652
Prestige 652
ADSL Security Router
User's Guide
Version 3.40
August 2002
Prestige 652 ADSL Security Router
Copyright
Copyright © 2002 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a
retrieval system, translated into any language, or transmitted in any form or by any means, electronic,
mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written
permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software
described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
ZyXEL further reserves the right to make changes in any products described herein without notice. This
publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc.
Other trademarks mentioned in this publication are used for identification purposes only and may be
properties of their respective owners.
ii Copyright
Prestige 652 ADSL Security Router
Federal Communications Commission
(FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired
operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to
Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency
energy, and if not installed and used in accordance with the instructions, may cause harmful interference to
radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by
turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of
the following measures:
1. Reorient or relocate the receiving antenna.
2. Increase the separation between the equipment and the receiver.
3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4. Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the
user's authority to operate the equipment.
Certifications
Refer to the product page at www.zyxel.com.
FCC Statement iii
Prestige 652 ADSL Security Router
Information for Canadian Users
The Industry Canada label identifies certified equipment. This certification means that the equipment meets
certain telecommunications network protective operation and safety requirements. The Industry Canada
label does not guarantee that the equipment will operate to a user's satisfaction.
Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of
the local telecommunications company. The equipment must also be installed using an acceptable method
of connection. In some cases, the company's inside wiring associated with a single line individual service
may be extended by means of a certified connector assembly. The customer should be aware that
compliance with the above conditions may not prevent degradation of service in some situations.
Repairs to certified equipment should be made by an authorized Canadian maintenance facility
designated by the supplier. Any repairs or alterations made by the user to this equipment, or
equipment malfunctions, may give the telecommunications company cause to request the user to
disconnect the equipment.
For their own protection, users should ensure that the electrical ground connections of the power utility,
telephone lines, and internal metallic water pipe system, if present, are connected together. This precaution
may be particularly important in rural areas.
Caution
Users should not attempt to make such connections themselves, but should contact the
appropriate electrical inspection authority, or electrician, as appropriate.
Note
This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus
set out in the radio interference regulations of Industry Canada.
iv Information for Canadian Users
Prestige 652 ADSL Security Router
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials
or workmanship for a period of up to two years from the date of purchase. During the warranty period, and
upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or
materials, ZyXEL will, at its discretion, repair or replace the defective products or components without
charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or
components to proper operating condition. Any replacement will consist of a new or re-manufactured
functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty
shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected
to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This
warranty is in lieu of all other warranties, express or implied, including any implied warranty of
merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect
or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material
Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit
be insured when shipped. Any returned products without proof of purchase or those with an out-dated
warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts
and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address,
Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary
from country to country.
Safety Warnings
1. To reduce the risk of fire, use only No. 26 AWG or larger telephone wire.
2. Do not use this product near water, for example, in a wet basement or near a swimming pool.
3. Avoid using this product during an electrical storm. There may be a remote risk of electric shock from
lightening.
ZyXEL Limited Waranty v
Prestige 652 ADSL Security Router
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Information in Menu 24.2.1 – System Information.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
METHOD
LOCATION
WORLDWIDE
E-MAIL
SUPPORT/SALES
support@zyxel.com.tw +886-3-578-3942 www.zyxel.com
sales@zyxel.com.tw
support@zyxel.com +1-714-632-0882
sales@zyxel.com
support@zyxel.dk +45-3955-0700 www.zyxel.dk SCANDINAVIA
sales@zyxel.dk
support@zyxel.de +49-2405-6909-0 www.zyxel.de GERMANY
sales@zyxel.de
support@zyxel.com.my +603-795-44-688 www.zyxel.com.my MALAYSIA
sales@zyxel.com.my
+886-3-578-2439 ftp.europe.zyxel.com
+1-714-632-0858 ftp.zyxel.com
+45-3955-0707 ftp.zyxel.dk
+49-2405-6909-99
TELEPHONE/FAX WEB SITE/ FTP SITE REGULAR MAIL
www.europe.zyxel.com
www.zyxel.com NORTH AMERICA
800-255-4101
+603-795-34-407
ZyXEL Communications
Corp., 6 Innovation Road II,
Science-Based Industrial
Park, Hsinchu, Taiwan 300,
R.O.C.
ZyXEL Communications Inc.,
1650 Miraloma Avenue,
Placentia, CA 92870, U.S.A.
ZyXEL Communications A/S,
Columbusvej 5, 2860
Soeborg, Denmark.
ZyXEL Deutschland GmbH.
