ZyXEL Communications P-202 User Manual

P-202H Plus v2 Support Notes

P-202H Plus v2

ISDN Internet Access Router

Support Notes

Version3.40

June. 2006

P-202H Plus v2 Support Notes

FAQ.................................................................................................................................... 6

ZyNOS FAQ.................................................................................................................. 6

1. What is ZyNOS?................................................................................................. 6

2. How do I access the P-202H Plus v2 SMT menu?.................................... 6

3. What data compression protocol does the P-202H Plus v2 support? 6

4. What is the default console port baud rate? Moreover, how do I

change it?................................................................................................................. 6

5. How do I upload the ZyNOS firmware code via console?...................... 6

6. How do I upgrade/backup the ZyNOS firmware by using TFTP client

program via LAN?.................................................................................................. 7

7. How do I upload ROMFILE via console port?............................................ 7

8. How do I backup/restore SMT configurations by using TFTP client

program via LAN?.................................................................................................. 7

9. What should I do if I forget the system password? ................................. 8

10. What is SUA? When should I use SUA?................................................... 8

11. What is the difference between NAT and SUA?..................................... 8

12. How many network users can the SUA support?................................... 9

13. How do I capture the PPP log in my P-202H Plus v2?........................... 9

14. Why do we need the input filter in menu 3.1 and call filter in menu

11.1?.......................................................................................................................... 9

15. How can I protect against IP spoofing attacks?..................................... 9

16. What is DNS proxy?...................................................................................... 10

17. What is a Nailed-up Connection and when do I need to use it?....... 11

18. What are Device filters and Protocol filters?......................................... 11

19. Why can't I configure device filters or protocol filters?.................... 11

20. The P-202H Plus v2 supports to upload the firmware and configuration files using FTP, but how do I prevent the outside user

from 'FTP' my P-202H Plus v2?........................................................................ 11

Product FAQ.............................................................................................................. 12

1. How do I collect EPA trace? Moreover, how do I read it?.................... 12

2. Can I prevent the dial-in user from occupying two channels?........... 12

3. How does 'Dial Prefix to Access Outside Line' in Menu 2 (European

firmware) work?.................................................................................................... 12

4. What supplemental phone service does P-202H Plus v2 support..... 12

5. How do I do call waiting/call hold/call retrieve?...................................... 13

6. Why doesn't call waiting work as expected?........................................... 13

7. How do I do three way calling?.................................................................... 13

8. How do I remove a party from the three-way calling?........................... 13

9. How do I do call transfer?............................................................................. 14

10. How do I blind call transfer?...................................................................... 14

11. What is call forwarding and how do I do it?........................................... 14

12. How do I suspend/resume a phone call (terminal portability)?........ 15

13. What is reminder ring?................................................................................ 15

14. Why doesn't my answering machine on POTS port stop recording?

................................................................................................................................... 15

P-202H Plus v2 Support Notes

15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European

firmware)?.............................................................................................................. 15

16. Does P-202H Plus v2 support MP callback to dial-in users?............ 16

17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting?

................................................................................................................................... 16

18. What are the differences between P-202H, P-202H Plus and P-202H

Plus v2?.................................................................................................................. 16

Firewall FAQ.............................................................................................................. 17

General.................................................................................................................... 17

1. What is a network firewall?........................................................................... 17

2. What makes P-202H Plus v2 secure? ........................................................ 17

3. What are the basic types of firewalls?....................................................... 17

4. What kind of firewall is the P-202H Plus v2? ........................................... 18

5. Why do you need a firewall when your router has packet filtering and

NAT built-in? ......................................................................................................... 18

6. What is Denials of Service (DoS)attack?................................................... 18

7. What is Ping of Death attack?...................................................................... 19

8. What is Teardrop attack? .............................................................................. 19

9. What is SYN Flood attack? ........................................................................... 19

10. What is LAND attack?.................................................................................. 19

11 What is Brute-force attack?......................................................................... 19

12. What is IP Spoofing attack?....................................................................... 20

13. What are the default ACL firewall rules in P-202H Plus v2?.............. 20

14. Why static/policy route be blocked by P-202H Plus v2?.................... 20

Configuration........................................................................................................ 22

1. How do I configure the firewall?.................................................................. 22

2. How do I prevent others from configuring my firewall?....................... 23

3. Can I use a browser to configure my P-202H Plus v2?......................... 23

4. Why can't I configure my router using Telnet over WAN?................... 23

5. Why can't I upload the firmware and configuration file using FTP

over WAN?............................................................................................................. 23

6. Why can't I configure my router using Telnet over LAN?.................... 24

7. Why can't I upload the firmware and configuration file using FTP

over LAN?.............................................................................................................. 24

Log and alert ......................................................................................................... 24

1. When does the P-202H Plus v2 generate the firewall log? .................. 24

2. What does the log show to us?................................................................... 24

3. How do I view the firewall log?.................................................................... 25

4. When does the P-202H Plus v2 generate the firewall alert?................ 25

5. What does the alert show to us?................................................................. 25

6. What is the difference between the log and alert?................................. 26

IPSec Related FAQ ...................................................................................................... 27

