission queue for a longer time and the remote station stop sending data as a result.

The greatest effect occurs with SYN/ACK speedup with fast connections when data quantities are simultaneously transferred in both directions at high speed.

The SYN/ACK speedup is activated at the factory.

connections

Routing and WAN

Switching off in case of problems

Due to the preferred handling of individual packets, the original packet order is changed. Although TCP/IP does not ensure a certain packet order, problems may result in a few isolated applications. This only concerns applications that

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

assume a certain order that differs from the protocol standard. In this case the SYN/ACK speedup can be deactivated:

Configuration tool Menu/table

LANconfig IP router  General  Pass on TCP SYN and ACK packets prefer-

WEBconfig Expert Configuration  Setup  IP-router-module 

Ter min al/ Telnet

entially

Routing-method  SYN/ACK-speedup

cd /setup/IP-router-module/routingmethod set SYN/ACK-speedup OFF

7.3 The hiding place—IP masquerading (NAT, PAT)

One of today's most common tasks for routers is connecting the numerous workstation computers in a LAN to the network of all networks, the Internet. Everyone should have the potential to access, for example, the WWW from his workstation and be able to fetch bang up-to- date information for his work.

7.3.1 Simple masquerading

IP masquerading provides a hiding place for every computer while connected with the Internet. Only the router module of the LANCOM and its IP address

connections

Routing and WAN

are visible on the Internet. The IP address can be fixed or assigned dynamically by the provider. The computers in the LAN then use the router as a gateway so that they themselves cannot be detected. Thereby, the router separates Internet and Intranet.

How does IP masquerading work?

Masquerading makes use of a characteristic of TCP/IP data transmission, which is to use port numbers for destination and source as well as the source and destination addresses. When the router receives a data packet for transfer it now notes the IP address and the sender's port in an internal table. It then gives the packet its unique IP address and a new port number, which could be

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

any number. It also enters this new port on the table and forwards the packet with the new information.

Source: 10.0.0.100 Target: 80.123.123.123

Source: 80.146.74.146, Port 3456

Target: 80.123.123.123

Internet

internal IP: 10.0.0.1 public IP: 80.146.74.146

IP: 10.0.0.100

Source IP Port

10.0.0.100 3456

The response to this new packet is now sent to the IP address of the router with the new sender port number. The entry in the internal table allows the router to assign this response to the original sender again.

Source: 80.123.123.123 Target: 10.0.0.100

connections

Routing and WAN

Source: 80.123.123.123

Target: 80.146.74.146, Port 3456

Internet

Source IP Port

10.0.0.100 3456

IP: 10.0.0.100

internal IP: 10.0.0.1 public IP: 80.146.74.146

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

Which protocols can be transmitted using IP masquerading?

IP masquerading for all IP protocols that are based on TCP, UDP, or ICMP and communicate exclusively through ports. One example of this type of uncomplicated protocol is the one the World Wide Web is based on: HTTP.

Individual IP protocols do use TCP or UDP, but do not, however communicate exclusively through ports. This type of protocol calls for a corresponding special procedure for IP masquerading. Among the group of protocols supported by IP masquerading in the LANCOM are:

 FTP (using the standard ports)  H.323 (to the same extent as used by Microsoft Netmeeting)  PPTP  IPSec  IRC

Configuration of IP masquerading

The use of IP masquerading is set individually for each route in the routing table. The routing table can be reached as follows:

Configuration tool Run

connections

Routing and WAN

LANconfig IP router  Routing  Routing table

WEBconfig Expert Configuration  Setup  IP-router-module

IP-routing-table

Ter min al/ Telnet

/setup/IP-router-module/IP-routing-table

Multiple addresses for the router

Masquerading pits two opposing requirements of the router against one another: While it must have an IP address which is valid on the local network, it must also have an address valid on the Internet. Since these two addresses may not in principle be located on the same logical network, there is only one solution: two IP addresses are required. Therefore, most standard Internet connections assign the router’s Internet IP address dynamically during the PPP negotiation.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

On the local side, the router supports two different networks: The Intranet and the DMZ (’de-militarized zone’). The DMZ marks a distinct, separate local network, usually for servers, that must be accessible from the Internet.

Intranet (LAN)

public IP:

80.146.74.146

LAN IP:

10.0.0.1

DMZ IP:

192.168.2.1

DMZ

The routing table’s Masquerading entry informs the router module whether local Intranet or DMZ addresses should be hidden behind the router’s Internet IP address or not:

 IP Masquerading switched off: No masquerading.

