Netgear SRXN3205 Reference Guide

ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive San Jose, CA 95134
202-10416-02 v1.0 January 2010
© 2008–2010 by NETGEAR, Inc. All rights reserved.
Technical Support
Please refer to the support information card that shipped with your product. By registering your product at http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product and software upgrades.
NETGEAR, INC. Support Information
Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card.
E-mail: support@netgear.com
North American NETGEAR website: http://www.netgear.com
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
EU Regulatory Compliance Statement
The ProSafe Wireless-N VPN Firewall is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1.
For EU Declaration of Conformity please visit: http://kb.netgear.com/app/answers/detail/a_id/11621/sno/0.
v1.0, January 2010
Manufacturer's/Importer's Certification
It is hereby certified that the ProSafe Wireless-N VPN Firewall is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified that this equipment has been placed on the market and is entitled to inspect the series for compliance with the regulations.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe Wireless-N VPN Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.
Additional Copyrights
AES Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission.
This software is provided 'as is' with no express or implied warranties of correctness or fitness for purpose.
OpenSSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib
zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th, 2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alumni.caltech.edu
The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format), and rfc1952.txt (gzip format).
Product and Publication Details
Model Number: SRXN3205
Publication Date: January 2010
Product Family: VPN Firewall
Product Name: ProSafe Wireless-N VPN Firewall
Home or Business Product: Business
Language: English
Publication Part Number: 202-10416-02
Publication Version Number: 1.0