IPSec FAQ.................................................................................................................. 27

VPN Overview ....................................................................................................... 27

1. What is VPN?.................................................................................................... 27

P-202H Plus v2 Support Notes

2. Why do I need VPN?....................................................................................... 27

3. What are most common VPN protocols?.................................................. 28

4. What is PPTP?.................................................................................................. 28

5. What is L2TP?................................................................................................... 28

6. What is IPSec? ................................................................................................. 28

8. What are the differences between 'Transport mode' and 'Tunnel

mode? ..................................................................................................................... 28

9. What is SA?....................................................................................................... 29

10. What is IKE? ................................................................................................... 29

11. What is Pre-Shared Key? ............................................................................ 29

12. What are the differences between IKE and manual key VPN?.......... 29

1. How do I configure P-202H Plus v2 VPN?................................................. 30

2. How many VPN connections does P-202H Plus v2 support?............. 30

3. What VPN protocols are supported by P-202H Plus v2 VPN? ............ 30

4. What types of encryption does P-202H Plus v2 VPN support?.......... 30

5. What types of authentication does P-202H Plus v2 VPN support? ... 30

6. I am planning my P-202H Plus v2-to-P-202H Plus v2 VPN

configuration. What do I need to know?........................................................ 30

7. Does P-202H Plus v2 support dynamic secure gateway IP?............... 31

8. What VPN gateway that has been tested with P-202H Plus v2

successfully?........................................................................................................ 31

9. What VPN software that has been tested with P-202H Plus v2

successfully?........................................................................................................ 32

10.Will ZyXEL support Secure Remote Management?.............................. 32

11. Does P-202H Plus v2 VPN support NetBIOS broadcast?................... 32

12. What are the difference between the 'My IP Address' and 'Secure

Gateway IP Address' in Menu 27.1.1?............................................................ 32

13. Is the host behind NAT allowed to use IPSec?..................................... 32

14. Why does VPN throughput decrease when staying in SMT menu

24.1?........................................................................................................................ 33

15. How do I configure P-202H Plus v2 with NAT for internal servers? 33

SSH Sentinel FAQ.................................................................................................... 33

1. What is SSH Sentinel VPN client? .............................................................. 34

2. Why do I need to use Sentinel?................................................................... 34

3. Does SSH Sentinel work with the PPP over Ethernet (PPPoE)

protocol, which is used by the ADSL Network Adapter cards?.............. 34

4. How to configure Pre-IPSec filter? ............................................................. 34

5. What is "Acquire virtual IP address" for? Should I check this box? 34

6. What is "Extended Authentication"? Should I check this box?......... 34

7. Does Sentinel support IP range?................................................................ 35

8. Does Sentinel support 2 VPN connections at the same time? ........... 35

9. What is this option, “Attach the selected values to proposal only” for?

................................................................................................................................... 35

10. How to initiate a VPN tunnel from Sentinel?

.......................................... 35

11. Can P-202H Plus v2 be the initiator of VPN tunnel to Sentinel? ...... 35

P-202H Plus v2 Support Notes

12. How can I verify if the VPN connection is up in Sentinel?................. 35

13. I am using EnterNet 300, a PPPoE dial up software. Any concern? 35

Application Notes......................................................................................................... 35

General Application Notes .................................................................................... 36

1. Internet Access................................................................................................ 36

2. SUA Applications............................................................................................. 38

4. Dial-in User Setup............................................................................................ 53

5. Filter.................................................................................................................... 57

6. UNIX syslog Setup........................................................................................... 88

7. ISDN Leased Line Setup................................................................................ 92

8. Supplemental Service .................................................................................... 95

9. Using NetCAPI.................................................................................................. 98

10. Using RADIUS.............................................................................................. 103

11. Using CLID Callback................................................................................... 105

13. Using Multi-NAT........................................................................................... 116

IPSec VPN................................................................................................................ 139

1. Using IPSec VPN............................................................................................ 139

2. P-202H Plus v2 vs 3rd Party VPN Gateway ............................................ 159

3. P-202H Plus v2 vs 3rd Party VPN Software............................................ 208

4. Configure NAT for Internal Servers.......................................................... 346

5. VPN Routing between Branch Offices..................................................... 347

Support Tool............................................................................................................ 362

1. Using ZyXEL ISDN D Channel Analyzer, EPA........................................ 362

2. Using ZyXEL PPP Analyzer ........................................................................ 366

3. LAN/WAN Packet Trace ............................................................................... 370

4. Using TFTP to upload/download ZyNOS via LAN ................................ 381

5. Using FTP to Upload Firmware and Configuration Files.................... 385

CI Command List.................................................................................................... 388

Troubleshooting..................................................................................................... 389

1. Internet Connection...................................................................................... 389

2. Remote Node/Dial-in User Connection.................................................... 394

3. IP Routing........................................................................................................ 401

4. Reset to default configuration file............................................................. 404

Reference................................................................................................................. 406

1. ISDN Disconnection Cause......................................................................... 406

2. PPP Numbers.................................................................................................. 408

3. Port Numbers.................................................................................................. 421

4. Protocol Numbers ......................................................................................... 424

5. System Error Code........................................................................................ 427

P-202H Plus v2 Support Notes

FAQ

ZyNOS FAQ

1. What is ZyNOS?

ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all P-202H Plus v2 routers that delivers network services and applications. It is designed in a modular fashion so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downloaded from our FTP sites as they become available.