This variant is intended for Internet access with multiple static IP addresses (to be entered under DMZ network address and DMZ netmask). Examples would be to connect servers to the Internet, or to connect two Intranet subnets via VPN.

 masking Intranet and DMZ (default): This setting masks all local

addresses. Additionally to the Intranet, a second local network (DMZ) with private IP addresses can be connected to the Internet as well.

 masking Intranet only: This setting is ideally suited for Internet access

with multiple static IP addresses. Other than with ’IP Masquerading switched off’: Additionally to the DMZ, an Intranet with private IP addresses is supported simultaneously.

The DMZ and Intranet address assignment of the LANCOM can be entered at the following places:

connections

Routing and WAN

Configuration tool Run

LANconfig TCP/IP  General

WEBconfig Expert Configuration  Setup  TCP-IP-- Module

Ter min al/ Telnet

/Setup/TCP-IP-Module

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

7.3.2 Inverse masquerading

This masking operates in both directions: The local network behind the IP address of the router is masked if a computer from the LAN sends a packet to the Internet (simple masquerading).

If, on the other hand, a computer sends a packet from the Internet to, for example, an FTP server on the LAN (’exposed host’), from the point of view of this computer the router appears to be the FTP server. The router reads the IP address of the FTP server in the LAN from the entry in the service table. The packet is forwarded to this computer. All packets that come from the FTP server in the LAN (answers from the server) are hidden behind the IP address of the router.

Source: 80.123.123.123

Target: 80.146.74.146, Port 21

IP: 10.0.0.10

Routing and WAN

connections

Ports Target IP

20 to 21 10.0.0.10

The only small difference is that:

 Access to a service (port) in the intranet from outside must be defined in

advance by specifying a port number. The destination port is specified with the intranet address of, for example, the FTP server, in a service table to achieve this.

 When accessing the Internet from the LAN, on the other hand, the router

itself makes the entry in the port and IP address information table. The table concerned can hold up to 2048 entries, that is it allows 2048

simultaneous transmissions between the masked and the unmasked network.

After a specified period of time, the router, however, assumes that the entry is no longer required and deletes it automatically from the table.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

Configuration of the inverse masquerading

Configuration tool Run

LANconfig IP router  Masq.  Service list

WEBconfig Expert Configuration  Setup  IP-router-module 

Masquerading  Service-table

Ter min al/ Telnet

/setup/IP-router-module/masquerading/ service-table

Stateful Inspection and inverse masquerading

If in the Masquerading module a port is exposed (i.e. all packets received on this port should be forwarded to a server in the local area network), then this requires with a Deny All Firewall strategy an additional entry in the Stateful Inspection Firewall, which enables the access of all stations to the respective server.

7.3.3 Unmasked Internet access for server in the DMZ

While the inverse masquerading described in the proceeding paragraph allows to expose at least one service of each type (e.g. one Web, Mail and FTP server), this method is bound to some restrictions.

 The masquerading module must support and ’understand’ the particular

server service of the ’exposed host’. For instance, several VoIP servers use proprietary, non- standard ports for extended signalling. Thus such server could be used on unmasked connections solely.

 From a security point of view, it must be considered that the ’exposed

host’ resides within the LAN. When the host is under control of an attacker, it could be misused as a starting point for further attacks against machines in the local network.

connections

Routing and WAN

In order to prevent attacks from a cracked server to the local network, some LANCOM provide a dedicated DMZ interface (LANCOM 7011 VPN) or are able to separate their LAN ports on Ethernet level by hardware (LANCOM 821 ADSL/ISDN and LANCOM 1621 ADSL/ISDN with the Switch set to ’Private Mode’).

Two local networks - operating servers in a DMZ

This feature requires an Internet access with multiple static IP addresses. Please contact you ISP for an appropriate offer.

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

Example: You are assigned the IP network address 123.45.67.0 with the netmask 255.255.255.248 by your provider. Then you can assign the IP addresses as follows:

Routing and WAN

connections

DMZ IP address

123.45.67.0 network address

123.45.67.1 LANCOM as a gateway for the Intranet

123.45.67.2 Device in the LAN which is to receive unmasked access to the Internet, e.g.

123.45.67.3 broadcast address

Meaning/use

web server connected at the DMZ port

All computers and devices in the Intranet have no public IP address, and therefore appear with the IP address of the LANCOM (123.45.67.1) on the Internet.