Contents

About This Manual
  Conventions, Formats, and Scope .... xiii
  How to Print this Manual .... xiv
  Revision History .... xiv
Chapter 1 Introduction
  Key Features .... 1-1
    A Powerful, True Firewall with Content Filtering .... 1-2
    Autosensing Ethernet Connections with Auto Uplink .... 1-2
    Extensive Protocol Support .... 1-3
    Advanced VPN Support for Both IPsec and SSL .... 1-3
  Wireless Networking Features .... 1-4
  Easy Installation and Management .... 1-5
    System Requirements .... 1-5
  Package Contents .... 1-6
  Front Panel Features .... 1-6
  Rear Panel Features .... 1-8
  Default IP Address, Login Name, and Password Location .... 1-9
  Qualified Web Browsers .... 1-9
Chapter 2 Connecting to the Internet (WAN)
  Understanding the Connection Steps .... 2-1
  Logging into the VPN Firewall .... 2-2
  Navigating the Menus .... 2-3
  Configuring the Internet Connection (WAN) .... 2-4
    Automatically Detecting and Connecting .... 2-4
    Manually Configuring the Internet Connection .... 2-7
    Configuring the WAN Mode .... 2-11
  Configuring Dynamic DNS .... 2-12
  Configuring the Advanced WAN Options (Optional) .... 2-14
    Additional WAN Related Configuration .... 2-15
Chapter 3 LAN Configuration
  Using the VPN Firewall as a DHCP Server .... 3-1
  Configuring the LAN Setup Options .... 3-2
  Managing Groups and Hosts (LAN Groups) .... 3-5
    Viewing the LAN Groups Database .... 3-7
    Adding Devices to the LAN Groups Database .... 3-8
    Changing Group Names in the LAN Groups Database .... 3-9
    Configuring DHCP Address Reservation .... 3-9
  Configuring Multi Home LAN IP Addresses .... 3-10
  Configuring Static Routes .... 3-11
  Configuring Routing Information Protocol (RIP) .... 3-13
Chapter 4 Wireless Configuration
  Wireless Equipment Placement and Range Guidelines .... 4-2
  Understanding the VPN Firewall Wireless Security Options .... 4-2
  Configuring Basic Wireless Setup (Without Security) .... 4-4
  Testing and Completing Wireless Setup (Without Security) .... 4-6
    Testing Wireless Connectivity (Without Security) .... 4-6
    Configuring the Wireless Channel Settings (Without Security) .... 4-7
  Wireless Security Types and Settings .... 4-8
    SSID and WEP/WPA Settings Setup Form .... 4-9
    Configuring WEP Security .... 4-11
    Configuring WPA Security Without RADIUS .... 4-12
    Configuring WPA Security with RADIUS .... 4-13
    Verifying Wireless Connectivity (With Security) .... 4-16
    Deploying the VPN Firewall .... 4-16
  Configuring Advanced Wireless Settings .... 4-17
  Restricting Wireless Access by MAC Address .... 4-18
Chapter 5 Firewall Security and Content Filtering
  About Firewall Security and Content Filtering .... 5-1
  Using Rules & Services to Block or Allow Traffic .... 5-2
    Services-Based Rules .... 5-2
    Viewing the Firewall Rules .... 5-7
    Order of Precedence for Rules .... 5-7
    Setting the Outbound Policy .... 5-7
    Creating a LAN WAN Outbound Services Rule .... 5-8
    Creating a LAN WAN Inbound Services Rule .... 5-9
    Modifying Rules .... 5-10
    Inbound Rules Examples .... 5-11
    Outbound Rules Example .... 5-14
  Configuring Other Firewall Features .... 5-14
    Attack Checks .... 5-14
    Configuring Session Limits .... 5-17
    Managing the Application Level Gateway for SIP Sessions .... 5-18
  Creating Services, QoS Profiles, and Bandwidth Profiles .... 5-19
    Adding Customized Services .... 5-19
    Setting Quality of Service (QoS) Priorities .... 5-21
    Creating Bandwidth Profiles .... 5-21
  Setting Schedules to Block or Allow Specific Traffic .... 5-24
  Blocking Internet Sites (Content Filtering) .... 5-25
  Enabling Source MAC Filtering (Address Filtering) .... 5-28
  Configuring IP/MAC Address Binding .... 5-29
  Configuring Port Triggering .... 5-31
  Configuring UPnP (Universal Plug and Play) .... 5-34
  E-Mail Notifications of Event Logs and Alerts .... 5-35
  Administrator Tips .... 5-36
Chapter 6 Virtual Private Networking Using IPsec
  Using the VPN Wizard for Client and Gateway Configurations .... 6-1
    Creating Gateway to Gateway VPN Tunnels with the Wizard .... 6-2
    Creating a Client to Gateway VPN Tunnel with the Wizard .... 6-5
  Creating a VPN Client to VPN Firewall Connection .... 6-6