2. How do I access the P-202H Plus v2 SMT menu? The SMT interface is a menu driven interface, which can be accessed via a

RS232 console or a Telnet connection. To access the P-202H Plus v2 via SMT console port, a computer equipped with communication software such as HyperTerminal must be configured to the following parameters.

• VT100 terminal emulation

• 9600bps baud rate

• N81 data format (No Parity, 8 data bits, 1 stop bit)

The default console port baud rate is 9600bps. You can change it to 115200bps in Menu 24.2.2 to speed up access of the SMT.

3. What data compression protocol does the P-202H Plus v2 support?

The P-202H Plus v2 supports STAC compression. Please note that STAC is not enabled in the P-202H Plus v2 by default. You can enable it in Remote Node setup (SMT menu 11.2, Edit PPP Option).

4. What is the default console port baud rate? Moreover, how do I change it? The default console port baud rate is 9600bps. When configuring the SMT,

please make sure that terminal baud rate is also 9600bps. You can change the console baud rate from 9600bps to 57600 to speed up SMT access, by using SMT menu 24.2.2.

5. How do I upload the ZyNOS firmware code via console?

P-202H Plus v2 Support Notes

The procedure for uploading via console is as follows.

a. Enter debug mode when powering on the P-202H Plus v2 using a terminal

emulator b. Enter 'ATUR' to start the uploading c. Use X-modem protocol to transfer the ZyNOS code d. Enter 'ATGO' to restart the P-202H Plus v2

6. How do I upgrade/backup the ZyNOS firmware by using TFTP client program via LAN?

The P-202H Plus v2 allows you to transfer the firmware from/to P-202H Plus v2 by using TFTP program via LAN. The procedure for uploading via TFTP is as follows.

a. Use the TELNET client program in your PC to login to your P-202H Plus

v2, and use Menu 24.8 to enter CI command 'sys stdio 0' to disable

console idle timeout. b. To upgrade firmware, use TFTP client program to put firmware in file 'ras'

in the P-202H Plus v2. c. When the data transfer is finished, the P-202H Plus v2 will program the

upgraded firmware into FLASH ROM and reboot itself. d. To backup your firmware, use the TFTP client program to get file 'ras'

from the P-202H Plus v2.

7. How do I upload ROMFILE via console port? In some situations, such as losing the system password or the need of resetting

SMT to factory default you may need to upload the ROMFILE. The procedure for uploading via the console port is as follows.

a. Enter debug mode when powering on the P-202H Plus v2 using a terminal

emulator b. Enter 'ATUR3' to start the uploading c. Use X-modem protocol to transfer ROMFILE d. Enter 'ATGO' to restart the P-202H Plus v2

8. How do I backup/restore SMT configurations by using TFTP client program via LAN?

a. Use the TELNET client program in your PC to login to your P-202H Plus

v2, and use Menu 24.8 to enter CI command 'sys stdio 0' to disable

console idle timeout

P-202H Plus v2 Support Notes

b. To backup the SMT configurations, use TFTP client program to get file

'rom-0' from the P-202H Plus v2. c. To restore the SMT configurations, use the TFTP client program to save

your configuration in file 'rom-0' in the P-202H Plus v2.

9. What should I do if I forget the system password? In case you forget the system password, you can upload ROMFILE to reset the

SMT to factory default. After uploading ROMFILE, the default system password is '1234'.

10. What is SUA? When should I use SUA? SUA (Single User Account) is a unique feature supported by P-202H Plus v2

router which allows multiple people to access Internet concurrently for the cost of a single user account.

When P-202H Plus v2 acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it is originated from P-202H Plus v2 using the IP address assigned by ISP. When reply packets from the external Internet are received by P-202H Plus v2, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it.

11. What is the difference between NAT and SUA? NAT is a generic name defined in RFC 1631 'The IP Network Address Translator

(NAT)'. SUA (Internet Single User Account) is ZyXEL's implementation and trade name for functioning PAT (Port Address Translation) which is a specific type of NAT. SUA( or PAT for NAT) translates address into port mapping.

The primary motivation for RFC 1631 is that there is not enough IP address to go around. In addition, great many corporations simply did not bother to obtain legal (globally unique) IP addresses for their networks and now finding themselves unable to connect to the Internet.

Basically, NAT is a process of translating one address to another. A NAT implementation can be as simple as substituting an IP address with another. This

P-202H Plus v2 Support Notes

allows a network to rectify the illegal address problem mentioned above without going through each and every host.

The aim of ZyXEL's SUA is to minimize the Internet access cost in a small office environment by using a single IP address to represent the multiple hosts inside. It does more than IP address translation, it also enables hosts on the LAN can access the Internet at the same time.