Separation of Intranet and DMZ

Although Intranet and DMZ may be already separated on a Ethernet level by distinct interfaces, an appropriate Firewall rules must be set up in any case so that the DMZ is being separated from the LAN on the IP level as well. Thereby, the server service shall be available from the Internet and from the Intranet, but any IP traffic from the DMZ towards the Intranet must be prohibited. For the above example, this reads as follows:

 With a ’Allow All’ strategy (default): Deny access from 123.45.67.2 to “All

stations in local network“

 With a ’Deny All’ strategy (see ’Set-up of an explicit "Deny All" strategy’

→page 138): Allow access from "All stations in local network" to

123.45.67.2

7.4 N:N mapping

Network Address Translation (NAT) can be used for several different matters:

 for better utilizing the IP4 addresses ever becoming scarcer  for coupling of networks with same (private) address ranges  for producing unique addresses for network management

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

connections

Routing and WAN

The address translation is made “outbound”, i.e. the source address is translated for outgoing data packets and the destination address for incoming data packets, as long as the addresses are located within the defined translation range. An “inbound” address mapping, whereby the source address is translated (instead of the destination address), needs to be realized by an appropriate “outbound” address translation on the remote side.

7.4.1 Application examples

The following typical applications are described in this section:

 Coupling of private networks utilizing the same address range  Central remote monitoring by service providers

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

Network coupling

An often appearing scenario is the coupling of two company networks which internally use the same address range (e. g. 10.0.0.x). This is often the case, when one company should get access to one (or more) server(s) of the other one:

Network of firm A:

10.0.0.x

N:N mapping to 192.168.2.x

N:N mapping to 192.168.1.x

Network of firm B:

10.0.0.x

Routing and WAN

connections

Gateway

VPN tunnel

Target: 192.168.2.1

Server_A1: 10.0.0.1 Server_A2: 10.0.0.2

Gateway

Server_B1: 10.0.0.1 Server_B2: 10.0.0.2

With the help of N:N mapping, all addresses of the LAN can be translated to a new address range for the coupling with the other network. The network of company A e. g. will be translated to 192.168.1.x, the network of company B to 192.168.2.x. Under these new addresses the two LANs are now reachable for the respective other network. The station from the network of company A is now addressing server 1 of company B under the address 192.168.2.1. The addressee does not reside any more within the own network, the inquiry is now passed on to the gateway, and the routing to the other network is working as desired.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

Remote monitoring and remote control of networks

Gateway, e.g.

10.1.2.1

Customer C:

172.16.10.x, 255.255.255.0

Customer A, office 1:

10.1.2.x, 255.255.255.0

VPN tunnel

Customer A, office 2:

10.1.3.x, 255.255.255.0

Hot Spot, e.g.

172.16.10.11

Service provider:

172.16.10.x,

255.255.255.0

Customer A, headquarters:

10.1.x.x, 255.255.0.0

Internet

Customer B, office 1:

10.1.2.x, 255.255.255.0

Customer B, headquarters:

10.1.x.x, 255.255.0.0

Gateway

tun

VPN

GatewayGateway

Gateway, e.g.

80.123.123.123 (public) and 172.16.10.11 (intern)

Customer B, office 2:

10.1.3.x, 255.255.255.0

Customer D:

172.16.10.x,

255.255.255.0

connections

Routing and WAN

The individual networks can be structured very differently: Clients A and B integrate their branches with own networks via VPN connections to their LAN,

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

client C operates a network with several public WLAN base stations as hot spots, and client D has got an additional router for ISDN dial-up accesses in his LAN.

The networks of client A and B use different address ranges in the respective head office and the connected branches. A standard network coupling via VPN is therefore possible between these networks.

A complete list of all SNMP traps supported by LANCOM can be found in the appendix of this reference manual (’SNMP traps’ →page 287).

Routing of these different networks reaches very fast its limiting factors, if two

connections

Routing and WAN

or more clients use same address ranges. Additionally, if some clients use the same address range as the service provider as well, further address conflicts are added. In this example, one of the hot spots of client C has got the same address as the gateway of the service provider.

There are two different variants to resolve these address conflicts:

Loopback: decentralized 1:1 mapping

 In the decentralized variant, alternative IP addresses for communicating

Alternative: central N:N mapping

The loopback addresses are valid only for communication with certain remote stations on the connections belonging to them. Thus a LANCOM is not generally accessible via this IP address.

 Even more appealing is the solution of a central mapping: instead of con-

figuring each single gateway in the branch networks, the administrator configures solely one central address translation in the gateway of the

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

head office. On this occasion, also all subnetworks located “behind” the head office are supplied with the needed new IP addresses.

In this example, the administrator of the service provider selects 10.2.x.x as central address translation for the network of client B, so that both networks with actual same address range looks like two different networks for the gateway of the service provider.

The administrator selects the address ranges 192.168.2.x and 192.168.3.x for client C and D, so that the addresses of these networks do differ from the own network of the service provider.

In order to enable the gateway of the provider to monitor the networks of clients C and D, the administrator sets up an address translation to 192.168.1.x also for the own network.

