NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc.
Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this
document are copyright Intoto, Inc.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
EN 55 022 Declaration of Conformance
This is to certify that the FVS328 ProSafe VPN Firewall with Dial Back-up is shielded against the generation of radio
interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by
the application of EN 55 022 Class B (CISPR 22).
Certificate of the Manufacturer/Importer
It is hereby certified that the FVS328 ProSafe VPN Firewall with Dial Back-up has been suppressed in accordance with
the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for
example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please
refer to the notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
May 2004, 202-10031-01
Manufacturer's/Importer's Certificate
It is hereby certified that the FVS328 ProSafe VPN Firewall with Dial Back-up has been suppressed in accordance with
the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example,
test transmitters) may, however, be subject to certain restrictions. Please refer to the notes in the operating
instructions.
The Federal Office for Telecommunications Approvals has been notified that this equipment has been placed on the
market and has the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area
thereto), and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines, aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver, it may become the cause of radio interference.
Read instructions for correct handling.
Technical Support
Refer to the Support Information Card that shipped with your FVS328 ProSafe VPN Firewall with Dial Back-up.
World Wide Web
NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL)
http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer
or Netscape are required.
From the Client PC to the FVS328 ............................................ H-14
From the FVS328 to the Client PC ............................................ H-15
Monitoring the PC VPN Connection ............................................ H-15
Viewing the FVS328 VPN Status and Log Information ........................... H-16
Glossary
Index
Chapter 1
About This Manual
This chapter introduces the NETGEAR FVS328 ProSafe VPN Firewall with Dial Back-up
manual.
Audience
This reference manual assumes that the reader has basic to intermediate computer and Internet
skills. However, basic computer network, Internet, firewall, and VPN technology tutorial
information is provided in the Appendices and on the NETGEAR Web site.
Scope
This manual is written for the FVS328 Firewall according to these specifications:
Table 1-1. Manual Specifications
Product Version: FVS328 ProSafe VPN Firewall with Dial Back-up
Firmware Version Number: Version 1.0 Release 09
Manual Part Number: 202-10031-01
Manual Publication Date: May 2004
Note: Product updates are available on the NETGEAR Web site at
http://kbserver.netgear.com/products/FVS328.asp.
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Typographical Conventions
This guide uses the following typographical conventions:
Table 1-2. Typographical conventions
italics: Emphasis.
bold times roman: User input.
[Enter]: Named keys in text are shown enclosed in square brackets. The notation [Enter]
is used for the Enter key and the Return key.
Small Caps: DOS file and directory names.
Special Message Formats
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
How to Use this Manual
This manual includes both PDF and HTML versions. Use the topics below to identify how to take
advantage of these document formats when you need to view or print information from this
manual.
Figure Preface 1-1: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
To view the HTML version of the manual, you must have a version 4 or later browser with
JavaScript enabled.
2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.
– The Show in Contents button locates the current topic in the Contents tab.
– Previous/Next buttons display the previous or next topic.
– The PDF button links to a PDF version of the full manual.
– The Print button prints the current topic. Using this button when a step-by-step
procedure is displayed will send the entire procedure to your printer—you do not
have to worry about specifying the correct range of pages.
3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the
manual includes a link at the top right which links to a PDF file
containing just the currently selected chapter of the manual.
How to Print this Manual
To print this manual you can choose one of the following options, according to your needs.
• Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the
upper right side of the toolbar to print the currently displayed topic. Using this button when a
step-by-step procedure is displayed will send the entire procedure to your printer—you do not
have to worry about specifying the correct range of pages.
• Printing a Chapter. Use the link at the top right of any page.
– Click the “PDF of This Chapter” link at the top right of any page in the chapter you want
to print. A new browser window opens showing the PDF version of the chapter you were
viewing.
– Click the print icon in the upper left of the window.
– Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
• Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser
window.
– Click the PDF button. A new browser window opens showing the PDF version of the
chapter you were viewing.
– Click the print icon in the upper left side of the window.
– Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
Chapter 2
Introduction
This chapter describes the features of the NETGEAR FVS328 ProSafe VPN Firewall with Dial
Back-up. The FVS328 Firewall provides connection for multiple computers to the Internet through
an external broadband access device such as a cable modem or DSL modem, and supports
IPSec-based secure tunnels to IPSec-compatible VPN servers. The 8-port FVS328 with auto
fail-over connectivity through the serial port provides highly reliable Internet access for up to 253
users.
About the FVS328
The FVS328 is a complete security solution that protects your network from attacks and intrusions
and enables secure communications using Virtual Private Networks (VPN). Unlike simple Internet
sharing routers that rely on Network Address Translation (NAT) for security, the FVS328 uses
Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection.
The 8-port FVS328 provides highly reliable Internet access for up to 253 users with up to 50
concurrent VPN tunnels.
Key Features
The FVS328 features are highlighted below.
Full Routing on Both the Broadband and Serial Ports
You can install, configure, and operate the FVS328 to take full advantage of a variety of routing
options on both the serial and broadband WAN ports, including:
• Internet access via either the serial or broadband port.
• Auto fail-over connectivity through an analog or ISDN modem connected to the serial port.
If the broadband Internet connection fails, after waiting for an amount of time you specify,
the FVS328 can automatically establish a backup ISDN or dial-up Internet connection via the
serial port on the firewall.
• Remote Access Server (RAS) allows you to log in remotely through the serial port to access a
server on your LAN, other LAN resources, or the Internet based on a user name and password
you define.
• LAN-to-LAN access between two FVS328 firewalls through the serial port with the option of
enabling auto-failover Internet access across the serial LAN-to-LAN connection.
Virtual Private Networking
The FVS328 Firewall provides a secure encrypted connection between your local network and
remote networks or clients. Its VPN features include:
• Support for up to 50 simultaneous VPN connections.
• Support for industry standard VPN protocols.
The FVS328 ProSafe VPN Firewall with Dial Back-up supports standard keying methods
(Manual or IKE), standard authentication methods (MD5 and SHA-1), and standard
encryption methods (DES, 3DES). It is compatible with many other VPN products.
• Support for up to 168 bit encryption (3DES) for maximum security.
• Support for VPN Main Mode, Aggressive mode, or Manual Keying.
• Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS
feature is enabled with one of the supported service providers.
A Powerful, True Firewall
Unlike simple Internet sharing NAT routers, the FVS328 is a true firewall, using stateful packet
inspection to defend against hacker attacks. Its firewall features include:
• DoS protection
Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND
Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Logs security incidents
The FVS328 will log security events such as blocked incoming traffic, port scans, attacks, and
administrator logins. You can configure the firewall to e-mail the log to you at specified
intervals. You can also configure the firewall to send immediate alert messages to your e-mail
address or e-mail pager whenever a significant event occurs.
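As an added example (not NETGEAR firmware and not code from this manual), here is a small stateful inspector in Python that flags the four DoS patterns listed above: Ping of Death, SYN Flood, LAND attack and IP spoofing. The Packet record, the thresholds and all addresses are constructed for illustration; the firewall's own detection thresholds are not documented here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535   # largest legal reassembled IPv4 datagram, in bytes
SYN_WINDOW_SECONDS = 1.0  # sliding window for the half-open SYN count (assumption)
SYN_THRESHOLD = 100       # half-open SYNs to one service within the window (assumption)


@dataclass
class Packet:                # constructed packet summary, not a capture format
    ts: float
    iface: str               # "wan" (Internet port) or "lan" (Local ports)
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""          # TCP flags: "S" = SYN, "A" = ACK, "SA" = SYN-ACK
    frag_offset: int = 0     # fragment offset in bytes
    frag_len: int = 0        # payload bytes carried by this fragment
    more_frags: bool = False
    ip_id: int = 0


class Inspector:
    def __init__(self, lan_cidr: str = "192.168.0.0/24") -> None:
        self.lan_net = ip_network(lan_cidr)
        self.half_open: Dict[Tuple[str, int, str, int], float] = {}  # flow -> SYN time
        self.frag_end: Dict[Tuple[str, str, int], int] = {}          # datagram -> bytes seen

    def inspect(self, p: Packet) -> List[str]:
        checks = (self._land, self._spoof, self._ping_of_death, self._syn_flood)
        return [alert for alert in (check(p) for check in checks) if alert]

    def _land(self, p: Packet) -> Optional[str]:
        # LAND: the victim's own address (and port) used as the source
        if p.src == p.dst and (p.proto == "icmp" or p.sport == p.dport):
            return f"LAND attack: {p.src}:{p.sport} -> {p.dst}:{p.dport}"
        return None

    def _spoof(self, p: Packet) -> Optional[str]:
        # IP spoofing: a LAN or loopback source address arriving from the Internet side
        src = ip_address(p.src)
        if p.iface == "wan" and (src in self.lan_net or src.is_loopback):
            return f"IP spoofing: {p.src} claimed on the Internet port"
        return None

    def _ping_of_death(self, p: Packet) -> Optional[str]:
        # Ping of Death: ICMP fragments that would reassemble past 65535 bytes
        if p.proto != "icmp":
            return None
        key = (p.src, p.dst, p.ip_id)
        total = self.frag_end[key] = max(self.frag_end.get(key, 0), p.frag_offset + p.frag_len)
        if total > MAX_IP_DATAGRAM or not p.more_frags:
            del self.frag_end[key]       # datagram complete, or dropped as oversize
        if total > MAX_IP_DATAGRAM:
            return f"Ping of Death: ICMP from {p.src} would reassemble to {total} bytes"
        return None

    def _syn_flood(self, p: Packet) -> Optional[str]:
        # SYN flood: too many half-open handshakes toward one service in the window
        if p.proto != "tcp":
            return None
        key = (p.src, p.sport, p.dst, p.dport)
        if "A" in p.flags:
            self.half_open.pop(key, None)  # handshake completed: no longer half-open
            return None
        if p.flags != "S":
            return None
        self.half_open[key] = p.ts
        cutoff = p.ts - SYN_WINDOW_SECONDS
        self.half_open = {k: t for k, t in self.half_open.items() if t >= cutoff}
        pending = sum(1 for k in self.half_open if k[2:] == (p.dst, p.dport))
        if pending > SYN_THRESHOLD:
            return f"SYN flood: {pending} half-open connections to {p.dst}:{p.dport}"
        return None


def run_demo() -> List[str]:
    """Run constructed traffic through the inspector and return the alerts raised."""
    insp = Inspector()
    wan_ip, lan_gw = "198.51.100.1", "192.168.0.1"  # constructed addresses
    traffic = [
        Packet(0.0, "wan", "203.0.113.5", wan_ip, "tcp", 40000, 443, "S"),  # normal SYN
        Packet(0.1, "wan", "203.0.113.5", wan_ip, "tcp", 40000, 443, "A"),  # ... and ACK
        Packet(1.0, "wan", wan_ip, wan_ip, "tcp", 80, 80, "S"),             # LAND
        Packet(2.0, "wan", "192.168.0.50", lan_gw, "udp", 5353, 53),        # spoofed LAN source
        Packet(3.0, "wan", "203.0.113.7", wan_ip, "icmp", frag_offset=0, frag_len=1480,
               more_frags=True, ip_id=7),                                   # first fragment
        Packet(3.0, "wan", "203.0.113.7", wan_ip, "icmp", frag_offset=65120, frag_len=1000,
               ip_id=7),                                                    # offset+len > 65535
    ]
    # 101 SYNs from different source ports to one service within one second
    traffic += [Packet(4.0 + i / 1000, "wan", "203.0.113.8", wan_ip, "tcp", 10000 + i, 80, "S")
                for i in range(SYN_THRESHOLD + 1)]
    return [alert for pkt in traffic for alert in insp.inspect(pkt)]
```

The completed handshake at the start raises nothing because its ACK clears the half-open entry; only the four constructed attack patterns produce alerts.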
Content Filtering
With its content filtering feature, the FVS328 prevents objectionable content from reaching your
computers. The firewall allows you to control access to Internet content by screening for keywords
within Web addresses. You can configure the firewall to log and report attempts to access
objectionable Internet sites.
Configurable Auto Uplink™ Ethernet Connection
With its internal 8-port 10/100 switch, the FVS328 can connect to either a 10 Mbps standard
Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet WAN
interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.
The firewall incorporates Auto Uplink™ technology. Each local Ethernet port will automatically
sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as
to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to
the correct configuration. This feature also eliminates the need to worry about crossover cables, as
Auto Uplink will accommodate either type of cable to make the right connection.
Protocol Support
The FVS328 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing
Information Protocol (RIP). Appendix C, “Networks, Routing, and Firewall Basics” provides
further information on TCP/IP. Supported protocols include:
• The Ability to Enable or Disable IP Address Sharing by NAT
The FVS328 allows several networked computers to share an Internet account using only a
single IP address, which may be statically or dynamically assigned by your Internet service
provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user
ISP account. This feature can also be turned off completely for using the FVS328 in settings
where you want to manage the IP address scheme of your organization.
• Automatic Configuration of Attached computers by DHCP
The FVS328 dynamically assigns network configuration information, including IP, gateway,
and domain name server (DNS) addresses, to attached computers using Dynamic Host
Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on
your local network.
• DNS Proxy
When DHCP is enabled and no DNS addresses are specified, the firewall provides its own
address as a DNS server to the attached computers. The firewall obtains actual DNS addresses
from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE)
PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by
simulating a dial-up connection. This feature eliminates the need to run a login program such
as EnterNet or WinPOET on your computer.
• Point-to-Point Tunneling Protocol PPTP login support for European ISPs and BigPond login
for Telstra cable in Australia.
• Dynamic DNS
Dynamic DNS services allow remote users to find your network using a domain name when
your IP address is not permanently assigned. The firewall contains a client that can connect to
many popular Dynamic DNS services to register your dynamic IP address. See “Configuring
Dynamic DNS” on page 5-6.
Easy Installation and Management
You can install, configure, and operate the FVS328 within minutes after connecting it to the
network. The following features simplify installation and management tasks:
• Browser-based management
Browser-based configuration allows you to easily configure your firewall from almost any
type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup
Wizard is provided and online help documentation is built into the browser-based Web
Management Interface.
• Smart Wizard
The firewall automatically senses the type of Internet connection, asking you only for the
information required for your type of ISP account.
• Remote management
The firewall allows you to log in to the Web Management Interface from a remote location via
the Internet using the secure SSL protocol. For security, you can limit remote management access
to a specified remote IP address or range of addresses, and you can choose a nonstandard port
number.
• Diagnostic functions
The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote
reboot. These functions allow you to test Internet connectivity and reboot the firewall. You can
use these diagnostic functions directly from the FVS328 when you are connected on the LAN
or when you are connected over the Internet via the remote management function.
• Visual monitoring
The firewall’s front panel LEDs provide an easy way to monitor its status and activity.
• Flash EPROM for firmware upgrades
Note: Product updates are available on the NETGEAR Web site at
http://kbserver.netgear.com/products/FVS328.asp.
• Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.
What’s in the Box?
The product package should contain the following items:
• FVS328 ProSafe VPN Firewall with Dial Back-up
• AC power adapter
• FVS328 Resource CD (230-10041-02), including:
— This manual
— Application notes, tools, and other helpful information
• Warranty and registration card
• Support information card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the product for repair.
The Firewall’s Front Panel
The front panel of the FVS328 contains status LEDs. You can use some of the LEDs to verify
connections. Table 2-1 lists and describes each LED on the front panel of the firewall.
Figure 2-1: FVS328 Front Panel
These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1: LED Descriptions
Label                           Activity      Description
POWER                           On            Power is supplied to the firewall.
TEST                            On            The system is initializing.
TEST                            Off           The system is ready and running.
MODEM                           On/Blinking   The port detected a link with the Internet WAN connection or
                                              Remote Access Server. Blinking indicates data transmission.
INTERNET 100                    On/Blinking   The Internet port is operating at 100 Mbps.
INTERNET LINK/ACT (Activity)    On/Blinking   The port detected a link with the Internet WAN connection and is
                                              operating at 10 Mbps. Blinking indicates data transmission.
LOCAL 100                       On/Blinking   The Local port is operating at 100 Mbps.
LOCAL LINK/ACT (Link/Activity)  On/Blinking   The Local port has detected a link with a LAN connection and is
                                              operating at 10 Mbps. Blinking indicates data transmission.
The Firewall’s Rear Panel
The rear panel of the FVS328 contains the connections identified below.
[Rear panel labels, left to right: MODEM, LOCAL 10/100M ports 8 to 1, INTERNET]
Figure 2-2: FVS328 Rear Panel
Viewed from left to right, the rear panel contains the following elements:
• DB-9 serial port for modem connection
• Reset/Factory Default push button: push to reset; push and hold for 20 seconds to reset to
factory default settings
• Eight Local Ethernet RJ-45 ports for connecting the firewall to local computers
• Internet WAN Ethernet RJ-45 port for connecting the firewall to a cable or DSL modem
• 12V DC 1.2A power adapter input
Chapter 3
Connecting the FVS328 to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect
to the Internet. You can perform basic configuration of your FVS328 ProSafe VPN Firewall with
Dial Back-up using the Setup Wizard, or manually configure your Internet connection.
What You Will Need Before You Begin
You need to prepare these three things before you can connect your firewall to the Internet:
1. A computer properly connected to the firewall as explained below.
2. Active Internet service such as that provided by a DSL or Cable modem account.
3. The Internet Service Provider (ISP) configuration information for your account.
LAN Hardware Requirements
The FVS328 Firewall connects to your LAN via twisted-pair Ethernet cables.
To use the FVS328 Firewall on your network, each computer must have an installed Ethernet
Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network
at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall.
The broadband modem must provide a standard 10 Mbps 10BASE-T or 100 Mbps 100BASE-T
Ethernet interface.
LAN Configuration Requirements
For the initial connection to the Internet and configuration of your firewall, you will need to
connect a computer to the firewall which is set to automatically get its TCP/IP configuration from
the firewall via DHCP. The computer you use must have a Web browser such as Internet Explorer
v5 or greater or Netscape Communicator v4.7 or greater.
Note: Please refer to Appendix D, "Preparing Your Network" for assistance with DHCP
configuration.
Internet Configuration Requirements
Depending on how your ISP or IT group set up your Internet access, you will need one or more of
these configuration parameters to connect your firewall to the Internet:
• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed or Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
• Your ISP should have provided you with all the information needed to connect to the Internet.
If you cannot locate this information, you can ask your ISP to provide it or you can try one of
the options below.
• If you have a computer already connected using the active Internet access account, you can
gather the configuration information from that computer.
– For Windows 95/98/Me, open the Network control panel, select the TCP/IP entry for the
Ethernet adapter, and click Properties.
– For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry
for the Ethernet adapter, and click Properties.
– For Macintosh computers, open the TCP/IP or Network control panel.
• You may also refer to the FVS328 Resource CD for the NETGEAR Router ISP Guide which
provides Internet connection information for many ISPs.
Once you locate your Internet configuration parameters, you may want to record them on the page
below according to the instructions in “Worksheet for Recording Your Internet Connection
Information” on page 3-3.
Worksheet for Recording Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as
given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is
not required by all ISPs. If you connect using a login name and password, then fill in the
following:
Login Name: ________________________
Password: ______________________
Service Name: ________________________
Fixed or Static IP Address: If you have a static IP address, record the following information. For
example, 169.254.141.148 could be a valid IP address.
Fixed or Static Internet IP Address: ______.______.______.______
Subnet Mask: ______.______.______.______
Gateway IP Address: ______.______.______.______
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:
Primary DNS Server IP Address: ______.______.______.______
Secondary DNS Server IP Address: ______.______.______.______
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or
home. If you haven’t been given host or domain names, you can use the following examples as a
guide:
• If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name.
Your ISP might call this your account, user, host, computer, or system name.
• If your ISP’s mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: __________________
ISP Domain Name: ___________________
For Serial Port Internet Access: If you use a dial-up account, record the following:
Account/User Name: ___________________
Password: ____________________
Telephone number: _________________ Alternative number: _________________
Connecting the FVS328 to Your LAN
This section provides instructions for connecting the FVS328 ProSafe VPN Firewall with Dial
Back-up to your Local Area Network (LAN).
Note: The Resource CD included with your firewall contains an animated Installation Assistant to
help you through this procedure.
How to Connect the FVS328 to Your LAN
There are three steps to connecting your firewall:
• Connect the firewall to your network.
• Log in to the firewall.
• Connect to the Internet.
Follow the steps below to connect your firewall to your network.
1. CONNECT THE FIREWALL BETWEEN YOUR PC & MODEM
a. Turn off your computer.
b. Turn off your broadband modem.
c. Connect a Cat 5 Ethernet cable from the Internet port of the FVS328 to the broadband
modem.
d. Connect the Cat 5 Ethernet cable which came with the firewall from your computer to a
Local port on the router.
Note: The FVS328 Firewall incorporates Auto Uplink™ technology. Each Ethernet port
will automatically sense whether the cable plugged into the port should have a 'normal'
connection (e.g. connecting to a PC) or an 'uplink' connection (e.g. connecting to a switch
or hub). That port will then configure itself to the correct configuration. This feature also
eliminates the need to worry about crossover cables, as Auto Uplink will accommodate
either type of cable to make the right connection.
e. Securely insert one end of the Ethernet cable that came with your firewall into a Local port
on the router such as Local port 6 (C), and the other end into the Ethernet port of your
computer (D).
2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE
Warning: Failure to restart your network in the correct sequence could prevent you from
connecting to the Internet.
a. First, turn on the broadband modem and wait 2 minutes.
b. Now, turn on your firewall.
c. Last, turn on your computer.
Note: If software usually logs you in to the Internet, do not run that software or cancel it if
it starts automatically.
Figure 3-1: FVS328 status lights
Check the status lights and verify the following:
• Power: The power light goes on when you turn the firewall on.
• Test: The Test light turns on, blinks, then goes off after less than a minute.
• Internet: The Internet light on the firewall is lit. If the Internet light is not lit, make sure the
Ethernet cable is securely attached to the firewall Internet port and the powered on
modem.
• Local: A Local light on the router is lit. If no Local lights are lit, check that the Ethernet
cable connecting the powered on computer to the router is securely attached at both ends.
3. LOG IN TO THE FIREWALL
a. From your PC, launch your Internet browser.
b. Connect to the firewall by typing http://192.168.0.1 in the address field of Internet
Explorer or Netscape® Navigator.
c. For security reasons, the router has its own user name and password. When prompted,
enter admin for the router user name and password for the router password, both in lower
case letters.
Note: The router user name and password are not the same as any user name or password
you may use to log in to your Internet connection.
A login window like the one shown below opens:
Figure 3-2: Login window
d. After logging in to the router, you will see the Internet connection Smart Wizard on the
settings main page.
4. RUN THE SMART WIZARD TO CONNECT TO THE INTERNET
Figure 3-3: Setup Wizard
a. You are now connected to the router. If you do not see the menu above, click the Setup
Wizard link on the upper left of the main menu.
b. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses
(192.168.0.x) to LAN connected devices. Classical routing lets you directly manage the IP
addresses the FVS328 uses. Classical routing should be selected only by experienced
users.
c. Click Next and follow the steps in the Setup Wizard for inputting the configuration
parameters from your ISP to connect to the Internet.
Note: If you choose not to use the Setup Wizard, you can manually configure your
Internet connection settings by following the procedure “Manually Configuring Your
Internet Connection” on page 3-14.
Unless your ISP assigns your configuration automatically via DHCP, you
will need the configuration parameters from your ISP as you recorded them previously in
“Worksheet for Recording Your Internet Connection Information” on page 3-3.
d. When the firewall successfully detects an active Internet service, the firewall’s Internet
LED goes on. The Setup Wizard reports which connection type it discovered, and displays
the appropriate configuration menu. If the Setup Wizard finds no connection, you will be
prompted to check the physical connection between your firewall and the cable or DSL
line.
e. The Setup Wizard will report the type of connection it finds. The options are:
• Connections that require a login using protocols such as PPPoE, Telstra BigPond, or
PPTP broadband Internet connections.
• Connections that use dynamic IP address assignment.
• Connections that use fixed IP address assignment.
The procedures for filling in the configuration menu for each type of connection follow
below.
Configuring a Wizard-Detected Login Account
If the Setup Wizard determines that your Internet service account uses a login protocol such as
PPP over Ethernet (PPPoE), you will be directed to the correct setup menu.
1. Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers. If you
leave the Domain Name field blank, the firewall will attempt to learn the domain
automatically from the ISP. If this is not successful, you may need to enter it manually.
2. Enter the PPPoE login user name and password provided by your ISP. These fields are case
sensitive. If you want to change the login timeout, enter a new value in minutes.
Note: You will no longer need to launch the ISP’s login program on your computer in order to
access the Internet. When you start an Internet application, the firewall will automatically log
you in.
3. Enable or disable NAT (Network Address Translation). NAT allows all LAN computers to
gain Internet access via this Router, by sharing this Router's WAN IP address. In most
situations, NAT is essential for Internet access via this Router. You should only disable NAT if
you are sure you do not require it. When NAT is disabled, only standard routing is performed
by this Router.
4. Perform a DNS Lookup. A DNS (Domain Name Server) converts the Internet name (e.g.
www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other
Server on the Internet, you can do a DNS lookup to find the IP address.
Domain Name Server (DNS) Address: If you know that your ISP does not automatically
transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter
the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also.
If you enter an address here, after you finish configuring the firewall, reboot your computers
so that the settings take effect.
5. Enter the Router's MAC Address. Each computer or router on your network has a unique
32-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access
Control) address. Usually, select Use default address.
If your ISP requires MAC authentication, then select either Use this Computer's MAC address
to have the router use the MAC address of the computer you are now using, or Use This MAC
Address to manually type in the MAC address that your ISP expects.
6.Click Apply to save your settings.
7.Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 9, Troubleshooting.
Configuring a Wizard-Detected Dynamic IP Account
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment,
you will be directed to the correct setup menu.
1.Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers. If you
leave the Domain Name field blank, the firewall will attempt to learn the domain
automatically from the ISP. If this is not successful, you may need to enter it manually.
2.If you know that your ISP does not automatically transmit DNS addresses to the firewall
during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary
DNS Server. If a Secondary DNS Server address is available, enter it also.
A DNS server is a host on the Internet that translates Internet names (such as
www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one
or two DNS servers to your firewall during login. If the ISP does not transfer an address, you
must obtain it from the ISP and enter it manually here. If you enter an address here, you should
reboot your computers after configuring the firewall.
3.The Router’s MAC Address is the Ethernet MAC address that will be used by the firewall on
the Internet port.
If your ISP allows access from only one specific computer’s Ethernet MAC address, select
“Use this MAC address.” The firewall will then capture and use the MAC address of the
computer that you are now using. You must be using the one computer that is allowed by the
ISP. Otherwise, you can type in a MAC address.
Note: Some ISPs will register the Ethernet MAC address of the network interface card in your
computer when your account is first opened. They will then only accept traffic from the MAC
address of that computer. This feature allows your firewall to masquerade as that computer by
using its MAC address.
4.Click Apply to save your settings.
5.Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 9, Troubleshooting.
Configuring a Wizard-Detected Fixed IP (Static) Account
If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you
will be directed to the correct setup menu.
1.Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway
router. This information should have been provided to you by your ISP. You will need the
configuration parameters from your ISP you recorded in “Worksheet for Recording Your
Internet Connection Information” on page 3-3.
2.Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also.
DNS servers are required to perform the function of translating an Internet name such as
www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must
obtain DNS server addresses from your ISP and enter them manually here. You should reboot
your computers after configuring the firewall for these settings to take effect.
3.Click Apply to save the settings.
4.Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 9, Troubleshooting.
How to Configure the Serial Port for an Internet Connection
Use the procedure below to configure an Internet connection via the serial port of your firewall.
Follow the steps below to configure a serial port Internet connection on your firewall.
1.Connect the Firewall to your ISDN or dial-up modem
a.Turn off your modem and connect the cable from the serial port of the FVS328 to the
modem.
b.Turn on the modem and wait about 30 seconds for the lights to stop blinking.
2.Configure the Serial Port of the Firewall.
a.Use a browser to log in to the firewall at http://192.168.0.1 with its default User Name of
admin and default Password of password, or using whatever Password you have set up.
b.From the Setup Basic Settings menu, click Serial Port.
Figure 3-4: Serial Internet Connection configuration menu
c.Fill in the ISDN or analog ISP Internet configuration parameters as appropriate:
•For a Dial-up Account, enter the Account information. Check “Connect as required”
to enable the firewall to automatically dial the number. To enable Idle Time
disconnect, check the box and enter a time in minutes.
•To configure the Internet IP settings, fill in the address parameters your ISP provided.
d.Configure the Modem parameters.
Note: You can validate modem string settings by first connecting the modem directly to a
PC, establishing a connection to your ISP, and then copying the modem string settings
from the PC configuration and pasting them into the FVS328 Modem Properties Initial
String field. For more information on this procedure, please refer to the support area of the
NETGEAR web site.
•Select the Serial Line Speed. This is the maximum speed the modem will attempt to
use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps.
For dial-up modems, 56000 bps would be a typical setting.
•Select the Modem Type.
–For ISDN, select “Permanent connection (leased line).”
–For dial-up, select your modem from the list. “Standard Modem” should work in
most cases.
–If your modem is not on the list, select “User Defined” and enter the Modem
Properties.
Note: If you are not using a modem from the pre-defined list but are using the “User
Defined” Modem Type, you must first use the Serial Port menu Modem link to fill in the
Modem Properties settings for your modem.
e.Click Apply to save your settings.
3.Connect to the Internet to test your configuration.
a.If you have a broadband connection, disconnect it.
b.From a workstation, open a browser and test your serial port Internet connection.
Note: The response time of your serial port Internet connection will be slower than a
broadband Internet connection.
Testing Your Internet Connection
After completing the Internet connection configuration, you can test your Internet connection.
Log in to the firewall, then, from the Setup Basic Settings link, click the Test button. If the
NETGEAR Web site does not appear within one minute, refer to Chapter 9, Troubleshooting.
Your firewall is now configured to provide Internet access for your network. Your firewall
automatically connects to the Internet when one of your computers requires access. It is not
necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect,
log in, or disconnect. These functions are performed by the firewall as needed.
To access the Internet from any computer connected to your firewall, launch a browser such as
Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED
blink, indicating communication to the ISP. The browser should begin to display a Web page.
The following chapters describe how to configure the advanced features of your firewall, and how
to troubleshoot problems that may occur.
Manually Configuring Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup
Wizard to determine your configuration as described in the previous section.
Figure 3-5: Browser-based configuration Basic Settings menu (ISP Does Not Require Login and ISP Does Require Login views)
How to Manually Configure the Primary Internet Connection
Use these steps to manually configure the primary Internet connection in the Basic Settings menu.
1.Select your Internet connection type (broadband with or without login, or serial).
Note: If you are a Telstra BigPond broadband customer, or if you are in an area such as
Austria that uses broadband PPTP, login is required. If so, select BigPond or PPTP from the
Internet Service Type drop down box.
2.Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers.
3.If needed, enter the PPPoE login user name and password provided by your ISP. These fields
are case sensitive. To change the login timeout, enter a new value in minutes.
You will no longer need to run the ISP’s login program on your PC in order to access the
Internet. When you start an Internet application, your firewall automatically logs you in.
4.If you want to disable NAT, select the Disable radio button. Before disabling NAT, back up
your current configuration settings.
Note: Disabling NAT will reboot the router and reset all the FVS328 configuration
settings to the factory default. Disable NAT only if you plan to install the FVS328 in a
setting where you will be manually administering the IP address space on the LAN side
of the router.
5.Internet IP Address: If your ISP assigned you a permanent, fixed IP address for your PC, select
“Use static IP address.” Enter the IP address your ISP assigned. Also enter the netmask and the
Gateway IP address. The Gateway is the ISP’s router to which your firewall will connect.
6.Domain Name Server (DNS) Address: If your ISP does not automatically transmit DNS
addresses to the firewall during login, select “Use these DNS servers” and enter the IP address
of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it.
Note: A DNS server is a host on the Internet that translates Internet names (such as
www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one
or two DNS servers to your firewall during login. If the ISP does not transfer an address, you
must obtain it from the ISP and enter it manually here. If you enter an address here, you should
reboot your PCs after configuring the firewall.
7.Router’s MAC Address: This section determines the Ethernet MAC address that will be used
by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the
network interface card in your PC when your account is first opened. They will then only
accept traffic from the MAC address of that PC. This feature allows your firewall to
masquerade as that PC by “cloning” its MAC address. To change the MAC address, select
“Use this Computer’s MAC address.” The firewall will then capture and use the MAC address
of the PC that you are now using. You must be using the one PC that is allowed by the ISP. Or,
select “Use this MAC address” and enter it.
8.Click Apply to save your settings.
9.Click Test to test your Internet connection. If the NETGEAR Web site does not appear within
one minute, refer to Chapter 9, Troubleshooting.
Chapter 4
Serial Port Configuration
This chapter describes how to configure the serial port options of your FVS328 ProSafe VPN
Firewall with Dial Back-up. The FVS328 serial port lets you share the broadband connection of
another FVS328, share resources between two LANs, and take advantage of the routing functions
on the broadband (WAN), LAN, and serial network interfaces.
Note: If you configure the serial port of the FVS328 as the primary Internet connection, you will
not be able to configure the other serial port options. For instructions on configuring the serial port
as the primary Internet connection, please see “How to Configure the Serial Port for an Internet
Connection“ on page 3-10.
The FVS328 provides these serial port configuration options:
•Modem
Use this option to configure the serial modem settings for any of the features below.
•Auto-Rollover
Use this option to provide a backup connection for your broadband service. If the broadband
service you configured in the Basic Settings menu fails, the FVS328 will automatically
connect to the Internet through the serial port. However, you will then be accessing the
Internet at a slower speed than you would through your broadband service.
•Dial-in
Dial-in lets a single remote computer connect to the FVS328 through the serial port to gain
access to LAN resources or a remote access server.
•LAN-to-LAN
LAN-to-LAN enables direct communications between two FVS328 firewalls to:
— Share resources on the two LANs.
— Let users on one FVS328 share the Internet connection of the other FVS328.
— Let users on one FVS328 connect to the Internet through the second FVS328 in case the
broadband connection of the first FVS328 fails.
The procedures for these configuration options are presented below.
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Configuring a Serial Port Modem
You can configure a serial port modem for any of the features described above.
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
Basic Requirements for Serial Port Modem Configuration
Configuring a serial port modem requires these elements:
1.A serial analog or ISDN modem.
2.A serial modem cable with a DB9 connector.
3.An active phone or ISDN line.
How to Configure a Serial Port Modem
Follow the steps below to configure a serial port modem.
1.From the main menu, click Modem in the Serial Port section.
Figure 4-1: Serial Port Modem configuration menu
2.Select the Serial Line Speed.
This is the maximum speed the modem will attempt to use. For ISDN permanent connections,
the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a
typical setting.
— For ISDN, select “Permanent connection (leased line).”
— For dial-up, “Standard Modem” should work in most cases. Otherwise, select your modem
from the list.
— If your modem is not on the list, select “User Defined” and enter the Modem Properties.
If you are using the “User Defined” selection and configuring your own modem strings, fill
in the Modem Properties settings.
Note: You can validate modem string settings by first connecting the modem directly to a
PC, establishing a connection to your ISP, and then copying the modem string settings
from the PC configuration and pasting them into the FR328S Modem Properties Initial
String field. For more information on this procedure, please refer to the support area of the
NETGEAR web site.
3.Click Apply to save your settings.
Configuring Auto-Rollover
You can configure the serial port of the FVS328 to provide an auto-rollover backup connection for
your broadband service.
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
Basic Requirements for Auto-Rollover
Auto-Rollover requires these elements:
1.A broadband connection to the FVS328.
2.An ISDN or analog phone line with an active ISDN or dial-up ISP account
3.A serial modem properly configured and attached to the DB9 connector on the serial port.
4.The Auto-Rollover settings configured and applied to the FVS328.
How to Configure Auto-Rollover
Follow the steps below to configure a serial port auto-rollover connection.
1.Configure a serial port modem according to the instructions above.
2.From the main menu, click Auto-rollover in the Serial Port section.
Figure 4-2: Auto-Rollover configuration menu
3.Configure the Auto-Rollover settings.
4.Click Apply for the changes to take effect.
Configuring Dial-in on the Serial Port
Dial-in lets a single remote computer connect to the FVS328 through the serial port to gain access
to LAN resources or a remote access server.
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
Basic Requirements for Dial-in
Dial-in requires these elements:
1.A broadband connection to the FVS328.
2.An analog phone line.
3.A serial modem properly configured and attached to the DB9 connector on the serial port.
4.The Dial-in settings configured and applied to the FVS328.
How to Configure Dial-in
Follow the steps below to configure a serial port dial-in connection.
1.Configure a serial port modem according to the instructions above.
2.From the Serial Port section of the main menu, click Dial-in.
Figure 4-3: Serial Port Dial-in settings screen
3.Configure the Dial-in settings.
4.Click Apply for the changes to take effect.
Configuring LAN-to-LAN Settings
LAN-to-LAN enables direct communications between two FVS328 firewalls.
Figure 4-4: LAN-to-LAN network configuration (Firewall A and Firewall B joined by a serial connection; LAN addresses 192.168.0.1 and 192.168.3.1)
Basic Requirements for LAN-to-LAN Connections
Serial port LAN-to-LAN configurations require these elements:
1.An ISDN or analog phone line with an active ISDN or dial-up ISP account.
2.A serial modem properly configured and attached to the DB9 connector on the serial port.
3.A broadband connection to one FVS328 for LAN-to-LAN auto-rollover Internet access.
4.The LAN-to-LAN settings configured and applied to the two FVS328 firewalls.
How to Configure LAN-to-LAN Connections
Follow the steps below to configure a serial port LAN-to-LAN connection.
1.Configure a serial port modem according to the instructions above.
2.From the main menu, click LAN-to-LAN in the Serial Port section.
Figure 4-5: LAN-to-LAN configuration menu
3.Configure the LAN-to-LAN settings.
Note: The LAN subnet address of each FVS328 must be different.
4.Click Apply for the changes to take effect.
Chapter 5
WAN and LAN Configuration
This chapter describes how to configure the WAN and LAN settings of your FVS328 ProSafe
VPN Firewall with Dial Back-up.
Configuring LAN IP Settings
The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These
features can be found under the Advanced heading in the Main Menu of the browser interface.
The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a
DHCP server. The firewall’s default LAN IP configuration is:
•LAN IP addresses—192.168.0.1
•Subnet mask—255.255.255.0
These addresses are part of the IETF-designated private address range for use in private networks,
and should be suitable in most applications. If your network has a requirement to use a different IP
addressing scheme, you can make those changes.
The LAN TCP/IP Setup parameters are:
•IP Address
This is the LAN IP address of the firewall.
•IP Subnet Mask
This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet
Mask allows a device to know which other addresses are local to it, and which must be reached
through a gateway or router.
•RIP Direction
RIP (Router Information Protocol) allows a router to exchange routing information with other
routers. The RIP Direction selection controls how the firewall sends and receives RIP packets.
Both is the default.
— When set to Both or Out Only, the firewall will broadcast its routing table periodically.
— When set to Both or In Only, it will incorporate the RIP information that it receives.
— When set to None, it will not send any RIP packets and will ignore any RIP packets
received.
•RIP Version
This controls the format and the broadcasting method of the RIP packets that the router sends.
It recognizes both formats when receiving. By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you
have an unusual network setup.
— RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2
Note: If you change the LAN IP address of the firewall while connected through the
browser, you will be disconnected. You must then open a new connection to the new IP
address and log in again.
Using the Router as a DHCP Server
By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server,
allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to
the router's LAN. The assigned default gateway address is the LAN address of the firewall. IP
addresses will be assigned to the attached PCs from a pool of addresses specified in this menu.
Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See
“IP Configuration by DHCP” on page C-10 for an explanation of DHCP and information about
how to assign IP addresses for your network.
If another device on your network will be the DHCP server, or if you will manually configure the
network settings of all of your computers, clear the ‘Use router as DHCP server’ check box.
Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP
Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP
address. Using the default addressing scheme, you should define a range between 192.168.0.2 and
192.168.0.253, although you may wish to save part of the range for devices with fixed addresses.
The firewall will deliver the following parameters to any LAN device that requests DHCP:
•An IP Address from the range you have defined
•Subnet Mask
•Gateway IP Address is the firewall’s LAN IP address
•Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu;
otherwise, the firewall’s LAN IP address
•Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu
How to Configure LAN TCP/IP Setup Settings
1.Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of admin, default password of password, or using whatever password and LAN address
you have chosen for the firewall.
2.From the Main Menu, under Advanced, click the LAN IP Setup link to view the menu, shown
below.
Figure 5-1: LAN IP Setup Menu
3.Enter the LAN TCP/IP and DHCP parameters.
4.Click Apply to save your changes.
How to Configure Reserved IP Addresses
When you specify a reserved IP address for a PC on the LAN, that PC will always receive the
same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be
assigned to servers that require permanent IP settings.
To reserve an IP address:
1.Click the Add button.
2.In the IP Address box, type the IP address to assign to the PC or server.
Choose an IP address from the router’s LAN subnet, such as 192.168.0.X.
3.Type the MAC Address of the PC or server.
Note: If the PC is already present on your network, you can copy its MAC address from the
Attached Devices menu and paste it here.
4.Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the PC contacts the router's
DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and
renew.
To edit or delete a reserved address entry:
1.Click the button next to the reserved address you want to edit or delete.
2.Click Edit or Delete.
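The DHCP pool, the pre-assignment duplicate check and the reserved-address behaviour described above, as an added example that is not the firewall's own code: a small model of the LAN DHCP server using the manual's default addressing (192.168.0.1/24, pool 192.168.0.2 to 192.168.0.253). The class and method names, and the `in_use` set that stands in for hosts answering the probe, are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Defaults below are the manual's: firewall LAN address 192.168.0.1/24 and a pool of
# 192.168.0.2-192.168.0.253. The class and its methods are this example's own names,
# not the FVS328 firmware.


@dataclass
class LanDhcpServer:
    lan_ip: str = "192.168.0.1"
    subnet_mask: str = "255.255.255.0"
    start: str = "192.168.0.2"
    end: str = "192.168.0.253"
    primary_dns: Optional[str] = None      # Primary DNS from the Basic Settings menu, if entered
    secondary_dns: Optional[str] = None    # Secondary DNS from the Basic Settings menu, if entered
    reserved: Dict[str, str] = field(default_factory=dict)  # MAC -> reserved IP
    in_use: Set[str] = field(default_factory=set)           # constructed: hosts that answer the probe
    leases: Dict[str, str] = field(default_factory=dict)    # MAC -> currently leased IP

    def __post_init__(self) -> None:
        self.network = ipaddress.ip_interface(f"{self.lan_ip}/{self.subnet_mask}").network
        self.validate_pool()

    def validate_pool(self) -> None:
        """The pool must lie inside the LAN subnet and must not include the firewall itself."""
        lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        if lo > hi:
            raise ValueError("Starting IP Address is above Ending IP Address")
        for a in (lo, hi):
            if a not in self.network:
                raise ValueError(f"{a} is outside the firewall's LAN subnet {self.network}")
        if lo <= ipaddress.ip_address(self.lan_ip) <= hi:
            raise ValueError("pool must not include the firewall's own LAN IP address")

    def reserve(self, mac: str, ip: str) -> None:
        """Reserved IP Addresses menu: pin a MAC address to one address in the LAN subnet."""
        if ipaddress.ip_address(ip) not in self.network:
            raise ValueError(f"{ip} is not in the LAN subnet {self.network}")
        if ip in self.reserved.values():
            raise ValueError(f"{ip} is already reserved")
        self.reserved[mac.lower()] = ip

    def _probe(self, ip: str) -> bool:
        # Stand-in for the firewall testing a pool address before assigning it: an address
        # counts as taken if a host answers (constructed in_use set) or it is already leased.
        return ip in self.in_use or ip in self.leases.values()

    def assign(self, mac: str) -> Dict[str, Optional[str]]:
        """Handle a DHCP request and return the parameters the firewall would deliver."""
        mac = mac.lower()
        if mac in self.reserved:            # a reservation takes effect at the next request
            ip = self.reserved[mac]
        elif mac in self.leases:            # a known client renews the same address
            ip = self.leases[mac]
        else:
            ip = None
            for n in range(int(ipaddress.ip_address(self.start)),
                           int(ipaddress.ip_address(self.end)) + 1):
                cand = str(ipaddress.ip_address(n))
                if cand in self.reserved.values() or self._probe(cand):
                    continue                # skip reserved addresses and duplicates
                ip = cand
                break
            if ip is None:
                raise RuntimeError("DHCP pool exhausted")
        self.leases[mac] = ip
        return {
            "ip": ip,
            "subnet_mask": self.subnet_mask,
            "gateway": self.lan_ip,                          # always the firewall's LAN address
            "primary_dns": self.primary_dns or self.lan_ip,  # firewall's address if none entered
            "secondary_dns": self.secondary_dns,
        }
```

A reservation made while a PC still holds a pool lease only takes effect at that PC's next DHCP request, which is the release-and-renew step the note above calls for.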
Configuring WAN Settings
The WAN Setup menu allows configuration of WAN services such as automatic connection, DMZ
server, enabling diagnostic PING tests on the WAN interface, setting the MTU size, and the WAN
port speed. These features can be found under the Advanced WAN Setup heading in the Main
Menu of the browser interface.
These features are discussed below.
Connecting Automatically, as Required
Normally, this option should be Enabled, so that an Internet connection will be made
automatically, whenever Internet-bound traffic is detected. However, if this causes high connection
costs, you can disable this setting.
If disabled, you must connect manually, using the sub-screen accessed from the Connection Status
button on the Status screen.
Setting Up a Default DMZ Server
The default DMZ server feature is helpful when using some online games and videoconferencing
applications that are incompatible with NAT. The firewall is programmed to recognize some of
these applications and to work properly with them, but there are other applications that may not
function well. In some cases, one local PC can run the application properly if that PC’s IP address
is entered as the default DMZ server.
Note: For security, you should avoid using the default DMZ server feature. When a
computer is designated as the default DMZ server, it loses much of the protection of the
firewall, and is exposed to many exploits from the Internet. If compromised, the
computer can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a
response to one of your local computers or a service that you have configured in the Ports menu.
Instead of discarding this traffic, you can have it forwarded to one computer on your network. This
computer is called the Default DMZ Server.
How to Assign a Default DMZ Server
1.Click Default DMZ Server check box.
2.Type the IP address for that server.
3.Click Apply.
Responding to Ping on Internet WAN Port
If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on
Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your
firewall to be discovered. Don't check this box unless you have a specific reason to do so.
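The inbound decision described in the Default DMZ Server and Respond to Ping sections above, as an added example that is not the FVS328's own code: a model of how unsolicited traffic from the Internet is handled, showing why a DMZ host loses the firewall's protection. The class names, the session table and the Internet addresses (RFC 5737 documentation ranges) are this example's own constructions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical model of the firewall's WAN-side decision for inbound packets, written for
# this example; it is not the FVS328 firmware. Addresses are constructed.


@dataclass(frozen=True)
class InboundPacket:
    proto: str                # "tcp", "udp" or "icmp"
    src_ip: str               # Internet host
    src_port: int = 0
    dst_port: int = 0         # port on the firewall's WAN address
    icmp_type: str = ""       # "echo-request" for a ping


@dataclass
class WanInboundPolicy:
    dmz_server: Optional[str] = None     # Default DMZ Server, if enabled
    respond_to_ping: bool = False        # 'Respond to Ping on Internet WAN Port'
    # Services configured in the Ports menu: (proto, WAN port) -> LAN server
    port_rules: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # Requests already sent by local computers:
    # (proto, remote ip, remote port, WAN port used) -> LAN host
    sessions: Dict[Tuple[str, str, int, int], str] = field(default_factory=dict)

    def note_outbound(self, proto: str, lan_ip: str, remote_ip: str,
                      remote_port: int, wan_port: int) -> None:
        """Record a request from a local computer so that its response is recognised."""
        self.sessions[(proto, remote_ip, remote_port, wan_port)] = lan_ip

    def handle_inbound(self, pkt: InboundPacket) -> Tuple[str, str]:
        """Return (action, target): forward to a LAN host, reply from the firewall, or discard."""
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
            if self.respond_to_ping:
                return ("reply", "firewall")   # diagnostic only: makes the firewall discoverable
            return ("discard", "ping on WAN port disabled")
        local = self.sessions.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if local:
            return ("forward", local)          # response to one of your local computers
        server = self.port_rules.get((pkt.proto, pkt.dst_port))
        if server:
            return ("forward", server)         # service you configured in the Ports menu
        if self.dmz_server:
            return ("forward", self.dmz_server)  # every other unsolicited packet reaches the DMZ host
        return ("discard", "unsolicited traffic")  # normal behaviour without a DMZ server


if __name__ == "__main__":
    policy = WanInboundPolicy(dmz_server="192.168.0.99")
    probe = InboundPacket("tcp", "203.0.113.9", src_port=5555, dst_port=3389)
    print(policy.handle_inbound(probe))   # with a DMZ server set, this lands on 192.168.0.99
```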
How to Set the MTU Size
The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 bytes or
1492 Bytes for PPPoE connections. For some ISPs you may need to reduce the MTU. But this is
rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
Any packets sent through the firewall that are larger than the configured MTU size will be
repackaged into smaller packets to meet the MTU requirement.
To change the MTU size:
1.Under MTU Size, select Custom.
2.Enter a new size between 64 and 1500.
3.Click Apply to save the new configuration.
Configuring Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have
that name linked with your IP address by public Domain Name Servers (DNS). However, if your
Internet account uses a dynamically assigned IP address, you will not know in advance what your
IP address will be, and the address can change frequently. In this case, you can use a commercial
dynamic DNS service, which will allow you to register your domain to their IP address, and will
forward traffic directed to your domain to your frequently-changing IP address.
The firewall contains a client that can connect to a dynamic DNS service provider. To use this
feature, you must select a service provider and obtain an account with them. After you have
configured your account information in the firewall, whenever your ISP-assigned IP address
changes, your firewall will automatically contact your dynamic DNS service provider, log in to
your account, and register your new IP address.
How to Configure Dynamic DNS
1.Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of admin, default password of password, or using whatever password and LAN address
you have chosen for the firewall.
2.From the Main Menu of the browser interface, under Advanced, click Dynamic DNS.
3.Click the radio button for the dynamic DNS service you will use. Access the Web site of the
dynamic DNS service provider you chose, and register for an account.
For example, for TZO.com, go to www.TZO.com.
4.Click Apply to save your configuration.
5.Click Status to see the login in progress.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the
dynamic DNS service will not work because private addresses will not be routed on the
Internet.
Using Static Routes
Static Routes provide additional routing information to your firewall. Under normal
circumstances, the firewall has adequate routing information after it has been configured for
Internet access, and you do not need to configure additional static routes. You must configure
static routes only for unusual cases such as multiple routers or multiple IP subnets located on your
network.
Static Route Example
As an example of when a static route is needed, consider the following case:
•Your primary Internet access is through a cable modem to an ISP.
•You have an ISDN router on your home network for connecting to the company where
you are employed. This router’s address on your LAN is 192.168.0.100.
•You r company’s network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created. A default route
was created with your ISP as the gateway, and a second static route was created to your local
network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on
the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your
request to the company where you are employed, and the request will likely be denied by the
company’s firewall.
In this case you must define a static route, telling your firewall that 134.177.0.0 should be accessed
through the ISDN router at 192.168.0.100. The static route would look like Figure 5-3.
In this example:
• The Destination IP Address and IP Subnet Mask fields specify that this static route applies to
all 134.177.x.x addresses.
• The Gateway IP Address field specifies that all traffic for these addresses should be
forwarded to the ISDN router at 192.168.0.100.
• A Metric value of 1 will work since the ISDN router is on the LAN.
This represents the number of routers between your network and the destination. This is a
direct connection so it is set to 1.
• Private is selected only as a precautionary security measure in case RIP is activated.
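To see why the static route changes where company traffic goes, here is an added Python example (not code from the manual or from NETGEAR) that applies longest-prefix selection to a constructed routing table holding the two implicit routes and the static route from this example; the gateway labels "ISP" and "direct" are placeholders, not real addresses.

```python
import ipaddress

# Constructed routing table for the example above: the two implicit routes the
# firewall creates at setup, plus the static route for the company network.
# Gateway labels "ISP" and "direct" are placeholders, not real addresses.
ROUTES = [
    # (destination network, gateway, metric, private)
    ("0.0.0.0/0", "ISP", 1, False),                # default route via the ISP
    ("192.168.0.0/24", "direct", 1, False),        # local LAN, all 192.168.0.x
    ("134.177.0.0/16", "192.168.0.100", 1, True),  # company network via the ISDN router
]

def select_route(dest_ip, routes=ROUTES):
    """Return (network, gateway) for the most specific route matching dest_ip.

    The longest matching prefix wins; a lower metric breaks ties. None is
    returned only if nothing (not even a default route) matches.
    """
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for net, gateway, metric, _private in routes:
        network = ipaddress.ip_network(net)
        if addr not in network:
            continue
        key = (network.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, net, gateway)
    return None if best is None else (best[1], best[2])

def rip_advertised(routes=ROUTES):
    """Routes marked Private are withheld from RIP, as the Private bullet notes."""
    return [net for net, _gateway, _metric, private in routes if not private]

if __name__ == "__main__":
    # Without the static route, company traffic falls through to the default route
    # and is handed to the ISP, which is the failure the text describes.
    print(select_route("134.177.10.5", ROUTES[:2]))  # ('0.0.0.0/0', 'ISP')
    print(select_route("134.177.10.5"))              # ('134.177.0.0/16', '192.168.0.100')
```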
How to Configure Static Routes
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of admin, default password of password, or using whatever password and LAN address
you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click on Static Routes to view
the Static Routes menu, shown in Figure 5-2.
Figure 5-2: Static Routes Table
3. To add or edit a Static Route:
a. Click the Edit button to open the Edit Menu, shown below.
Figure 5-3: Static Route Entry and Edit Menu
b. Type a route name for this static route in the Route Name box under the table.
This is for identification purpose only.
c. Select Active to make this route effective.
d. Select Private if you want to limit access to the LAN only.
The static route will not be reported in RIP.
e. Type the Destination IP Address of the final destination.
f. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.255.
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the
firewall.
h. Type a number between 1 and 15 as the Metric value.
This represents the number of routers between your network and the destination. Usually,
a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
4. Click Apply to have the static route entered into the table.
Chapter 6
Protecting Your Network
This chapter describes how to use the basic firewall features of the FVS328 ProSafe VPN Firewall
with Dial Back-up to protect your network.
Protecting Access to Your FVS328 Firewall
For security reasons, the firewall has its own user name and password. Also, after a period of
inactivity for a set length of time, the administrator login will automatically disconnect. You can
use the procedures below to change the firewall's password and the amount of time for the
administrator’s login timeout.
Note: The user name and password are not the same as any user name or password you may use
to log in to your Internet connection.
NETGEAR recommends that you change this password to a more secure password. The ideal
password should contain no dictionary words from any language, and should be a mixture of both
upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.
How to Change the Built-In Password
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of admin, default password of password, or using whatever password and LAN
address you have chosen for the firewall.
2. From the main menu of the browser interface, under the Maintenance heading, select Set
Password to bring up the menu shown below.
Figure 6-1: Set Password menu
3. To change the password, first enter the old password, then enter the new password twice.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the
configuration. If you have backed up the firewall settings previously, you should do a new
backup so that the saved settings file includes the new password.
How to Change the Administrator Login Timeout
For security, the administrator’s login to the firewall configuration will time out after a period of
inactivity. To change the login timeout period:
1.In the Set Password menu, type a number in ‘Administrator login times out’ field. The
suggested default value is 5 minutes.
2.Click Apply to save your changes or click Cancel to keep the current period.
Configuring Basic Firewall Services
Basic firewall services you can configure include access blocking and scheduling of firewall
security. These topics are presented below.
Using the Block Sites Menu to Screen Content
The FVS328 allows you to restrict access based on the following categories:
•Use of a proxy server
•Type of file (Java, ActiveX, Cookie)
•Web addresses
•Web address keywords
These options are discussed below.
The Keyword Blocking menu is shown here.
Figure 6-2: Block Sites menu
To enable filtering, click the checkbox next to the type of filtering you want to enable. The filtering
choices are:
• Proxy: blocks use of a proxy server
• Java: blocks use of Java applets
• ActiveX: blocks use of ActiveX components (OCX files) used by IE on Windows
• Cookies: blocks all cookies
To enable keyword blocking, check “Turn keyword blocking on”, then click Apply.
To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.
To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
Keyword application examples:
•If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked,
as is the newsgroup alt.pictures.XXX.
•If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or
.gov) can be viewed.
•If you want to block all Internet browsing access, enter the keyword “.”.
Up to 255 entries are supported in the Keyword list.
To specify a Trusted User, enter that computer’s IP address in the Trusted User box and click
Apply. You may specify one Trusted User, which is a computer that will be exempt from blocking
and logging. Since the Trusted User will be identified by an IP address, you should configure that
computer with a fixed or reserved IP address.
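The keyword examples above imply how matches are decided; the following added Python model (constructed for this manual, not NETGEAR code) reproduces that behaviour, including the "." catch-all and the Trusted User exemption. Case-insensitive substring matching is inferred from the "XXX" versus xxx.html example and is an assumption.

```python
import ipaddress

class KeywordFilter:
    """Model of the Block Sites keyword list with a single Trusted User.

    Matching semantics are inferred from the manual's examples: a keyword
    matches anywhere in a URL or newsgroup name, case-insensitively
    ("XXX" blocks .../xxx.html), so the keyword "." matches every address.
    """
    MAX_KEYWORDS = 255   # limit stated in the manual

    def __init__(self, keywords=(), trusted_user=None, enabled=True):
        self.enabled = enabled
        self.keywords = []
        # The Trusted User is identified purely by IP address, which is why the
        # manual advises giving that computer a fixed or reserved address.
        self.trusted_user = ipaddress.ip_address(trusted_user) if trusted_user else None
        for keyword in keywords:
            self.add_keyword(keyword)

    def add_keyword(self, keyword):
        keyword = keyword.strip().lower()
        if not keyword:
            raise ValueError("empty keyword")
        if len(self.keywords) >= self.MAX_KEYWORDS:
            raise ValueError("keyword list is full (255 entries)")
        if keyword not in self.keywords:
            self.keywords.append(keyword)

    def delete_keyword(self, keyword):
        self.keywords.remove(keyword.strip().lower())

    def check(self, client_ip, target):
        """Return (blocked, matched_keyword) for a URL or newsgroup name requested by client_ip."""
        if not self.enabled:
            return False, None
        if self.trusted_user is not None and ipaddress.ip_address(client_ip) == self.trusted_user:
            return False, None   # exempt from blocking (and from logging)
        haystack = target.lower()
        for keyword in self.keywords:
            if keyword in haystack:
                return True, keyword
        return False, None
```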
Services and Rules Regulate Inbound and Outbound Traffic
The FVS328 ProSafe VPN Firewall with Dial Back-up firewall lets you regulate what ports are
available to the various TCP/IP protocols. Follow these two steps to configure inbound or
outbound traffic:
1.Define a Service
2.Set up an Inbound or Outbound Rule that uses the Service
These steps are discussed below.
Defining a Service
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve Web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FVS328 already holds a list of many service port numbers, you are not limited to
these choices. Use the Services menu to add additional services and applications to the list for use
in defining firewall rules. The Services menu shows a list of services that you have defined.
To define a new service, first you must determine which port number or range of numbers is used
by the application. This information can usually be determined by contacting the publisher of the
application or from user groups or newsgroups. When you have the port number information, go
to the Services menu and click on the Add Custom Service button. The Add Services menu will
appear.
To add a service:
1.Enter a descriptive name for the service so that you will remember what it is.
2.Select whether the service uses TCP or UDP as its transport protocol.
If you can’t determine which is used, select both.
3.Enter the lowest port number used by the service.
4.Enter the highest port number used by the service.
If the service only uses a single port number, enter the same number in both fields.
5.Click Apply.
The new service will now appear in the Services menu, and in the Service name selection box in
the Rules menu.
Using Inbound/Outbound Rules to Block or Allow Services
Firewall rules are used to block or allow specific traffic passing through from one side of the
firewall to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources,
selectively allowing only specific outside users to access specific resources. Outbound rules (LAN
to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of
the FVS328 are:
•Inbound: Block all access from outside except responses to requests from the LAN side.
•Outbound: Allow all access from the LAN side to the outside.
These default rules are shown in the Rules table of the Rules menu in Figure 6-3:
Figure 6-3: Rules menu
You can define additional rules that will specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destination IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
To create a new rule, click the Add button.
To edit an existing rule, select its button on the left side of the table and click Edit.
To delete an existing rule, select its button on the left side of the table and click Delete.
To move an existing rule to a different position in the table, select its button on the left side of the
table and click Move. At the script prompt, enter the number of the desired new position and click
OK.
An example of the menu for defining or editing a rule is shown in Figure 6-4. The parameters are:
•Service. From this list, select the application or service to be allowed or blocked. The list
already displays many common services, but you are not limited to these choices. Use the
Services menu to add any additional services or applications that do not already appear.
•Action. Choose how you would like this type of traffic to be handled. You can block or allow
always, or you can choose to block or allow according to the schedule you have defined in the
Schedule menu.
•Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound),
and choose whether you would like the traffic to be restricted by source IP address. You can
select Any, a Single address, or a Range. If you select a range of addresses, enter the range in
the start and finish boxes. If you select a single address, enter it in the start box.
• Destination Address. The Destination Address is assumed to be on the opposite side (LAN
or WAN) from the Source Address. As with the Source Address, you can select Any, a Single
address, or a Range, unless NAT is enabled and the destination is the LAN. In that case, you
must enter a Single LAN address in the start box.
•Log. You can select whether the traffic will be logged. The choices are:
–Never - no log entries will be made for this service.
–Match - traffic of this type which matches the parameters and action will be logged.
Examples of Using Services and Rules to Regulate Traffic
The following examples show how to combine Services and Rules so that the firewall blocks or
allows specific Internet traffic.
Inbound Rules (Port Forwarding)
Because the FVS328 uses Network Address Translation (NAT), your network presents only one IP
address to the Internet, and outside users cannot directly address any of your local computers.
However, by defining an inbound rule, also known as port forwarding, you can make a local server
(for example, a Web server or game server) visible and available to the Internet. The rule tells the
router to direct inbound traffic for a particular service to one local server based on the destination
port number.
Note: Some home broadband accounts do not allow you to run any server processes
(such as a Web or FTP server). Your ISP may check for servers and suspend your
account if it discovers active servers at your location. If you are unsure, refer to the
Acceptable Use Policy of your ISP.
Follow these guidelines when setting up port forwarding inbound rules:
•If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the
Advanced menus so that external users can always find your network.
•If the IP address of the local server computer is assigned by DHCP, it may change when the
computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu
to keep the computer’s IP address constant.
•Local computers must access the local server using the local LAN address of the computer.
Attempts by local computers to access the server using the external WAN IP address will fail.
Remember that allowing inbound services opens holes in your FVS328 Firewall. Only enable
those ports that are necessary for your network. Following are two application examples of
inbound rules:
Example: Port Forwarding to a Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web
(HTTP) requests from any outside IP address to the IP address of your Web server any time of day.
This rule is shown in Figure 6-4.
Figure 6-4: Rule example: A Local Public Web Server
Example: Port Forwarding for Videoconferencing
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown
in Figure 6-5, CU-SeeMe is a predefined service and its connections are allowed only from a
specified range of external IP addresses. In this case, we have also specified logging of any
incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 6-5: Rule example: Videoconference from Restricted Addresses
Example: Port Forwarding for VPN Tunnels when NAT is Off
If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses
anywhere on the Internet when NAT is off, first create a service and then an inbound rule.
Figure 6-6: Service example: port forwarding for VPN when NAT is Off
In the example shown in Figure 6-6, UDP port 500 connections are defined as the IPSec service.
Figure 6-7: Inbound rule example: VPN IPSec when NAT is off
In the example shown in Figure 6-7, VPN IPSec connections are allowed to any internal LAN IP
address.
Outbound Rules (Service Blocking or Port Filtering)
The FVS328 allows you to block the use of certain Internet services by computers on your
network. This is called service blocking or port filtering. You can define an outbound rule to block
Internet access from a local computer based on:
•IP address of the local computer (source address)
•IP address of the Internet site being contacted (destination address)
•Time of day
•Type of service being requested (service port number)
Outbound Rule Example: Blocking Instant Messaging
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the router
log any attempt to use Instant Messenger during that blocked period.
The order of precedence of rules is determined by the position of the rule on a list of many rules.
Also, there are optional Rules settings you can configure. These topics are presented here.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu. For any traffic attempting
to pass through the firewall, the packet information is subjected to the rules in the order of the
entries in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In
some cases, the order of precedence of two or more rules may be important in determining the
disposition of a packet. The Move button allows you to relocate a defined rule to a new position in
the table.
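The following added Python model (constructed for this manual, not NETGEAR firmware) ties together the Services, Rules, Schedule and order-of-precedence sections above: services carry a port range, each rule is tested top-down until the first match, the two default rules sit at the bottom, scheduled rules apply only inside their blocking window, and a Move operation changes the outcome by changing table position. The CU-SeeMe and Instant Messenger port numbers, the addresses and the rule names are sample values, and scheduled actions are assumed to fall through to later rules outside their window.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

@dataclass(frozen=True)
class Service:
    """A Services-menu entry: name, transport protocol(s) and a port range."""
    name: str
    protocols: frozenset    # {"TCP"}, {"UDP"}, or both when unsure
    port_low: int
    port_high: int          # same as port_low for a single-port service

    def matches(self, proto, dport):
        return proto in self.protocols and self.port_low <= dport <= self.port_high

@dataclass(frozen=True)
class Schedule:
    """Schedule-menu window: selected days plus 24-hour Start/End Blocking times."""
    days: frozenset         # e.g. {"Mon", ..., "Fri"}; all seven days = Every Day
    start: str = "00:00"    # "HH:MM"; start == end means All Day
    end: str = "00:00"

    def active(self, when):
        if when.strftime("%a") not in self.days:
            return False
        return self.start == self.end or self.start <= when.strftime("%H:%M") < self.end

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                              # "inbound" (WAN->LAN) or "outbound" (LAN->WAN)
    service: Optional[Service]                  # None = any service (used by the default rules)
    action: str                                 # "ALLOW" or "BLOCK"
    source: Optional[Tuple[str, str]] = None    # None = Any; (first, last) = Single or Range
    dest: Optional[Tuple[str, str]] = None
    schedule: Optional[Schedule] = None         # None = always; otherwise only inside the window
    log: str = "Never"                          # "Never" or "Match"

def in_range(ip, rng):
    if rng is None:
        return True
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(rng[0]) <= addr <= ipaddress.ip_address(rng[1])

def evaluate(rules, direction, proto, src, dst, dport, when_text):
    """Apply the table top-down; the first match decides. Returns (action, rule name, logged).

    when_text is "YYYY-MM-DD HH:MM" in the firewall's local time. Replies to LAN-initiated
    requests (the exception in the default inbound rule) are stateful and not modelled here.
    """
    when = datetime.strptime(when_text, "%Y-%m-%d %H:%M")
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.service is not None and not rule.service.matches(proto, dport):
            continue
        if not in_range(src, rule.source) or not in_range(dst, rule.dest):
            continue
        if rule.schedule is not None and not rule.schedule.active(when):
            continue
        return rule.action, rule.name, rule.log == "Match"
    raise ValueError("the rule table must end with the two default rules")

def move(rules, name, new_position):
    """Mirror the Move button: relocate a rule to a 1-based position in the table."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    rest.insert(new_position - 1, rule)
    return rest

# Constructed sample table. The CU-SeeMe and Instant Messenger port numbers are
# sample values chosen for this example; the manual does not list them.
HTTP = Service("HTTP", frozenset({"TCP"}), 80, 80)
CUSEEME = Service("CU-SeeMe", frozenset({"TCP", "UDP"}), 7648, 7648)
IM = Service("Instant Messenger", frozenset({"TCP"}), 5190, 5190)
WORK_HOURS = Schedule(frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}), "09:00", "17:00")

RULES = [
    Rule("Web server", "inbound", HTTP, "ALLOW", dest=("192.168.0.10", "192.168.0.10")),
    Rule("Branch videoconf", "inbound", CUSEEME, "ALLOW",
         source=("198.51.100.1", "198.51.100.254"),
         dest=("192.168.0.20", "192.168.0.20"), log="Match"),
    Rule("No IM at work", "outbound", IM, "BLOCK", schedule=WORK_HOURS, log="Match"),
    Rule("Default inbound", "inbound", None, "BLOCK"),    # block all access from outside
    Rule("Default outbound", "outbound", None, "ALLOW"),  # allow all access from the LAN
]
```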
Rules Menu Options
Use the Options checkboxes to enable the following:
•Enable VPN Passthrough (IPSec, PPTP, L2TP)
If LAN users need to use VPN (Virtual Private Networking) software on their computer, and
connect to remote sites or servers, enable this checkbox. This will allow the VPN protocols
(IPSec, PPTP, L2TP) to be used. If this checkbox is not checked, these protocols are blocked.
•Drop fragmented IP packets
If checked, all fragmented IP packets will be dropped (discarded). Normally, this should NOT
be checked.
•Block TCP flood
If checked, when a TCP flood attack is detected, the port used will be closed, and no traffic
will be able to use that port.
•Block UDP flood
If checked, when a UDP flood attack is detected, all traffic from that IP address will be
blocked.
•Block non-standard packets
If checked, only known packet types will be accepted; other packets will be blocked. The
known packet types are TCP, UDP, ICMP, ESP, and GRE. Note that these are packet types, not
protocols.
Setting Times and Scheduling Firewall Services
The FVS328 Firewall uses the Network Time Protocol (NTP) to obtain the current time and date
from one of several Network Time Servers on the Internet. In order to localize the time for your
log entries, you must select your Time Zone from the list.
How to Set Your Time Zone
In order to localize the time for your log entries, you must specify your Time Zone:
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of admin, default password of password, or using whatever password and LAN
address you have chosen for the firewall.
2. Click Schedule on the Security menu to display the menu shown below.
Figure 6-9: Schedule Services menu
3. Select your Time Zone. Use this setting for the blocking schedule according to your
local time zone and for time-stamping log entries. At power-up, the clock is set to
Saturday 01/01/2001 00:00:00.
Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually check Adjust for
Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end.
Enabling Daylight Savings Time will cause one hour to be added to the standard time.
4.Choose your NTP server. The firewall uses Netgear NTP servers by default. If you would
prefer to use a particular NTP server as the primary server, enter its IP address under Use this
NTP Server. The fixed NTP query interval is 2 hours.
5.Click Apply to save your settings.
How to Schedule Firewall Services
If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu,
you can set up a schedule for when blocking occurs or when access isn't restricted.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of admin, default password of password, or using whatever Password and LAN
address you have chosen for the firewall.
2. Click Schedule on the Security menu to display the Schedule Services menu.
3. To block Internet services based on a schedule, select Every Day or select one or more days. If
you want to limit access completely for the selected days, select All Day. Otherwise, to limit
access during certain times for the selected days, enter Start Blocking and End Blocking times.
Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and 30
minutes and 10:30 pm would be 22 hours and 30 minutes.
4. Click Apply to save your changes.
Chapter 7
Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVS328
Firewall. VPN tunnels provide secure, encrypted communications between your local network and
a remote network or computer.
Overview of FVS328 Policy-Based VPN Configuration
The FVS328 uses state-of-the-art firewall and security technology to facilitate controlled and
actively monitored VPN connectivity. Since the FVS328 strictly conforms to Internet Engineering
Task Force (IETF) standards, it is interoperable with devices from major network equipment
vendors.
Figure 7-1: Secure access through FVS328 VPN routers (diagram: a telecommuter with client
software and two VPN Firewalls, connected by VPN tunnels that encrypt data)
Using Policies to Manage VPN Traffic
You create policy definitions to manage VPN traffic on the FVS328. There are two kinds of
policies:
•IKE Policies: Define the authentication scheme and automatically generate the encryption
keys. As an alternative option, to further automate the process, you can create an Internet Key
Exchange (IKE) policy which uses a trusted certificate authority to provide the authentication
while the IKE policy still handles the encryption.
•VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you
can create a VPN policy which does not use an IKE policy but in which you manually enter all
the authentication and key parameters.
Since the VPN Auto policies require IKE policies, you must define the IKE policy first. The
FVS328 also allows you to manually input the authentication scheme and encryption key values.
VPN Manual policies manage the keys according to settings you select and do not use IKE
policies.
In order to establish secure communication over the Internet with the remote site, you need to
configure matching VPN parameters on both the local and remote sites. The outbound VPN
parameters on one end must match the inbound VPN parameters on the other end, and vice versa.
When the network traffic enters into the FVS328 from the LAN network interface, if there is no
VPN policy found for a type of network traffic, then that traffic passes through without any
change. However, if the traffic is selected by a VPN policy, then the Internet Protocol security
IPSec authentication and encryption rules will be applied to it as defined in the VPN policy.
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy
table. You can change the priority by selecting the VPN policy from the policy table and clicking
Move.
Using Automatic Key Management
The most common configuration scenarios will use IKE policies to automatically manage the
authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel
are generated automatically. The IKE protocols perform negotiations between the two VPN
endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform
authentication. Typically, CA authentication is used in large organizations which maintain their
own internal CA server. This requires that each VPN gateway have a certificate and trust
certificate root from the CA. Using CAs reduces the amount of data entry required on each VPN
endpoint.
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button
of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7-2.
Figure 7-2: IKE - Policy Configuration Menu
The IKE Policy Configuration fields are defined in the following table.
Table 7-1. IKE Policy Configuration Fields
Field: Description
General: These settings identify this policy and determine its major characteristics.
Policy Name: The descriptive name of the IKE policy. Each policy should have a unique
policy name. This name is not supplied to the remote VPN endpoint. It is
only used to help you identify IKE policies.
Direction/Type: This setting is used when determining if the IKE policy matches the current
traffic. The drop-down menu includes the following:
• Initiator – Outgoing connections are allowed, but incoming are blocked.
• Responder – Incoming connections are allowed, but outgoing are blocked.
• Both Directions – Both outgoing and incoming connections are allowed.
• Remote Access – This is to allow only incoming client connections,
where the IP address of the remote client is unknown.
If Remote Access is selected, the “Exchange Mode” MUST be
“Aggressive,” and the ‘Identities’ below (both Local and Remote) MUST
be “Name.” On the matching VPN Policy, the IP address of the remote
VPN endpoint should be set to 0.0.0.0.
Exchange Mode: Main Mode or Aggressive Mode. This setting must match the setting used
on the remote VPN endpoint.
• Main Mode is slower but more secure.
• Aggressive Mode is faster but less secure.
Local: These parameters apply to the Local FVS328 firewall.
Local Identity Type: Use this field to identify the local FVS328. You can choose one of the
following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• By a Fully Qualified User Name – your name, E-mail address, or other ID.
• By DER ASN.1 DN – the binary Distinguished Encoding Rules (DER)
encoding of your ASN.1 X.500 Distinguished Name.
Local Identity Data: This field lets you identify the local FVS328 by name.
Remote: These parameters apply to the target remote FVS328 firewall, VPN
gateway, or VPN client.
Remote Identity Type: Use this field to identify the remote FVS328. You can choose one of the
following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• By a Fully Qualified User Name – your name, E-mail address, or other ID.
• By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500
Distinguished Name.
Remote Identity Data: This field lets you identify the target remote FVS328 by name.
IKE SA Parameters: These parameters determine the properties of the IKE Security
Association.
Encryption Algorithm: Choose the encryption algorithm for this IKE policy:
• DES
• 3DES is more secure and is the default
Authentication Algorithm: If you enable Authentication Headers (AH), this menu lets you select
from these authentication algorithms:
• MD5 – the default
• SHA-1 – more secure
Authentication Method: You can select Pre-Shared Key or RSA Signature.
Pre-Shared Key: Specify the key according to the requirements of the Authentication
Algorithm you selected.
• For MD5, the key length should be 16 bytes.
• For SHA-1, the key length should be 20 bytes.
RSA Signature: RSA Signature requires a certificate.
Diffie-Hellman (DH) Group: The Diffie-Hellman groups are MODP Oakley Groups 1 and 2. The DH
Group setting determines the size of the key used in the key exchange.
This must match the value used on the remote VPN gateway or client.
Select Group 1 (768 bit) or Group 2 (1024 bit).
SA Life Time: The amount of time in seconds before the Security Association expires;
over an hour (3600) is common.
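As an added pre-flight check (constructed Python, not part of the FVS328 firmware), the following code encodes the constraints the table states: Remote Access requires Aggressive mode and name identities on both sides, the pre-shared key length follows the authentication algorithm, RSA Signature requires a certificate, the DH group is 1 or 2, and exchange mode and DH group must match the peer. Treating the table's "Name" identities as the FQDN and Fully Qualified User Name types, and requiring the same pre-shared key on both ends, are assumptions; the sample policies, host names and key are placeholders.

```python
# Constraints quoted from Table 7-1; policies are plain dicts keyed by field name.
PSK_LENGTH = {"MD5": 16, "SHA-1": 20}   # bytes, per the Pre-Shared Key row
DH_GROUPS = {1: 768, 2: 1024}           # MODP Oakley groups and their bit sizes
# Assumption: the table's "Name" identities are the two name-based identity types.
NAME_ID_TYPES = {"FQDN", "Fully Qualified User Name"}

def validate_ike_policy(p):
    """Return the table constraints a single IKE policy violates (empty list = OK)."""
    problems = []
    if p["direction"] == "Remote Access":
        if p["exchange_mode"] != "Aggressive":
            problems.append("Remote Access requires Aggressive exchange mode")
        if not {p["local_id_type"], p["remote_id_type"]} <= NAME_ID_TYPES:
            problems.append("Remote Access requires Name identities on both sides")
    if p["auth_method"] == "Pre-Shared Key":
        want = PSK_LENGTH[p["auth_alg"]]
        if len(p["psk"].encode("utf-8")) != want:
            problems.append(f"{p['auth_alg']} pre-shared key should be {want} bytes")
    elif p["auth_method"] == "RSA Signature" and not p.get("certificate"):
        problems.append("RSA Signature requires a certificate")
    if p["dh_group"] not in DH_GROUPS:
        problems.append("DH group must be 1 (768 bit) or 2 (1024 bit)")
    return problems

def peer_mismatches(local, remote):
    """Fields the table says must match on both ends, plus identity and key cross-checks."""
    out = [k for k in ("exchange_mode", "dh_group") if local[k] != remote[k]]
    # Each side's Local Identity Data must be what the other side expects as Remote Identity Data.
    if local["local_id"] != remote["remote_id"] or remote["local_id"] != local["remote_id"]:
        out.append("identity")
    if local["auth_method"] == "Pre-Shared Key" and local["psk"] != remote["psk"]:
        out.append("psk")   # assumption: both ends must hold the same pre-shared key
    return out

# Constructed sample policies for a gateway-to-gateway tunnel (placeholder names and key).
SITE_A = {"direction": "Both Directions", "exchange_mode": "Main", "dh_group": 2,
          "local_id_type": "FQDN", "local_id": "fw-a.example.com",
          "remote_id_type": "FQDN", "remote_id": "fw-b.example.com",
          "auth_method": "Pre-Shared Key", "auth_alg": "MD5", "psk": "0123456789abcdef"}
SITE_B = dict(SITE_A, local_id="fw-b.example.com", remote_id="fw-a.example.com")
```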
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN
Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Figure 7-3: VPN - Auto Policy Menu
The VPN Auto Policy fields are defined in the following table.
Table 7-1. VPN Auto Policy Configuration Fields
Field Description
General
  These settings identify this policy and determine its major characteristics.
Policy Name
  The descriptive name of the VPN policy. Each policy should have a unique
  policy name. This name is not supplied to the remote VPN endpoint. It is only
  used to help you identify VPN policies.
IKE Policy
  The existing IKE policies are presented in a drop-down list.
  Note: Create the IKE policy BEFORE creating a VPN - Auto policy.
Remote VPN Endpoint
  The address used to locate the remote VPN firewall or client to which you want
  to connect. The remote VPN endpoint must have this FVS328’s Local Identity
  Data entered as its “Remote VPN Endpoint”:
  • By its IP Address.
  • By its Fully Qualified Domain Name (FQDN) – your domain name.
SA Life Time
  The duration of the Security Association before it expires.
  • Seconds - the amount of time before the SA expires. Over an hour is common
    (3600).
  • Kbytes - the amount of traffic before the SA expires.
  One of these can be set without setting the other.
IPSec PFS
  If enabled, security is enhanced by ensuring that the key is changed at regular
  intervals. Also, even if one key is broken, subsequent keys are no easier to
  break. Each key has no relationship to the previous key.
PFS Key Group
  If PFS is enabled, this setting determines the DH group bit size used in the key
  exchange. This must match the value used on the remote gateway. Select
  Group 1 (768 bit) or Group 2 (1024 bit).
Traffic Selector
  These settings determine if and when a VPN tunnel will be established. If
  network traffic meets all criteria, then a VPN tunnel will be created.
Local IP
  The drop-down menu allows you to configure the source IP address of the
  outbound network traffic for which this VPN policy will provide security.
  Usually, this address will be from your network address space. The choices are:
  • ANY for all valid IP addresses in the Internet address space
    Note: Choosing ANY sends all traffic through the tunnel, which will eliminate
    activities such as Web access.
  • Single IP Address
  • Range of IP Addresses
  • Subnet Address
Remote IP
  The drop-down menu allows you to configure the destination IP address of the
  outbound network traffic for which this VPN policy will provide security. Usually,
  this address will be from the remote site's corporate network address space.
  The choices are:
  • ANY for all valid IP addresses in the Internet address space
    Note: Choosing ANY sends all traffic to the WAN through the tunnel,
    preventing for example, remote management or response to ping.
  • Single IP Address
  • Range of IP Addresses
  • Subnet Address
Authenticating Header (AH) Configuration
  AH specifies the authentication protocol for the VPN header. These settings
  must match the remote VPN endpoint.
Enable Authentication
  Use this check box to enable or disable AH for this VPN policy.
Authentication Algorithm
  If you enable AH, then select the authentication algorithm:
  MD5 – the default, or SHA1 – more secure
Encapsulated Security Payload (ESP) Configuration
  ESP provides security for the payload (data) sent through the VPN tunnel.
  Generally, you will want to enable both Encryption and Authentication. Two ESP
  modes are available:
  Plain ESP encryption or ESP encryption with authentication
  These settings must match the remote VPN endpoint.
Enable Encryption
  Use this check box to enable or disable ESP Encryption.
Encryption Algorithm
  If you enable ESP encryption, then select the encryption algorithm:
  DES – the default, or 3DES – more secure
Enable Authentication
  Use this check box to enable or disable ESP transform for this VPN policy.
Authentication Algorithm
  If you enable AH, then use this menu to select which authentication algorithm
  will be employed. The choices are:
  MD5 – the default, or SHA1 – more secure
NetBIOS Enable
  Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
  The NetBIOS protocol is used by Microsoft Networking for such features as
  Network Neighborhood.
VPN Policy Configuration for Manual Key Exchange
With Manual Key Management, you will not use an IKE policy. You must manually type in all the
required key information. Click the VPN Policies link from the VPN section of the main menu to
display the menu shown below.
Figure 7-4: VPN - Manual Policy Menu
The VPN Manual Policy fields are defined in the following table.
Table 7-1. VPN Manual Policy Configuration Fields
Field Description
General
  These settings identify this policy and determine its major characteristics.
Policy Name
  The name of the VPN policy. Each policy should have a unique policy name.
  This name is not supplied to the remote VPN Endpoint. It is used to help you
  identify VPN policies.
Remote VPN Endpoint
  The WAN Internet IP address or Fully Qualified Domain Name of the remote
  VPN firewall or client to which you want to connect. The remote VPN endpoint
  must have this FVS328’s WAN Internet IP address entered as its “Remote
  VPN Endpoint.”
Traffic Selector
  These settings determine if and when a VPN tunnel will be established. If
  network traffic meets all criteria, then a VPN tunnel will be created.
Local IP
  The drop-down menu allows you to configure the source IP address of the
  outbound network traffic for which this VPN policy will provide security.
  Usually, this address will be from your network address space. The choices
  are:
  • ANY for all valid IP addresses in the Internet address space
    Note: Choosing ANY sends all traffic through the tunnel, which will eliminate
    activities such as Web access.
  • Single IP Address
  • Range of IP Addresses
  • Subnet Address
Remote IP
  The drop-down menu allows you to configure the destination IP address of the
  outbound network traffic for which this VPN policy will provide security.
  Usually, this address will be from the remote site's corporate network address
  space. The choices are:
  • ANY for all valid IP addresses in the Internet address space
    Note: Choosing ANY sends all traffic to the WAN through the tunnel,
    preventing for example, remote management or response to ping.
  • Single IP Address
  • Range of IP Addresses
  • Subnet Address
Authenticating Header (AH) Configuration
  AH specifies the authentication protocol for the VPN header. These settings
  must match the remote VPN endpoint.
  Note: The Incoming settings must match the Outgoing settings on the remote
  VPN endpoint, and the Outgoing settings must match the Incoming settings on
  the remote VPN endpoint.
SPI - Incoming
  Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
  VPN endpoint has the same value in its "Outgoing SPI" field.
SPI - Outgoing
  Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
  VPN endpoint has the same value in its "Incoming SPI" field.
Enable Authentication
  Use this check box to enable or disable AH. Authentication is often not used,
  so you can leave the check box unselected.
Authentication Algorithm
  If you enable AH, then select the authentication algorithm:
  • MD5 – the default
  • SHA1 – more secure
  Enter the keys in the fields provided. For MD5, the keys should be 16
  characters. For SHA-1, the keys should be 20 characters.
Key - In
  Enter the keys.
  • For MD5, the keys should be 16 characters.
  • For SHA-1, the keys should be 20 characters.
  Any value is acceptable, provided the remote VPN endpoint has the same
  value in its Authentication Algorithm "Key - Out" field.
Key - Out
  Enter the keys in the fields provided.
  • For MD5, the keys should be 16 characters.
  • For SHA-1, the keys should be 20 characters.
  Any value is acceptable, provided the remote VPN endpoint has the same
  value in its Authentication Algorithm "Key - In" field.
Encapsulated Security Payload (ESP) Configuration
  ESP provides security for the payload (data) sent through the VPN tunnel.
  Generally, you will want to enable both encryption and authentication when
  you use ESP. Two ESP modes are available:
  • Plain ESP encryption
  • ESP encryption with authentication
  These settings must match the remote VPN endpoint.
SPI - Incoming
  Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
  VPN endpoint has the same value in its "Outgoing SPI" field.
SPI - Outgoing
  Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
  VPN endpoint has the same value in its "Incoming SPI" field.
Enable Encryption
  Use this check box to enable or disable ESP Encryption.
Encryption Algorithm
  If you enable ESP Encryption, then select the Encryption Algorithm:
  • DES - the default
  • 3DES - more secure
Key - In
  Enter the key in the fields provided.
  • For DES, the key should be 8 characters.
  • For 3DES, the key should be 24 characters.
  Any value is acceptable, provided the remote VPN endpoint has the same
  value in its Encryption Algorithm "Key - Out" field.
Key - Out
  Enter the key in the fields provided.
  • For DES, the key should be 8 characters.
  • For 3DES, the key should be 24 characters.
  Any value is acceptable, provided the remote VPN endpoint has the same
  value in its Encryption Algorithm "Key - In" field.
Enable Authentication
  Use this check box to enable or disable ESP authentication for this VPN policy.
Authentication Algorithm
  If you enable authentication, then use this menu to select the algorithm:
  • MD5 – the default
  • SHA1 – more secure
Key - In
  Enter the key.
  • For MD5, the key should be 16 characters.
  • For SHA-1, the key should be 20 characters.
  Any value is acceptable, provided the remote VPN endpoint has the same
  value in its Authentication Algorithm "Key - Out" field.
Key - Out
  Enter the key in the fields provided.
  • For MD5, the key should be 16 characters.
  • For SHA-1, the key should be 20 characters.
  Any value is acceptable, provided the remote VPN endpoint has the same
  value in its Authentication Algorithm "Key - In" field.
NetBIOS Enable
  Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
  The NetBIOS protocol is used by Microsoft Networking for such features as
  Network Neighborhood.
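The Manual Policy table above repeats the same three rules many times: SPIs are 3 to 8 hex characters, keys have a fixed length per algorithm (16 for MD5, 20 for SHA-1, 8 for DES, 24 for 3DES), and every Incoming value on one gateway must equal the Outgoing value on its peer. The following Python script is an added example, not part of the NETGEAR manual, that applies those rules to the ESP settings of two constructed gateways before they are typed into the menus. The dictionary field names and the sample SPI and key values are assumptions made for the example.

```python
import re

# Length rules taken from the Manual Policy table (Table 7-1).
AUTH_KEY_LEN = {"MD5": 16, "SHA-1": 20}   # ESP authentication keys
ENC_KEY_LEN = {"DES": 8, "3DES": 24}       # ESP encryption keys
SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")  # "Enter a Hex value (3 - 8 chars)"

# Each local field on the left must equal the peer's field on the right:
# local Incoming mirrors remote Outgoing and vice versa.
MIRRORED = [
    ("spi_in", "spi_out"), ("spi_out", "spi_in"),
    ("enc_key_in", "enc_key_out"), ("enc_key_out", "enc_key_in"),
    ("auth_key_in", "auth_key_out"), ("auth_key_out", "auth_key_in"),
]


def check_side(name, p):
    """Check one gateway's own ESP values against the length rules.
    Returns a list of human-readable problems (empty list means OK)."""
    problems = []
    for f in ("spi_in", "spi_out"):
        if not SPI_RE.match(p[f]):
            problems.append(f"{name}.{f}: SPI must be 3 to 8 hex characters")
    for alg_field, key_fields, table in (
        ("enc_alg", ("enc_key_in", "enc_key_out"), ENC_KEY_LEN),
        ("auth_alg", ("auth_key_in", "auth_key_out"), AUTH_KEY_LEN),
    ):
        want = table.get(p[alg_field])
        if want is None:
            problems.append(f"{name}.{alg_field}: unsupported algorithm {p[alg_field]!r}")
            continue
        for f in key_fields:
            if len(p[f]) != want:
                problems.append(f"{name}.{f}: {p[alg_field]} key must be {want} characters")
    return problems


def check_pair(local, remote):
    """Check both gateways, then verify the algorithms agree and that each
    Incoming value mirrors the peer's Outgoing value."""
    problems = check_side("local", local) + check_side("remote", remote)
    for alg_field in ("enc_alg", "auth_alg"):
        if local[alg_field] != remote[alg_field]:
            problems.append(f"{alg_field} differs between local and remote")
    for loc, rem in MIRRORED:
        a, b = local[loc], remote[rem]
        if loc.startswith("spi"):  # SPIs are hex digits, so ignore case
            a, b = a.lower(), b.lower()
        if a != b:
            problems.append(f"local {loc} does not match remote {rem}")
    return problems


# Constructed sample: Gateway A and a correctly mirrored Gateway B.
GATEWAY_A = {
    "spi_in": "1a2b3c", "spi_out": "4d5e6f",
    "enc_alg": "3DES",
    "enc_key_in": "zyxwvutsrqponmlkjihgfedc",    # 24 characters
    "enc_key_out": "0123456789abcdef01234567",   # 24 characters
    "auth_alg": "SHA-1",
    "auth_key_in": "0123456789abcdefghij",       # 20 characters
    "auth_key_out": "ABCDEFGHIJ0123456789",      # 20 characters
}
GATEWAY_B = {
    "spi_in": GATEWAY_A["spi_out"], "spi_out": GATEWAY_A["spi_in"],
    "enc_alg": "3DES",
    "enc_key_in": GATEWAY_A["enc_key_out"], "enc_key_out": GATEWAY_A["enc_key_in"],
    "auth_alg": "SHA-1",
    "auth_key_in": GATEWAY_A["auth_key_out"], "auth_key_out": GATEWAY_A["auth_key_in"],
}
# A mistyped peer: a non-hex SPI and a truncated authentication key.
GATEWAY_B_BROKEN = dict(GATEWAY_B, spi_out="ZZZ", auth_key_in="short")

if __name__ == "__main__":
    print("A <-> B:", check_pair(GATEWAY_A, GATEWAY_B) or "OK")
    for problem in check_pair(GATEWAY_A, GATEWAY_B_BROKEN):
        print("A <-> broken B:", problem)
```

The mirrored pairs are the part worth automating: a mismatch there produces a tunnel that silently drops traffic rather than an error in the menu, so checking both gateways' values side by side before entering them saves a ping test cycle.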
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are character strings generated using encryption and authentication schemes
which cannot be duplicated by anyone without access to the different values used in the production
of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a
workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification
Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA).
The FVS328 is able to use certificates to authenticate users at the endpoints during the IKE key
exchange process.
The certificates can be obtained from a certificate server an organization might maintain internally
or from the established public CAs. The certificates are produced by providing the particulars of
the user being identified to the CA. The information provided may include the user's name, e-mail
ID, domain name, etc.
A CA is part of a trust chain. A CA has a public key which is signed. The combination of the
signed public key and the private key enables the CA process to eliminate ‘man in the middle’
security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the
CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added
to the FVS328 and can then be used to form IKE policies for the user. Once a CA certificate is
added to the FVS328 and a certificate is created for a user, the corresponding IKE policy is added
to the FVS328. Whenever the user tries to send traffic through the FVS328, the certificates are
used in place of pre-shared keys during initial key exchange as the authentication and key
generation mechanism. Once the keys are established and the tunnel is set up the connection
proceeds according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FVS328 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FVS328 CRL regularly in order for the CA-based authentication
process to remain valid.
How to Use the VPN Wizard to Configure a VPN Tunnel
Note: If you have turned NAT off, before configuring VPN IPSec tunnels you must first
open UDP port 500 for inbound traffic as explained in “Example: Port Forwarding for
VPN Tunnels when NAT is Off” on page 6-10.
Follow this procedure to configure a VPN tunnel using the VPN Wizard.
Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will
fail if both are using the NETGEAR default address range of 192.168.0.x.
1. Log in to the FVS318 on LAN A at its default LAN address of http://192.168.0.1 with its
default user name of admin and password of password. Click the VPN Wizard link in the
main menu to display this screen. Click Next to proceed.
Figure 7-5: VPN Wizard Start Screen
2. Fill in the Connection Name, pre-shared key, and select the type of target end point, and click
Next to proceed.
Figure 7-6: Connection Name and Remote IP Type
3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next.
Figure 7-7: Remote IP
4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next.
The Summary screen below displays.
Figure 7-9: VPN Wizard Summary
To view the VPNC recommended authentication and encryption Phase 1 and Phase 2 settings
the VPN Wizard used, click the “here” link.
5. Click Done to complete the configuration procedure. The VPN Settings menu displays
showing that the new tunnel is enabled.
To view or modify the tunnel settings, select the radio button next to the tunnel entry and click
Edit.
Walk-Through of Configuration Scenarios
There are a variety of configurations you might implement with the FVS328. The scenarios listed
below illustrate typical configurations you might use in your organization.
In order to help make it easier to set up an IPsec system, the following two scenarios are provided.
These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to
make it easier to get the systems from different vendors to interoperate. NETGEAR is providing
you with both of these scenarios in the following two formats:
• VPN Consortium Scenarios without any product implementation details
• VPN Consortium Scenarios based on the FVS328 user interface
The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing. See Appendix E, “Virtual
Private Networking” for a full discussion of VPN and the configuration templates NETGEAR
developed for publishing multi-vendor VPN integration configuration case studies.
Note: See Appendix F, “NETGEAR VPN Configuration FVS318 or FVM318 to
FVS328” for a detailed procedure for configuring VPN communications between a
NETGEAR FVS318 and a FVS328. NETGEAR publishes additional interoperability
scenarios with various gateway and client software products. Look on the NETGEAR
Web site at www.netgear.com/support/main.asp for more details.
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
Figure 7-10: VPN Consortium Scenario 1 (Gateway A: LAN 10.5.6.0/24, LAN interface 10.5.6.1,
WAN interface 14.15.16.17; Internet; Gateway B: WAN interface 22.23.24.25, LAN interface
172.23.9.1, LAN 172.23.9.0/24)
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used
for testing IPsec but is not needed for configuring Gateway A.
Note: The /24 after the IP address refers to the full range of IP addresses. For example, 10.5.6.0/24
refers to IP address 10.5.6.0 with the netmask 255.255.255.0.
The IKE Phase 1 parameters used in Scenario 1 are:
• Main mode
• TripleDES
• SHA-1
• MODP group 2 (1024 bits)
• pre-shared secret of "hr5xb84l6aa9r6"
• SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
• Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4
subnets
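The Phase 2 selectors above are the same setting that Table 7-1 calls the Traffic Selector (Local IP and Remote IP, each set to ANY, a single address, a range or a subnet). The following Python script is an added example, not part of the NETGEAR manual, that models that decision for an outbound packet and shows why the table warns against ANY: with Remote IP set to ANY, a packet to an ordinary Web server is pulled into the tunnel instead of leaving in the clear. It assumes a simplified model in which the first matching policy wins and a non-matching packet is routed normally; the packet addresses are constructed, and 203.0.113.10 is a documentation address standing in for an arbitrary Web server.

```python
import ipaddress


def parse_selector(spec):
    """Build a matcher for one Local IP / Remote IP setting. Accepts the four
    forms listed in Table 7-1: "ANY", a single address ("10.5.6.1"),
    a range ("10.5.6.10-10.5.6.20") or a subnet ("10.5.6.0/24")."""
    spec = spec.strip()
    if spec.upper() == "ANY":
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {spec}")
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)  # a bare address becomes a /32
    return lambda ip: ip in net


def in_selector(spec, ip):
    """Convenience wrapper: does the address text `ip` match selector `spec`?"""
    return parse_selector(spec)(ipaddress.ip_address(ip))


class VpnPolicy:
    """One VPN policy's traffic selector. An outbound packet whose source
    matches Local IP and whose destination matches Remote IP is sent
    through this policy's tunnel."""

    def __init__(self, name, local_ip, remote_ip):
        self.name = name
        self.local = parse_selector(local_ip)
        self.remote = parse_selector(remote_ip)

    def selects(self, src, dst):
        return self.local(ipaddress.ip_address(src)) and self.remote(ipaddress.ip_address(dst))


def tunnel_for(policies, src, dst):
    """Return the name of the first policy whose selectors match the packet,
    or None if the packet would leave the WAN port without IPsec."""
    for policy in policies:
        if policy.selects(src, dst):
            return policy.name
    return None


# Scenario 1 selectors from this chapter: 10.5.6.0/24 behind Gateway A,
# 172.23.9.0/24 behind Gateway B.
SCENARIO_1 = [VpnPolicy("scenario1", "10.5.6.0/24", "172.23.9.0/24")]

# The same policy with Remote IP set to ANY, the case the table warns about.
REMOTE_ANY = [VpnPolicy("scenario1-any", "10.5.6.0/24", "ANY")]

# Constructed packets: LAN host to the peer LAN, and LAN host to a Web server.
TO_PEER_LAN = ("10.5.6.20", "172.23.9.5")
TO_WEB = ("10.5.6.20", "203.0.113.10")

if __name__ == "__main__":
    for label, policies in (("subnet selectors", SCENARIO_1), ("Remote IP = ANY", REMOTE_ANY)):
        for src, dst in (TO_PEER_LAN, TO_WEB):
            verdict = tunnel_for(policies, src, dst) or "cleartext"
            print(f"{label}: {src} -> {dst}: {verdict}")
```

Running it prints that both policies tunnel the packet to 172.23.9.5, but only the ANY policy also tunnels the packet to the Web server, which is the behaviour the table describes as eliminating Web access: the peer gateway has no route back to the Internet for that traffic. Keeping Remote IP to the peer's subnet is the fix.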
FVS328 Scenario 1: How to Configure the IKE and VPN Policies
Note: This scenario assumes all ports are open on the FVS328. You can verify this by reviewing
the security settings as seen in the “Using Inbound/Outbound Rules to Block or Allow Services”
on page 6-6.
Use this scenario illustration and configuration screens as a model to build your configuration.
Figure 7-11: LAN to LAN VPN access from an FVS328 to an FVS328 (Scenario 1: FVS328
Gateway A, WAN IP 14.15.16.17, LAN IP 10.5.6.1/24; Gateway B, WAN IP 22.23.24.25,
LAN IP 172.23.9.1/24)
1. Log in to the FVS328 labeled Gateway A as in the illustration.
Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of admin and default password of password, or using whatever Password and LAN
address you have chosen for the firewall.
2. Configure the WAN (Internet) and LAN IP addresses of the FVS328.
a. From the main menu Setup section, click the Basic Settings link.
Figure 7-12: FVS328 Internet IP Address menu (the ISP provides the WAN IP addresses
14.15.16.17 and 22.23.24.25; the LAN IP addresses are 10.5.6.1/24 and 172.23.9.1/24)
b. Select whether to enable or disable NAT (Network Address Translation). NAT allows all
LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP
address. In most situations, NAT is essential for Internet access via this Router. You should
only disable NAT if you are sure you do not require it. When NAT is disabled, only
standard routing is performed by this Router.
c. Configure the WAN Internet Address according to the settings in Figure 7-11 above and
click Apply to save your settings. For more information on configuring the WAN IP
settings in the Basic Setup topics, please see “Manually Configuring Your Internet
Connection” on page 3-14.
d. From the main menu Advanced section, click the LAN IP Setup link.
e. Configure the LAN IP address according to the settings in Figure 7-11 above and click
Apply to save your settings. For more information on LAN TCP/IP setup topics, please
see “How to Configure LAN TCP/IP Setup Settings” on page 5-3.
Note: After you click Apply to change the LAN IP address settings, your workstation will
be disconnected from the FVS328. You will have to log on with http://10.5.6.1 which is
now the address you use to connect to the built-in Web-based configuration manager of
the FVS328.
3. Set up the IKE Policy illustrated below on the FVS328.
a. From the main menu VPN section, click the IKE Policies link, and then click the Add
button to display the screen below.
Figure 7-13: Scenario 1 IKE Policy
b. Configure the IKE Policy according to the settings in the illustration above and click
Apply to save your settings. For more information on IKE Policy topics, please see “IKE
Policies’ Automatic Key and Authentication Management” on page 7-3.
4. Set up the FVS328 VPN - Auto Policy illustrated below.
a. From the main menu VPN section, click the VPN Policies link, and then click the Add
Auto Policy button.
Figure 7-14: Scenario 1 VPN - Auto Policy
b. Configure the IKE Policy according to the settings in the illustration above and click
Apply to save your settings. For more information on IKE Policy topics, please see “IKE
Policies’ Automatic Key and Authentication Management” on page 7-3.
5. After applying these changes, you will see a table entry like the one below.
Figure 7-15: VPN Policies table
Now all traffic from the range of LAN IP addresses specified on FVS328 A and FVS328 B
will flow over a secure VPN tunnel.
How to Check VPN Connections
You can test connectivity and view VPN status information on the FVS328.
1. To test connectivity between the Gateway A FVS328 LAN and the Gateway B LAN, follow
these steps:
a. Using our example, from a computer attached to the FVS328 on LAN A, on a Windows
computer click the Start button on the taskbar and then click Run.
b. Type ping -t 172.23.9.1, and then click OK.
c. This will cause a continuous ping to be sent to the LAN interface of Gateway B. After
between several seconds and two minutes, the ping response should change from “timed
out” to “reply.”
d. At this point the connection is established.
2. To test connectivity between the FVS328 Gateway A and Gateway B WAN ports, follow these
steps:
a. Using our example, log in to the FVS328 on LAN A, go to the main menu Maintenance
section and click the Diagnostics link.
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click
Ping.
c. This will cause a ping to be sent to the WAN interface of Gateway B. After between
several seconds and two minutes, the ping response should change from “timed out” to
“reply.” You may have to run this test several times before you get the “reply” message
back from the target FVS328.
d. At this point the connection is established.
Note: If you want to ping the FVS328 as a test of network connectivity, be sure the FVS328 is
configured to respond to a ping on the Internet WAN port. However, to preserve a high degree
of security, you should turn off this feature when you are finished with testing.
3. To view the FVS328 event log and status of Security Associations, follow these steps:
a. Go to the FVS328 main menu VPN section and click the VPN Status link.
b. The log screen will display a history of the VPN connections, and the IPSec SA and IKE
SA tables will report the status and data transmission statistics of the VPN tunnels for each
policy.
FVS328 Scenario 2: Authenticating with RSA Certificates
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509
(PKIX) certificates for authentication. The network setup is identical to the one given in Scenario
1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in Scenario 1, with the
exception that the identification is done with signatures authenticated by PKIX certificates.
Note: Before completing this configuration scenario, make sure the correct Time Zone is set on the
FVS328. For instructions on this topic, please see, “How to Set Your Time Zone” on page 6-14.
1. Obtain a root certificate.
a. Obtain the root certificate (which includes the CA’s public key) from a Certificate
Authority (CA).
Note: The procedure for obtaining certificates differs between a CA like Verisign and a
CA such as a Windows 2000 certificate server, which an organization operates for
providing certificates for its members. For example, an administrator of a Windows 2000
certificate server might provide it to you via e-mail.
b. Save the certificate as a text file called trust.txt.
2. Install the trusted CA certificate for the Trusted Root CA.
a. Log in to the FVS328.
b. From the main menu VPN section, click the CAs link.
c. Click Add to add a CA.
d. Click Browse to locate the trust.txt file.
e. Click Upload.
Figure 7-16: Certificate Authorities table
You will now see a screen such as the one above showing that the Certificate Authority is
now registered with the FVS328.
3. Create a certificate request for the FVS328.
a. From the main menu VPN section, click the Certificates link.