    Configuring the VPN Firewall .... 6-7
    Configuring the VPN Client .... 6-7
    Testing the Connection .... 6-10
  Viewing VPN Firewall VPN Connection Status and Logs .... 6-11
  Managing IPsec VPN Policies .... 6-12
    Managing IKE Policies .... 6-12
    Configuring VPN Policies .... 6-20
  Assigning IP Addresses to Remote Users (Mode Config) .... 6-27
    Mode Config Operation .... 6-28
    Configuring Mode Config Operation on the VPN Firewall .... 6-28
    Configuring Mode Config Operation on the VPN Client .... 6-32
  Configuring Extended Authentication (XAUTH) .... 6-33
    Configuring XAUTH for VPN Clients .... 6-34
    User Database Configuration .... 6-35
    RADIUS Client Configuration .... 6-35
  Configuring Keepalives and Dead Peer Detection .... 6-37
    Configuring Keepalives .... 6-38
    Configuring Dead Peer Detection .... 6-39
  Configuring NetBIOS Bridging with VPN .... 6-40
Chapter 7 Virtual Private Networking Using SSL
  Understanding the Portal Options .... 7-1
  Planning for SSL VPN .... 7-2
  Creating the Portal Layout .... 7-3
  Configuring Domains, Groups, and Users .... 7-7
  Configuring Applications for Port Forwarding .... 7-8
    Adding Servers .... 7-8
    Adding A New Host Name .... 7-9
  Configuring the SSL VPN Client .... 7-10
    Configuring the Client IP Address Range .... 7-11
    Adding Routes for VPN Tunnel Clients .... 7-12
  Using Network Resource Objects to Simplify Policies .... 7-13
    Adding New Network Resources .... 7-13
  Configuring User, Group, and Global Policies .... 7-15
    Viewing Policies .... 7-17
    Adding a Policy .... 7-18
Chapter 8 Managing Users, Authentication, and Certificates
  Adding Authentication Domains, Groups, and Users .... 8-1
    Creating a Domain .... 8-1
    Creating a Group .... 8-5
    Creating a New User Account .... 8-6
    Setting User Login Policies .... 8-7
    Changing Passwords and Other User Settings .... 8-9
  Managing Certificates .... 8-11
    Viewing and Loading CA Certificates .... 8-12
    Viewing Active Self Certificates .... 8-13
    Obtaining a Self Certificate from a Certificate Authority .... 8-14
    Managing your Certificate Revocation List (CRL) .... 8-17
Chapter 9 VPN Firewall and Network Management
  Performance Management .... 9-1
    Bandwidth Capacity .... 9-1
    Features that Reduce Traffic .... 9-2
    Features that Increase Traffic .... 9-4
    Using QoS to Shift the Traffic Mix .... 9-7
    Tools for Traffic Management .... 9-7
  Changing Passwords and Administrator Settings .... 9-8
  Enabling Remote Management Access .... 9-9
  Using an SNMP Manager .... 9-12
  Managing the Configuration File .... 9-14
  Configuring Date and Time Service .... 9-17
Chapter 10 Monitoring System Performance
  Activating Notification of Events and Alerts .... 10-1
  Viewing the Logs .... 10-4
  Enabling the Traffic Meter .... 10-5
  Viewing VPN Firewall Configuration and System Status .... 10-8
  Monitoring VPN Firewall Statistics .... 10-10
  Monitoring the WAN Port Status .... 10-10
  Monitoring Attached Devices .... 10-11
  Viewing the DHCP Log .... 10-13
  Monitoring Active Users .... 10-14
  Viewing the Port Triggering Status .... 10-14
  Monitoring the VPN Tunnel Connection Status .... 10-15
  Viewing the VPN Logs .... 10-17
Chapter 11 Troubleshooting
  Basic Functions .... 11-1
    Power LED Not On .... 11-2
    LEDs Never Turn Off .... 11-2
    LAN or WAN Port LEDs Not On .... 11-2
  Troubleshooting the Web Configuration Interface .... 11-3
  Troubleshooting the ISP Connection .... 11-4
  Troubleshooting a TCP/IP Network Using a Ping Utility .... 11-5
    Testing the LAN Path to Your VPN Firewall .... 11-5
    Testing the Path from Your PC to a Remote Device .... 11-6
  Restoring the Default Configuration and Password .... 11-7
  Problems with Date and Time .... 11-7
  Using the Diagnostics Utilities .... 11-8
Appendix A Default Settings and Technical Specifications
  Default Settings .... A-1
  Technical Specifications .... A-3
Appendix B Two Factor Authentication
  Why do I need Two-Factor Authentication? .... B-1
    What are the benefits of Two-Factor Authentication? .... B-1
    What is Two-Factor Authentication? .... B-2
  NETGEAR Two-Factor Authentication Solutions .... B-2
Appendix C Related Documents
Index