7.4.2 Configuration

Setting up address translation

Configuration of N:N mapping succeeds with only few information. Since a LAN can be coupled with several other networks via N:N, different destinations can have also different address translations for a source IP range. The NAT table can contain 64 entries at maximum, including the following information:

 Index: Unambiguous index of the entry.  Source address: IP address of the workstation or network that should

get an alternative IP address.

 Source mask: Netmask of source range.  Remote station: Name of the remote station over that the remote net-

work is reachable.

 New network address: IP address or address range that should be used

for the translation.

For the new network address, the same netmask will be used as the source address already uses. For assignment of source and mapping addresses the following hints apply:

 Source and mapping can be assigned arbitrarily for the translation of sin-

gle addresses. Thus, for example, it is possible to assign the mapping address 192.168.1.88 to a LAN server with the IP address 10.1.1.99.

 For translation of entire address ranges, the station-related part of the IP

address will be taken directly, only appended to the network-related part

connections

Routing and WAN

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

of the mapping address. Therefore, in an assignment of 10.0.0.0/

255.255.255.0 to 192.168.1.0, a server of the LAN with IP address

10.1.1.99 will get assigned the mapping address 192.168.1.99.

The address range for translation must be at minimum as large as the source address range.

Please notice that the N:N mapping functions are only effective when the firewall has been activated. (’Firewall/QoS enabled’ →page 121)!

Additional configuration hints

 Entries in the routing tables for packets with new addresses to find the

way to their destination.

 DNS forwarding entries, in order that inquiries about certain devices in the

respective other networks can be resolved into mapped IP addresses (’DNS forwarding’ →page 279).

connections

Routing and WAN

 The firewall rules of the gateways must be adjusted such that (if neces-

sary) authorized stations resp. networks from the outside are permitted to set up connections.

 VPN rules for loopback addresses in order to transmit the newly assigned

IP addresses through an according VPN tunnel.

The IP address translation takes place in the LANCOM between firewall and IP router on one hand, and the VPN module on the other hand. All rules related to the own network use therefore the “unmapped” original addresses. The entries of the remote network

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

use the “mapped” addresses of the remote side, valid on the VPN connection.

Target address Source address

Virtual LANs (VLAN)

LAN interfaces

LAN / Switch

WLAN-1

Filter

WLAN-2

Encryption:

802.11i/WPA/WEP

DMZ

connections

Routing and WAN

PN services

VPN / PPTP

WAN interfaces

DSLoL

connection via LAN/Switch

ADSL

DSL

ISDN

DHCP client / PPP

IP masquerading

IPX over PPTP/VPN

Firewall / IDS / DoS / QoS

N:N mapping

IP module: NetBIOS, DNS,

DHCP server, RADIUS, RIP,

NTP, SNMP, SYSLOG, SMTP

Configuration & management:

Filter

WEBconfig, Telnet,

IP router

IPX router

LANCAPI

Filter

LAN bridge with “isolated mode”

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

Configuration with different tools

LANconfig

With LANconfig you adjust the address translation for the configuration range ’IP router’ on register card 'N:N-Mapping':

connections

Routing and WAN

WEBconfig, Telnet

Under WEBconfig and Telnet you find the NAT table for configuration of N:N mapping at the following positions of the menu tree:

Configuration tool Run

WEBconfig Expert configuration / Setup / IP router / NAT table

Terminal/Telnet Setup / IP router module / NAT table

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

When starting a new entry under WEBconfig, the NAT table shows up as follows:

7.5 Configuration of remote stations

Remote stations are configured in two tables:

 In the name list(s) all information is set that applies individually to only

one remote station.

 Parameters for the lower protocol levels (below IP or IPX) are defined in

the communication layer table.

The configuration of the authentication (protocol, user name, password) is not covered in this section.Information on authentication is contained in the section ’Establishing connection with PPP’

→page 91.

connections

Routing and WAN

7.5.1 Name list

The available remote stations are created in the name list with a suitable name and additional parameters.

Configuration tool Menu/table

LANconfig Communication  Remote sites  Name list

WEBconfig Expert configuration  Setup  WAN module  Name-list

Ter min al/ Telnet

cd /Setup/WAN module set name list[...]

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

7.5.2 Layer list

With a layer, a collection of protocol settings are defined, which should be used when connecting to specific remote stations. The list of the communication layers can be found under:

Configuration tool List

LANconfig Communication  General  Communication layers

WEBconfig Expert Configuration  Setup  WAN- module  Layer-list

Ter min al/ Telnet

In the communication layer list the common protocol combinations are already predefined. Changes or additions should only be made when remote stations are incompatible to the existing layers. The possible options are contained in the following list.