Adenauerstr. 20/A4 D-52146
Wuerselen, Germany
Lot B2-06, PJ Industrial Park,
Section 13, Jalan Kemajuan,
46200 Petaling Jaya
Selangor Darul Ehasn,
Malaysia
vi Customer Support
Prestige 652 ADSL Security Router
Table of Contents
GETTING STARTED........................................................................................................................................I
Chapter 1 Getting To Know Your Prestige.................................................................................................1-1
1.1 Prestige 652 ADSL Security Router ..........................................................................................1-1
1.2 Features ......................................................................................................................................1-1
1.3 Applications for the Prestige 652 ...............................................................................................1-6
Chapter 2 Hardware Installation and Initial Setup..................................................................................2-1
2.1 Front Panel LEDs of the P652....................................................................................................2-1
2.2 Rear Panel and Connections.......................................................................................................2-2
2.3 Additional Installation Requirements.........................................................................................2-3
2.4 P652 with POTS.........................................................................................................................2-4
2.5 P652 with ISDN .........................................................................................................................2-6
2.6 Turning On Your Prestige..........................................................................................................2-7
2.7 Configuring Your Prestige For Internet Access.........................................................................2-7
2.8 Resetting the Prestige.................................................................................................................2-8
2.9 Navigating the SMT Interface..................................................................................................2-10
2.10 Changing the System Password ...............................................................................................2-13
Chapter 3 General Setup.............................................................................................................................3-1
3.1 System Name .............................................................................................................................3-1
3.2 Dynamic DNS ............................................................................................................................3-1
3.3 General Setup.............................................................................................................................3-2
3.4 LAN Setup .................................................................................................................................3-4
3.5 Protocol Dependent Ethernet Setup ...........................................................................................3-5
Chapter 4 Internet Access ...........................................................................................................................4-1
4.1 Factory Ethernet Defaults...........................................................................................................4-1
4.2 LANs and WANs .......................................................................................................................4-1
4.3 TCP/IP Parameters.....................................................................................................................4-2
4.4 IP Multicast ................................................................................................................................4-5
4.5 IP Policies ..................................................................................................................................4-5
4.6 IP Alias.......................................................................................................................................4-5
4.7 Route IP Setup............................................................................................................................4-8
4.8 TCP/IP Ethernet Setup and DHCP.............................................................................................4-8
4.9 VPI and VCI.............................................................................................................................4-11
4.10 Multiplexing.............................................................................................................................4-11
4.11 Encapsulation...........................................................................................................................4-11
4.12 IP Address Assignment............................................................................................................4-12
4.13 Internet Access Configuration..................................................................................................4-13
Advanced Applications .................................................................................................................................... II
Table of Contents vii
Prestige 652 ADSL Security Router
Chapter 5 Remote Node Configuration ..................................................................................................... 5-1
5.1 Remote Node Setup ...................................................................................................................5-1
5.2 Remote Node Setup ...................................................................................................................5-6
5.3 Remote Node Filter.................................................................................................................... 5-8
Chapter 6 Remote Node TCP/IP Configuration........................................................................................6-1
6.1 TCP/IP Configuration ................................................................................................................6-1
Chapter 7 Bridging Setup ...........................................................................................................................7-1
7.1 Bridging in General....................................................................................................................7-1
7.2 Bridge Ethernet Setup................................................................................................................7-1
Chapter 8 Network Address Translation (NAT)........................................................................................8-1
8.1 Introduction................................................................................................................................8-1
8.2 Using NAT.................................................................................................................................8-6
8.3 NAT Setup ................................................................................................................................. 8-8
8.4 NAT Server Sets – Port Forwarding........................................................................................8-16
8.5 General NAT Examples...........................................................................................................8-20
FIREWALL AND CONTENT FILTERS........................................................................................................ III
Chapter 9 Firewalls......................................................................................................................................9-1
9.1 What Is a Firewall?.................................................................................................................... 9-1
9.2 Types of Firewalls......................................................................................................................9-1
9.3 Introduction to ZyXEL’s Firewall ............................................................................................. 9-2
9.4 Denial of Service .......................................................................................................................9-3
9.5 Stateful Inspection .....................................................................................................................9-7
9.6 Guidelines For Enhancing Security With Your Firewall......................................................... 9-11
9.7 Packet Filtering Vs Firewall ....................................................................................................9-12
Chapter 10 Introducing the Prestige Firewall.........................................................................................10-1
10.1 Remote Management and the Firewall ....................................................................................10-1
10.2 Access Methods....................................................................................................................... 10-1
10.3 Using Prestige SMT Menus.....................................................................................................10-1
Chapter 11 Using the Prestige Web Configurator................................................................................... 11-1
11.1 Web Configurator Login and Main Menu Screens ..................................................................11-1
11.2 Enabling the Firewall............................................................................................................... 11-2
11.3 E-mail ......................................................................................................................................11-2
11.4 Attack Alert..............................................................................................................................11-6
Chapter 12 Creating Custom Rules .........................................................................................................12-1
12.1 Rules Overview........................................................................................................................12-1
12.2 Rule Logic Overview............................................................................................................... 12-1
12.3 Connection Direction...............................................................................................................12-3
