Nokia IP45 User Manual

IP45 Security Platform
User’s Guide
Version 4.0
Part Number: N450000261 Rev. 001
December 2006
COPYRIGHT
©2006 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.
Nokia Contact Information

Corporate Headquarters
Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information
Americas: Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
Tel: 1-877-997-9199; Outside USA and Canada: +1 512-437-7089; email: info.ipnetworking_americas@nokia.com
Europe, Middle East, and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908; Tel: France: +33 170 708 166; email: info.ipnetworking_emea@nokia.com
Asia-Pacific: 438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
Tel: +65 6588 3364; email: info.ipnetworking_apac@nokia.com

Nokia Customer Support
Web Site: https://support.nokia.com/
Email: tac.support@nokia.com
Americas: Voice: 1-888-361-5030 or 1-613-271-6721; Fax: 1-613-271-8782
Europe: Voice: +44 (0) 125-286-8900; Fax: +44 (0) 125-286-5666
Asia-Pacific: Voice: +65-67232999; Fax: +65-67232897

Contents

About this Guide
In this Guide
Conventions this Guide uses
Notices
Command-Line Conventions
Text Conventions
Menu Items
Related Documentation
1 Introduction
About the Nokia IP45 Security Platform
Nokia IP45 Tele 8
Nokia IP45 Satellite 16, Satellite 32, Satellite Unlimited
Nokia IP45 Security Platform Features
Connectivity
Firewall
VPN Connectivity
Management
Security Services
Diagnostics and Maintenance
Network Requirements
Overview
Nokia IP45 Security Platform Rear Panel
Nokia IP45 Security Platform Front Panel
2 Installing the Nokia IP45 Security Platform
Before you Install the Nokia IP45 Security Platform
Setting Up the Nokia IP45 Security Platform with Microsoft Windows 98 or Millennium Operating Systems
Setting Up the Nokia IP45 Security Platform with Microsoft Windows XP and 2000 Operating Systems
Setting Up the Nokia IP45 Security Platform with an Apple Computer
Connecting the Nokia IP45 Security Platform to the Network
Installing your Network
3 Getting Started
First-Time Login
Configuring the Nokia IP45 Security Platform for Internet Connection
Making Initial Nokia IP45 Security Platform Settings
Setting the Nokia IP45 Security Platform Time
Registering with the Nokia Support Site
Connecting to a Central Management Server
Logging On to the Nokia IP45 Security Platform
Accessing Nokia IP45 Securely
Logging Off from the Nokia IP45 Security Platform
Understanding the Nokia IP45 Web GUI
Using the Nokia IP45 Security Platform Web-based User Interface
Graphical User Interface Details
4 Accessing the Nokia IP45 Security Platform
Connection Methods
Configuration Methods
Connecting the Nokia IP45 Security Platform to a Computer by Using the Console Port
Using Telnet to Connect to the Nokia IP45 Security Platform
Enabling and Disabling Telnet Access to Nokia IP45
Using Secure Shell to Connect to the Nokia IP45 Security Platform
Accessing Nokia IP45 with HTTP and HTTPS
Managing Large Scale Deployments of Nokia IP45
Deploying the Nokia IP45 Security Platform with the Nokia Horizon Manager
Deploying the Nokia IP45 Security Platform with the Check Point SmartCenter Large Scale Manager
Deploying Nokia IP45 with SofaWare Management Portal
5 Connecting to the Internet with the Nokia IP45 Security Platform
Configuring an Internet Connection
Using the Setup Wizard
Cable Modem Connection Settings
MAC Cloning
Cloning a MAC Address
Manually Configuring the Internet Setting
Dial-Up PPP
Configuring Dial-Up
Using the GUI
Configuring Dial-up Setting by Using the CLI
Multiple Dial-up Profiles
Enabling or Disabling the Internet Connection
Using Quick Internet Connect or Disconnect
Configuring a Backup Internet Connection
Viewing Internet Information
Detecting Dead Connections
6 Managing your Local Area Network
Configuring Network Settings
Enabling and Disabling the DHCP Server
Customizing DHCP Server Options
Configuring a DMZ Network
Configuring OfficeMode Network
VLAN Support
Tag-Based VLANs
Configuring a VLAN
Deleting a VLAN
Configuring DHCP Relay
Backing Up DHCP Relay
Backing Up DHCP Relay by Using CLI
Changing IP Addresses
Configuring Network Objects
Configuring Static NAT
Editing Static NAT
Viewing Static NAT
Deleting Static NAT
Configuring DHCP Reservation
Deleting Network Objects
Configuring Static Routes
Configuring Source Routes
OSPF
Managing Ports
Defining the Port Link Speed
Viewing Ports Status
7 Quality of Service
About QoS
Using Traffic Shaper
QoS Classes
Default QoS Classes
Enabling QoS Classes
Adding QoS Classes
Editing and Deleting QoS Classes
8 Setting Up the Nokia IP45 Security Platform Security Policy
VStream Embedded Antivirus
Features Overview
VStream Antivirus Actions
Enabling and Disabling VStream Antivirus
Viewing VStream Signature Database Information
Configuring VStream Antivirus
Configuring the antivirus policy
Configuring the advanced settings
Updating VStream Antivirus
Setting the Firewall Security Level
Configuring Virtual Servers
Customizing the Nokia IP45 Security Platform Security Policy
Creating Firewall Rules
Allow and Block Rules
Firewall Rules
Deleting and Editing Firewall Rules
Viewing the Rules Log for Accepted Connections
Editing or Deleting an Exposed Host
SmartDefense
SmartDefense Wizard
Restoring Default Settings
Configuring SmartDefense
Denial of Service
IP and ICMP
TCP
Port Scan
FTP
HTTP
Microsoft Networks
IGMP
Peer to Peer
Instant Messaging Traffic
Secure HotSpot
Enabling Secure HotSpot
9 Configuring Network Access
Changing your Password
Adding Users
Adding Guest HotSpot Users
Viewing and Editing Users
Deleting Users
Setting Up Remote VPN Access for Users
Using RADIUS Authentication
RADIUS Vendor Specific Attributes
Access Control
Telnet Access
Secure Shell
Configuring SSH
Enabling or Disabling SSH Service
SSH Authentication Methods
Using SSH Client
Configuring Advanced Secure Shell Server Options
Configuring Server Authentication of Users
Configuring and Managing SSH Key Pairs
Managing Authorized Keys
Secure Socket Layer
Enabling HTTPS Web Access
Generating a Self-Signed Certificate and Private Key by Using the CLI
Installing a Certificate and Private Key
Viewing Certificate Fingerprint Display
10 Configuring and Monitoring SNMP
SNMP Description
SNMP Configuration from the Nokia IP45 Security Platform
Setting Up SNMP Access to the Nokia IP45 Security Platform
Configuring the SNMP Parameters
Configuring SNMP Parameters from the Command-Line Interface
Setting SNMP Parameters
Viewing SNMP Parameters
11 High-Availability
High-Availability Sample Scenario
Configuring Multiple HA Clusters
Configuring High-Availability
Configuring High-Availability by Using the GUI
High-Availability over VPN
Dual Homing
Configuring for Dual Homing ISP Connectivity
Configuring ISP Dial-Up Profiles
Generic High-Availability
Advanced High-Availability
Route-Based VPN and BGP
Border Gateway Protocol
Configuring the BGP
High-Availability Options
High-Availability Solutions
High-Availability Solutions with a Single Nokia IP45 Device
High-Availability Solutions with Dual Nokia IP45 Devices
Generic HA
HA Coupled With BGP
12 Configuring Nokia IP45 Through Out-of-Band Management
Overview
Configuring OOB from the Nokia IP45 Security Platform GUI
Secure Shell and HTTPS Access Through Out-of-Band Dial-In
Remote Configuration Mode in the Nokia IP45 Security Platform
13 Configuring Device Functions
Host Name Configuration by Using the CLI
Date and Time Configuration
System Logging Configuration
Setting the Syslog Server by Using the CLI
Network Utilities
Managing the Configuration
Exporting the Configuration
Importing the Configuration
Upgrading Firmware
Installing your Product Key
Dynamic DNS
Configuring DDNS
Resetting the Nokia IP45 Security Platform to Factory Defaults
Resetting the Nokia IP45 Security Platform by Using the Reset Button
Restarting the Nokia IP45 Security Platform by Using the GUI
14 Viewing Reports
Viewing Reports on the Nokia IP45 Security Platform
Viewing the Event Log
Viewing the Traffic Monitor
Viewing Active Computers
Viewing Connections
Viewing the Diagnostics Summary
15 Working with VPNs
About VPN
Setting Up the Nokia IP45 Security Platform as a VPN Server
Configuring Remote Access VPNs
Configuring Site-to-Site VPN
Completing Site Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Configuring Route-Based VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Deleting a VPN Site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Logging On to a VPN Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Logging On from the Nokia IP45 Security Platform GUI . . . . . . . . . . . . . . . . . 272
Logging On Through my.vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Logging Off a VPN Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
VPN Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Installing a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Generating a Self-Signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Importing a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Installing VPN Certificates from SmartCenter . . . . . . . . . . . . . . . . . . . . . . . . . 278
Uninstalling the VPN Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Viewing VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Viewing IKE Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Downloading the Precompiled Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
VPN Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Nokia IP45 Security Platform as a VPN Server. . . . . . . . . . . . . . . . . . . . . . . . . . 282
SecuRemote to Nokia IP45 Satellite X
(VPN Client to Gateway) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Setting Up Nokia IP45 Satellite X. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Nokia IP45 Security Platform as VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Setting Up Nokia IP45 Tele 8 as a VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Adding VPN Sites by Using Nokia IP45 Tele 8 . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Nokia IP45 Site-to-Site VPNs support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Adding VPN Sites by Using Nokia IP45 Satellite X . . . . . . . . . . . . . . . . . . . . . . . 287
Nokia IP45 Tele to IP45 Satellite X (VPN Client to Gateway) . . . . . . . . . . . . . . . . 289
Setting Up Nokia IP45 Tele 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Setting Up Nokia IP45 Satellite X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Nokia IP45 Tele 8 to Check Point FP1, FP2, FP3, NG, NG AI, NGX R60 or NGX R61 289
Setting Up Nokia IP45 Tele 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Setting Up Check Point Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Nokia IP45 Tele 8 to Check Point NG AI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Setting Up Nokia IP45 Tele 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Setting Up Check Point NG AI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Nokia Satellite X to Nokia Satellite X (VPN Gateway-to-Gateway). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Setting Up Nokia IP45 Satellite X. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Nokia IP45 Satellite X in NAT and Bypass NAT Modes . . . . . . . . . . . . . . . . . . . 292
NAT Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Bypass NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Bypass Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Defining a Backup VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Nokia IP45 Satellite X to VPN-1 (Site-to-Site VPN) . . . . . . . . . . . . . . . . . . . . . . 294
Setting Up Nokia IP45 Satellite X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Nokia IP45 Satellite X to Check Point FP3 or DAIP. . . . . . . . . . . . . . . . . . . . . . 295
Setting Up Check Point FP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Setting Up Nokia IP45 Satellite X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Nokia IP45 Satellite X to Check Point SmartCenter FP3/NG AI . . . . . . . . . . . . 296
Setting Up Check Point SmartCenter FP3/NG AI . . . . . . . . . . . . . . . . . . . . . . 296
Setting Up Nokia IP45 Satellite X for VPN Connection with SmartCenter FP3 . . . . . . . . . . . . . . . . . . . . . . . . . 297
Setting Up Check Point SmartCenter NG AI by Using Certificates with Smart LSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Site-to-Site VPN with Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Site-to-Site VPN with Nokia CryptoCluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Site-to-Site VPN with Cisco PIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
VPN Routing Between two Nokia IP45 Security Platforms . . . . . . . . . . . . . . . . 299
IPSec NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Mesh VPN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Enhanced MEP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
16 Using Managed Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Starting your Subscription Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Viewing Service Information from the Account Page . . . . . . . . . . . . . . . . . . . . . . 306
Refreshing your Service Center Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring your Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Disconnecting from your Service Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
SofaWare Security Management Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Web Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Selecting Categories to Block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Virus Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Enabling or Disabling Email Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Selecting Protocols for Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Temporarily Disabling Email Antivirus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Automatic and Manual Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Checking for Software Updates when Locally Managed . . . . . . . . . . . . . . . . . . 314
Checking for Software Updates when Remotely Managed . . . . . . . . . . . . . . . . 315
Managing with the Nokia Horizon Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Check Point SmartCenter LSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
17 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Debugging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Configuring Debugging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Viewing Debugging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Viewing Firmware Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Resetting the IP45 Security Platform to Factory Defaults . . . . . . . . . . . . . . . . . . 326
Failsafe Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Upgrading Firmware in Failsafe Mode by Using Console . . . . . . . . . . . . . . . . . . . 327
Upgrading Firmware from Failsafe Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Running Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Using Packet Sniffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
A Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Technical Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Safety Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
B Compliance Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Declaration of Conformity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Compliance Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
FCC Notice (US) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

About this Guide

This guide provides information and procedures about how to install and configure the Nokia IP45 security platform. This guide provides information about the new features incorporated in the Nokia IP45. This version of the Nokia IP45 uses the SofaWare VPN-1 Embedded NG. For a quick reference on how to configure features in the Nokia IP45, see the Nokia IP45 Security Platform Quick Start Guide v4.0 and the Nokia IP45 Security Platform Online Help, part of the graphical user interface (GUI) in the device.
Installation and maintenance should be performed by experienced technicians or Nokia-approved service providers only.
This preface provides the following information:
In this Guide
Conventions this Guide uses
Related Documentation

In this Guide

This guide is organized into the following chapters and appendixes:
Chapter 1, “Introduction,” provides the information you need to know before installing the Nokia IP45 security platform.
Chapter 2, “Installing the Nokia IP45 Security Platform,” describes how to install the device, and lists operating system requirements, protocols, and how to establish a network connection.
Chapter 3, “Getting Started,” describes how to start using the IP45, and provides information on first-time login and connecting to the Internet.
Chapter 4, “Accessing the Nokia IP45 Security Platform,” describes different methods of connecting to your IP45, and methods of configuring the device.
Chapter 5, “Connecting to the Internet with the Nokia IP45 Security Platform,” describes how to configure your IP45 for connecting to the Internet, and how to view and manage your Internet connection.
Chapter 6, “Managing your Local Area Network,” describes how to configure the Nokia IP45 features.
Chapter 7, “Quality of Service,” provides information about Quality of Service (QoS) and how to configure the QoS classes.
Chapter 8, “Setting Up the Nokia IP45 Security Platform Security Policy,” describes methods to define the firewall level, configure virtual servers, and create firewall rules.
Chapter 9, “Configuring Network Access,” describes the network access procedures and usage of SSH and SSL.
Chapter 10, “Configuring and Monitoring SNMP,” describes the procedure to configure Simple Network Management Protocol, set community strings, and send and enable SNMP traps.
Chapter 11, “High-Availability,” describes the High Availability feature.
Chapter 12, “Configuring Nokia IP45 Through Out-of-Band Management,” describes the method to configure the Nokia IP45 through Out of Band Management.
Chapter 13, “Configuring Device Functions,” discusses how to configure device functions such as setting date and time, loading factory defaults and performing firmware upgrade.
Chapter 14, “Viewing Reports,” describes how to view reports such as Event Log, Active Computers, Active Connections, and VPN Tunnels.
Chapter 15, “Working with VPNs,” describes how to configure a VPN by using the Nokia IP45.
Chapter 16, “Using Managed Services,” describes methods for enabling and using subscription services such as Web filtering, email antivirus, and automatic and manual updates.
Chapter 17, “Troubleshooting,” discusses typical problems users encounter and provides solutions to these problems.
Appendix A, “Specifications,” describes the Nokia IP45 specifications.
Appendix B, “Compliance Information,” contains the compliance information of the Nokia IP45 security platform.

Conventions this Guide uses

The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

Warning
Warnings advise the user that either bodily injury might occur because of a physical hazard, or that damage to a structure, such as a room or equipment closet, might occur because of equipment damage.
Caution
Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.
Note
Notes provide information of special interest or recommendations.

Command-Line Conventions

This section defines the elements of commands that are available in Nokia products. You might encounter one or more of the following elements on a command-line path.
Table 1 Command-Line Conventions
Convention    Description
Command    This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.
Italics    Indicates a variable in a command that you must supply. For example:
    delete interface if_name
    Supply an interface name in place of the variable. For example:
    delete interface nic1
Angle brackets < >    Indicates arguments for which you must supply a value:
    retry-limit <1–100>
    Supply a value. For example:
    retry-limit 60
Square brackets [ ]    Indicates optional arguments.
    delete [slot slot_num]
    For example:
    delete slot 3
Vertical bars, also called a pipe (|)    Separates alternative, mutually exclusive elements.
    framing <sonet | sdh>
    To complete the command, supply the value. For example:
    framing sonet
    or
    framing sdh
-flag    A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.
.ext    A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.
( . , ; + * - / )    Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.
' '    Single quotation marks are literal symbols that you must enter as shown.

Text Conventions

Table 2 describes the text conventions this guide uses.
Table 2 Text Conventions
Convention    Description
Monospace font    Indicates command syntax, or represents computer or window output, for example:
    Log error 12453
Bold monospace font    Indicates text you enter or type, for example:
    # configure nat
Key names    Keys that you press simultaneously are linked by a plus sign (+):
    Press Ctrl + Alt + Del.
Menu commands    Menu commands are separated by a greater than sign (>):
    Choose File > Open.
The words enter and type    Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type.
Italics    Emphasizes a point or denotes new terms at the place where they are defined in the text.
    Indicates an external book title reference.
    Indicates a variable in a command:
    delete interface if_name

Menu Items

The Nokia IP45 menu items in procedures are separated by the greater than sign (>).
For example, Start > Programs > Nokia > Security indicates that you first click Start, then choose the Programs menu command, then choose Nokia, and finally choose Security.

Related Documentation

In addition to this guide, documentation for this product includes the following:
Nokia IP45 Security Platform Quick Start Guide Version 4.0—describes the system features and provides an overview of how to get your appliance up and running.
Nokia IP45 Security Platform Getting Started Guide Version 4.0—describes how to install and configure the Nokia IP45 security platform.
Nokia IP45 Security Platform CLI Reference Guide Version 4.0—describes all the IP45 commands that are used for managing the appliance.
Nokia IP45 Security Platform Release Notes Version 4.0—describes what you should know before you install and configure the IP45.

1 Introduction

This chapter introduces the Nokia IP45 security platform and includes the following topics:
About the Nokia IP45 Security Platform
Nokia IP45 Security Platform Features
Network Requirements
Nokia IP45 Security Platform Front Panel
Nokia IP45 Security Platform Rear Panel

About the Nokia IP45 Security Platform

The Nokia IP45 security platform provides dependable Internet access for the remote and branch offices of a distributed enterprise. The Nokia IP45 supports features like dial-up connection, redundant WAN connection to headquarters, and dual homing with BGP to route return traffic securely over VPN. IP45 appliances are RoHS compliant.
The Nokia IP45 security platform can be integrated with an overall enterprise security policy for maximum security. The IP45 facilitates centralized management and automatic deployment with the security management architecture of Check Point and Nokia Horizon Manager.
The Nokia IP45 security platform is available with the following licenses:
Nokia IP45 Tele 8
Nokia IP45 Satellite 16
Nokia IP45 Satellite 32
Nokia IP45 Satellite U (Unlimited)
All these versions of the Nokia IP45 provide a Web-based interface that enables you to configure and manage the Nokia IP45.
The Nokia IP45 security platform comes pre-installed with the license of your choice. You can upgrade the IP45 security platform to a more advanced configuration without replacing the hardware. For details about license upgrade, contact your local reseller.

Nokia IP45 Tele 8

Nokia IP45 Tele 8 is for home telecommuters and work extenders who also need VPN client access. The IP45 Tele 8 supports both firewall and VPN client capabilities over an eight-node network. The device supports VPN client capabilities for users to connect to the central office from their home with firewall protection, extending the enterprise network to the employees’ home offices.
IP45 Tele 8 can act as a VPN server, which allows a single user to securely access resources protected by the device from home or while travelling.
Note
Only computers that actually pass through the firewall are counted. Devices such as network printers that are connected to the LAN and do not normally connect to the Internet are not counted.

Nokia IP45 Satellite 16, Satellite 32, Satellite Unlimited

Nokia IP45 Satellite 16, IP45 Satellite 32, and IP45 Satellite Unlimited provide full firewall and VPN connectivity for remote and branch offices or independent, small, and medium enterprises with sixteen, thirty-two, and unlimited node networks, respectively. Using these solutions, remote and branch offices can securely exchange information among themselves and with distributed enterprises and small and medium enterprises, at a low price and with excellent performance.

Nokia IP45 Security Platform Features

The following section contains a summary of the Nokia IP45 security platform features.
Connectivity
Table 3 provides details about the IP45 v4.0 connectivity.
Table 3 Nokia IP45 Security Platform Connectivity
Feature    Nokia IP45 Tele 8    Nokia IP45 Satellite 16/32/Unlimited
LAN, WAN, and console ports
DMZ Support
Manual Ethernet port settings
Dynamic routing by using OSPF
Unnumbered PPP
Users (nodes)    8    16, 32, unlimited
PPPoE client
PPTP client
DHCP client
DHCP server
DHCP relay
Backup DHCP relay
DHCP reservation
Customizing DHCP Options (DNS servers, WINS servers, NTP servers, Domain name, VoIP call managers, TFTP server and TFTP boot file name)
Static IP
MAC cloning
MAC Cloning for WAN2
Static NAT, static routes
Dial-up Internet connection
Routing support by using BGP
Source routing
High-Availability (Group ID, enhanced interface tracking, VPN effect, WAN Virtual IP)
Traffic Shaper
Traffic Shaper enhancements
Traffic Monitor
Dead Connection Detection
Firewall
Table 4 provides details about the IP45 security platform firewall connectivity.
Table 4 Firewall Connectivity
Feature    Nokia IP45 Tele 8    Nokia IP45 Satellite (16/32/Unlimited)
Firewall Type    Check Point Firewall-1 Embedded NG    Check Point Firewall-1 Embedded NG
Network Address Translation (NAT)
INSPECT policy rules
User defined rules
Three levels of Preset security policies
DoS protection
Anti-spoofing
Attack logging
Voice over IP (H.323) support
Exposed host
DMZ network
VLAN support
SmartDefense and Application Intelligence
VPN Connectivity
Table 5 provides details about the IP45 security platform VPN connectivity.
Table 5 VPN Connectivity
Feature    Nokia IP45 Tele 8    Nokia IP45 Satellite 16/32/Unlimited
IPSEC VPN remote access server
IPSEC VPN site-to-site gateway
IPSEC VPN remote access client
Authentication X.509 certificates
RSA secure ID
Office Mode Network
VPN pass through
Enhanced MEP support
Advanced VPN configuration
Encryption    AES/3DES/DES    AES/3DES/DES
Authentication    SHA1/MD5    SHA1/MD5
SecuRemote server
L2TP VPN server
RADIUS Client
RADIUS Enhancements (vendor specific attribute (VSA), Radius Realm support, Radius time-out and retries setting)
DAIP with VPN certificates
Backup VPN gateways
SmartCenter Connector (SSC) NG AI support
Bypass NAT
Bypass Firewall
NAT Traversal
Route all traffic
Route-Based VPN and failover
Multiple PPP connections
Enhanced active tunnels display
Management
Table 6 provides details about the IP45 security platform management.
Table 6 Management
Feature    Nokia IP45 Tele 8    Nokia IP45 Satellite (16/32/Unlimited)
Web-based management
Access to the IP45 through OOB, SSH and SNMP
Telnet access
HTTPS access (local and remote)
Remote firmware upgrades
Nokia Horizon Manager support from v1.5 SP1 onwards
Multiple administrators
Users Manager
Guest HotSpot Users
User account expiration
Nokia CLI shell
Management systems (Nokia Horizon Manager, SofaWare SMP, Check Point SmartCenter, Check Point Smart Update)
Check Point Smart LSM Check Point Provider-1
Packet Sniffer
SmartDefense policy wizard
Security Services
Table 7 provides details about the IP45 security platform security services.
Table 7 Security Services
Feature    Nokia IP45 Tele 8    Nokia IP45 Satellite (16/32/Unlimited)
VStream embedded antivirus
Firewall security updates
Software updates
Web filtering
Email antivirus protection
Secure HotSpot
Dynamic DNS service (When managed by SofaWare Management Portal (SMP) and Nokia Horizon Manager (NHM)).
VPN management
Centralized logging
Customized security policy
Protocol support for TCP/IP, ICMP, GRE, ESP and UDP
Certificate Fingerprint display
Diagnostics and Maintenance
Table 8 provides details about the IP45 v4.0 diagnostics and maintenance.
Table 8 Diagnostics and Maintenance
Feature    Nokia IP45 Tele 8    Nokia IP45 Satellite (16/32/Unlimited)
Configuration Import or Export
Firmware upgrade
Preset configuration
Known good configuration
OOB management
Diagnostic tools (netstat, traceroute, arp, ping, WHOIS, nslookup, tcpdump)

Network Requirements

To set up the Nokia IP45 security platform to connect to the Internet, you need the following:
A broadband Internet connection by cable or DSL modem with Ethernet interface (RJ-45) or a dial-up connection with a serial modem (V90 or ISDN T/A)
10Base-T or 100Base-T Ethernet switch or hub (optional)
10Base-T or 100Base-T network interface card installed on each computer
TCP/IP network protocol installed on each computer
CAT5 network cable with RJ-45 connectors for each computer
Internet Explorer 5.0 or later, or Netscape Navigator 4.5 and later

Note
Nokia recommends that you use either Microsoft Internet Explorer 5.5 or later, or Netscape Navigator 6.2 or later.

Overview

The following sections provide an overview of the Nokia IP45 security platform rear and front panels.

Nokia IP45 Security Platform Rear Panel

All physical connections (network and power) to the IP45 are made through the rear panel.
Table 9 explains the items on the rear panel of the Nokia IP45.
Figure 1 Rear panel of the Nokia IP45
Table 9 Rear Panel of the IP45
Label    Description
Console    The console port is a 9-pin male connector that can be connected to the serial (COM) port of your computer. You can then use the command-line interface (CLI) to communicate with the device.
WAN    Wide area network. An Ethernet port (RJ-45) used to connect your cable or xDSL modem.
DMZ (WAN2)    Demilitarized zone. Ethernet port (RJ-45) used to connect computers or other network devices. Similar to LAN port in operation. This can be used as WAN2, secondary WAN connection.
LAN    Local area network. Ethernet port (RJ-45) used to connect computers or other network devices.
AUX    The auxiliary port or dial-in port is a 9-pin male connector. This port is used to dial in to the IP45 through a modem when the IP45 is unreachable through other ports.
Power    A power jack used to supply power to the device. Connect the power adapter to this jack. The device connects to the power source.
Reset    Used to reboot or reset the IP45 to its factory defaults. Use a large flat-tipped object, such as a thick paper clip, to press the reset button.
    Short press (one second): reboots the Nokia IP45 security platform.
    Long press (seven seconds): resets the IP45 to its factory defaults. This results in loss of all security services and passwords.
    Short press during boot up: boots the IP45 in special deployment mode. See “Resetting the Nokia IP45 Security Platform by Using the Reset Button” on page 248.
Note
Do not use a sharp pin or thin piece of metal to press the Reset button.

Nokia IP45 Security Platform Front Panel

You can monitor the IP45 operations by viewing the LEDs on the front panel.
Figure 2 Front Panel of the Nokia IP45 Security Platform
The items on the front panel of the Nokia IP45 security platform are explained in Table 10 on page 36.
Table 10 Front Panel of the Nokia IP45
Label    Description
PWR    Off: Device not powered on
    Green solid: Device is on
STAT    Off: Device off
    Green solid: Device passed hardware test and finished booting.
    Red solid: Hardware error
    Amber solid: Booting
    Green blinking: Device passed hardware test and is fully booted. Device is at its default state. First-time password is not set.
    Red blinking: Software error
    Amber blinking: Device is performing a function such as setting factory defaults, loading firmware or loading an exported configuration.
LAN, DMZ, WAN    Off: No connection
    Green solid: Interface connected and auto-negotiated at 10 Mbps
    Amber solid: Interface connected and auto-negotiated at 100 Mbps
    Amber/Green blinking: Traffic passing through the interface

2 Installing the Nokia IP45 Security Platform

This chapter describes how to set up and install the Nokia IP45 security platform in a networking environment. The chapter includes the following topics:
Before you Install the Nokia IP45 Security Platform
Setting Up the Nokia IP45 Security Platform with Microsoft Windows 98 or Millennium Operating Systems
Setting Up the Nokia IP45 Security Platform with Microsoft Windows XP and 2000 Operating Systems
Setting Up the Nokia IP45 Security Platform with an Apple Computer
Connecting the Nokia IP45 Security Platform to the Network
Installing your Network

Before you Install the Nokia IP45 Security Platform

Before you connect and set up the Nokia IP45 security platform, you must check the following:
Whether TCP/IP is installed on your computer.
The TCP/IP settings of your computer, to ensure that it obtains its IP address automatically.
The following sections guide you through the TCP/IP setup and installation process.

Setting Up the Nokia IP45 Security Platform with Microsoft Windows 98 or Millennium Operating Systems

If you are using Windows 98 or Windows ME, configure TCP/IP as follows.
To check for TCP/IP Installation
1. Choose Start > Settings > Control Panel.
The Control Panel window opens.
2. Double-click the Network icon.
The Network window opens.
In the Network window, check if TCP/IP appears in the network components list and if it is already configured with the Ethernet card installed on your computer.
If TCP/IP is already installed and configured on your computer, skip the following procedure about how to install TCP/IP.
To install TCP/IP
1. In the Network window, click Add.
The Select Network Component Type window opens.
2. Choose Protocol and click Add.
The Select Network Protocol window opens.
3. In the Select Network Protocol window, choose Microsoft in Manufacturers and TCP/IP in Network Protocols.
4. Click OK.
If you are prompted for original Windows installation files, provide the installation CD and relevant path, D:\win98, D:\win95, and so on.
5. Restart your computer if prompted.
If you are connecting the IP45 to an existing LAN, consult your network manager/system administrator for the correct configuration.
To make TCP/IP settings
1. In the Network window, double-click the TCP/IP Service for the Ethernet card on your computer (TCP/IP > PCI Fast Ethernet DEC 21143 Based Adapter).
The TCP/IP Properties window opens.
2. Click the Gateway tab and delete any installed gateways.
3. Click the DNS Configuration tab and click Disable DNS.
4. Click the IP Address tab, and click Obtain an IP address automatically.
Note
Nokia recommends that you use DHCP to assign IP addresses instead of assigning a static IP address to your computer. To assign a static IP address, click Specify an IP address and enter an IP address in the range of 192.168.10.129 to 254. Enter 255.255.255.0 as the Subnet Mask. Click OK to save the new settings.
5. Click Yes when the Do you want to restart your computer? message appears.
Your computer must restart for the new settings to take effect.
Your computer is now ready to access the IP45.

Setting Up the Nokia IP45 Security Platform with Microsoft Windows XP and 2000 Operating Systems

Windows XP has an Internet connection firewall option. Nokia recommends that you disable the firewall option if you are using the Nokia IP45.
To check for TCP/IP installation
1. Choose Start > Settings > Control Panel (in Windows XP, choose Start > Control Panel).
The Control Panel window opens.
2. Double-click the Network and Dial-up Connections icon (in Windows XP double-click the
Network Connections icon).
The Network and Dial-up Connections window opens.
3. Right-click the Local Area Connection icon and select Properties from the drop-down list.
The Local Area Connection Properties window opens.
4. Check for TCP/IP in the Component list and whether it is configured with the Ethernet card
installed on your computer.
If TCP/IP does not appear in the Components list, install it as described in the section “To
install TCP/IP” on page 39. If TCP/IP is already installed, skip the next section.
To install TCP/IP
1. In the Local Area Connection Properties window, click Install.
The Select Network Component Type window opens.
2. Choose Protocol and click Add.
The Select Network Protocol window opens.
3. In the Select Network Protocol window, choose Internet Protocol (TCP/IP) and click OK.
The TCP/IP protocol is installed on your computer.
To make TCP/IP settings
1. In the Local Area Connection Properties window, double-click Internet Protocol (TCP/IP)
and click Properties.
The Internet Protocol (TCP/IP) Properties window opens.
2. Click Obtain an IP address automatically.
Note
Nokia recommends that you use DHCP to assign IP addresses instead of assigning a static IP address to your computer. To assign a static IP address, select Specify an IP address and enter an IP address in the range of 192.168.10.129 to 192.168.10.254. Enter 255.255.255.0 as the subnet mask. Click OK to save the new settings.
3. Click Obtain DNS server address automatically.
4. Click OK to save the new settings.
Your computer is now ready to access your IP45.

Setting Up the Nokia IP45 Security Platform with an Apple Computer

Use the following procedure to set up the TCP/IP protocol:
To make TCP/IP settings
1. Choose Apple Menus > Control Panels > TCP/IP.
The TCP/IP window opens.
2. Select Ethernet from the Connect drop-down list.
3. Select Using DHCP Server from the Configure drop-down list.
4. Close the window and save the setup.

Connecting the Nokia IP45 Security Platform to the Network

The following examples illustrate proper network cabling of the IP45 topology.
Figure 3 IP45 Topologies

Installing your Network

Plan your network and the location of the IP45 to install the network.
To install the network
1. Connect the LAN cable:
a. Connect one end of the Ethernet cable to the LAN port at the rear end of the device.
b. Connect the other end of the Ethernet cable to the computer, hubs, or another network device.
2. Connect the DMZ cable:
a. Connect one end of the Ethernet cable to the DMZ port at the rear end of the device.
b. Connect the other end of the Ethernet cable to the computer, hubs, or another network
device.
3. Connect the WAN cable:
a. Connect one end of the Ethernet cable to the WAN port at the rear end of the device.
b. Connect the other end of the Ethernet cable to a cable modem, xDSL modem, or a
corporate network.
4. Connect the power adapter to the power socket at the rear end of the device.
5. Plug in the AC power adapter to the electrical outlet.

3 Getting Started

This chapter describes the basic configurations and settings you need to perform to start using your Nokia IP45 security platform.
This chapter includes the following topics:
First-Time Login
Configuring the Nokia IP45 Security Platform for Internet Connection
Making Initial Nokia IP45 Security Platform Settings
Logging On to the Nokia IP45 Security Platform
Accessing Nokia IP45 Securely

First-Time Login

After you connect your IP45 security platform to your network as described in “Connecting the
Nokia IP45 Security Platform to the Network” on page 47, wait for the STAT LED to turn green.
To log in for the first time
1. Open your Web browser and type http://my.firewall in the location text box.
The first time login page opens, prompting for a password.
If you cannot access the GUI portal, see “Troubleshooting” on page 319 in this document.
Note
The IP45 ships without a password defined. If you are logging in for the first time, you are prompted to define the password by entering it twice. If you logged in before, enter the username and password you previously defined.
2. Type a password and re-type the password to confirm.
3. Click OK.
Note
The password must be between five and eleven alphanumeric characters. To change the password, click Setup on the main menu, and click Password. Enter the new password and confirm to update the change.

Configuring the Nokia IP45 Security Platform for Internet Connection

This section describes how to make the initial settings for your Nokia IP45 security platform to connect to the Internet by using the Setup wizard.

To connect to the Internet from the Nokia IP45 security platform
1. After you set the administrator password, you are prompted to make the initial settings from
the Setup wizard.
The wizard guides you through making an Internet connection, setting the device time, registering for support services, and performing other basic configurations.
2. Click OK to continue.
3. The Internet Connection Method dialog box appears.
For more information about how to connect to the Internet, see “To configure an Internet
connection by using the setup wizard” on page 74.

Making Initial Nokia IP45 Security Platform Settings

When you exit the Internet Connection Method wizard, you are prompted to set the device time. This section describes how to use the Setup wizard to set the device time, and how to make the initial Nokia IP45 security platform settings.

Setting the Nokia IP45 Security Platform Time

Use the following procedure to set the time of the Nokia IP45 security platform.
To set the time
1. When the IP45 Set Time wizard opens, check the appropriate setting.
If you check Your computer’s clock, the IP45 automatically updates with the time settings
of your computer.
If you check Keep the current time, the IP45 retains its current time settings. No changes
are made.
If you check Use a time Server, the Time Servers window opens.
Enter the IP addresses for the Primary and Secondary time servers.
Select the time zone.
Click Next.
Click Finish.
Note
To edit the IP addresses of the time servers, click Clear next to the Primary and Secondary servers, and enter the new IP address.
The IP45 automatically applies the time settings.
If you check Specify date and time, the Specify Date and Time window opens.
You can manually update the IP45 time settings.
2. Click Next to change your IP45 time settings:
If you choose to use a time server by clicking Use a Time Server, the Time Servers
window opens.
3. Specify the IP addresses of the Primary and Secondary servers to use as NTP time servers.
Select the time zone from the Time Zone drop-down list.
4. Click Next.
The IP45 Set Time Wizard Date and Time Updated dialog box appears, indicating that time settings are changed successfully.
5. Click Finish to exit the Set Time wizard.

Registering with the Nokia Support Site

You can register with the Nokia Support Site when you make your time settings.
The IP45 Setup Wizard begins when you exit the Set Time wizard.
Check the I want to register my product check box, and click Next.
You are automatically taken to Nokia Support Web site:
https://support.nokia.com/agreement/SOHOregister.shtml.
Use the instructions on the Web site to complete the registration process and gain access to support Web resources and software updates.

Connecting to a Central Management Server

When you are registered for support, the Service Center window opens.
This window allows you to define the central management server that the IP45 connects to.
The IP45 can connect to a central management server to allow central management of the firewall and VPN policies. Central management can also allow the IP45 to subscribe to additional services such as antivirus and URL filtering. The central server can be either a Check Point Smart Center, Smart Center Pro, or SofaWare Management Portal.
If your IP45 is centrally managed by any of these servers, check Connect to a service center and enter the IP address of the central management server in the Specified IP text box, then click Next. You are then prompted to enter the authentication information that allows the IP45 to communicate with the management server where you previously defined the IP45 object.
If your IP45 is not managed by a central management server, check Connect to a service center, and click Next.
For information about connecting to service centers, see “Managing Large Scale Deployments of Nokia IP45” on page 70. For information about how to use subscription services, see “Using Managed Services” on page 303.

Logging On to the Nokia IP45 Security Platform

When you exit the Setup wizard, the IP45 Welcome page opens.
To access the graphical user interface of the Nokia IP45 security platform
1. Open your Web browser, and enter http://my.firewall in the address bar.
The Login page opens.
2. Enter the password for the IP45 Tele 8 license.
For IP45 Satellite X licenses, enter the username and password. If you are logging on for the first time, use admin as the username.
Note
The default user name for all Nokia IP45 licenses is admin. For the IP45 Satellite X licenses, you can define additional users. These additional users have separate usernames and passwords. For the IP45 Tele 8 license, you can only log on with the username admin. However, you can change the password. The password in all cases should be five to eleven alphanumeric characters.
You need to define your password in two instances:
At the initial login
When you reset the device to defaults
After the initial login, the Welcome page opens.
The Welcome page displays the license type of your device (Tele 8 or Satellite X).

Accessing Nokia IP45 Securely

You can access the IP45 graphical user interface (GUI) through HTTPS either remotely or locally (from your internal network). For information about how to access through HTTPS from a remote location, see “Enabling HTTPS Web Access” on page 206.
Note
First configure HTTPS to access the IP45 GUI from a remote location.
To access the Nokia IP45 security platform through HTTPS from the Internet
1. To access the IP45 locally, enter https://my.firewall in the address bar of your browser.
Note
The URL starts with HTTPS, not HTTP.
The Welcome page opens.
To access the Nokia IP45 security platform from a remote location
1. Enter https://<external IP address of IP45>:981 in the address bar of your browser.
Note
The URL starts with HTTPS, not HTTP.
If you are accessing the Nokia IP45 security platform for the first time, the security certificate in the IP45 is not yet known to the browser, so a security alert appears.
2. Click Yes to install the security certificate of the IP45 that you are trying to access. If you are using Internet Explorer 5.0 or later, do the following:
a. Click View Certificate.
The Certificate information page opens, with the General tab displayed.
b. Click Install Certificate.
The Certificate Import Wizard appears.
c. Click Next.
The Certificate Store appears.
Select Automatically select the Certificate Store based on the type of certificate.
d. Click Next.
Completing the Certificate Import Wizard message appears.
e. Click Finish.
The Root certificate Store message appears.
f. Click Yes.
The certificate is installed.
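A check that fits the first-connection step above, as an added example that is not part of the Nokia guide: record the fingerprint of the certificate the IP45 presents on the local side, then compare it with the certificate presented at the external address before installing it. The function and class names are assumptions made for this example, the certificate bytes are constructed stand-ins, and a device of this age may offer only protocol versions a current TLS library refuses, in which case the fingerprint copied from the browser's certificate dialog can be pinned as text instead.

```python
import hashlib
import hmac
import socket
import ssl

# Hex-digit count -> digest, so a fingerprint copied from a certificate
# dialog (often SHA-1 in older browsers) can be pinned as well.
_DIGEST_BY_LENGTH = {40: "sha1", 64: "sha256"}


def fetch_certificate_der(host, port=443, timeout=5.0):
    """Read the DER certificate a server presents, without trusting it.

    Chain validation is off on purpose: the certificate is unknown to the
    client at this point, and the only use made of it is fingerprinting.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der, algo="sha256"):
    """Lowercase hex digest of the DER-encoded certificate."""
    return hashlib.new(algo, der).hexdigest()


def parse_fingerprint(text):
    """Turn 'AB:CD:..', 'ab cd ..' or plain hex into (digest name, hex)."""
    cleaned = "".join(
        c for c in text if c not in ":-" and not c.isspace()
    ).lower()
    algo = _DIGEST_BY_LENGTH.get(len(cleaned))
    if algo is None or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint in hex")
    return algo, cleaned


class PinStore:
    """Trust-on-first-use record of one fingerprint per device."""

    def __init__(self):
        self._pins = {}

    def pin_text(self, device, text):
        """Pin a fingerprint read over a trusted path (LAN or console side)."""
        self._pins[device] = parse_fingerprint(text)

    def check(self, device, der):
        """Return 'pinned' on first sight, then 'match' or 'mismatch'."""
        if device not in self._pins:
            self._pins[device] = ("sha256", fingerprint(der))
            return "pinned"
        algo, pinned = self._pins[device]
        seen = fingerprint(der, algo)
        return "match" if hmac.compare_digest(pinned, seen) else "mismatch"


# Constructed stand-ins for DER bytes. Real input would come from
# fetch_certificate_der("my.firewall") on the LAN and from
# fetch_certificate_der("<external IP address of IP45>", 981) remotely.
CONSTRUCTED_LAN_CERT = b"constructed certificate bytes seen on the LAN side"
CONSTRUCTED_OTHER_CERT = b"constructed certificate bytes from another endpoint"


def demo():
    store = PinStore()
    return [
        store.check("ip45", CONSTRUCTED_LAN_CERT),    # first contact, local
        store.check("ip45", CONSTRUCTED_LAN_CERT),    # same certificate remotely
        store.check("ip45", CONSTRUCTED_OTHER_CERT),  # different certificate
    ]


if __name__ == "__main__":
    print(demo())
```

A "mismatch" result means the certificate offered remotely is not the one seen locally, so it should not be installed until the difference is explained.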

Logging Off from the Nokia IP45 Security Platform

Logging off terminates the Nokia IP45 security platform session. To connect to the IP45 again, enter the password.
To log off from IP45, perform one of the following procedures:
If you are connected locally, click Logout.
The Logout page opens.
If you are connected through HTTPS, close the browser window.
For information about connecting to your device through HTTPS, see “Accessing Nokia IP45
Securely” on page 57.

Understanding the Nokia IP45 Web GUI

When you log on to the Nokia IP45 security platform by using HTTP or HTTPS, you can configure the device by using the following methods:
Quick Setup Wizard—configures the most common settings required for the IP45 to be up
and running. The Web-based graphical user interface (GUI) automatically guides you through this wizard after your initial login.
Advanced GUI—configures the various advanced features of the IP45.
For a configuration to take effect, click Submit.
For a brief description of the main components of the IP45 GUI, see the following sections. When you are familiar with these components, you are ready to make advanced configuration changes to the IP45 security platform.

Using the Nokia IP45 Security Platform Web-based User Interface

Table 11 provides a summary of the web-based GUI.
Table 11 Summary of the main components of the Nokia IP45 GUI
| Component | Description |
|---|---|
| Navigation bar | Used to access various feature sets in the IP45 security platform |
| Tab bar | Used to access and configure all features in the IP45 security platform |
| Wizard | Used to configure common settings |
| Status bar | Provides status after a specific configuration |
| Help | Online help to assist you in configuring the IP45 |
Graphical User Interface Details
This section provides details about Nokia IP45 v4.0 graphical user interface (GUI).
Figure 4 Main Components of the Nokia IP45 Security Platform GUI (callouts: Tab bar, Service center connection status, Navigation bar, Internet connection status, Click for online help, Setup wizard)
Note
The Nokia IP45 Tele 8 license does not support all of the features described in Table 12. For information on features supported by the Tele configuration, see “Nokia IP45 Security
Platform Features” on page 22.
Table 12 provides information about the name and functionality of each element in the Nokia IP45 GUI.
Table 12 Names and Functions of the Nokia IP45 GUI Elements
| Main Tab | Secondary Tabs | Description |
|---|---|---|
| Welcome | | Displays Welcome and configuration information. |
| Reports | Event Log | Displays the last 100 events in four different categories: Blue, Red, Orange, and Green. |
| | Traffic Monitor | Allows you to visualize the network traffic (in graphical representation). |
| | Active Computers | Allows you to view computers on your network. |
| | Active Connections | Allows you to view current connections between your network and the external world. |
| | VPN Tunnels | Displays a list of established VPN tunnels. |
| Security | Firewall | Allows you to control firewall security level. |
| | Servers | Allows you to selectively allow incoming traffic from known applications and Internet services. |
| | Rules | Allows you to customize your security policy. |
| | SmartDefense | Allows you to deal with application-level attacks. |
| | HotSpot | Allows you to access the network from a public place on authentication. |
| | Exposed Host | Allows you to define a Demilitarized Zone, i.e. a computer not protected by firewall. |
| Antivirus | Antivirus | Allows you to enable or disable the antivirus settings. |
| | Policy | Allows you to add new rules and edit existing rules of antivirus policy. |
| | Advanced | Allows you to select the file types to scan and block and also to define various other advanced settings such as archiving files, defining nested levels and compression ratio etc. |
| Services | Account | Provides information on services available in your service plan, and allows you to manage security services. |
| Network | Internet | Displays information on network setup and activity. |
| | My Network | Allows you to configure network settings. |
| | Ports | Allows you to manage ports and view ports status. |
| | Traffic Shaper | Allows you to define QoS classes. |
| | Network Objects | Allows you to configure network objects. |
| | Routes | Allows you to configure and edit routes. |
| Setup | Firmware | Displays current firmware version and details. |
| | High Availability | Allows you to configure high availability feature. |
| | Logging | Enables you to specify syslog server and syslog port. |
| | Management | Allows you to specify the protocols and accessing information for the IP45. |
| | Tools | Comprises several tools to effectively manage your IP45. |
| Users | Internal Users | Allows you to view, add, edit, and delete list of the IP45 users. |
| | RADIUS | Allows you to change your RADIUS settings. |
| VPN | VPN Server | Allows you to enable or disable a VPN server. |
| | VPN Sites | Allows you to view and edit a list of the configured VPN sites. |
| | VPN Login | Enables you to manually log in to a VPN site. |
| | Certificate | Allows you to control certificates for site-to-site VPN usage. |
| Help | | Online Help. |
| Logout | | Logs you out of the IP45. |
Table 13 provides information about the elements in Status Bar.
Table 13 Status Bar
| Field | Description |
|---|---|
| Internet | Your Internet connection status. |
| Service Center | Displays your subscription services status. |
The Internet status can be one of the following:
Connected: your IP45 device is connected to the Internet.
Not Connected: your IP45 device is not connected to the Internet.
Establishing Connection: your IP45 device is connecting to the Internet.
Contacting Gateway: your IP45 device is trying to contact the Internet default gateway.
Disabled: the Internet connection has been disabled manually.
You can configure both primary and secondary Internet connections. When both the connections are configured, the Status bar shows this status.
Your Service Center offers various subscription services like firewall services, and optional services such as Web filtering and email antivirus.
The service center status can be one of the following:
Not Subscribed: you are not subscribed to security services.
Connection Failed: your IP45 device failed to connect to the service center.
Connecting: your IP45 device is connecting to the service center.
Connected: you are connected to the service center, and the security services are active.
Note
You can view help information about a field by pointing to the help icon in the right corner of the IP45 GUI screens. The Help icon is visible only for those fields that have further information available. For information about other fields, please see related sections in the IP45 Security Platform User’s Guide Version 4.0 or choose Help from the main menu.

4 Accessing the Nokia IP45 Security Platform

This chapter discusses the methods for accessing and configuring the Nokia IP45 security platform. This chapter also provides an introduction to centrally managing large scale deployments of Nokia IP45 by using Nokia Horizon Manager, SmartCenter Large Scale Manager, and the SofaWare Security Management Portal.
The main topics for this chapter include:
Connection Methods
Configuration Methods
Connecting the Nokia IP45 Security Platform to a Computer by Using the Console Port
Using Telnet to Connect to the Nokia IP45 Security Platform
Enabling and Disabling Telnet Access to Nokia IP45
Accessing Nokia IP45 with HTTP and HTTPS
Managing Large Scale Deployments of Nokia IP45

Connection Methods

You can connect to your Nokia IP45 security platform locally through the LAN, WAN, DMZ, or console ports for in-band management. You can also connect from a remote location by using modem dial-in for out-of-band (OOB) management.
For information about how to use OOB to configure your device, see “Configuring Nokia IP45
Through Out-of-Band Management” on page 233.
Typically the WAN port for your device is connected to your Internet service provider (ISP), while the LAN port is connected to your computer, or to a hub, if you are using the IP45 between your computer network and the outside world. You can connect your computer to the console port of your IP45 to manage the device by using the command-line interface (CLI).

Configuration Methods

The Nokia IP45 security platform supports the following configuration methods:
Command-line interface (CLI) by using console, Telnet, or Secure Shell (SSH)
Web-based graphical user interface (GUI) by using HTTP and HTTPS

Connecting the Nokia IP45 Security Platform to a Computer by Using the Console Port

Your Nokia IP45 security platform has a console serial port. Connect the RS-232 cable (that is shipped along with the device) from the serial port of your computer to the console port of the IP45. You can then manage the device by using a terminal emulation program such as HyperTerminal.
To connect to Nokia IP45 with HyperTerminal
1. To start the HyperTerminal program, choose: Start > Programs > Accessories >
Communications > HyperTerminal.
The Connection Description window opens.
2. Assign a name for your connection, such as IP45, and click OK.
3. Select the serial port that you will use: COM1 or COM2, and click OK.
4. When you select the serial port, the COM1 (or COM2) Properties window opens.
Select the following port settings:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
5. Click OK to continue.
6. The login prompt is displayed by default.
The IP45 ships without a password defined. If you are logging in for the first time, you are prompted to define the password by entering it twice. If you logged in before, enter the username and password you previously defined.
For more information about CLI commands, see the Nokia IP45 Security Platform CLI Reference Guide, Version 4.0.

Using Telnet to Connect to the Nokia IP45 Security Platform

You can access the command-line interface through a Telnet session.
Telnet access is disabled by default. You can allow Telnet access from the LAN and WAN by configuring separate user rules. (No LAN or WAN access is available until it is configured.)
Note
Before you start Telnet, ensure that the Telnet program is installed on your computer, and that you can access the IP45 by using Telnet. The method for starting Telnet differs between operating systems. You can use the method given here to start a Telnet session from Windows 2000.
To connect to the IP45 security platform by using Telnet
1. Choose Start > Run
2. In the command window that opens, type telnet followed by the IP address of your IP45
security platform.
If your device IP address is 192.168.10.1, the run window opens as follows:
3. Click OK.
The Telnet command window opens with a login prompt.
4. Enter your username and password. You can now manage your IP45 security platform by using simple commands.
5. Press the tab key to view a list of useful, simple commands to start managing your IP45. For
more information, see the Nokia IP45 Security Platform CLI Reference Guide Version 4.0.

Enabling and Disabling Telnet Access to Nokia IP45

Telnet access is disabled by default.
Use the following command from the IP45 CLI to enable Telnet access to the device:
set acl service telnet enable
Use the following command to disable Telnet:
set acl service telnet disable
This command disables Telnet access from the WAN, LAN, and DMZ ports.

Using Secure Shell to Connect to the Nokia IP45 Security Platform

You can use Secure Shell (SSH) to access your IP45 security platform securely. SSH is an application protocol and software suite that allows secure network services over an insecure network such as the Internet.
Note
By default, SSH access is allowed from the LAN and DMZ.
To access your Nokia IP45 security platform with SSH
1. Install an SSH client that allows you to make SSH connections to your IP45.
2. Provide the following information to connect to the device:
IP Address of the device
username
Authentication method, whether Password or Public Key
For more information about SSH, see “Configuring Network Access” on page 191.

Accessing Nokia IP45 with HTTP and HTTPS

You can access and manage your IP45 through a user-friendly GUI. For more information, see “Logging On to the Nokia IP45 Security Platform” on page 55.

Managing Large Scale Deployments of Nokia IP45

You can centrally manage the Nokia IP45 security platform by using the following applications:
Nokia Horizon Manager
Check Point SmartCenter LSM
SofaWare Management Portal
These centralized management applications allow you to manage large-scale deployments.
For an overview of how to manage your device, see “Using Managed Services” on page 303.

Deploying the Nokia IP45 Security Platform with the Nokia Horizon Manager

You can manage the Nokia IP45 security platform by using the Nokia Horizon Manager.
Nokia Horizon Manager is a software application designed to manage and configure a large number of Nokia IP security platforms (devices) that reside on a corporate enterprise, managed service provider (MSP), or hosted applications service provider (ASP) network.
You can use Nokia Horizon Manager to perform software inventory, configuration, and image management operations.

Deploying the Nokia IP45 Security Platform with the Check Point SmartCenter Large Scale Manager

The Check Point SmartCenter Large Scale Manager (LSM) allows you to manage many Check Point Remote Office/Branch Office (ROBO) gateways from a single SmartCenter Server.
For additional information on installing and configuring LSM, see Check Point SmartCenter LSM documentation.

Deploying Nokia IP45 with SofaWare Management Portal

The SofaWare Security Management Portal (SMP) is a security platform that enables centralized management of a large number of firewalls embedded in broadband access devices or gateways.
You can use the SofaWare SMP for both policy and configuration management.
Note
Configure the management servers by using the SofaWare Management Portal before you use subscription services such as Web filtering, email antivirus, and software updates with the Nokia IP45.
Using the SofaWare Management Portal, you can:
Update security policies and user interface files.
Configure and fine-tune SofaWare management services like Web filtering, email antivirus,
and software updates.

5 Connecting to the Internet with the Nokia IP45 Security Platform

This chapter explains how to configure a secure Internet connection by using the Nokia IP45 security platform.
This chapter includes the following topics:
Using the Setup Wizard
Manually Configuring the Internet Setting
Enabling or Disabling the Internet Connection
Using Quick Internet Connect or Disconnect
Configuring a Backup Internet Connection
Detecting Dead Connections

Configuring an Internet Connection

You can configure an Internet connection by using one of the following setup tools:
Setup Wizard—guides you through the configuration process, step by step.
Advanced Setup—provides advanced setup options.
Note
You must configure the Internet connection on initial operation and after a reset-to-defaults operation.

Using the Setup Wizard

You can use the Setup Wizard to configure the Internet connection for the Nokia IP45 security platform through the graphical user interface (GUI). The Setup Wizard guides you through the configuration process, step by step.
You can connect to the Internet using any of the following broadband connection methods:
PPPoE (PPP over Ethernet)
PPTP
Cable Modem
Static IP
DHCP (Dynamic IP)
Note
The IP45 Setup wizard, which you can use for basic configuration of the device, is always accessible from Setup > Firmware.
To configure an Internet connection by using the setup wizard
1. Choose Network from the main menu.
The Internet page opens.
2. Click Internet Wizard at the bottom of the page.
The IP45 Internet Wizard appears.
3. Click Next to proceed.
4. The Internet Connection Method window opens.
5. Select the Internet connection method, and click Next.
You can choose between the following modes of broadband connection:
PPPoE (PPP over Ethernet)
PPTP
Cable Modem
Static IP
DHCP (Dynamic IP)
Note
If you select to connect by PPTP or PPPoE dialer, do not use dial-up software to connect to the Internet. The IP45 does the PPPoE negotiation.
6. Follow the wizard instructions until the Connected message appears.
7. Click Finish.
You are now connected to the Internet.
The wizard prompts you to register and set up your subscription options, which vary from product to product.
For information about configuring device time, registering with Nokia Support Center and subscribing to additional services with the Setup wizard, see “Getting Started” on page 49.

Cable Modem Connection Settings

If you select cable modem connection through the procedure “To configure an Internet
connection by using the setup wizard” on page 74, the Identification window opens.
Type the Host name and MAC Clone address if they are required by the ISP. For more details on cloning a MAC address, see “To configure for cable modem connection” on page 77.
To configure for cable modem connection
1. Type the Host name in the Identification window.
This field is optional. It might be required by your ISP and if so the ISP provides it.
2. Click Next.
The Confirmation message appears.
3. Click Next.
The device attempts to connect to the Internet.
At the end of the connection process, the Connected message appears. When you are connected, the wizard prompts you to register your details and set up your subscription options, which vary from product to product.
4. Follow the instructions until the wizard is done, and then click Finish.

MAC Cloning

Some ISPs require that you register any MAC addresses of the computer behind the cable modem before you establish an Internet connection.
Nokia IP45 takes the place of the computer behind the cable modem and you can use MAC cloning to enter the original computer MAC address without contacting the ISP to change that information.

Cloning a MAC Address

A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, you must clone a MAC address.
IP45 v4.0 supports MAC cloning for WAN2 (DMZ).
To clone a MAC address
1. Choose Network from the main menu.
The Internet page opens.
2. To clone the MAC address, click Edit next to the interface.
The Internet Setup page opens.
3. Click Show Advanced Settings.
The Internet Setup page now displays the MAC cloning option.
4. Select MAC Cloning. Do one of the following:
a. Click This Computer to automatically clone the MAC address of your computer to the IP45.
or
b. If the ISP requires authentication by using the MAC address of a different computer, type the MAC address in the Cloned MAC Address field.
5. Click Apply.
To connect by using a PPPoE connection
1. Select PPPoE from the Internet Connection Method window.
The PPP Configuration window opens.
2. Type the following:
a. Your username and password, and confirm the password.
b. The service name. This field is optional.
3. Click Next.
The system attempts to connect to the Internet through the PPPoE connection. At the end of the connection process, the Connected message appears.
To connect by using the PPTP connection
1. Select PPTP from the Internet Connection Method window.
The PPP Configuration window opens.
2. Type the following information:
Username and Password, and confirm the password.
Service name.
IP address of the PPTP modem in the Server IP text box.
Local IP address required for accessing the PPTP modem in the Internal IP text box.
Subnet Mask of the PPTP modem.
3. Click Next.
The Connecting message appears while the system attempts to connect to the Internet through the PPTP connection. At the end of the connection process, the Connected message appears.
To connect by using a static IP connection
1. Select Static IP from the Internet Connection Method window.
The Static IP Configuration window opens.
2. Type the following information:
Static IP address of the Nokia IP45 appliance.
Subnet Mask that applies to the static IP address.
IP address of the Default Gateway of your Internet service provider.
IP address of the Primary DNS Server.
IP address of the Secondary DNS Server. This field is optional.
IP address of the WINS Server. This field is optional.
3. Click Next.
The Connecting message appears while the system attempts to connect to the Internet through the static IP connection. At the end of the connection process, the Connected message appears.
To connect using a DHCP connection
1. Select DHCP (Dynamic IP) from the Internet Connection Method window.
2. Click Next.
The Confirmation message appears.
3. Click Next.
The Connecting message appears while the system attempts to connect to the Internet through the DHCP connection. At the end of the connection process, the Connected message appears.

Manually Configuring the Internet Setting

You can configure the Internet settings for your IP45 manually.
To configure the Internet connection
1. Proceed as per steps 1 and 2 in “Using the Setup Wizard” on page 73 to connect using PPTP
and PPPoE.
2. Click Cancel on the Internet Setup wizard.
The Welcome page is displayed.
3. Choose Network from the main menu.
The Internet page opens.
4. Click Edit next to Primary.
The Internet Setup page with a list of connection type options appears.
5. Select the Connection Type.
The display changes according to the connection type you select. Perform the following procedures in accordance with the connection type you choose.
To use a LAN connection
The following steps provide details about the LAN connection.
1. Select LAN connection from the Internet Setup page at Connection Type.
2. Click Show Advanced Settings.
The following page opens.
3. Select the Port: WAN, WAN2, Serial, None.
4. If you do not want the IP45 to obtain an IP address automatically by using DHCP, do the
following:
a. Uncheck the Obtain IP address automatically (using DHCP) check box.
b. Type the IP address that your service provider provides.
c. Select the subnet mask from the drop-down list that applies to the IP address you typed.
d. Type the IP address of the default gateway of your service provider.
5. To assign an IP address automatically by using DHCP, but not configure DNS servers
automatically, do the following:
a. Uncheck the Obtain DNS Servers automatically check box.
b. Type the Primary DNS server IP address.
c. Type the Secondary DNS server IP address.
d. Type the WINS Server IP address.
6. Select Shape Upstream and Shape Downstream to enable the traffic shaper.
7. Type the Upstream Link Rate value in kbps.
8. Type the Downstream Link Rate value in kbps, slightly lower than the Upstream Link Rate
value.
9. Click Show Advanced Settings.
10. Type the maximum transmission unit (MTU-1500).
11. Type the Host Name.
This field is optional: some ISPs might require it, and they provide the host name.
12. Click Apply.
To use a cable modem connection
1. Select Cable Modem type from the Internet Setup page at Connection Type.
2. Click Show Advanced Settings.
The Internet Setup page opens.
3. Enter the Host Name.
This field is optional: some ISPs might require it, and they provide the host name.
4. Complete the remaining fields as per the information provided in the procedure “To use a
LAN connection” on page 82.
5. Click Apply.
To use a PPPoE connection
1. Choose PPPoE from the Internet Setup page at Connection Type.
2. Click Show Advanced Settings.
The following page opens:
3. Enter the following information:
Enter your Username and Password, and confirm the Password.
Enter the service name as given by your service center.
Note
If your service center did not provide you with a service name, leave this text box empty.
You can set the maximum transmission unit size (MTU). Nokia recommends that you leave this field empty. However, to modify the default MTU, consult with your service provider.
4. If you are not using automatic configuration of DNS servers, do the following:
Uncheck the Obtain Domain Name Servers automatically check box.
Enter the Primary DNS server IP address.
Enter the Secondary DNS server IP address.
Enter the WINS Server IP address.
The following page opens:
5. Click Apply.
To use a PPTP connection
1. Choose PPTP from the Internet Setup page at Connection Type.
2. Click Show Advanced Settings.
The following page opens:
3. Enter the following information:
a. Your username and password, and confirm the password.
b. The service name as given by your service provider.
c. The IP address of the PPTP server as given by your service provider.
d. The IP address of the PPTP client as given by your service provider.
e. Select the PPTP client subnet as given by your service provider.
You can configure the MTU size. Nokia recommends that you leave this field empty. Consult your service provider to modify the default MTU.
4. If you are not using automatic configuration of DNS servers, do the following:
a. Clear the Obtain DNS servers automatically check box.
The Internet page with DNS server options appears.
b. Enter the Primary DNS server IP address.
c. Enter the Secondary DNS server IP address.
5. Click Apply.
Table 14 Internet Connection Fields
Field | Action
Host Name | Type the hostname for authentication. If your ISP has not provided you with a host name, leave this field blank. Most ISPs do not require a specific hostname.
Port | Type of port you want to use for connecting to the Internet. Options: WAN: configuring an Ethernet-based connection through the WAN port. WAN2: configuring an Ethernet-based connection through the DMZ/WAN2 port. Serial: to configure a dial-up connection. None: to configure none.
Username | Type your user name.
Password | Type your password.
Confirm password | Retype your password to confirm.
Service | Type your service name. If your ISP has not provided you with a service name, leave this field empty.
Server IP | IP address of the server. If you selected PPTP, type the IP address of the PPTP server as given by your ISP.
Internal IP | Local IP address. If you selected PPTP, type the local IP address required for accessing the PPTP modem.
Obtain IP address automatically (Using DHCP) | Clear this option if you do not want the Nokia IP45 device to obtain an IP address automatically.
Obtain Domain Name Servers automatically | Clear this option if you do not want the Nokia IP45 device to obtain an IP address automatically.
IP Address | Type the static IP address of your IP45 device.
Subnet Mask | Select the subnet mask that applies to the static IP address of your device.
Default Gateway | Type the IP address of your ISP’s default gateway.
Primary DNS Server | Type the primary DNS server IP address.
Secondary DNS Server | Type the secondary DNS server IP address.
WINS Server | Type the WINS server IP address.
Shape Upstream Link Rate | Select this option to enable traffic shaper for outgoing traffic. Type a rate (in kilobits/second) slightly lower than the maximum measured upstream speed of your Internet connection. Try different rates in order to determine which one provides the best results. For information on using traffic shaper, see “Using Traffic Shaper” on page 127.
Shape Downstream Link Rate | Select this option to enable Traffic Shaper for incoming traffic. Then type a rate (in kilobits/second) slightly lower than the maximum measured downstream speed of your Internet connection in the field provided. You may try different rates in order to determine which one provides the best results. Note: Traffic Shaper cannot control the number or type of packets it receives from the Internet; it can only affect the rate of incoming traffic by dropping received packets. This makes the shaping of inbound traffic less accurate than the shaping of outbound traffic. It is therefore recommended to enable traffic shaping for incoming traffic only if necessary. For information on using Traffic Shaper, see “Using Traffic Shaper” on page 127.
Do not connect if this gateway is in passive state | If you are using High Availability, select this option to configure WAN high availability. The gateway connects to the Internet only if it is the active gateway in the high availability cluster. This field is only enabled if high availability is configured. For information on high availability, see “High-Availability” on page 213.
External IP | If you selected PPTP, type the IP address of the PPTP client as given by your ISP. If you selected PPPoE, this field is optional, and you need not enter this value unless specified by your ISP.
MTU | This field allows you to control the maximum transmission unit size. As a general recommendation you should leave this field empty. To modify the default MTU value, it is recommended that you consult with your ISP first and use MTU values between 1300 and 1500.

Dial-Up PPP

You can connect the Nokia IP45 security platform to the Internet by using a dial-up connection. The device can establish a PPP connection to an ISP by using an external modem connected to an auxiliary port. The modem can be an analog modem or an ISDN terminal adapter.
You can use the following modems:
Analog modem 56 Kbps (DTE speed: up to 115200)
ISDN TA (using PPP) 64 Kbps (DTE speed: up to 230400)
ISDN TA (using MLPPP) 128 Kbps (DTE speed: up to 460800)

Configuring Dial-Up

You can configure the dial-up option using either the GUI or the command-line interface (CLI).
Using the GUI
The following sections provide details about how to configure dial-up connections on the Nokia IP45 security platform by using the GUI:
To configure dial-up settings using the GUI
1. Choose Network from the main menu.
The Internet page opens.
2. Click Edit next to the Primary Internet connection.
The Internet Setup page opens.
3. Select Serial from the drop-down list next to Port.
4. Select Dialup from the drop-down list next to Connection Type.
The following page opens.
5. Click Apply.
Dialup is configured.
Configuring Dial-up Setting by Using the CLI
To configure the dial-up by using the command line interface, log in through the console port.
Dial-up mode can be enabled by using the following options available in the CLI:
Disable—WAN connection is established regardless of any interesting traffic.
Immediate—WAN connection is established only when no other higher priority connection
(primary) exists, regardless of any interesting traffic. This connection becomes inactive when primary becomes active.
Note
Any traffic that goes to the Internet through LAN is called interesting traffic.
Activity—WAN connection is established only when interesting traffic is initiated from
internal network to WAN and when no other higher priority connection (primary) exists. The dialup connection terminates if another higher priority connection becomes active or if there is no traffic for 1 minute.
Note
Dial-up connection option (always on, demand dialing) and other parameters (number, username, password, and so on) can be configured by using CLI.
Use the following commands to configure the dialup profile:
set interface wan mode dialup connectondemand <disable | immediate | activity>
set interface wan2 mode dialup connectondemand <disable | immediate | activity>
For more information about dial-up commands, see the Nokia IP45 Security Platform CLI Reference Guide Version 4.0.
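The three connectondemand modes described above can be modelled as a small state machine. The following is an added illustration, not Nokia firmware or CLI code; the class, function and timeline names are hypothetical, the timeline is constructed sample data, and the only timing value used is the 1-minute idle timeout stated for Activity mode.

```python
"""Model of the dial-up connect-on-demand modes (added illustration)."""
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_S = 60  # Activity mode: link drops after "no traffic for 1 minute"
MODES = ("disable", "immediate", "activity")


@dataclass
class DialupLink:
    mode: str
    up: bool = False
    last_traffic: Optional[float] = None  # time of the last interesting traffic

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown connectondemand mode: {self.mode}")

    def step(self, now, primary_up, interesting_traffic):
        """Advance to time `now`; return True if the dial-up link is established."""
        if interesting_traffic:
            self.last_traffic = now
        if self.mode == "disable":
            # Established regardless of interesting traffic.
            self.up = True
        elif self.mode == "immediate":
            # Established whenever no higher-priority (primary) connection exists.
            self.up = not primary_up
        elif primary_up:
            # Activity mode: a primary connection always takes over.
            self.up = False
        elif interesting_traffic:
            # Activity mode: LAN-to-Internet traffic brings the link up.
            self.up = True
        elif self.up and now - self.last_traffic >= IDLE_TIMEOUT_S:
            # Activity mode: idle for one minute, so the call is terminated.
            self.up = False
        return self.up


# Constructed timeline: (seconds, primary connection up?, interesting traffic?)
TIMELINE = [
    (0, True, False),
    (10, True, True),
    (20, False, False),   # primary fails, nobody is sending traffic
    (30, False, True),    # a LAN host sends traffic to the Internet
    (60, False, False),   # 30 s idle
    (90, False, False),   # 60 s idle
    (100, False, True),   # traffic again
    (110, True, True),    # primary restored
]


def simulate(mode, timeline=TIMELINE):
    """Return the dial-up link state after each timeline entry."""
    link = DialupLink(mode)
    return [link.step(t, primary, traffic) for t, primary, traffic in timeline]


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:9}", ["up" if s else "--" for s in simulate(mode)])
```

In this model, Activity mode keeps the modem line down at 20 seconds even though the primary has failed, because no interesting traffic has been seen yet, and drops it again at 90 seconds after one idle minute.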
CLI Wizard
Use the following command to configure dial-up by using the CLI wizard:
wizard dialup
For more information about how to use other dialup commands, see the Nokia IP45 Security Platform CLI Reference Guide, Version 4.0.

Multiple Dial-up Profiles

The Nokia IP45 security platform supports 10 dial-up profiles. A round-robin mechanism is used to choose the profiles for connecting to the Internet. By default, the first dial-up profile is used. On failure of the first dial-up, the device attempts to use the successive profiles for successful Internet connection.
Either dial-up or an out-of-band management (OOB) instance alone can exist on the device at any given time.
Note
You can configure ten dial-up profiles. Only one profile will be active at a time. You cannot configure dial-up for both primary and secondary Internet connections.

Enabling or Disabling the Internet Connection

You can enable or disable the Internet connection by using the following procedure.
To enable or disable the Internet connection
1. Choose Network from the main menu.
The Internet page opens.
2. Next to the Internet connection, do one of the following:
a. To enable the connection, click the adjacent (x) mark.
The button changes to a check mark, and the connection is enabled.
b. To disable the connection, click the adjacent check mark.
The button changes to an (x) mark, and the connection is disabled.

Using Quick Internet Connect or Disconnect

By using connect or disconnect (depending on the connection status) on the Internet page, you can establish a quick Internet connection by using the currently selected connection type. In the same manner, you can terminate the active connection.
The Internet connection retains its connected or not connected status until the Nokia IP45 is rebooted. The IP45 then connects to the Internet if the connection is enabled. For information on how to enable the Internet connection, see “Enabling or Disabling the Internet Connection” on page 93.

Configuring a Backup Internet Connection

You can configure both a primary and a secondary Internet connection for the Nokia IP45 security platform. The secondary connection acts as a backup, so that even if the primary connection fails, the IP45 remains connected to the Internet.
You can configure different DNS servers for the two connections. The IP45 device acts as a DNS relay and routes requests from computers within the network to the appropriate DNS server for the active Internet connection.
The two connections can be of different types, but both cannot be LAN and DHCP connections.
To set up backup Internet connection
1. Choose Network from the main menu.
The Internet page opens.
2. Click Edit next to the Primary and Secondary connection types to configure a backup Internet connection.
For basic topology illustrations, see “Connecting the Nokia IP45 Security Platform to the
Network” on page 47.
Note
To physically connect multiple WAN devices to Nokia IP45, you must have a switch, connected to the WAN port.

Viewing Internet Information

To view the status, duration, and activity information, choose Network from the main menu. The Internet page opens.
Table 15 displays the Internet connection information.
Table 15 Internet Connection Information
Field | Description
Status | Indicates the connection status.
Duration | Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where: hh = hours, mm = minutes, ss = seconds.
IP Address | Your IP address.
Enabled | Indicates whether or not the connection is enabled.
WAN MAC Address | MAC address of IP45.
Cloned MAC Address | Cloned MAC address.
Received Packets | Number of data packets received in the active connection.
Sent Packets | Number of data packets sent in the active connection.

Detecting Dead Connections

The Nokia IP45 security platform v4.0 supports dead Internet connection detection. If the Internet connection is identified to be inactive, a failover is performed to the secondary Internet connection to ensure continuous connectivity.
You can detect dead connections by using the methods described in the following procedure.
To configure dead connection detection
1. Choose Internet from the main menu.
2. Click Edit next to the type of connection to choose, for example, Primary LAN.
The following page opens.
3. Click Show Advanced Settings.
The following page opens displaying the dead connection configuration details.
4. To automatically detect the loss of connectivity to the default gateway, select Probe Next Hop.
5. Select the probing method from the options provided in the Connection Probing Method drop-down list.
6. Choose the values for the option selected by using the information provided in Table 16.
7. Click Apply.
Table 16 Dead Connection Detection
Field | Description
Probe Next Hop | Select this option to automatically detect loss of connectivity to the default gateway. If the default gateway does not respond and the Internet connection is considered to be down, a failover is performed to the second Internet connection (if configured) to ensure continuous Internet connectivity. By default, this option is selected.
Connection Probing Method | Select the method for probing by using this option. The probing methods available are:
None (default value)—does not perform Internet connection probing. Next hop probing is still used, if the Probe Next Hop check box is selected. This is the default value.
Ping Addresses—ping anywhere from one to three servers specified by IP address or DNS name in the 1, 2, and 3 fields. If no response is received for 45 seconds from the defined servers, the Internet connection is considered to be inactive. Use this method if you have reliable servers that can be pinged.
Probe DNS Servers—probes the primary and secondary DNS servers. If no response is received for 45 seconds from any of the gateways, the Internet connection is considered to be inactive.
Probe VPN Gateway (RDP)—sends RDP echo requests to up to three Check Point VPN gateways specified by IP address or DNS name in the 1, 2, and 3 fields. If no response is received for 45 seconds from any of the defined gateways, the Internet connection is considered to be inactive.
For information about how to configure dead connection detection by using the CLI, see the
Nokia IP45 Security Platform CLI Reference Guide Version 4.0.
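The 45-second rule in Table 16 can be modelled to show why the choice and number of probe targets matters. The following is an added example, not the device's own code; the class and function names, the 5-second probe interval, the probe addresses (documentation ranges) and the three scenarios are all assumptions constructed for illustration. Next hop probing and fail-back are not modelled because the text gives no timing for them.

```python
"""Model of Table 16 connection probing (added illustration, not device code)."""
from dataclasses import dataclass
from typing import Optional

DEAD_AFTER_S = 45   # Table 16: no response for 45 seconds -> connection inactive
MAX_TARGETS = 3     # the 1, 2 and 3 fields


@dataclass
class ConnectionMonitor:
    targets: tuple
    secondary_configured: bool = True
    active: str = "primary"
    last_reply: float = 0.0            # time of the latest reply from ANY target
    dead_at: Optional[float] = None    # when the primary was declared inactive

    def __post_init__(self):
        if not 1 <= len(self.targets) <= MAX_TARGETS:
            raise ValueError("configure one to three probe targets")

    def observe(self, now, target, replied):
        """Record one probe result and return the connection now in use."""
        if target not in self.targets:
            raise ValueError(f"{target} is not a configured probe target")
        if self.dead_at is not None:
            return self.active         # fail-back is not described, so not modelled
        if replied:
            self.last_reply = now
        elif now - self.last_reply >= DEAD_AFTER_S:
            self.dead_at = now
            self.active = "secondary" if self.secondary_configured else "none"
        return self.active


def build_samples(answers, stop=180, interval=5):
    """Constructed probe results: each target is probed every `interval` seconds
    (the interval is an assumption); answers[target](t) says whether it replies."""
    return [(t, tgt, ok(t)) for t in range(0, stop, interval)
            for tgt, ok in answers.items()]


def run(samples, targets, secondary_configured=True):
    """Replay samples and return (connection in use, time declared inactive)."""
    mon = ConnectionMonitor(tuple(targets), secondary_configured)
    for now, target, replied in samples:
        mon.observe(now, target, replied)
    return mon.active, mon.dead_at


# Constructed targets and scenarios.
A, B, C = "192.0.2.1", "198.51.100.1", "203.0.113.1"
always = lambda t: True
quiet_after_60 = lambda t: t < 60

# The link is healthy, but the only probe target stops answering at t=60.
SINGLE_TARGET_QUIET = build_samples({A: quiet_after_60})
# The same target goes quiet, but two other targets still answer.
ONE_OF_THREE_QUIET = build_samples({A: quiet_after_60, B: always, C: always})
# Real outage: nothing answers after t=60.
REAL_OUTAGE = build_samples({A: quiet_after_60, B: quiet_after_60, C: quiet_after_60})

if __name__ == "__main__":
    print("single target quiet :", run(SINGLE_TARGET_QUIET, [A]))
    print("one of three quiet  :", run(ONE_OF_THREE_QUIET, [A, B, C]))
    print("real outage         :", run(REAL_OUTAGE, [A, B, C]))
    print("outage, no secondary:", run(REAL_OUTAGE, [A, B, C], False))
```

With a single target, one server that stops replying triggers a failover on a healthy link; with three targets, a reply from any one of them keeps the primary connection in use.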

6 Managing your Local Area Network

This chapter provides detailed information to manage your local area network by using the Nokia IP45 security platform.
You can manage and configure your network connection and settings, and view connection information such as status, connection duration, and activity.
This chapter includes the following topics:
Configuring Network Settings
Enabling and Disabling the DHCP Server
Changing IP Addresses
Configuring Network Objects
Configuring DHCP Reservation
OSPF
Viewing Ports Status
Configuring Source Routes
Defining the Port Link Speed

Configuring Network Settings

Caution
Network settings are advanced settings. Nokia recommends that these settings not be changed unless it is necessary and you are qualified to do so. Changing network settings might result in losing the connection to the device.
If you change the network settings to incorrect values, and you are unable to correct the error, reset the IP45 to its factory settings.
To reset the Nokia IP45 security platform to its factory default settings, choose Setup > Firmware > Tools > Factory Settings. You can also press the Reset button at the rear panel of the device.
Note
To set the device to factory defaults by using the Reset button, press the Reset button for a minimum of seven seconds.

Enabling and Disabling the DHCP Server

The Nokia IP45 security platform has a built-in Dynamic Host Configuration Protocol (DHCP) server that is enabled by default. This allows the IP45 to configure all the devices on your network automatically.
If you have another DHCP server configured in your network, you must disable the DHCP server in your IP45 before you connect the IP45 to the network.
To enable or disable the DHCP server
1. Choose Network from the main menu.
The Internet page opens.
2. Click My Network.
The My Network page opens.
3. To configure the DHCP server for LAN/DMZ settings, click Edit next to LAN/DMZ.