Please note that the parameters located in LANCOM depend upon the functionality of the unit. It is possible that your unit does not offer all of the options described here.

cd /setup/WAN module/ set layer-list [...]

Routing and WAN

connections

Parameter Meaning

Layer name The layer is selected in the name list under this name.

Encapsulation Additional encapsulations can be set for data packets.

'Transparent' No additional encapsulations.

'Ethernet' Encapsulation in the form of ethernet frames.

'LLC-MUX' Multiplexing via ATM with LLC/SNAP encapsulation

'VC-MUX' Multiplexing with ATM by establishing additional VCs

according to RFC 2684. Several protocols can be transmitted over the same VC (Virtual Channel).

according to RFC 2684.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

Parameter Meaning

Layer-3 The following options are available for the switching layer or network layer:

'Transparent' No additional header is inserted.

'PPP' The connection is established according to the PPP proto-

'AsyncPPP' Like 'PPP', only the asynchronous mode is used. This

'... with script'

'DHCP' Assignment of the network parameters via DHCP.

col (in the synchronous mode, i.e. bit-oriented). The configuration data are taken from the PPP table.

means that PPP functions character- oriented.

All options can be run with their own script if desired. The script is specified in the script list.

Layer-2 In this field the upper section of the security layer (Data Link Layer) is con-

Options Here you can activate the compression of the data to be transmitted and

Layer-1 In this field the lower section of the security layer (Data Link Layer) is con-

figured. The following options are available:

'Transparent' No additional header is inserted.

'PPPoE' Encapsulation of the PPP protocol information in ethernet

'PPPoE' The PPP negotiation runs via Ethernet. The PPP packets are

the bundling of channels. The selected option only becomes active when it is supported by both the ports used and the selected Layer-2 and Layer- 3 protocols. For further information see section ’Channel bundling with MLPPP’ →page 101.

figured. The following options are available:

'AAL-5' ATM adaptation layer

'ETH-10' Transparent Ethernet as per IEEE 802.3.

'HDLC' Securing and synchronization of the data transfer as per

'V.110' Transmission as per V.110 with a maximum of 38,400 bps.

Modem Modem transmission (requires Fax Modem option)

frames.

encapsulated in Ethernet frames for this purpose. This process is frequently used for DSL connections.

HDLC (in the 7 or 8-bit mode).

7.6 Establishing connection with PPP

connections

Routing and WAN

LANCOM routers also support the point-to- point protocol (PPP). PPP is a generic term for a whole series of WAN protocols which enable the interaction

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

of routers made by different manufacturers since this protocol is supported by practically all manufacturers.

Due to the increasing importance of this protocol family and the fact that PPP is not associated with any specific operating mode of the routers, we will be introducing the functions of the devices associated with the PPP here in a separate section.

7.6.1 The protocol

What is PPP?

The point-to- point protocol was developed specifically for network connections via serial channels and has asserted itself as the standard for connections between routers. It implements the following functions:

 Password protection according to PAP, CHAP or MS CHAP  Callback functions  Negotiation of the network protocol to be used over the connection

established (IP or IPX, for example). Included in this are any parameters necessary for these protocols, for example IP addresses. This process is carried out using IPCP (IP Control Protocol).

 Verification of the connection through the LCP (Link Control Protocol)

connections

Routing and WAN

 Combining several ISDN channels (MultiLink PPP)

PPP is the standard used by router connections for communication between devices or the WAN connection software of different manufacturers. Connection parameters are negotiated and a common denominator is agreed using standardized control protocols (e.g. LCP, IPCP, CCP) which are contained in PPP, in order to ensure successful data transfer where possible.

What is PPP used for?

It is best to use the point-to-point protocol in the following applications:

 for reasons of compatibility when communicating with external routers,

for example

 remote access from remote workstations with ISDN cards  Internet access (when sending addresses)

The PPP which is implemented by LANCOM can be used synchronously or asynchronously not only via a transparent HDLC connection, but also via an X.75 connection.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

The phases of PPP negotiation

Establishment of a connection using PPP always begins with a negotiation of the parameters to be used for the connection. This negotiation is carried out in four phases which should be understood for the sake of configuration and troubleshooting.

 Establish phase

Once a connection has been made at the data communication level, negotiation of the connection parameters begins through the LCP.

This ascertains whether the remote site is also ready to use PPP, and the packet sizes and authentication protocol (PAP, CHAP, MS-CHAP or none) are determined. The LCP then switches to the opened state.

 Authenticate phase

Passwords will then be exchanged, if necessary. The password will only be sent once if PAP is being used for the authentication process. An encrypted password will be sent periodically at adjustable intervals if CHAP or MS CHAP is being used.