12. How many network users can the SUA support? The fixed-size translation table limits the number of simultaneous. A reasonable

number will be less than 20 users. Beyond that, the limited modem bandwidth would probably become the bottleneck and any increase in the translation table size will not help.

13. How do I capture the PPP log in my P-202H Plus v2? The procedure to capture the PPP log in P-202H Plus v2 is as following. To enable the capture of PPP log before a connection is established:

a. Enter SMT Menu 24.8, the CI command mode b. Enter 'sys trcl cl' command c. Enter 'sys trcl sw on' command d. Enter 'sys trcp sw on' command

To display the PPP log after a connection is disconnected:

a. Enter 'sys trcl sw off' command b. Enter 'sys trcp sw off' command c. Enter 'sys trcl disp' command

14. Why do we need the input filter in menu 3.1 and call filter in menu 11.1? Two factory default filter sets have been optimized for Internet connection. They

are configured in menu 21 and applied to menu 3.1 and menu 11.5 to prevent NETBIOS triggering the call. You can remove it if you do not need it.

15. How can I protect against IP spoofing attacks? The P-202H Plus v2's filter sets provide a means to protect against IP spoofing

attacks. The basic scheme is as follows: For the incoming data filter:

P-202H Plus v2 Support Notes

• Deny packets from the outside that claim to be from the inside

• Allow everything that is not spoofing us

Filter rule setup:

• Filter type =TCP/IP Filter Rule

• Active =Yes

• Source IP Addr =a.b.c.d

• Source IP Mask =w.x.y.z

• Action Matched =Drop

• Action Not Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask: For the outgoing data filters:

• Deny bounceback packet

• Allow packets that originate from us

Filter rule setup:

• Filter Type =TCP/IP Filter Rule

• Active =Yes

• Destination IP Addr =a.b.c.d

• Destination IP Mask =w.x.y.z

• Action Matched =Drop

• Action No Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

16. What is DNS proxy? If enabled, DNS Proxy allows the P-202H Plus v2 to act as the DNS server for

the local network. The P-202H Plus v2 gets the IP address of the actual DNS server from the remote site via IPCP negotiation. Note this feature only works if the remote site supports RFC 1877.

How do I turn on DNS Proxy? DNS Proxy is enabled only if the selection of the DHCP field under DHCP Setup

in Menu 3.2 is Server and the Primary DNS Server is set to 0.0.0.0. (this is the factory default). If the DNS Proxy is enabled, the P-202H Plus v2 will assign its IP address as the Primary DNS in the responses to DHCP requests on the local network.

P-202H Plus v2 Support Notes

How do I set DNS other than P-202H Plus v2 IP address?

The P-202H Plus v2 assigns the values entered in Primary DNS server and Secondary DNS server fields in Menu 3.2 to the responses to the DHCP requests on the local network if the DHCP Server function is enabled.

17. What is a Nailed-up Connection and when do I need to use it? A Nailed-up Connection, when enabled, emulates a leased line connection even

though the physical line is a dial-up connection. The P-202H Plus v2 dials and holds up a connection, without any traffic requesting it.

When you want the link to be always up, you need to use it.

18. What are Device filters and Protocol filters? In ZyNOS, the filters have been separated into two groups. One group is called

'device filter group', and the other is called 'protocol filter group'. Generic filters belong to the 'device filter group', TCP/IP and IPX filters belong to the 'protocol filter group'.

19. Why can't I configure device filters or protocol filters? In ZyNOS, you can not mix different filter groups in the same filter set.

20. The P-202H Plus v2 supports to upload the firmware and configuration files using FTP, but how do I prevent the outside user from 'FTP' my P-202H Plus v2?

The P-202H Plus v2 supports to upload the firmware and configuration files using FTP connections via LAN and WAN. So, this becomes unsecure that anyone can make a FTP connection over the Internet to your P-202H Plus v2. To prevent from outside users connecting to your P-202H Plus v2 via FTP, you can configure a filter to block the FTP connection from WAN.

P-202H Plus v2 Support Notes

Product FAQ

1. How do I collect EPA trace? Moreover, how do I read it?

• Enable the trace in Menu 24.8 by the following CI command:

isdn fw ana on

• Make a call to remote node or ISP by:

dev dial N (N is the remote node number)

• Drop the call by:

dev channel drop bri0|bri1 (bri0 for B1 channel, bri1 for B2 channel)

• Display the trace by:

isdn fw ana off isdn fw ana disp

2. Can I prevent the dial-in user from occupying two channels? Yes. You can use a CI command to prevent the dial-in user from occupying two

channels. Please enter to menu 24.8 and type the CI command:

ppp lcp mpin off (or on to allow two channels)

3. How does 'Dial Prefix to Access Outside Line' in Menu 2 (European firmware) work?

This prefix will be placed in front of the outgoing call phone numbers when you make an outgoing call.

4. What supplemental phone service does P-202H Plus v2 support The P-202H Plus v2 supports the following supplementary phone features on

both of its POTS ports.