About This Manual

The NETGEAR® ProSafe™ Wireless-N VPN Firewall Reference Manual describes how to configure and troubleshoot a ProSafe Wireless-N VPN Firewall. The information in this manual is intended for readers with intermediate computer and networking skills.

Conventions, Formats, and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs:
Typographical Conventions. This manual uses the following typographical conventions:
Italic: Emphasis, books, CDs, file and server names, extensions
Bold: User input, IP addresses, GUI screen text
Fixed: Command prompt, CLI text, code
Italic: URL links
Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the equipment.
Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death.
Scope. This manual is written for the VPN firewall according to these specifications:
Product: ProSafe Wireless-N VPN Firewall
Manual Publication Date: January 2010
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix C, “Related Documents.”
Note: Product updates are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/SRXN3205.asp.

How to Print this Manual

To print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe website at http://www.adobe.com.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.

Revision History

Manual Part Number / Manual Version Number / Publication Date / Description
202-10416-01, version 1.0, October 2008: First publication.
202-10416-02, version 1.0, January 2009: Added the following new features for the January 2010 firmware maintenance release:
• Connection reset and delay options on the WAN ISP Settings screen (see “Manually Configuring the Internet Connection”).
• Support for DNS 3322 in the Dynamic DNS submenu (see “Configuring Dynamic DNS”).
• Support for an address range for inbound LAN rules on the Add LAN WAN Inbound Service screen (see “Inbound Rules (Port Forwarding)” and “Creating a LAN WAN Inbound Services Rule”).
• Support for new log options such as Resolved DNS Names and VPN on the Firewall Logs & E-mail screen (see “Activating Notification of Events and Alerts”).
In addition, made the following substantial changes to the book:
• Provided new captures for most screens and resized the existing screen captures for better viewing.
• Made global stylistic changes for consistency and clarity.
• Revised the following sections in Chapter 2, “Connecting to the Internet (WAN)”:
  * “Configuring the Internet Connection (WAN)”
  * “Configuring Dynamic DNS”
• Revised the following sections in Chapter 3, “LAN Configuration”:
  * “Using the VPN Firewall as a DHCP Server”
  * “Configuring the LAN Setup Options”
• Reorganized Chapter 4, “Wireless Configuration,” and revised the following sections in this chapter:
  * “Understanding the VPN Firewall Wireless Security Options”
  * “Configuring Basic Wireless Setup (Without Security)”
  * “Wireless Security Types and Settings”
  * “Configuring Advanced Wireless Settings”
  * “Restricting Wireless Access by MAC Address”
• Added the “Configuring Other Firewall Features” section to Chapter 5, “Firewall Security and Content Filtering,” and revised the following sections in this chapter:
  * “Using Rules & Services to Block or Allow Traffic”
  * “Creating Services, QoS Profiles, and Bandwidth Profiles”
  * “Setting Schedules to Block or Allow Specific Traffic”
  * “Blocking Internet Sites (Content Filtering)”
  * “Enabling Source MAC Filtering (Address Filtering)”
  * “Configuring IP/MAC Address Binding”
  * “Configuring Port Triggering”
  * “E-Mail Notifications of Event Logs and Alerts”
• Reorganized Chapter 6, “Virtual Private Networking Using IPsec,” added the “Viewing VPN Firewall VPN Connection Status and Logs,” “Configuring Keepalives and Dead Peer Detection,” and “Configuring NetBIOS Bridging with VPN” sections, and revised the following sections in this chapter:
  * “Using the VPN Wizard for Client and Gateway Configurations”
  * “Creating Gateway to Gateway VPN Tunnels with the Wizard”
  * “Managing IPsec VPN Policies”
  * “Assigning IP Addresses to Remote Users (Mode Config)”
  * “Configuring Extended Authentication (XAUTH)”
• Made minor changes in Chapter 7, “Virtual Private Networking Using SSL.”
• Revised the following sections in Chapter 8, “Managing Users, Authentication, and Certificates”:
  * “Adding Authentication Domains, Groups, and Users”
  * “Managing Certificates”
• Revised the following sections in Chapter 9, “VPN Firewall and Network Management”:
  * “Enabling Remote Management Access”
  * “Managing the Configuration File”
• Revised the following sections in Chapter 10, “Monitoring System Performance”:
  * “Activating Notification of Events and Alerts”
  * “Viewing the Logs”
  * “Viewing VPN Firewall Configuration and System Status”
  * “Monitoring the WAN Port Status”
  * “Monitoring Attached Devices”
  * “Viewing the VPN Logs”
• Revised the following sections in Chapter 11, “Troubleshooting”:
  * “Troubleshooting the ISP Connection”
  * “Troubleshooting a TCP/IP Network Using a Ping Utility”
  * “Restoring the Default Configuration and Password”
• Added Appendix B, “Two Factor Authentication.”
Chapter 1
Introduction
The ProSafe Wireless-N VPN Firewall SRXN3205 provides Internet connectivity to your local Ethernet and wireless networks via a broadband cable or DSL modem. The SRXN3205 is a complete security solution with a powerful and flexible firewall to safeguard your networks along with advanced IPsec and SSL VPN technologies for secure wired and wireless connections.
Moreover, the ProSafe Wireless-N VPN Firewall supports wireless connections over the wider range and more robust connections afforded by 802.11N and 802.11a wireless networks. The SRXN3205 also supports wireless bridging.
The Gigabit Ethernet LAN ports and WAN port ensure extremely high data transfer speeds. The SRXN3205 is a plug-and-play device that can be installed and configured within minutes. This chapter contains the following sections:
“Key Features” on this page
“Wireless Networking Features” on page 1-4
“System Requirements” on page 1-5
“Package Contents” on page 1-6
“Front Panel Features” on page 1-6
“Rear Panel Features” on page 1-8
“Default IP Address, Login Name, and Password Location” on page 1-9
“Qualified Web Browsers” on page 1-9