Perhaps a callback is also negotiated in this phase via CBCP (Callback Control Protocol).

 Network phase

LANCOM, supports the protocols IPCP and IPXCP.

After the password has been successfully transmitted, the IPCP and/or IPXCP network layer can be established.

IP and/or IPS packets can be transferred from the router modules to the opened line if the negotiation of parameters is successful for at least one of the network layers.

 Terminate phase

In the final phase the line is cleared, when the logical connections for all protocols are cleared.

connections

Routing and WAN

PPP negotiation in the LANCOM

The progress of a PPP negotiation is logged in the devices' PPP statistics and the protocol packets listed in detail there can be used for checking purposes in the event of an error.

The PPP trace outputs offer a further method of analysis. You can use the command

trace + ppp

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

to begin output of the PPP protocol frames exchanged during a terminal session. You can perform a detailed analysis once the connection has been broken if this terminal session has been logged in a log file.

7.6.2 Everything o.k.? Checking the line with LCP

The devices involved in the establishment of a connection through PPP negotiate a common behaviour during data transfer. For example, they first decide whether a connection can be made at all using the security procedure, names and passwords specified.

The reliability of the line can be constantly monitored using the LCP once the connection has been established. This is achieved within the protocol by the LCP echo request and the associated LCP echo reply. The LCP echo request is a query in the form of a data packet which is transferred to the remote station along with the data. The connection is reliable and stable if a valid response to this request for information is returned (LCP echo reply). This request is repeated at defined intervals so that the connection can be continually monitored.

What happens when there is no reply? First a few retries will be initiated to exclude the possibility of any short-term line interference. The line will be dropped and an alternative route sought if all the retries remain unanswered.

connections

Routing and WAN

If, for example, the high-speed connection refuses to work, an existing ISDN port can open the way to the Internet as a backup.

During remote access of individual workstations with Windows operating systems, we recommend switching off the regular LCP requests since these operating systems do not reply to LCP echo requests.

The LCP request behaviour is configured in the PPP list for each individual connection. The intervals at which LCP requests should be made are set by the entries in the 'Time' and 'Retr.' fields, along with the number of retries that should be initiated without a response before the line can be considered faulty. LCP requests can be switched off entirely by setting the time at '0' and the retries at '0'.

7.6.3 Assignment of IP addresses via PPP

In order to connect computers using TCP/IP as the network protocol, all participating computers require a valid and unique IP address. If a remote station does not have its own IP address (such as the individual workstation of a

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

telecomputer), the LANCOM assigns it an IP address for the duration of the connection, enabling communications to take place.

This type of address assignment is carried out during PPP negotiation and implemented only for connections via WAN. In contrast, the assignment of addresses via DHCP is (normally) used within a local network.

Assignment of an IP address will only be possible if the LANCOM can identify the remote station by its call number or name when the call arrives, i.e. the authentication process has been successful.

Examples

 Remote access

Address assignment is made possible by a special entry in the IP routing table. 255.255.255.255 is specified as the network mask as the IP address to be assigned to the remote site in the 'Router- name' field. In this case, the router name is the name, with which the remote site must identify itself to the LANCOM.

In addition to the IP address, the addresses of the DNS and NBNS servers (Domain Name Server and NetBIOS Name Server) including the backup server from the entries in the TCP/IP module are transmitted to the remote station during this configuration.

So that everything functions properly, the remote site must also be adjusted in such a way that it can obtain the IP address and the name server from the LANCOM. This can be accomplished with Windows dialup networking through the settings in the 'TCP settings' under 'IP address' and 'DNS configuration'. This is where the options 'IP address assigned by server' and 'Specify name server addresses' are activated.

 Internet access

If Internet access for a local network is realized via the LANCOM, the assignment of IP addresses can occur in a reverse manner. Configurations are possible in which the LANCOM does not have a valid IP address in the Internet and is assigned one by the Internet provider for the duration of the connection. In addition to the IP address, the LANCOM also receives information via the DNS server of the provider during the PPP negotiation.

In the local network, the LANCOM is only known by its internal valid intranet address. All workstations in the local network can then access the same Internet account and also reach e.g. the DNS server.

connections

Routing and WAN

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

Windows users are able to view the assigned addresses via LANmonitor. In addition to the name of the remote station, the current IP address as well as the addresses of DNS and NBNS servers can be found there. Options such as channel bundling or the duration of the connection are also displayed.

7.6.4 Settings in the PPP list

You can specify a custom definition of the PPP negotiation for each of the remote sites that contact your net.

Configuration tool List

LANconfig Communication  Protocols  PPP list

WEBconfig Expert Configuration  Setup  WAN- module 

Ter min al/ Telnet

The PPP list may have up to 64 entries and contain the following values:

PPP-list

cd /setup/WAN module set PPP-list [...]