 Call Waiting  Three Way Calling

P-202H Plus v2 Support Notes

 Call Transfer  Call Forwarding  Reminder Ring  Terminal Portability(Suspend/Resume)

Most supplementary services are not free, please check with your telephone company for the services they offer.

5. How do I do call waiting/call hold/call retrieve?

• Put your current call on hold and answer the incoming call - after hearing

the call waiting tone, press and immediately release the Flash button on

your telephone.

• Put your current call on hold and switch to another call - press and

immediately release the Flash button on your telephone.

• Hang up your current call before answering the incoming call - hang up

the phone and wait for answering the incoming call.

• Hang up the current active call and switch back to the other call - hang up

and wait for the phone to ring. Then pick up the phone to return to the

other call.

6. Why doesn't call waiting work as expected? An incoming caller will receive a busy signal if:

• You have two calls active (one active and one on hold; or both active by

using Three-Way Calling).

• You are dialing a number on the B channel the incoming caller is

attempting to reach, but have not yet established a connection.

If no action is taken to answer the call (call waiting indicator tone is ignored), the call waiting tones will disappear after about 20 seconds.

7. How do I do three way calling?

• Press the Flash key to put the existing call on hold and receive a dial tone.

• Dial the third party's phone number.

• When you are ready to conference the call together, press the Flash key

again to establish a three way conference call.

8. How do I remove a party from the three-way calling? Simply press the Flash key. The last call that was added to the conference is

dropped.

P-202H Plus v2 Support Notes

If you hang up your telephone during a three-way call and the two other callers remain on the line, the ISDN network will do an implicit transfer to directly connect the two remaining callers together.

9. How do I do call transfer? Call Transfer allows you to transfer an active call to a third party. This service

must be subscribed from your telephone company. Transferring an active call to a third party:

• Once you have an active call (Caller A), press Flash key to put Caller A

on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• When you are ready to conference the two calls together, press Flash key

to a Three-Way Conference call.

• Hang up the phone. The ISDN network does an implicit transfer to directly

connect Caller A with Caller B.

10. How do I blind call transfer?

• Once you have an active call (Caller A), press Flash key to put the

existing call on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• Before Caller B picks up the call, you can transfer the call by pressing the

Flash key. The call is automatically transferred.

11. What is call forwarding and how do I do it? The call forwarding means the switch will ring another number at a place where

you will be when sometime dials your directory number. There are two methods to active call forwarding, either method should work fine and you can use whichever one you are most comfortable.

 The first is exactly the same as on an analog line, i.e., you pick up the

handset and dial the access code assign by your telephone company and

the number that you want the calls forwarded. Check with your telephone

company for this access code.

 The second is with the 'phone flash' commands where you pick up the

handset and press the flash key before dialing the following:

Command Meaning *20*forward-number# Active CFB (Call Forwarding Busy) *21*forward-number# Active CFU (Call Forwarding

P-202H Plus v2 Support Notes

Unconditional) *22*forward-number# Active CFNR (Call Forwarding No Reply #20# Deactive CFB #21# Deactive CFU #22# Deactive CFNR

12. How do I suspend/resume a phone call (terminal portability)? The Terminal Portability service allows you to suspend a phone call temporarily.

You can then resume this call later, at another location if you so wish.

To suspend an active phone call:

• Press the flash key twice.

• Dial *3n*#, where n is any number from 1 to 9.

To resume your phone call:

• Reconnect at a (n) (ISDN) telephone that is linked to the same S/T

interface (Network Terminator-1, NT1) where you suspended the call.

• Pick up the handset and press the Flash key

• Dial #3n#, where n is any number from 1 to 9, but should be identical to

that used above.

13. What is reminder ring? The P-202H Plus v2 sends a single short ring to your telephone every time a call

has been forwarded(US switches only).

14. Why doesn't my answering machine on POTS port stop recording? Most answering machines stop recording when a busy tone is detected. But

some may not. Some answering machine only recongnize that a calling party has hung up after a period of silence. In this case, if such an answering machine is attched to the POTS port of P-202H Plus v2 you need to configure the 'Hangup Silence Time(sec)=' in SMT menu 2.1 to determine the silence time period. By doing so, once P-202H Plus v2 receives busy tones from the switch it sends the silence tone to the answering machine on POTS meanwhile.

15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European firmware)?

CLIP or CLIR refers to CLID Presented or Restricted. The P-202H Plus v2 can set the CLIP/CLIR bit at SETUP message to request the Switch, to include the

P-202H Plus v2 Support Notes

calling party number or not when the switch sends the SETUP message to the called party. You need subscribe to it first (see supplemental services)

16. Does P-202H Plus v2 support MP callback to dial-in users? No, P-202H Plus v2 only supports single link PPP to dial-in users.

17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting? Yes. For the detail of the settings please refer to the Tested SUA Applications

page.

18. What are the differences between P-202H, P-202H Plus and P-202H Plus v2?

The differences between P-202H, P-202H Plus and P-202H Plus v2 are listed in the following table.