12.4 Rule Summary .........................................................................................................................12-4
12.5 Predefined Services..................................................................................................................12-6
12.6 Timeout.................................................................................................................................. 12-13
Chapter 13 Customized Services .............................................................................................................. 13-1
viii Table of Contents
Prestige 652 ADSL Security Router
13.1 Introduction..............................................................................................................................13-1
13.2 Creating/Editing A Customized Service ..................................................................................13-3
13.3 Example DHCP Negotiation and Syslog Connection from the Internet ..................................13-4
Chapter 14 Logs .........................................................................................................................................14-1
14.1 Log Screen ...............................................................................................................................14-1
Chapter 15 Content Filtering....................................................................................................................15-1
15.1 Keyword...................................................................................................................................15-1
15.2 Schedule...................................................................................................................................15-1
15.3 Trusted .....................................................................................................................................15-1
15.4 Logs..........................................................................................................................................15-1
Advanced Management...................................................................................................................................IV
Chapter 16 Filter Configuration...............................................................................................................16-1
16.1 About Filtering.........................................................................................................................16-1
16.2 Configuring a Filter Set............................................................................................................16-4
16.3 Configuring a Filter Rule .........................................................................................................16-9
16.4 Filter Types and NAT ............................................................................................................16-16
16.5 Example Filter........................................................................................................................16-16
16.6 Applying Filters and Factory Defaults...................................................................................16-19
Chapter 17 SNMP Configuration .............................................................................................................17-1
17.1 About SNMP............................................................................................................................17-1
17.2 Supported MIBs .......................................................................................................................17-2
17.3 SNMP Configuration ...............................................................................................................17-2
17.4 SNMP Traps.............................................................................................................................17-4
Chapter 18 System Information and Diagnosis.......................................................................................18-1
18.1 System Status ...........................................................................................................................18-1
18.2 System Information and Console Port Speed...........................................................................18-3
18.3 Log and Trace ..........................................................................................................................18-5
18.4 Diagnostic ................................................................................................................................18-8
18.5 Command Interpreter Mode .....................................................................................................18-9
Chapter 19 Firmware and Configuration File Maintenance..................................................................19-1
19.1 Filename Conventions..............................................................................................................19-1
19.2 Backup Configuration ..............................................................................................................19-2
19.3 Restore Configuration ..............................................................................................................19-7
19.4 Uploading Firmware and Configuration Files........................................................................19-10
Chapter 20 System Maintenance and Information .................................................................................20-1
20.1 Command Interpreter Mode .....................................................................................................20-1
20.2 Call Control Support ................................................................................................................20-2
20.3 Time and Date Setting..............................................................................................................20-4
Chapter 21 Remote Management.............................................................................................................21-1
21.1 About Telnet Configuration .....................................................................................................21-1
21.2 Telnet Under NAT ...................................................................................................................21-1
Table of Contents ix
Prestige 652 ADSL Security Router
21.3 Telnet Capabilities ................................................................................................................... 21-1
21.4 FTP ..........................................................................................................................................21-2
21.5 Web..........................................................................................................................................21-2
21.6 Remote Management...............................................................................................................21-2
21.7 Remote Management and NAT ...............................................................................................21-4
21.8 System Timeout.......................................................................................................................21-4
Chapter 22 IP Policy Routing ...................................................................................................................22-1
22.1 Introduction..............................................................................................................................22-1
22.2 Benefits.................................................................................................................................... 22-1
22.3 Routing Policy ......................................................................................................................... 22-1
22.4 IP Routing Policy Setup...........................................................................................................22-2
22.5 Applying an IP Policy.............................................................................................................. 22-5
22.6 IP Policy Routing Example......................................................................................................22-7
CALL SCHEDULING, VPN/IPSEC AND INTERNAL SPTGEN ................................................................. V
Chapter 23 Call Scheduling ...................................................................................................................... 23-1
23.1 Introduction..............................................................................................................................23-1
Chapter 24 Introduction to IPSec.............................................................................................................24-1
24.1 Introduction..............................................................................................................................24-1
24.2 IPSec Architecture................................................................................................................... 24-3
24.3 Encapsulation........................................................................................................................... 24-5
24.4 IPSec and NAT........................................................................................................................ 24-5
Chapter 25 VPN/IPSec Setup....................................................................................................................25-1
25.1 VPN/IPSec Setup..................................................................................................................... 25-1
25.2 IPSec Algorithms..................................................................................................................... 25-2
25.3 IPSec Summary........................................................................................................................25-3
25.4 IPSec Setup..............................................................................................................................25-8
25.5 IKE Setup...............................................................................................................................25-12
25.6 Manual Setup ......................................................................................................................... 25-17
Chapter 26 SA Monitor .............................................................................................................................26-1