Key Features

The SRXN3205 provides the following key features:
A single 10/100/1000 Mbps Gigabit Ethernet WAN port for your Internet connection.
Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources and all of the wireless clients.
Advanced IPsec and SSL VPN support
Advanced stateful packet inspection (SPI) firewall with multi-NAT support
Easy, web-based setup for installation and management
Front panel LEDs for easy monitoring of status and activity
Flash memory for firmware upgrade
AC-DC power adapter for low current draw

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT routers, the SRXN3205 is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features include:
Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN Flood.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Prevents objectionable content from reaching your PCs. You can control access to Internet content by screening for Web services, Web addresses, and keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.
Permits scheduling of firewall policies by day and time.
Logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to e-mail the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.

Autosensing Ethernet Connections with Auto Uplink

With its internal 5-port 10/100/1000 Mbps switch and 10/100/1000 WAN port, the SRXN3205 can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The five LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
The SRXN3205 incorporates Auto Uplink™ technology. Each Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a “normal” connection such as to a PC or an “uplink” connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

Extensive Protocol Support

The SRXN3205 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see the document that you can access from “TCP/IP Networking Basics” in Appendix C.
IP Address Sharing by NAT. The SRXN3205 allows many networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
Automatic Configuration of (Wired & Wireless) PCs by DHCP. The SRXN3205 dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to PCs on the LAN and Wireless LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the SRXN3205 provides its own address as a DNS server to the attached PCs. The SRXN3205 obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.
Quality of Service (QoS). Support for traffic prioritization.

Advanced VPN Support for Both IPsec and SSL

The SRXN3205 supports IPsec and SSL virtual private network (VPN) connections.
IPsec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
IPsec VPN with broad protocol support for secure connection to other IPsec gateways and clients.
Bundled with the single-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
Supports up to 5 (max) IPsec VPN tunnels (alternately, 4 IPsec VPN tunnels concurrently with 4 SSL VPN sessions, or 5 IPsec VPN tunnels concurrently with 3 SSL VPN sessions). The total number of concurrent tunnels and sessions is not to exceed eight.
SSL VPN provides remote access for mobile users to selected corporate resources without requiring a pre-installed VPN client on their computers.
Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
Browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer or Apple Safari.
Provides granular access to corporate resources based upon user type or group membership.
Supports up to 5 IPsec VPN sessions and up to 5 SSL VPN sessions.

Wireless Networking Features

Dual Band Selection. The SRXN3205 allows you to configure the 802.11 wireless options for the 2.4 GHz band or the 5 GHz bands.
Upgradeable Firmware. Firmware is stored in flash memory and can be upgraded easily using your Web browser, including from a remote location. The command-line interface can also be used to upgrade the firmware.
Access Control. The Access Control MAC address filtering feature can ensure that only trusted wireless stations can use the SRXN3205 to gain access to your LAN.
Hidden Mode. The SSID is not broadcast, assuring only clients configured with the correct SSID can connect.
Configuration Backup. Configuration settings can be backed up to a file and restored.
Secure and Economical Operation. Adjustable power output allows more secure or economical operation.
Autosensing Ethernet Connection with Auto Uplink Interface. Connects to 10/100/1000 Mbps IEEE 802.3 Ethernet networks.
LED Indicators. Power, test, LAN speed, LAN activity, and wireless activity for each radio mode are easily identified.