Feature / Model P-202H P-202H Plus P-202H Plus v2 Ethernet Port 1 10/100M 4 10/100M 4 10/100M a/b adapter 2 - Remote Access

Server (Dial-in user suppport)

RADIUS Y Y Y LAN-to-LAN

Connection SNMP Y(ZyNOS 2.50) Y Y FTP firmware

upload IP Policy Routing Y(ZyNOS 2.50) Y Y Mega Bundle Y(ZyNOS 2.50) Y Y IP Alias Y(ZyNOS 2.50) Y Y Firewall - Y Y VPN - Y Y

Y(ZyNOS V2.41) Y Y

Y Y Y

P-202H Plus v2 Support Notes

Firewall FAQ

General

1. What is a network firewall?

A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of two mechanisms. One to block the traffic, and the other to permit traffic.

2. What makes P-202H Plus v2 secure? The P-202H Plus v2 is pre-configured to automatically detect and thwart Denial

of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The P-202H Plus v2supports Network Address Translation (NAT), which translates the private local addresses to one or multiple public addresses. This adds a level of security since the clients on the private LAN are invisible to the Internet.

3. What are the basic types of firewalls? Conceptually, there are three types of firewalls:

1. Packet Filtering Firewall

2. Application-level Firewall

3. Stateful Inspection Firewall

Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. These header information include the source, destination addresses and ports of the packets.

Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by mean of a proxy. A key drawback of this device is performance.

Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful

P-202H Plus v2 Support Notes

Inspection firewalls generally provides the best speed and transparency, however, they may lack the granular application level access control or caching that some proxies support.

4. What kind of firewall is the P-202H Plus v2?

1. The P-202H Plus v2's firewall inspects packets contents and IP headers. It is applicable to all protocols, that understands data in the packet is intended for other layers, from network layer up to the application layer.

2. The P-202H Plus v2's firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.

3. The P-202H Plus v2's firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.

4. The P-202H Plus v2's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.

5. The P-202H Plus v2's firewall provides email service to notify you for routine reports and when alerts occur.

5. Why do you need a firewall when your router has packet filtering and NAT built-in?

With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filter and NAT restrict access to particular computers and networks, however, for the other companies this security may be insufficient, because packets filters typically cannot maintain session state. Thus, for greater security, a firewall is considered.

6. What is Denials of Service (DoS)attack? Denial of Service (DoS) attacks are aimed at devices and networks with a

connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.

There are four types of DoS attacks:

1. Those that exploits bugs in a TCP/IP implementation such as Ping of Death and Teardrop.

2. Those that exploits weaknesses in the TCP/IP specification such as SYN Flood and LAND Attacks.

P-202H Plus v2 Support Notes

3. Brute-force attacks that flood a network with useless data such as Smurf attack.

4. IP Spoofing

7. What is Ping of Death attack? Ping of Death uses a 'PING' utility to create an IP packet that exceeds the

maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot.

8. What is Teardrop attack? Teardrop attack exploits weakness in the reassemble of the IP packet fragments.

As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

9. What is SYN Flood attack? SYN attack floods a targeted system with a series of SYN packets. Each packet

causes the targeted system to issue a SYN-ACK response, While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set a relatively long intervals) terminates the TCP three-way handshake. Once the queue is full , the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

10. What is LAND attack? In a LAN attack, hackers flood SYN packets to the network with a spoofed source

IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

11 What is Brute-force attack? A Brute-force attack, such as 'Smurf' attack, targets a feature in the IP

specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker flood a destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous

P-202H Plus v2 Support Notes

hosts, this will create a large amount of ICMP echo request packet, the resulting ICMP traffic will not only clog up the 'intermediary' network, but will also congest the network of the spoofed source IP address, known as the 'victim' network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

12. What is IP Spoofing attack? Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may

be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.

13. What are the default ACL firewall rules in P-202H Plus v2? There are two default ACLs pre-configured in the P-202H Plus v2, one allows all

connections from LAN to WAN and the other blocks all connections from WAN to LAN except of the DHCP packets.

14. Why static/policy route be blocked by P-202H Plus v2? P-202H Plus v2 is an ideal secure gateway for all data passing between the

Internet and the LAN/DMZ. For some reasons (load balance or backup line), users may want traffic to be re-routed to another Internet access devices while still be protected by P-202H Plus v2. In such case, the network topology is the most important issue. Here is a common example that people mis-deploy the static route.

P-202H Plus v2 Support Notes

The above figure indicates the "triangle route" topology. It works fine if you turn off firewall function on P-202H Plus v2 box. However, if you turn on firewall, your connection will be blocked by firewall because of the following reason.

Step 1. Being the default gateway of PC, P-202H Plus v2 will receive all

"outgoing" traffic from PC.

Step 2. And because of Static route/Policy Routing, P-202H Plus v2

forwards the traffic to another gateway (ISDN/Router) which is in the same segment as P-202H Plus v2's LAN.

Step 3. However the return traffic won't go back to P-202H Plus v2, in stead,

the "another gateway (ISDN/Router)" will send back the traffic to PC directly. Because the gateway (say, P201) and the PC are in the same segment.