1.1. Introduction..............................................................................................................................26-1
Chapter 27 IPSec Log................................................................................................................................27-1
27.1 IPSec Logs...............................................................................................................................27-1
Chapter 28 Internal SPTGEN ..................................................................................................................28-1
28.1 The Configuration Text File Format........................................................................................ 28-1
28.2 Internal SPTGEN FTP Download Example ............................................................................28-3
28.3 Internal SPTGEN FTP Upload Example .................................................................................28-4
ADDITIONAL INFORMATION ...................................................................................................................VI
Chapter 29 Troubleshooting......................................................................................................................29-1
29.1 Problems Starting Up the Prestige ........................................................................................... 29-1
29.2 Problems with the LAN LED...................................................................................................29-1
29.3 Problems with the DSL LED ................................................................................................... 29-2
x Table of Contents
Prestige 652 ADSL Security Router
29.4 Problems with the LAN Interface ............................................................................................29-2
29.5 Problems with the WAN Interface ...........................................................................................29-2
29.6 Problems with Internet Access.................................................................................................29-3
29.7 Problems with the Password ....................................................................................................29-3
29.8 Problems with the Web Configurator.......................................................................................29-4
29.9 Problems with Remote Management .......................................................................................29-4
Table of Contents xi
Prestige 652 ADSL Security Router
List of Figures
Figure 1-1 Internet Access Application...........................................................................................................1-7
Figure 1-2 Firewall Application......................................................................................................................1-8
Figure 1-3 LAN-to-LAN Application.............................................................................................................1-8
Figure 1-4 VPN Application...........................................................................................................................1-9
Figure 2-1 Front Panel ....................................................................................................................................2-1
Figure 2-2 Rear Panel .....................................................................................................................................2-2
Figure 2-3 Connecting a POTS Splitter .......................................................................................................... 2-5
Figure 2-4 Connecting a Microfilter ...............................................................................................................2-6
Figure 2-5 P652 with ISDN............................................................................................................................2-6
Figure 2-6 Power-On Display.........................................................................................................................2-7
Figure 2-7 Login Screen .................................................................................................................................2-8
Figure 2-8 SMT Menu Overview .................................................................................................................2-10
Figure 2-9 SMT Main Menu.........................................................................................................................2-12
Figure 2-10 Menu 23 — System Password ..................................................................................................2-13
Figure 3-1 Menu 1 — General Setup..............................................................................................................3-2
Figure 3-2 Configure Dynamic DNS..............................................................................................................3-3
Figure 3-3 Menu 3 — Ethernet Setup.............................................................................................................3-5
Figure 3-4 Menu 3.1 — LAN Port Filter Setup..............................................................................................3-5
Figure 4-1 LAN & WAN IPs ..........................................................................................................................4-2
Figure 4-2 Physical Network .......................................................................................................................... 4-6
Figure 4-3 Partitioned Logical Networks .......................................................................................................4-6
Figure 4-4 Menu 3.2 — TCP/IP and DHCP Ethernet Setup ..........................................................................4-6
Figure 4-5 Menu 3.2.1 — IP Alias Setup........................................................................................................4-7
Figure 4-6 Menu 1 — General Setup..............................................................................................................4-8
Figure 4-7 Menu 3.2 — TCP/IP and DHCP Ethernet Setup ...........................................................................4-9
List of Figures xii
Prestige 652 ADSL Security Router
Figure 4-8 Example of Traffic Shaping........................................................................................................ 4-15
Figure 4-9 Internet Access Setup ................................................................................................................. 4-15
Figure 5-1 Menu 11 — Remote Node Setup.................................................................................................. 5-2
Figure 5-2 Menu 11.1 — Remote Node Profile............................................................................................. 5-4
Figure 5-3 Remote Node Network Layer Options ......................................................................................... 5-7
Figure 5-4 Menu 11.5 — Remote Node Filter ............................................................................................... 5-9
Figure 5-5 Menu 11.5 — Remote Node Filter (PPPoE or PPPoA Encapsulation) ....................................... 5-9
Figure 6-1 Menu 11.6 for RFC-1483 or ENET ENCAP with VC-based Multiplexing.................................. 6-2
Figure 6-2 Menu 11.6 for LLC-based Multiplexing or PPPoA or PPPoE Encapsulation.............................. 6-2
Figure 6-3 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection..................................................... 6-3
Figure 6-4 Remote Node Network Layer Options ......................................................................................... 6-5
Figure 6-5 Sample Static Routing Topology .................................................................................................. 6-7
Figure 6-6 Menu 12 — Static Route Setup.................................................................................................... 6-8
Figure 6-7 Menu 12.1 — IP Static Route Setup............................................................................................. 6-8
Figure 6-8 Edit IP Static Route ...................................................................................................................... 6-9
Figure 7-1 Menu 11.3 — Remote Node Bridging Options ............................................................................ 7-2
Figure 7-2 Menu 12.3.1 — Edit Bridge Static Route..................................................................................... 7-3
Figure 8-1 How NAT Works .......................................................................................................................... 8-3
Figure 8-2 NAT Application With IP Alias .................................................................................................... 8-4
Figure 8-3 Menu 4 — Applying NAT for Internet Access ............................................................................. 8-7
Figure 8-4 Menu 11.3 — Applying NAT to the Remote Node ...................................................................... 8-8
Figure 8-5 Menu 15 — NAT Setup................................................................................................................ 8-9
Figure 8-6 Menu 15.1 — Address Mapping Sets ........................................................................................... 8-9
Figure 8-7 Menu 15.1.255 — SUA Address Mapping Rules ........................................................................8-11
Figure 8-8 Menu 15.1.1 — First Set ............................................................................................................ 8-12
Figure 8-9 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set........................................... 8-15
Figure 8-10 Menu 15.2 — NAT Server Setup.............................................................................................. 8-18
xiii List of Figures
Prestige 652 ADSL Security Router
Figure 8-11 Menu 15.2.1 — NAT Server Setup ...........................................................................................8-18
Figure 8-12 Multiple Servers Behind NAT Example....................................................................................8-19
Figure 8-13 NAT Example 1......................................................................................................................... 8-20
Figure 8-14 Menu 4 — Internet Access & NAT Example ............................................................................8-21
Figure 8-15 NAT Example 2......................................................................................................................... 8-22