Easy Installation and Management

You can install, configure, and operate the SRXN3205 within minutes after connecting it to the network. The following features simplify installation and management tasks:
Browser-Based Management. Browser-based configuration allows you to easily configure your SRXN3205 and Wireless access from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
Auto Detection of ISP. The SRXN3205 automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
VPN Wizard. The SRXN3205 includes the NETGEAR VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN firewalls and clients.
SNMP. The SRXN3205 supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
Diagnostic Functions. The SRXN3205 incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
Remote Management. The SRXN3205 allows you to log in to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
Visual monitoring. The SRXN3205’s front panel LEDs provide an easy way to monitor its status and activity.

System Requirements

Before installing the SRXN3205, ensure your system meets the following requirements:
Category 5 UTP straight through Ethernet cable with RJ-45 connectors, like the one included in the package
A 100-240 V, 50-60 Hz AC power source
A Web browser for configuration, such as Microsoft Internet Explorer 5.0 or above, or Mozilla 3.0 or above

Package Contents

The SRXN3205 product package contains the following items:
ProSafe Wireless-N VPN Firewall SRXN3205
Rubber feet (4) with adhesive backing
One AC-DC power adapter (12V, 1.5A) with cord (approximately 6 ft, or 183 cm)
Three dual-band antennas (SMA connectors): 2 dipole (long); 1 patch (square)
One straight-through Category 5 (Cat5) Ethernet cable.
Installation Guide, SRXN3205 ProSafe Wireless-N VPN Firewall.
Resource CD, including:
  – Application Notes and other helpful information.
  – ProSafe VPN Client Software (one user license).
Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.

Front Panel Features

The SRXN3205’s front panel is shown below:
Figure 1-1
Table 1-1. Description of Front Panel Items
Item / Activity / Description
PWR (Power)
  On Green: Power is supplied to the SRXN3205.
  Off: Power is not supplied to the SRXN3205.
TEST
  On Amber: Test mode: the system is initializing (On) or the initialization has failed (Blinking).
  Blinking Amber: Writing to Flash memory (during upgrading or resetting to defaults).
  Off: The system has booted successfully.
n/a 5 GHz
  Off: WLAN 802.11n/a (5 GHz) mode is disabled.
  Blink (Green): Wireless data traffic in 5 GHz modes.
n/g 2.4 GHz
  Off: WLAN 802.11b/g/n (2.4 GHz) mode is disabled.
  Blink (Green): Wireless data traffic in 2.4 GHz modes.
Reset button (press with a sharp object)
  Reboot: Press once to reboot the unit.
  Factory Defaults: Hold in for 15 seconds (until the TEST light flashes). This resets the unit to factory default settings, erasing all configuration settings, and restores the default password.
LAN Ports
  LAN connections: Four Auto MDI/MDIX Gigabit Ethernet ports.
WAN Port
  WAN connection: One Auto MDI/MDIX Gigabit Ethernet port.
LAN and WAN port LEDs
  Left LED (status): On = Link; Blink = ACT. Right LED (speed): Off = 10M; Amber = 100M; Green = 1000M.
Rear Panel Features

The rear panel of the SRXN3205 is shown below.
Figure 1-2
1. Detachable (SMA) Antennas: The SRXN3205 provides three SMA connectors for the detachable antennas (two dipole and one patch). For the best performance, attach the patch antenna to the middle connector and attach the dipole antennas to the two connectors at the corners. The three antennas can be positioned horizontally or vertically for the best coverage.
2. DC Power Jack: This jack connects to the SRXN3205 12V 1.5A AC-DC power adapter.