When firewall is turned on, P-202H Plus v2 will check the outgoing traffic by ACL and create dynamic sessions to allow return traffic to go back. To achieve AntiDoS, P-202H Plus v2 will send RST packets to the PC and the peer since it never receives the TCP SYN/ACK packet. Thus the connection will always be reset by P-202H Plus v2.

Solutions. (A) Deploying your second gateway in IP alias segment is a better solution. In

this way, your connection can be always under control of firewall. And thus there won't be Triangle Route problem.

P-202H Plus v2 Support Notes

(B) Deploying your second gateway on WAN side.

(C) To resolve this conflict, we add an option for users to allow/disallow such Triangle Route topology in both CI command and Web configurator . You can issue this command, "sys firewall ignore triangle all on" , to allow firewall bypass triangle route checking. In Web GUI, you can find this option in firewall setup page.

But we would like to notify that if you allow Triangle Route, any traffic will be easily injected into the protected network through the unprotected gateway. In fact, it's a security hole in protected your network.

Configuration

1. How do I configure the firewall?

P-202H Plus v2 supports a embedded web server so that you can use the web brower to configure it from any OS platform.

P-202H Plus v2 Support Notes

2. How do I prevent others from configuring my firewall?

There are several ways to protect others from touching the settings of your firewall.

1. Change the default password since it is required when setting up the firewall using Telnet, Console or Web browser.

2. Limit who can Telnet to your router. You can enter the IP address of the secured LAN host in SMT Menu 24.11 to allow Telnet to your P-202H Plus v2. The default value in this field is 0.0.0.0, which means you do not care which host is trying to Telnet your P-202H Plus v2.

3. Can I use a browser to configure my P-202H Plus v2? Yes, you can use a web browser to configure the P-202H Plus v2.

4. Why can't I configure my router using Telnet over WAN? There are three reasons that Telnet from WAN is blocked.

1. When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable Telnet from WAN, you must turn the firewall off (Menu 21.2) or create a firewall rule to allow Telnet connection from WAN. The WAN-to-LAN ACL summary will look like as shown below.

Source IP= Telnet host Destination IP= router' WAN IP Service= TCP/23 Action=Forward

2. You have disabled Telnet service in Menu 24.11.

3. Telnet service is enabled but your host IP is not the secured host entered in Menu 24.11. In this case, the error message 'Client IP is not allowed!' is appeared on the Telnet screen.

4. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol field in menu 11.5.

5. The console port is in use.

5. Why can't I upload the firmware and configuration file using FTP over WAN?

1. When the firewall is turned on, all connections from WAN to LAN are

blocked by the default ACL rule. To enable FTP from WAN, you must turn the

P-202H Plus v2 Support Notes

firewall off (Menu 21.2) or create a firewall rule to allow FTP connection from WAN. The WAN-to-LAN ACL summary will look like as shown below.

Source IP= FTP host Destination IP= P-202H Plus v2's WAN IP Service= FTP TCP/21, TCP/20 Action=Forward

2. You have disabled FTP service in Menu 24.11.

3. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol

field in menu 11.5.

6. Why can't I configure my router using Telnet over LAN?

1. You have disabled Telnet service in Menu 24.11.

2. Telnet service is enabled but your host IP is not the secured host entered in Menu 24.11. In this case, the error message 'Client IP is not allowed!' is appeared on the Telnet screen.

3. The default filter rule 3 (Telnet_FTP_LAN) is applied in the Input Protocol field in menu 3.1.

4. The console port is in use.

7. Why can't I upload the firmware and configuration file using FTP over LAN?

1. 1. You have disabled FTP service in Menu 24.11.

2. The default filter rule 3 (Telnet_FTP_LAN) is applied in the Input Protocol field in menu 3.1.

Log and alert

1. When does the P-202H Plus v2 generate the firewall log?

The P-202H Plus v2 generates the log immediately when the packet match, doesn't match (or both) a firewall rule. The log for Default Permit (LAN to WAN, WAN to LAN) is generated automatically. To generate the log for custom rules, the Log option in Web Configurator must be set to Not Match, Match, or Both. The Reason column for the default permit shown in the log will be 'default permit, <1, 00> or <2, 00>'. Here <1, 00> means the LAN-to-WAN default ACL set, <2, 00> means the WAN-to-LAN default ACL set.

2. What does the log show to us?

P-202H Plus v2 Support Notes

The log supports up to 128 entries. There are 2 rows and 5 columns for each entry. Please see the example shown below.

# Time Packet Information Reason Action 127|Mar 15 0 |From:192.168.1.34 To:202.132.155.93 |default permit |forward

| 03:03:54|ICMP type:00008 code:00000 |<1,00> | Where <X,Y> stands for <Set number, Rule number>. X=1,2 ; Y=00~10. There

are two policy sets, set 1 for rules checking connections from LAN to WAN and set 2 for rules checking connections from WAN to LAN. So, X=1 means set 1 and X=2 means set 2.

Y means the rule in the set. Because we can configure up to 10 rules in a set, so Y can be from 1 to 10. If the rule number shows 00, it means the Default Rule.