Figure 8-16 Menu 15.2.1 — Specifying an Inside Server ............................................................................8-23
Figure 8-17 NAT Example 3......................................................................................................................... 8-25
Figure 8-18 Example 3: Menu 11.3 ..............................................................................................................8-26
Figure 8-19 Example 3: Menu 15.1.1.1........................................................................................................8-26
Figure 8-20 Example 3: Final Menu 15.1.1..................................................................................................8-27
Figure 8-21 NAT Example 4......................................................................................................................... 8-29
Figure 8-22 Example 4: Menu 15.1.1.1 — Address Mapping Rule.............................................................. 8-29
Figure 8-23 Example 4: Menu 15.1.1 — Address Mapping Rules ..............................................................8-30
Figure 9-1 Prestige Firewall Application........................................................................................................9-3
Figure 9-2 Three-Way Handshake ..................................................................................................................9-5
Figure 9-3 SYN Flood ....................................................................................................................................9-5
Figure 9-4 Smurf Attack .................................................................................................................................9-6
Figure 9-5 Stateful Inspection.........................................................................................................................9-8
Figure 10-1 Menu 21 — Filter and Firewall Setup.......................................................................................10-1
Figure 10-2 Menu 21.2 — Firewall Setup....................................................................................................10-2
Figure 10-3 Example Firewall Log...............................................................................................................10-2
Figure 11-1 Enabling the Firewall ................................................................................................................ 11-2
Figure 11-2 E-mail Screen............................................................................................................................ 11-3
Figure 11-3 E-mail Log ................................................................................................................................ 11-6
Figure 11-4 Attack Alert ............................................................................................................................... 11-8
Figure 12-1 LAN to WAN Traffic.................................................................................................................12-3
Figure 12-2 WAN to LAN Traffic.................................................................................................................12-4
List of Figures xiv
Prestige 652 ADSL Security Router
Figure 12-3 Firewall Rules Summary — First Screen................................................................................. 12-5
Figure 12-4 Creating/Editing A Firewall Rule ........................................................................................... 12-10
Figure 12-5 Adding/Editing Source and Destination Addresses ................................................................ 12-12
Figure 12-6 Timeout Screen....................................................................................................................... 12-13
Figure 13-1 Customized Services ................................................................................................................ 13-1
Figure 13-2 Creating/Editing A Customized Service ................................................................................... 13-3
Figure 13-3 Configure Source IP................................................................................................................. 13-5
Figure 13-4 Customized Service for Syslog................................................................................................. 13-6
Figure 13-5 Syslog Rule Configuration ....................................................................................................... 13-7
Figure 13-6 Example Rule Summary........................................................................................................... 13-8
Figure 14-1 Log Screen................................................................................................................................ 14-1
Figure 16-1 Outgoing Packet Filtering Process ........................................................................................... 16-2
Figure 16-2 Filter Rule Process.................................................................................................................... 16-3
Figure 16-4 Menu 21 — Filter and Firewall Setup...................................................................................... 16-4
Figure 16-5 Menu 21.1 — Filter Set Configuration..................................................................................... 16-5
Figure 16-6 NetBIOS_WAN Filter Rules Summary ....................................................................................16-6
Figure 16-7 NetBIOS _LAN Filter Rules Summary.................................................................................... 16-6
Figure 16-8 PPPoE Filter Rules Summary................................................................................................... 16-7
Figure 16-9 TEL_FTP_WEB_SNM Filter Rules Summary ........................................................................ 16-7
Figure 16-10 Menu 21.1.7.1 — TCP/IP Filter Rule................................................................................... 16-10
Figure 16-11 Executing an IP Filter ........................................................................................................... 16-13
Figure 16-12 Menu 21.1.5.1 — Generic Filter Rule .................................................................................. 16-14
Figure 16-13 Protocol and Device Filter Sets ............................................................................................ 16-16
Figure 16-14 Sample Telnet Filter.............................................................................................................. 16-17
Figure 16-15 Sample Filter — Menu 21.1.9.1 ........................................................................................... 16-18
Figure 16-16 Sample Filter Rules Summary — Menu 21.1.9.................................................................... 16-19
Figure 16-17 Filtering Ethernet Traffic...................................................................................................... 16-20
xv List of Figures
Prestige 652 ADSL Security Router
Figure 16-18 Filtering Remote Node Traffic ..............................................................................................16-22
Figure 16-19 Filtering Remote Node Traffic with PPPoE ..........................................................................16-22
Figure 17-1 SNMP Management Model.......................................................................................................17-1
Figure 17-2 Menu 22 — SNMP Configuration ............................................................................................17-3
Figure 18-1 Menu 24 — System Maintenance.............................................................................................18-1
Figure 18-2 Menu 24.1 — System Maintenance — Status...........................................................................18-2
Figure 18-3 Menu 24.2 — System Information and Console Port Speed.....................................................18-3
Figure 18-4 Menu 24.2.1 — System Maintenance — Information .............................................................. 18-4
Figure 18-5 Menu 24.2.2 — System Maintenance — Change Console Port Speed..................................... 18-5
Figure 18-6 Menu 24.3 — System Maintenance — Log and Trace .............................................................18-5
Figure 18-7 Sample Error and Information Messages..................................................................................18-6
Figure 18-8 Menu 24.3.2 — System Maintenance — Syslog and Accounting ............................................18-6
Figure 18-9 Menu 24.4 — System Maintenance — Diagnostic ................................................................... 18-8
Figure 18-10 Command Mode......................................................................................................................18-9
Figure 19-1 Telnet in Menu 24.5 .................................................................................................................. 19-3
Figure 19-2 FTP Session Example................................................................................................................19-4
Figure 19-3 System Maintenance — Backup Configuration........................................................................19-6
Figure 19-4 System Maintenance — Starting Xmodem Download Screen..................................................19-7
Figure 19-5 Backup Configuration Example................................................................................................19-7
Figure 19-6 Successful Backup Confirmation Screen .................................................................................. 19-7
Figure 19-7 Telnet into Menu 24.6 ...............................................................................................................19-8
Figure 19-8 Restore Using FTP Session Example........................................................................................19-9
Figure 19-9 System Maintenance — Restore Configuration........................................................................ 19-9
Figure 19-10 System Maintenance — Starting Xmodem Download Screen................................................19-9
Figure 19-11 Restore Configuration Example ............................................................................................19-10
Figure 19-12 Successful Restoration Confirmation Screen........................................................................19-10