Routing and WAN

connections

In this column of

...enter the following values:

the PPP list...

Remote site (device name)

User name The name with which your router logs onto the remote site. The

Password Password transferred by your router to the remote site

Auth. Security method used on the PPP connection ('PAP', 'CHAP' or

Name the remote site uses to identify itself to your router.

device name of your router is used if nothing is specified here.

(if demanded). An asterisk (*) in the list indicates that an entry is present.

'none'). Your own router demands that the remote site observes this procedure. Not the other way round. This means that 'PAP', 'CHAP' security is not useful when connecting to Internet service providers, who may not wish to provide a password. Select 'none' as the security attribute for connections such as these.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

In this column of

...enter the following values:

the PPP list...

Time Time between two checks of the connection with LCP (see the fol-

Retr. Number of retries for the check attempt. You can eliminate the

Conf, Fail, Term These parameters are used to affect the way in which PPP is imple-

lowing section). This is specified in multiples of 10 seconds (i.e. 2 for 20 seconds, for instance). The value is simultaneously the time between two verifications of the connection to CHAP. Enter this time in minutes. The time must be set to '0' for remote sites using a Windows operating system.

effect of short-term line interference by selecting multiple retries. The connection will only be dropped if all attempts are unsuccessful. The time interval between two retries is 1/10 of the time interval between two checks. Simultaneously the number of the “Configure requests“ that the router maximum sends before it assumes a line error and clears the connection itself.

mented. The parameters are defined in RFC 1661 and are not described in greater detail here. You will find troubleshooting instructions in this RFC in connection with the router's PPP statistics if you are unable to establish any PPP connections. The default settings should generally suffice. These parameters can only be modified via LANconfig, SNMP or TFTP!

7.7 Extended connection for flat rates—Keep-alive

The term flat rate is used to refer to all-inclusive connection rates that are not billed according to connection times, but instead as a flat fee for fixed periods. With flat rates, there is no longer any reason to disconnect. On the contrary: New e-mails should be reported directly to the PC, the home workplace is to be continuously connected to the company network and users want to be able to reach friends and colleagues via Internet messenger services (ICQ etc.) without interruption. This means it is desirable to continuously maintain connections.

With the LANCOM the Keep-alive function ensures that connections are always established when the remote station has disconnected them.

connections

Routing and WAN

Configuration of Keep-alive function

The keep alive procedure is configured in the name list. If the holding time is set to 0 seconds, a connection is not actively discon-

nected by the LANCOM. The automatic disconnection of connections over which no data has been transmitted for a longer time is deactivated with a

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

holding time of 0 seconds then. However, connections interrupted by the remote site are not automatically re-established with this setting.

With a holding time of 9,999 seconds the connection is always re-established after any disconnection. Additionally, the connection is re-established after a reboot of the device (’auto reconnect’).

7.8 Callback functions

The LANCOM supports automatic callback via its ISDN port. In addition to callback via the D channel, the CBCP (Callback Control Protocol)

specified by Microsoft and callback via PPP as per RFC 1570 (PPP LCP extensions) are also offered. There is also the option of a particularly fast callback using a process developed by LANCOM. PCs with Windows operating system can be called back only via the CBCP.

7.8.1 Callback for Microsoft CBCP

With Microsoft CBCP, the callback number can be determined in various ways.

 The party called does not call back.  The party called allows the caller to specify the callback number itself.  The party called knows the callback numbers and only calls these back.

connections

Routing and WAN

Via CBCP, it is possible to establish connection to the LANCOM from a PC with Windows operating system and also to be called back by this PC. Three possible settings are selected in the name list via the callback entry as well as the calling number entry.

 Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50

No callback

For this setting, the callback entry must be set to 'off' when configuring via WEBconfig or in the console.

Callback number specified by caller

For this setting the callback entry must be set to 'Call back the remote site after name verification' (or must have the value 'Name' in WEBconfig or in the console). In the name list no telephone number may be specified.

After the Authentication an input window appears on the caller's screen in Windows that requests the ISDN telephone number of the PC.

The calling number is determined in the LANCOM

For this setting the callback entry must be set to 'Call back the remote site after name verification' (or must be set to the value 'Name' in WEBconfig or in the console). In the name list one telephone number must be specified.

Some Windows versions (especially Windows 98) prompt the user to confirm the callback to the telephone number stored in the LANCOM ('Administrator Specified') with an input window. Other Windows versions only inform the user that the PC is waiting for the callback from the LANCOM.

The callback to a Windows workstation occurs approx. 15 seconds after the first connection has been dropped. This time setting cannot be decreased since it is a Windows default setting.