3. How do I view the firewall log? The log keeps 128 entries, the new entries will overwrite the old entries when the

log has over 128 entries. There are three ways to view the firewall log:

1. View the log from SMT Menu 21.3-View Firewall Log

2. View the log using CI command-sys firewall display

3. View the log from Web Configurator

4. When does the P-202H Plus v2 generate the firewall alert? The P-202H Plus v2 generates the alert when an attack is detected by the

firewall and sends it via Email. So, to send the alert you must configure the mail server and Email address using Web Configurator. You can also specify how frequently you want to receive the alert via Web Configurator.

5. What does the alert show to us? The alert shown in the Email is actually the evens of the attack. So, the Reason

column shows Attack and the attack type. Please see the example shown below.

# Time Packet Information Reason Action 127|Mar 15 0 |From:192.168.1.1 To:192.168.1.1 |attack |block

| 03:04:54|ICMP type:00008 code:00000 |land |

P-202H Plus v2 Support Notes

6. What is the difference between the log and alert?

A log entry is just added to the log inside the P-202H Plus v2 and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attacked is detected.

P-202H Plus v2 Support Notes

IPSec Related FAQ

IPSec FAQ

VPN Overview

1. What is VPN?

A VPN gives users a secure link to access corporate network over the Internet or other public or private networks without the expense of lease lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

2. Why do I need VPN? There are some reasons to use a VPN. The most common reasons are because

of security and cost. Security

1). Authentication With authentication, VPN receiver can verify the source of packets and

guarantee the data integrity.

2). Encryption With encryption, VPN guarantees the confidentiality of the original user data. Cost

1). Cut long distance phone charges Because users typically dial the their local ISP for VPN, thus, long distance

phone charge is reduced than making a long direct connection to the remote office.

2).Reducing number of access lines Many companies pay monthly charges for two types access lines: (1) high-speed

links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.

P-202H Plus v2 Support Notes

3. What are most common VPN protocols?

There are currently three major tunneling protocols for VPNs. They are Point-toPoint Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).

4. What is PPTP? PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets

to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the DialUp Networking 1.2 upgrade.

5. What is L2TP? Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point

Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.

6. What is IPSec? IPSec is a set of IP extensions developed by IETF (Internet Engineering Task

Force) to provide security services compatible with the existing IP standard (IPv.4) and also the upcoming one (IPv.6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. The IPSec provides cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. IPSec allows for the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.

7. What secure protocols does IPSec support? There are two protocols provided by IPSec, they are AH (Authentication Header,

protocol number 51) and ESP (Encapsulated Security Payload, protocol number

50).

8. What are the differences between 'Transport mode' and 'Tunnel mode? The IPSec protocols (AH and ESP) can be used to protect either an entire IP

payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is

P-202H Plus v2 Support Notes

for security gateway to provide IPSec service for other machines lacking of IPSec capability.

In this case, Transport mode only protects the upper-layer protocols of IP payload (user data). Tunneling mode protects the entire IP payload including user data.

There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode and tunnel mode.

9. What is SA? A Security Association (SA) is a contract between two parties indicating what

security parameters, such as keys and algorithms they will use.

10. What is IKE? IKE is short for Internet Key Exchange. Key Management allows you to

determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN.

There are two phases in every IKE negotiation- phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

11. What is Pre-Shared Key? A pre-shared key identifies a communicating party during a phase 1 IKE

negotiation. It is called 'Pre-shared' because you have to share it with another party before you can communicate with them over a secure connection.

12. What are the differences between IKE and manual key VPN? The only difference between IKE and manual key is how the encryption keys and

SPIs are determined.

• For IKE VPN, the key and SPIs are negotiated from one VPN gateway to

the other. Afterward, two VPN gateways use this negotiated keys and SPIs to send packets between two networks.

• For manual key VPN, the encryption key, authentication key (if needed),

and SPIs are predetermined by the administrator when configuring the security association.

P-202H Plus v2 Support Notes

IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection.

P-202H Plus v2 VPN

1. How do I configure P-202H Plus v2 VPN?

You can configure P-202H Plus v2 for VPN using SMT or Web configurator. P202H Plus v2 1 supports Web only.

2. How many VPN connections does P-202H Plus v2 support? One P-202H Plus v2 202H Plus supports 2 VPN connections.

3. What VPN protocols are supported by P-202H Plus v2 VPN?

All P-202H Plus v2 series support ESP (protocol number 50) and AH (protocol number 51).

4. What types of encryption does P-202H Plus v2 VPN support?

P-202H Plus v2 supports 56-bit DES and 168-bit 3DES.

5. What types of authentication does P-202H Plus v2 VPN support? VPN vendors support a number of different authentication methods. P-202H Plus

v2 VPN supports both SHA1 and MD5. AH provides authentication, integrity, and replay protection (but not

confidentiality). Its main difference with ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses), but ESP does not.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two go always together). Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.

6. I am planning my P-202H Plus v2-to-P-202H Plus v2 VPN configuration. What do I need to know?

+ 404 hidden pages