Figure 19-13 Telnet Into Menu 24.7.1 — Upload System Firmware .........................................................19-11
List of Figures xvi
Prestige 652 ADSL Security Router
Figure 19-14 Telnet Into Menu 24.7.2 — System Maintenance .................................................................19-11
Figure 19-15 FTP Session Example of Firmware File Upload .................................................................. 19-12
Figure 19-16 Menu 24.7.1 as seen using the Console Port ........................................................................ 19-14
Figure 19-17 Example Xmodem Upload ................................................................................................... 19-14
Figure 19-18 Menu 24.7.2 as seen using the Console Port ........................................................................ 19-15
Figure 19-19 Example Xmodem Upload ................................................................................................... 19-16
Figure 20-1 Command Mode in Menu 24.................................................................................................... 20-1
Figure 20-2 Valid Commands ...................................................................................................................... 20-2
Figure 20-3 Call Control.............................................................................................................................. 20-2
Figure 20-4 Budget Management................................................................................................................. 20-3
Figure 20-5 Menu 24 — System Maintenance ............................................................................................ 20-4
Figure 20-6 Menu 24.10 System Maintenance — Time and Date Setting ................................................... 20-4
Figure 21-1 Telnet Configuration on a TCP/IP Network ............................................................................. 21-1
Figure 21-2 Menu 24.11 – Remote Management Control............................................................................ 21-3
Figure 22-1 IP Routing Policy Setup ........................................................................................................... 22-2
Figure 22-2 Menu 25.1 — Sample IP Routing Policy Setup ....................................................................... 22-3
Figure 22-3 IP Routing Policy ..................................................................................................................... 22-4
Figure 22-4 Menu 3.2 — TCP/IP and DHCP Ethernet Setup ...................................................................... 22-6
Figure 22-5 Menu 11.3 — Remote Node Network Layer Options.............................................................. 22-6
Figure 22-6 Example of IP Policy Routing.................................................................................................. 22-7
Figure 22-7 IP Routing Policy Example ...................................................................................................... 22-8
Figure 22-8 IP Routing Policy ..................................................................................................................... 22-9
Figure 22-9 Applying IP Policies................................................................................................................. 22-9
Figure 23-1 Menu 26 - Schedule Setup........................................................................................................ 23-1
Figure 23-2 Schedule Set Setup ................................................................................................................... 23-2
Figure 23-3 Applying Schedule Set(s) to a Remote Node (PPPoE)............................................................. 23-4
Figure 24-1 Encryption and Decryption....................................................................................................... 24-2
xvii List of Figures
Prestige 652 ADSL Security Router
Figure 24-2 VPN Application.......................................................................................................................24-3
Figure 24-3 IPSec Architecture.....................................................................................................................24-4
Figure 24-4 Transport and Tunnel Mode IPSec Encapsulation.....................................................................24-5
Figure 25-1 VPN SMT Menu Tree ...............................................................................................................25-1
Figure 25-2 Menu 27 — VPN/IPSec Setup..................................................................................................25-2
Figure 25-3 IPSec Summary Fields..............................................................................................................25-3
Figure 25-4 Telecommuter’s Prestige Configuration....................................................................................25-5
Figure 25-5 Headquarters Prestige Configuration ........................................................................................25-5
Figure 25-6 Menu 27.1 — IPSec Summary..................................................................................................25-6
Figure 25-7 Menu 27.1.1 — IPSec Setup.....................................................................................................25-9
Figure 25-8 Two Phases to set up the IPSec SA ......................................................................................... 25-13
Figure 25-9 Menu 27.1.1.1 — IKE Setup...................................................................................................25-15
Figure 25-10 Menu 27.1.1.2 — Manual Setup ...........................................................................................25-18
Figure 26-1 Menu 27.2 — SA Monitor ........................................................................................................26-1
Figure 27-1 Example VPN Initiator IPSec Log ............................................................................................27-1
Figure 27-2 Example VPN Responder IPSec Log........................................................................................27-2
Figure 28-1 Configuration Text File Format — Column Descriptions.........................................................28-2
Figure 28-2 Invalid Parameter Entered — Command Line Example...........................................................28-3
Figure 28-3 Valid Parameter Entered — Command Line Example..............................................................28-3
Figure 28-4 Internal SPTGEN FTP Download Example.............................................................................. 28-3
Figure 28-5 Internal SPTGEN FTP Upload Example...................................................................................28-4
List of Diagrams
Diagram 1 Single-PC per Router Hardware Configuration .............................................................................. A
Diagram 2 Prestige as a PPPoE Client.............................................................................................................. B
Diagram 3 Virtual Circuit Topology ................................................................................................................. C
Diagram 4 Option to Enter Debug Mode.......................................................................................................... D
List of Figures xviii
Prestige 652 ADSL Security Router
Diagram 5 Boot Module Commands ................................................................................................................ E
xix List of Figures
Prestige 652 ADSL Security Router
List of Tables
Table 2-1 Front Panel LED Description......................................................................................................... 2-1
Table 2-2 Main Menu Commands................................................................................................................ 2-11
Table 2-3 Main Menu Summary .................................................................................................................. 2-12
Table 3-1 General Setup Menu Fields............................................................................................................ 3-2
Table 3-2 Configure Dynamic DNS Menu Fields.......................................................................................... 3-4
Table 4-1 IP Alias Setup Menu Fields ............................................................................................................ 4-7
Table 4-2 DHCP Ethernet Setup Menu Fields................................................................................................ 4-9
Table 4-3 TCP/IP Ethernet Setup Menu Fields ............................................................................................ 4-10
Table 4-4 Internet Account Information....................................................................................................... 4-13
Table 4-5 Internet Access Setup Menu Fields.............................................................................................. 4-16
Table 5-1 Remote Node Profile Menu Fields................................................................................................. 5-4
Table 5-2 Remote Node Network Layer Options........................................................................................... 5-7
Table 6-1 TCP/IP-Related Fields in Menu 11.1 — Remote Node Profile......................................................6-3
Table 6-2 TCP/IP Remote Node Configuration .............................................................................................6-5
Table 6-3 Edit IP Static Route Menu Fields................................................................................................... 6-9
Table 7-1 Remote Node Bridge Options........................................................................................................ 7-2
Table 7-2 Edit Bridge Static Route Menu Fields............................................................................................7-3
Table 8-1 NAT Definitions............................................................................................................................. 8-1
Table 8-2 NAT Mapping Types ...................................................................................................................... 8-5
Table 8-3 Applying NAT in Menus 4 & 11.3 ................................................................................................. 8-8