7.8.2 Fast callback using the LANCOM process

This fast, LANCOM-specific process is ideal if two LANCOM are to communicate with one another via callback.

 The caller who may wish to be called back can activate the function 'Wait

for callback from remote site' in the name list (or 'Looser' when configuring via WEBconfig, terminal program or Telnet).

connections

Routing and WAN

LANCOM Reference Manual LCOS 3.50  Chapter 7: Routing and WAN connections

 The callback party selects 'Call back the remote site (fast procedure)' in

the name list and enters the calling number ('LANCOM' when configuring via WEBconfig, terminal program or Telnet).

For fast callback using the LANCOM method, the number list for answering calls must be kept up to date at both ends.

7.8.3 Callback with RFC 1570 (PPP LCP extensions)

The callback as per 1570 is the standard method for calling back routers of other manufacturers. This protocol extension describes five possibilities for requesting a callback. All versions are recognized by LANCOM. All versions will be processed in the same way, however:

The LANCOM drops the connection after authenticating the remote station and then calls back the station a few seconds later.

Configuration

For callback as per PPP you select the option 'Call back the remote site' in LANconfig or 'Auto' with configuration via WEBconfig, terminal program or Tel net .

Routing and WAN

connections

100

For callback as per PPP the number list for answering calls in the LANCOM must be up to date.

7.8.4 Overview of configuration of callback function

The following options are available in the name list under WEBconfig and terminal program/telnet for the callback function:

With this entry ...

'Off' No callback occurs.

'Auto' (not for Windows operating systems, see below)

... you set up the callback in this manner:

The remote station will be called back if so specified in the name list. At first, the call is denied and as soon as the channel is clear again, it is called back (duration is approx. 8 seconds). If the remote station is not found in the numerical list, it is first accepted as the DEFAULT remote station, and the callback is negotiated during the protocol negotiation. A charge of one unit is incurred for this.

Lancom Systems LCOS 3.50 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

1Preface

2 System design

3 Configuration and management

3.1 Configuration tools and approaches

3.2 Configuration software

3.2.1 Configuration using LANconfig

3.2.2 Configuration with WEBconfig

3.2.3 Configuration using Telnet

3.2.4 Configuration using SNMP

3.3 Remote configuration via Dial-Up Network

3.3.1 This is what you need for ISDN remote configuration

3.3.2 The first remote connection using Dial-Up Networking

3.3.3 The first remote connection using a PPP client and Telnet

3.4.1 Extended display options

3.4.2 Monitor Internet connection

3.5.1 How to start a trace

3.5.2 Overview of the keys

3.5.3 Overview of the parameters

3.5.4 Combination commands

3.5.5 Examples

3.6 Working with configuration files

3.7 New firmware with LANCOM FirmSafe

3.7.1 This is how LANCOM FirmSafe works

3.7.2 How to load new software

3.8 Command line interface

3.8.1 Command line reference

3.9 Scheduled Events

4 Management

4.1 N:N mapping

4.1.1 Application examples

4.1.2 Configuration

4.1.3

5 Diagnosis

5.1.1 Extended display options

5.1.2 Monitor Internet connection

5.2.1 How to start a trace

5.2.2 Overview of the keys

5.2.3 Overview of the parameters

5.2.4 Combination commands

5.2.5 Examples

6 Security

6.1 Protection for the configuration

6.1.1 Password protection

6.1.2 Login barring

6.1.3 Restriction of the access rights on the configuration

6.2 Protecting the ISDN connection

6.2.1 Identification control

6.2.2 Callback

6.3 The security checklist

7 Routing and WAN connections

7.1 General information on WAN connections

7.1.1 Bridges for standard protocols

7.1.2 What happens in the case of a request from the LAN?

7.2 IP routing

7.2.1 The IP routing table

7.2.2 Local routing

7.2.3 Dynamic routing with IP RIP

7.2.4 SYN/ACK speedup

7.3.1 Simple masquerading

7.3.2 Inverse masquerading

7.3.3 Unmasked Internet access for server in the DMZ

7.4 N:N mapping

7.4.1 Application examples

7.4.2 Configuration

7.5 Configuration of remote stations

7.5.1 Name list

7.5.2 Layer list

7.6 Establishing connection with PPP

7.6.1 The protocol

7.6.2 Everything o.k.? Checking the line with LCP

7.6.3 Assignment of IP addresses via PPP

7.6.4 Settings in the PPP list

7.8 Callback functions

7.8.1 Callback for Microsoft CBCP

7.8.2 Fast callback using the LANCOM process

7.8.3 Callback with RFC 1570 (PPP LCP extensions)