Default IP Address, Login Name, and Password Location

Check the label on the bottom of the SRXN3205’s enclosure if you need a reminder of the following factory default information:
Figure 1-3 (product label showing the default IP Address, User Name, and Password)

Qualified Web Browsers

To configure the SRXN3205, an administrator must use Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher, or a Mozilla Firefox 1.x Web browser with JavaScript, cookies, and SSL enabled.
Although these web browsers are qualified for use with the SRXN3205’s Web Management Interface for configuring the SRXN3205, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is only required for the SSL VPN portal, not the Web Management Interface.
Chapter 2
Connecting to the Internet (WAN)
The initial Internet configuration of the ProSafe Wireless-N VPN Firewall SRXN3205 is described in this chapter.
This chapter contains the following sections:
“Understanding the Connection Steps” on this page
“Logging into the VPN Firewall” on page 2-2
“Navigating the Menus” on page 2-3
“Configuring the Internet Connection (WAN)” on page 2-4
“Configuring Dynamic DNS” on page 2-12
“Configuring the Advanced WAN Options (Optional)” on page 2-14

Understanding the Connection Steps

Typically, six steps are required to complete the basic Internet connection of your VPN firewall.
1. Connect the firewall to your network. Connect the cables and restart your network according to the instructions in the printed installation guide included in the product package. A PDF of the FVX338 ProSafe VPN Firewall 200 Installation Guide is on the product CD and on the NETGEAR website at http://kbserver.netgear.com.
2. Log in to the VPN firewall. After logging in, you are ready to set up and configure your VPN firewall. You can also change your password and enable remote management at this time. See “Logging into the VPN Firewall” on page 2-2.
3. Configure the Internet connection to your ISP. During this phase, you will connect to your ISP. See “Configuring the Internet Connection (WAN)” on page 2-4.
4. Configure the WAN mode. Select either Network Address Translation (NAT) or Classical Routing. See “Configuring the WAN Mode” on page 2-11.
5. Configure dynamic DNS on the WAN port (optional). Configure your fully qualified domain name (FQDN) during this phase (if required). See “Configuring Dynamic DNS” on page 2-12.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features and changing them is not usually required. See “Configuring the Advanced WAN Options (Optional)” on page 2-14.
Each of these tasks is detailed separately in this chapter. The configuration of wireless, firewall, and VPN features are described in later chapters.

Logging into the VPN Firewall

To connect to the VPN firewall, your computer needs to be configured to get an IP address automatically from the VPN firewall by DHCP. For instructions on how to configure your computer for DHCP, see the “Preparing Your Network” document that you can access from Appendix C, “Related Documents.”
To log in to the VPN firewall, follow these steps:
1. Open a browser, and enter https://192.168.1.1 in the address field. The login window displays in the browser.
Figure 2-1
2. Enter admin in lower case for the User Name and password for the Password.
3. Click Login. The Web Configuration Manager appears, displaying the Router Status screen as the default screen (see Figure 2-2 on page 2-3).
Figure 2-2

Navigating the Menus

The Web Configuration Manager menus are organized in a layered structure of main categories and submenus:
Main menu. The horizontal orange bar near the top of the screen is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar.
Submenu. The horizontal grey bar immediately below the main menu is the submenu, containing subcategories of the currently selected primary category.
Tab. Immediately below the submenu bar, at the top of the menu active window, are one or more tabs, further subdividing the currently selected subcategory if necessary.
Option arrow. To the right of the tabs on some menus are one or more blue dots with an arrow in the center. Clicking an option arrow brings up either a popup window or an advanced option menu.
Tip: In the instructions in this guide, we may refer to a menu using the notation primary > subcategory, such as Network Configuration > WAN Settings. In this example, Network Configuration is the selected primary category (in the main menu) and WAN Settings is the selected subcategory (in the submenu).
You can now proceed to the first configuration task, configuring the VPN firewall’s Internet connections.

Configuring the Internet Connection (WAN)

To set up your VPN firewall for secure Internet connections, you configure the WAN port. The Web Configuration Manager offers two connection configuration options:
Automatic detection and configuration of the network connection.
Manual configuration of the network connection.
Each option is detailed in the following sections.

Automatically Detecting and Connecting

To automatically configure the WAN port for connection to the Internet:
1. Select Network Configuration > WAN Settings from the menu/submenu. The WAN tabs appear on screen with the WAN ISP Settings screen in view (see Figure 2-3 on page 2-5).