Table 8-4 SUA Address Mapping Rules....................................................................................................... 8-11
Table 8-5 Fields in Menu 15.1.1 ..................................................................................................................8-13
Table 8-6 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set.............................................8-15
Table 8-7 Services & Port Numbers............................................................................................................. 8-16
Table 9-1 Common IP Ports........................................................................................................................... 9-4
Table 9-2 ICMP Commands That Trigger Alerts ...........................................................................................9-6
xx List of Tables
Prestige 652 ADSL Security Router
Table 9-3 Legal NetBIOS Commands............................................................................................................9-7
Table 9-4 Legal SMTP Commands ................................................................................................................9-7
Table 10-1 View Firewall Log......................................................................................................................10-3
Table 11-1 E-mail ......................................................................................................................................... 11-4
Table 11-2 SMTP Error Messages................................................................................................................ 11-5
Table 11-3 Attack Alert................................................................................................................................. 11-9
Table 12-1 Firewall Rules Summary — First Screen................................................................................... 12-5
Table 12-2 Predefined Services....................................................................................................................12-7
Table 12-3 Creating/Editing A Firewall Rule ............................................................................................. 12-10
Table 12-4 Adding/Editing Source and Destination Addresses..................................................................12-12
Table 12-5 Timeout Menu ..........................................................................................................................12-14
Table 13-1 Customized Services ..................................................................................................................13-2
Table 13-2 Creating/Editing A Custom Port................................................................................................. 13-3
Table 14-1 Log Screen .................................................................................................................................14-2
Table 16-1 Filter Rules Summary Menu Abbreviations ...............................................................................16-8
Table 16-2 Rule Abbreviations Used............................................................................................................16-8
Table 16-3 TCP/IP Filter Rule Menu Fields...............................................................................................16-10
Table 16-4 Generic Filter Rule Menu Fields .............................................................................................. 16-15
Table 16-5 Filter Sets Table........................................................................................................................ 16-20
Table 17-1 SNMP Configuration Menu Fields............................................................................................. 17-3
Table 17-2 SNMP Traps ...............................................................................................................................17-4
Table 17-3 Ports and Permanent Virtual Circuits .........................................................................................17-4
Table 18-1 System Maintenance — Status Menu Fields..............................................................................18-2
Table 18-2 Fields in System Maintenance....................................................................................................18-4
Table 18-3 System Maintenance Menu — Syslog Parameters.....................................................................18-7
Table 18-4 System Maintenance Menu — Diagnostic.................................................................................18-9
Table 19-1 Filename Conventions................................................................................................................19-2
Table 19-2 General Commands for GUI-based FTP Clients........................................................................19-4
List of Diagrams xxi
Prestige 652 ADSL Security Router
Table 19-3 General Commands for GUI-based TFTP Clients .....................................................................19-6
Table 20-1 Budget Management .................................................................................................................. 20-3
Table 20-2 Time and Date Setting Fields..................................................................................................... 20-5
Table 21-1 Menu 24.11 – Remote Management Control ............................................................................. 21-3
Table 22-1 IP Routing Policy Setup............................................................................................................. 22-3
Table 22-2 IP Routing Policy....................................................................................................................... 22-4
Table 23-1 Schedule Set Setup Fields.......................................................................................................... 23-2
Table 24-1 VPN and NAT ............................................................................................................................ 24-6
Table 25-1 AH and ESP ............................................................................................................................... 25-3
Table 25-2 Telecommuter and Headquarters Configuration Example ......................................................... 25-4
Table 25-3 Menu 27.1 — IPSec Summary................................................................................................... 25-6
Table 25-4 Menu 27.1.1 — IPSec Setup...................................................................................................... 25-9
Table 25-5 Menu 27.1.1.1 — IKE Setup.................................................................................................... 25-15
Table 25-6 Active Protocol — Encapsulation and Security Protocol......................................................... 25-17
Table 25-7 Menu 27.1.1.2 — Manual Setup .............................................................................................. 25-18
Table 26-1 Menu 27.2 — SA Monitor ......................................................................................................... 26-1
Table 27-1 Sample IKE Key Exchange Logs............................................................................................... 27-2
Table 27-2 Sample IPSec Logs During Packet Transmission ...................................................................... 27-4
Table 27-3 RFC-2408 ISAKMP Payload Types........................................................................................... 27-4
Table 29-1 Troubleshooting the LAN LED.................................................................................................. 29-1
Table 29-2 Troubleshooting the DSL LED .................................................................................................. 29-2
Table 29-3 Troubleshooting the LAN Interface ........................................................................................... 29-2
Table 29-4 Troubleshooting the WAN Interface .......................................................................................... 29-2
Table 29-5 Troubleshooting Internet Access................................................................................................ 29-3
Table 29-6 Troubleshooting the Password ................................................................................................... 29-3
Table 29-7 Troubleshooting the Web Configurator...................................................................................... 29-4
Table 29-8 Troubleshooting Remote Management ...................................................................................... 29-4
xxii List of Tables
Prestige 652 ADSL Security Router
Preface
Congratulations on your purchase of the Prestige 652 ADSL Router with VPN and Firewall.
There are two Prestige 652 models, one for ADSL over POTS (Plain Old Telephone System) and one for
ADSL over ISDN (Integrated Synchronous Digital System). Both models are discussed together in this
guide.
The Prestige 652 is an ADSL router used for Internet/LAN access via an ADSL line. The P652 can run
maximum upstream transmission rates of up to 832Kbps and maximum downstream transmission rates of
8Mbps. The actual rate depends on the copper category of your telephone wire, distance from the central
office and the type of ADSL service subscribed to. See the What is DSL section for more background
information on DSL and ADSL.
The P652's 10/100M auto-negotiating LAN interface enables fast data transfer of either 10Mbps or
100Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.
Your Prestige is easy to install and configure. All functions of the Prestige are software configurable via the
SMT (System Management Terminal) and web configurator. Advanced users may configure the Prestige
using CLI (Command Line Interface) commands.
Register your Prestige online at www.zyxel.com for free future product updates
and information.
About This User's Guide
This User's Guide covers all aspects of the Prestige 652 operations and shows you how to use the SMT to
get the best out of its multiple advanced features. It is designed to guide you through the correct
configuration of your Prestige 652 for various applications.
Related Documentation
Supporting Disk
More detailed information and examples can be found in our included disk (as well as on the
zyxel.com web site). This disk contains information on configuring your Prestige for Internet
Access, general and advanced FAQs, Application Notes, Troubleshooting, a reference for CI
Commands and bundled software.
Read Me First
Our Read Me First is designed to help you get up and running right away. It contains a detailed
easy-to-follow connection diagram, default settings, handy checklists and information on setting
up your network and configuring for Internet access.
ZyXEL Web Site and Glossary
Preface xxiii
Prestige 652 ADSL Security Router
Please refer to www.zyxel.com for an online glossary of networking terms and additional support
documentation
Syntax Conventions
• “Enter” means for you to type one or more characters and press the carriage return. “Select” or
“Choose” means for you to select one from the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in
Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the
Enter, or carriage return key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.
• For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in
other words” throughout this manual.
• The Prestige 652 ADSL Router with VPN and Firewall may be referred to as the P652 or the Prestige
in this User’s Guide.
The following section offers some background information on DSL. Skip it if you
wish to begin working with your router right away.
xxiv Preface
Prestige 652 ADSL Security Router
What is DSL?
DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that
runs between the local telephone company switching offices and most homes and offices. While the wire
itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above
4,000 Hz to filter noise off the voice line, but now everybody is searching for ways to get more bandwidth
to improve access to the Web - hence DSL technologies.
There are actually seven types of DSL service, ranging in speeds from 16 Kbits/sec to 52 Mbits/sec. The
services are either symmetrical (traffic flows at the same speed in both directions), or asymmetrical (the
downstream capacity is higher than the upstream capacity). Asymmetrical services (ADSL) are suitable for
Internet users because more information is usually downloaded than uploaded. For example, a simple
button click in a web browser can start an extended download that includes graphics and text.
As data rates increase, the carrying distance decreases. That means that users who are beyond a certain
distance from the telephone company’s central office may not be able to obtain the higher speeds.
A DSL connection is a point-to-point dedicated circuit, meaning that the link is always up and there is no
dialing required.
What is ADSL?
It is an asymmetrical technology, meaning that the downstream data rate is much higher than the upstream
data rate. As mentioned, this works well for a typical Internet session in which more information is
downloaded, for example, from Web servers, than is uploaded. ADSL operates in a frequency range that is
above the frequency range of voice services, so the two systems can operate over the same cable.
What is DSL? xxv
Getting Started
PPaarrtt II::
GETTING STARTED
This part is structured as a step-by-step guide to help you connect, install and set up your
Prestige to operate on your network and to access the Internet. Described are Key Features and
Applications, Hardware Installation, Initial Setup and Internet Access.
I
Prestige 652 ADSL Security Router
Chapter 1
Getting To Know Your Prestige
This chapter describes the key features and applications of your Prestige
1.1 Prestige 652 ADSL Security Router
Your Prestige integrates a high-speed 10/100Mbps auto-negotiating LAN interface and a high-speed ADSL
port into a single package. The Prestige is ideal for high-speed Internet browsing and making LAN-to-LAN
connections to remote networks.
The Prestige provides not only ease of installation and high-speed Internet access, but also a complete
security solution. The Prestige 652 combines an ADSL router with a robust firewall and VPN capability.
The web browser-based Graphical User Interface provides easy management and is totally independent of
the operating system platform you use.
1.2 Features
Your Prestige is packed with a number of features that give it the flexibility to provide a complete
networking solution for almost any user.
z High Speed Internet Access
Your Prestige can support downstream transmission rates of up to 8Mbps and upstream transmission rates
of 832 Kbps. Your Prestige also supports rate management; rate management allows ADSL subscribers to
select an Internet access speed that best suits their needs and budgets.
z IPSec VPN Capability
Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data
encryption and the Internet to provide secure communications without the expense of leased site-to-site
lines. The Prestige’s VPN is based on the IPSec standard and is fully interoperable with other IPSec-based
VPN products.
.
Firewall
•
The Prestige is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the
firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the
LAN. The Prestige firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts,
reports and logs.
Getting To Know Your Prestige 1-1
Prestige 652 ADSL Security Router
You can configure most features of the Prestige via SMT but we recommend you
configure the firewall and content filters using the Prestige Web Configurator.
Content Filtering
•
The Prestige can block specific URLs by using the keyword blocking feature.
z Internal SPTGEN
Internal SPTGEN (System Parameter Table Generator) lets you configure, save and upload multiple menus
at the same time using just one configuration text file - eliminating the need to navigate and configure
individual SMT menus for each Prestige.
Dynamic DNS Support
•
With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the
host to be more easily accessible from various locations on the Internet. You must register for this service
with a Dynamic DNS client to use this service.
Packet Filtering
•
The Packet Filtering mechanism blocks unwanted traffic from entering/leaving your network.
z PPPoE Support (RFC2516)
PPPoE (Point-to-Point Protocol over Ethernet) emulates a dial-up connection. It allows your ISP to use their
existing network configuration with newer broadband technologies such as ADSL. The PPPoE driver on the
Prestige is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE
thus saving you from having to manage PPPoE clients on individual computers.
z Network Address Translation (NAT)
NAT (Network Address Translation - NAT, RFC 1631) allows the translation of multiple IP addresses used
within one network to different IP addresses known within another network. This feature allows multipleuser Internet access for the cost of a single IP account. NAT supports popular Internet applications such as
MS traceroute, CuSeeMe, IRC, RealPlayer, VDOLive, Quake, and PPTP. No configuration is needed to
support these applications.
z 10/100M Auto-negotiation Ethernet/Fast Ethernet Interface
This auto-negotiation feature allows the Prestige to detect the speed of incoming transmissions and adjust
appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either
half-duplex or full-duplex mode depending on your Ethernet network.
z Multiple PVC (Permanent Virtual Circuits) Support
Your Prestige supports up to 8 PVCs.
1-2 Getting To Know Your Prestige
Loading...