Netopia 6.3 User's Manual
Contents
1. Open the Web Connection ..... 29
Home page ..... 30
Home page Information ..... 31
Navigating the Web Hierarchy ..... 32
Quickstart ..... 36
How to Use the Quickstart Page ..... 36
Setup Your Gateway using a DHCP Connection ..... 37
Change Procedure ..... 38
Setup Your Gateway using a PPP Connection ..... 40
Setup Your Gateway using a Static IP Address ..... 41
Configuration Procedure ..... 41
WAN ..... 44
Advanced ..... 45
Configure Specific Pinholes ..... 47
Planning for Your Pinholes ..... 47
Example: A LAN Requiring Three Pinholes ..... 47
Pinhole Configuration Procedure ..... 49
Configure the IPMaps Feature ..... 52
FAQs for the IPMaps Feature ..... 52
IPMaps ..... (entry cut off)
2. About Passwords
Access to your Gateway is controlled through two user accounts, Admin and User.
• Admin: full access to the Gateway.
• User: not allowed to configure any parameters, install keys or software, or restart the Gateway.
[Password page: Use the fields below to change or create passwords. Username: Admin. Old Password (leave blank if no old password). New Password. Confirm Password. Password changes are automatically saved and take effect immediately. Submit.]
Use the following procedure to change existing passwords or add the User password for your Cayman Gateway.
Step 1: Select the password type from the Password Level pull-down list. Choose from Admin or User.
Step 2: If you assigned a password to the Cayman Gateway previously, enter your current password in the Old Password field.
Step 3: Enter your new password in the New Password field. Cayman's rules for a password are:
• It can have up to eight alphanumeric characters.
• It is case sensitive.
Step 4: Enter your new password again in the Confirm Password field. You confirm the new password to verify that you entered it correctly the first time.
Step 5: When you are finished, click the Submit button to store your modified configuration in the Cayman unit's memory. Password changes are automatically saved and take effect immediately.
Firewall
Use a Cayman Firewall...
3. set bridge ethernet A filters pppoe-only [ on | off ] (DSL)
Enables or disables bridging services for the specified Ethernet interface.
set bridge interwan-bridging [ on | off ] (DSL)
Enables or disables bridging between virtual circuit connections.
DHCP Settings
As a Dynamic Host Configuration Protocol (DHCP) server, your Cayman Gateway can assign IP addresses and provide configuration information to other devices on your network dynamically. A device that acquires its IP address and other TCP/IP configuration settings from the Cayman Gateway can use the information for a fixed period of time, called the DHCP lease.
set dhcp option [ off | server | relay-agent ]
Enables or disables DHCP services in the Cayman Gateway. You must enable DHCP services before you can enter other DHCP settings for the Cayman Gateway. If you turn off DHCP services and save the new configuration, the Cayman Gateway clears its DHCP settings.
set dhcp start-address ip_address
If you selected server, specifies the first address in the DHCP address range. The Cayman Gateway can reserve a sequence of up to 253 IP addresses within a subnet, beginning with the specified address, for dynamic assignment.
set dhcp end-address ip_address
If you selected server, specifies the last address in the DHCP address range.
set dhcp lease-time lease_time
If you selected server, specifies the default length for DHCP lea...
4. set security ipsec tunnels name "123" IKE-mode pre-shared-key-type [ hex | ascii ] (default: hex)
See page 73 for details about SafeHarbour IPsec tunnel capability.
set security ipsec tunnels name "123" IKE-mode pre-shared-key hex_string
See page 73 for details about SafeHarbour IPsec tunnel capability. Example: 0x1234
set security ipsec tunnels name "123" IKE-mode neg-method [ main | aggressive ] (default: main)
See page 73 for details about SafeHarbour IPsec tunnel capability.
Note: Aggressive Mode is a little faster, but it does not provide identity protection for the negotiating nodes.
set security ipsec tunnels name "123" IKE-mode DH-group [ 1 | 2 | 5 ] (default: 1)
See page 73 for details about SafeHarbour IPsec tunnel capability.
set security ipsec tunnels name "123" IKE-mode isakmp-SA-encrypt [ DES | 3DES | Blowfish | CAST ] (default: DES)
See page 73 for details about SafeHarbour IPsec tunnel capability.
set security ipsec tunnels name "123" isakmp-SA-hash [ MD5 | SHA1 ] (default: MD5)
See page 73 for details about SafeHarbour IPsec tunnel capability.
set security ipsec tunnels name "123" PFS-DH-group [ off | 1 | 2 | 5 ] (default: off)
See page 73 for details about SafeHarbour IPsec tunnel capability.
Internet Key Exchange (IKE) Settings
The following four IPsec parameters configure the rekeying event.
set security ipsec tunnels name "123" IKE-mode ipsec-soft-mbytes [ 1 - 1000000 ] (default: 1000)
set security ip...
5. Updater file for your particular Gateway. Cayman Operating System image for your particular Gateway.
Confirm Updater and COS Image Files
The Updater and COS Image files are specific to the model and the product identification (PID) number. Confirm that you have received the appropriate Updater and COS Image files using this table.
Model                 PID    Updater File     COS Image File
3220-H                07xx   u8a110R0.COS     c8a630R0.COS
3220-H                08xx   u8j110R0.COS     c8j630R0.COS
3220-H-W11            08xx   u8w110R0.COS     c8w630R0.COS
3220-H-WRF            08xx   u8w110R0.COS     c8w630R0.COS
2E (see Warnings)     07xx   u8e110R0.COS     c8e630R0.COS
2E-H (see Warnings)   07xx   u8e110R0.COS     c8e630R0.COS
2E-H-W11              09xx   u8ew110R0.COS    c8ew630R0.COS
2E-H-WRF              09xx   u8ew110R0.COS    c8ew630R0.COS
Step 2: Copy the confirmed Updater file to a convenient location on a computer on your local area network. Be sure that you note the location.
Step 3: Copy the confirmed COS 6.3 file to the same location.
Contact Information
Contact Cayman Technical Support for questions concerning the upgrade process. Contact Cayman Sales for specific advanced features. Use this contact information:
Web Access: http://www.netopia.com/support
Technical Support: 510-814-5000 ext. 1
Main Telephone: 510-814-5100
Updater File: Install Updater Application Code
If you are currently running a Cayman Operating System version (COS) 5.90 or higher, skip this Task and cont...
6. BreakWater Basic Firewall
BreakWater delivers an easily selectable set of pre-configured firewall protection levels. For simple implementation, these settings, comprised of three levels, are readily available through Cayman's embedded web server interface.
BreakWater Basic Firewall's three settings are:
• ClearSailing: BreakWater's default setting supports both inbound and outbound traffic. It is the only basic firewall setting that fully interoperates with all other Cayman software features.
• SilentRunning: Using this level of firewall protection allows transmission of outbound traffic on pre-configured TCP/UDP ports. It disables any attempt for inbound traffic to identify the Gateway. This is the Internet equivalent of having an unlisted number.
• LANdLocked: The third option available turns off all inbound and outbound traffic, isolating the LAN and disabling all WAN traffic.
BreakWater Basic Firewall operates independent of the NAT functionality on the Gateway.
Configuring for a BreakWater Setting
Use these steps to establish a firewall setting:
Step 1: Ensure that you have enabled the BreakWater basic firewall with the appropriate feature key. See "Use Cayman Software Feature Keys" on page 93 for reference.
Step 2: Click the Security toolbar button.
Step 3: Click Firewall.
ClearSailing provides protection against unwanted inbound traffic while securely passing ou...
7. To check the user status of the WAN connections when running COS 6.3, use these steps.
Step 1: To obtain additional information, click the Troubleshoot toolbar button. From WAN Users, click the Show link.
[System Status page: Select an option from the table below. Options: All, Status Overview, Features, Memory, Ports (Ethernet), Interfaces, Routes, ARP, DHCP Client, DHCP Server, Other. Actions: Show, Disconnect, Entire Page, Page by Page, Reset.]
Sample WAN Users display:
Number of allowed concurrent WAN users: 5
Number of WAN connections currently in use: 1
IP WAN Users (Host Name / IP Address / Timeout): (host name), 192.168.1.3, 19 minutes
The Show link provides this information:
• Number of allowed concurrent WAN users
• Number of WAN connections currently in use
• Address and computer name of current LAN users
• Timeout displays the status of the Idle Timeout Counter. The current user has this amount of time, from an initial 20-minute interval, remaining prior to an automatic disconnect from WAN access.
Disconnect Current WAN Users
The procedure is as follows:
Step 1: Click the Disconnect link from the WAN Users section of the System Status page. The Disconnect WAN (Internet) Users page appears. You may select which internet (WAN) connection will be disconnected from the list below. Disconnecting a WAN connection will remove that user's access to the WAN in order to make the connection available to another user. Onl...
8. Compare dial-in.
• A group of key agreement algorithms that let two computers compute a key independently without exchanging the actual key. It can generate an unbiased secret key over an insecure medium.
• Domain name: Name identifying an organization on the Internet. Domain names consist of sets of characters separated by periods (dots). The last set of characters identifies the type of organization (GOV, COM, EDU) or geographical location (US, SE).
• Network computer that matches host names to IP addresses in response to Domain Name System (DNS) requests.
• Standard method of identifying computers by name rather than by numeric IP address.
• DSL: Digital Subscriber Line. Modems on either end of a single twisted-pair wire that delivers ISDN Basic Rate Access.
• DTE: Data Terminal Equipment. Network node that passes information to a DCE (modem) for transmission. A computer or router communicating through a modem is an example of a DTE device.
• DTR: Data Terminal Ready. Circuit activated to indicate to a modem (or other DCE) that the computer (or other DTE) is ready to send and receive data.
• Frequency with which the router sends out echo requests.
• This toggle button is used to enable or disable the configured tunnel.
• Technique used to enclose information formatted for one protocol (such as AppleTalk) within a packet formatted for a different protocol (such as TCP/IP).
• Encryption protocol for the tunnel session. Parameter values supported include NONE or ESP. The...
9. Computer Names ..... 12
Updater ..... 12
802.11b Wireless Update ..... 12
NIST UTC Reference Signal ..... 12
Capabilities Roadmap for COS 6.3 ..... 13
Section 3: Overview of Major Capabilities ..... 14
Feature Keys ..... 14
Embedded Web Server ..... 15
Local Area Network ..... 16
DHCP (Dynamic Host Configuration Protocol) Server ..... 16
DHCP (Dynamic Host Configuration Protocol) Relay Agent ..... 16
Wide Area Network ..... 17
DHCP (Dynamic Host Configuration Protocol) Client ..... 17
PPPoE (Point-to-Point Protocol over Ethernet) ..... 17
Instant On ..... 17
Static IP Addresses ..... 18
Password Protection ..... 19
Network Address Translation (NAT) ..... (page number cut off)
10. set ethernet MAC-override option [ on | off ]
Enables or disables your ability to override the Ethernet MAC address associated with the WAN port on your unit. You must enable the Ethernet MAC address override before you can specify a new Ethernet MAC address.
set ethernet MAC-override address mac_address
Specifies the Ethernet MAC address, in hexadecimal nn-nn-nn-nn-nn-nn format, for your Cayman 2E-H.
To restore the default MAC address for the Cayman 2E-H WAN port, enter the set ethernet MAC-override option off command and restart your unit.
IP Settings
You can use the command line interface to specify whether TCP/IP is enabled, identify a default Gateway, and enter TCP/IP settings for the Cayman Gateway LAN and WAN ports. If PPPoE is turned off, you must specify settings for Ethernet A and B separately. If PPPoE is turned on, you can omit the A/B labels.
Basic Settings
set ip option [ on | off ]
Enables or disables TCP/IP services in the Cayman Gateway. You must enable TCP/IP services before you can enter other TCP/IP settings for the Cayman Gateway. If you turn off TCP/IP services and save the new configuration, the Cayman Gateway clears its TCP/IP settings.
set ip ipsec-passthrough [ on | off ] (default: on)
IPSec PassThrough supports VPN clients running on LAN-connected computers. Turn this setting off if your LAN-side VPN client includes its...
11. Sample security log entry (trailing fields illegible in the scan): Ping of Death   182.168.1.3   143.137.133.6   5   Fri May 09 16:05 ...
The capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent messages are not captured, but they are noted in the log entry count.
Remember that the time stamp is Universal Coordinated Time (UTC), which is the equivalent of Greenwich Mean Time (GMT). For your convenience, the table below lists the time offsets for various North American time zones. See "Timestamp Background" information on the next page for more details.
Table of Time Offsets (in hours from GMT):
Zone                    Hawaii   Alaska   Pacific   Mountain   Central   Eastern   Atlantic   UTC/GMT
Standard Time           10       9        8         7          6         5         4          0
Daylight Savings Time   N/A      8        7         6          5         4         3          0
Take the recorded UTC/GMT value and subtract the offset value to get the time that an event occurred in your system.
To reset this log, select Reset from the Security Monitor toolbar. The response is: "The security log has been reset."
When the Security Log contains no entries, this is the response: "The security log is empty."
Timestamp Background
During bootup, to provide better log information and to support improved troubleshooting, a Cayman Gateway acquires the National Institute of Standards and Technology (NIST) Universal Coordinated Time (UTC) reference signal. Once per hour the Gat...
12. SafeHarbour VPN IPSec Tunnel
SafeHarbour VPN IPSec Tunnel provides a single encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN-connected users. This implementation offers the following:
• Eliminates the need for VPN client software on individual PCs
• Reduces the complexity of tunnel configuration
• Simplifies the ongoing maintenance for secure remote access
A VPN tunnel is a secure link between two networks interconnected over an IP network, providing a secure, cost-effective alternative to dedicated leased lines. SafeHarbour employs VPN standards including:
• Internet Protocol Security (IPSec) suite, a series of protocols including encryption, authentication, integrity and replay protection
• Internet Key Exchange (IKE), a management protocol of IPSec
Adherence to VPN standards allows seamless interoperability between a Cayman Gateway and another standards-based encryptor. SafeHarbour supports:
• Symmetric encryption protocols: DES, 3DES, Blowfish and CAST
• Hash algorithms: MD5 and SHA1
• Diffie-Hellman groups 1, 2 and 5
Terms are defined in the Glossary and How To sections.
[Figure: an encrypted IPSec tunnel, terminating at a standards-based Gateway on one end and at the Cayman Gateway on the other.]
SafeHarbour VPN IPSec Tunnel Termination
An important feature of the SafeHarbour VPN IPSec Tunnel is secure encryption of the configured circuit in both...
13. The Gateway transmits traffic for high-priority VCCs before it transmits traffic for low-priority VCCs. Bandwidth is split between VCCs of equal priority.
set atm vccn tx-max-kbps [ 0 (no limit) | 1 - 1000 ] (DSL)
Specifies the maximum upstream transmission rate of the virtual circuit, measured in kilobytes per second. Zero (0) indicates no restriction on transmission rate.
Bridging Settings
Bridging lets the Cayman Gateway use MAC (Ethernet hardware) addresses to forward non-TCP/IP traffic from one network to another. When bridging is enabled, the Cayman Gateway maintains a table of up to 255 MAC addresses. Entries that are not used within 10 minutes are dropped. If the bridging table fills up, the oldest table entries are dropped to make room for new entries. Virtual circuits that use IP framing cannot be bridged.
set bridge option [ on | off ]
Enables or disables bridging services in the Cayman Gateway. You must enable bridging services within the Cayman Gateway before you can enable bridging for a specific interface.
set bridge ethernet [ A | B ] option [ on | off ]
Enables or disables bridging services for the Ethernet interface.
set bridge ethernet option [ on | off ] (DSL)
Enables or disables bridging services for the specified virtual circuit using Ethernet framing.
set bridge ethernet [ A | B ] filters pppoe-only [ on | off ]
Enables or disables bridging services for the specified Ethernet interface.
14. ...as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP). CHAP and PAP use a username and password pair to authenticate users with a PPP server. A CHAP authentication process works as follows:
1. The password is used to scramble a challenge string.
2. The password is a shared secret known by both peers.
3. The unit sends the scrambled challenge back to the peer.
PAP, a less robust method of authentication, sends a username and password to a PPP server to be authenticated. PAP's username and password pair are not encrypted and are therefore sent unscrambled.
Instant On PPP
You can configure your Gateway for one of two types of Internet connections:
• Always On
• Instant On
These selections provide either an uninterrupted Internet connection or an as-needed connection. While an Always On connection is convenient, it does leave your network permanently connected to the Internet and therefore potentially vulnerable to attacks. Cayman's Instant On technology furnishes almost all the benefits of an Always On connection while providing two additional security benefits:
• Your network cannot be attacked when it is not connected.
• Your network may change address with each connection, making it more difficult to attack.
When you configure Instant On access, you can also configure an idle time-out value. Your Gateway monitors traffic over the Internet link a...
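To show the difference the text describes between CHAP's scrambled challenge and PAP's cleartext credentials, here is an added Python example (not code from the Netopia manual). It assumes the RFC 1994 CHAP construction, response = MD5(identifier || secret || challenge), and records every message as a listener on the PPP link would see it.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

Message = Tuple  # (message type, field, field, ...) as captured on the link


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: 'scramble' the challenge with the shared secret.

    RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge).
    The secret itself never leaves the peer.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """PPP server side: recompute with its own copy of the secret and compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_secret: bytes, server_secret: bytes, wire: List[Message],
                  identifier: int = 1, challenge: Optional[bytes] = None) -> bool:
    """One CHAP round; every message is appended to `wire` as an eavesdropper sees it."""
    if challenge is None:
        challenge = os.urandom(16)       # server picks a fresh, unpredictable challenge
    wire.append(("challenge", identifier, challenge))
    response = chap_response(identifier, peer_secret, challenge)
    wire.append(("response", identifier, response))
    return chap_verify(identifier, server_secret, challenge, response)


def pap_exchange(username: bytes, password: bytes, server_db: dict,
                 wire: List[Message]) -> bool:
    """One PAP round: the credentials themselves travel in the Authenticate-Request."""
    wire.append(("authenticate-request", username, password))
    ok = hmac.compare_digest(server_db.get(username, b""), password)
    wire.append(("authenticate-ack" if ok else "authenticate-nak",))
    return ok


def secret_visible_on_wire(wire: List[Message], secret: bytes) -> bool:
    """Would a passive listener on the PPP link see the password itself?"""
    return any(secret in field for msg in wire for field in msg if isinstance(field, bytes))


if __name__ == "__main__":
    secret = b"s3cret-pw"                      # constructed sample credential
    chap_wire: List[Message] = []
    print("CHAP authenticated:", chap_exchange(secret, secret, chap_wire))
    print("CHAP leaks secret:", secret_visible_on_wire(chap_wire, secret))
    # Replaying an old response against a new challenge fails: the hash covers the challenge.
    old_response = chap_wire[1][2]
    print("CHAP replay accepted:", chap_verify(1, secret, os.urandom(16), old_response))
    pap_wire: List[Message] = []
    print("PAP authenticated:", pap_exchange(b"alice", secret, {b"alice": secret}, pap_wire))
    print("PAP leaks secret:", secret_visible_on_wire(pap_wire, secret))
```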
15. ...ARP table.
set ip static-arp ip-address ip_address
Specifies the IP address for the static ARP entry. Enter an IP address in the ip_address argument in dotted decimal format. The ip_address argument cannot be 0.0.0.0.
set ip static-arp hardware-address MAC_address
Specifies the Ethernet hardware address for the static ARP entry. Enter an Ethernet hardware address in the MAC_address argument in nn-nn-nn-nn-nn-nn hexadecimal format.
Static Route Settings
A static route identifies a manually configured pathway to a remote network. Unlike dynamic routes, which are acquired and confirmed periodically from other routers, static routes do not time out. Consequently, static routes are useful when working with PPP, since an intermittent PPP link may make maintenance of dynamic routes problematic. You can configure as many as 16 static IP routes for a Cayman Gateway. Use the following commands to maintain static routes in the Cayman Gateway routing table.
set ip static-routes destination-network net_address
Specifies the network address for the static route. Enter a network address in the net_address argument in dotted decimal format. The net_address argument cannot be 0.0.0.0.
set ip static-routes destination-network net_address netmask netmask
Specifies the subnet mask for the IP network at the other end of the static route. Enter the netmask argument in dotted decimal format. The...
16. [SNMP page fields: System Contact, System Location; Submit button.]
The Simple Network Management Protocol (SNMP) lets a network administrator monitor problems on a network by retrieving settings on remote network devices. The network administrator typically runs an SNMP management station program on a local host to obtain information from an SNMP agent. In this case, the Cayman Gateway is an SNMP agent. You enter SNMP configuration information on this page. Your network administrator furnishes the SNMP parameters.
SNMP presents you with a security issue. The community facility of SNMP behaves somewhat like a password. The community "public" is a well-known community name. It could be used to examine the configuration of your Gateway by your service provider or an uninvited reviewer. While Cayman's SNMP implementation does not allow changes to the configuration, the information can be read from the Gateway. If you are strongly concerned about security, you may delete the public community.
Link: Ethernet Bridge
[Ethernet Bridge page: Enable Bridging Function (Always On); Enable WAN-to-WAN Bridging; Ethernet 10BT LAN: Enable Bridging on Port (Always On); Ethernet Wireless LAN: Enable Bridging on Port (Always On); PPP over Ethernet vcc1 WAN: Enable Bridging on Port; Submit.]
Bridges let you join two local area networks so that they appear to be part of the same physic...
17. Basic Firewall
BreakWater delivers an easily selectable set of pre-configured firewall protection levels. These settings are readily available for simple implementation through Cayman's embedded web server interface. BreakWater provides you and your network with:
• Protection for all LAN users
• Elimination of firewall management software on individual PCs
• Immediate protection through three pre-configured firewall levels
• Elimination of the complexity associated with developing firewall rules
See page 69 for "How To Configure BreakWater" instructions, including a table of user tips.
BreakWater Settings
BreakWater Basic Firewall's three settings are:
• ClearSailing: provides protection against network-initiated inbound traffic while securely passing outbound traffic through the Gateway. In conjunction with Network Address Translation, this setting allows authorized remote diagnostic support while protecting against undesired inbound traffic.
• SilentRunning: using this level of firewall protection allows secure transmission of outbound traffic but disables any attempt for inbound traffic to identify the Gateway. This is the Internet equivalent of having an unlisted number.
• LANdLocked: the third option available turns off all inbound and outbound traffic, isolating the LAN and disabling all WAN traffic.
BreakWater Basic Firewall operates independent of the Gateway's NAT function.
18. • Display and reset Gateway statistics
• Issue administrative commands to restart Cayman Gateway functions
SHELL Prompt
When you are in SHELL mode, the CLI prompt is the name of the Cayman Gateway followed by a right angle bracket (>). For example, if you open a CLI connection to the Cayman Gateway named Coconut, you would see Coconut> as your CLI prompt.
SHELL Command Shortcuts
You can truncate most commands in the CLI to their shortest unique string. For example, you can use the truncated command q in place of the full quit command to exit the CLI. However, you would need to enter rese for the reset command, since the first characters of reset are common to the restart command.
The only command you cannot truncate is restart. To prevent accidental interruption of communications, you must enter the restart command in its entirety.
You can use the Up and Down arrow keys to scroll backward and forward through recent commands you have entered. Alternatively, you can use the (command name illegible in the scan) command to repeat the last command you entered.
Platform Convention
For each SHELL and CONFIG command, an index tab shows which platform(s) the command supports. For example:
arp nnn.nnn.nnn.nnn: both the Cayman 3220-H and 2E-H platforms use this command.
atmping ... [ segment | end-to-end ] (DSL): the Cayman 3220-H platform uses this command.
reset ppp enet-B: the Cayman 2E-H platform use...
19. IKE parameters (Parameter Setup Worksheet):
Pre-Shared Key Type: HEX / ASCII
Pre-Shared Key
Negotiation Method: Main / Aggressive
DH Group: 1 / 2 / 5
SA Encrypt Type: DES / 3DES / CAST / Blowfish
SA Hash Type: N/A / MD5 / SHA1
PFS DH Group: Off / 1 / 2 / 5
Soft MBytes: 1 - 1000000
Soft Seconds: 60 - 1000000
Hard MBytes: 1 - 1000000
Hard Seconds: 60 - 1000000
SafeHarbour Tunnel Setup
Use the following tasks to configure an IPSec VPN tunnel on your Cayman Gateway.
Task 1: Ensure that you have SafeHarbour VPN enabled. SafeHarbour is a keyed feature. See page 93 for information concerning installing Cayman Software Feature Keys.
Task 2: Complete the Parameter Setup Worksheet. IPSec tunnel configuration requires precise parameter setup between VPN devices. The Setup Worksheet facilitates setup and assures that the associated variables are identical.
Task 3: Enable IPSec. IPSec must be enabled on your Gateway to allow further VPN configuration. Perform the following steps to enable IPSec:
Step 1: Browse to the Gateway.
Step 2: Click the Security toolbar button.
Step 3: Click the IPSec link.
Step 4: Check the Enable SafeHarbour IPSec checkbox. Checking this box will automatically display the SafeHarbour IPSec Tunnel Entry parameters.
Two separate mechanisms for IPSec tunnel support are provided by your Gateway:
• IPSec PassThrough supports VPN clients running on LAN-connected computers. Disable this checkbox if you...
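As an added example (not part of the manual), a Python checker for the Parameter Setup Worksheet above: it validates each entry against the allowed values and ranges listed, flags choices the Gateway accepts but a careful administrator should avoid, and reports entries that differ between the two VPN devices' worksheets. The soft-before-hard rule is an assumption of standard IKE practice, not something the manual states.

```python
import hmac
import re
from typing import Dict, List

# Values the worksheet allows, taken from the parameter table above.
ALLOWED = {
    "pre_shared_key_type": {"HEX", "ASCII"},
    "negotiation_method": {"Main", "Aggressive"},
    "dh_group": {1, 2, 5},
    "sa_encrypt_type": {"DES", "3DES", "CAST", "Blowfish"},
    "sa_hash_type": {"MD5", "SHA1"},
    "pfs_dh_group": {"Off", 1, 2, 5},
}
RANGES = {
    "soft_mbytes": (1, 1000000),
    "soft_seconds": (60, 1000000),
    "hard_mbytes": (1, 1000000),
    "hard_seconds": (60, 1000000),
}
HEX_KEY = re.compile(r"^(0x)?[0-9A-Fa-f]+$")   # the manual's example key is 0x1234
MUST_MATCH = ("pre_shared_key",) + tuple(ALLOWED) + tuple(RANGES)


def validate(ws: Dict[str, object]) -> List[str]:
    """Return the worksheet entries the Gateway would not accept (empty list = OK)."""
    errors = []
    for key, choices in ALLOWED.items():
        if ws.get(key) not in choices:
            errors.append(f"{key}: {ws.get(key)!r} not in {sorted(map(str, choices))}")
    for key, (lo, hi) in RANGES.items():
        val = ws.get(key)
        if not isinstance(val, int) or not lo <= val <= hi:
            errors.append(f"{key}: {val!r} outside {lo}-{hi}")
    psk = str(ws.get("pre_shared_key", ""))
    if ws.get("pre_shared_key_type") == "HEX" and not HEX_KEY.match(psk):
        errors.append("pre_shared_key: HEX type requires hexadecimal digits (e.g. 0x1234)")
    elif not psk:
        errors.append("pre_shared_key: must not be empty")
    # Assumption (standard IKE practice): the soft limit, which triggers rekeying,
    # must be reached before the hard limit that tears the SA down.
    if not any(e.startswith(("soft_", "hard_")) for e in errors):
        if ws["soft_seconds"] > ws["hard_seconds"] or ws["soft_mbytes"] > ws["hard_mbytes"]:
            errors.append("soft limits must not exceed hard limits")
    return errors


def advisories(ws: Dict[str, object]) -> List[str]:
    """Accepted choices that weaken the tunnel; the first note restates the manual's own caveat."""
    notes = []
    if ws.get("negotiation_method") == "Aggressive":
        notes.append("Aggressive mode gives no identity protection to the negotiating nodes")
    if ws.get("sa_encrypt_type") == "DES":
        notes.append("single DES uses a 56-bit key; prefer 3DES among the offered ciphers")
    if ws.get("sa_hash_type") == "MD5":
        notes.append("MD5 is the weaker of the two offered hashes; prefer SHA1")
    if ws.get("dh_group") == 1:
        notes.append("DH group 1 is the 768-bit MODP group; prefer group 2 or 5")
    if ws.get("pfs_dh_group") == "Off":
        notes.append("PFS off: IPsec keys derive from the IKE SA, so its compromise exposes traffic")
    return notes


def mismatches(local: Dict[str, object], remote: Dict[str, object]) -> List[str]:
    """Entries that differ between the two VPN devices' worksheets (must be identical)."""
    out = []
    for key in MUST_MATCH:
        a, b = local.get(key), remote.get(key)
        if key == "pre_shared_key":       # compare secrets in constant time
            same = hmac.compare_digest(str(a).encode(), str(b).encode())
        else:
            same = a == b
        if not same:
            out.append(key)
    return out


if __name__ == "__main__":
    # Constructed worksheet values, not a real deployment.
    local = dict(pre_shared_key_type="HEX", pre_shared_key="0x1234", negotiation_method="Main",
                 dh_group=2, sa_encrypt_type="3DES", sa_hash_type="SHA1", pfs_dh_group=2,
                 soft_mbytes=1000, soft_seconds=82800, hard_mbytes=1200, hard_seconds=86400)
    remote = dict(local, sa_hash_type="MD5")
    print("errors:", validate(local))
    print("advisories:", advisories(remote))
    print("mismatches:", mismatches(local, remote))
```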
20. Illegal Packet Size (Ping of Death)
The maximum size of an IP packet is 64K bytes, but large packets must usually be fragmented into smaller pieces to travel across a network. Each fragment contains some information that allows the recipient to reassemble all of the fragments back into the original packet. However, the fragmentation information can also be exploited to create an illegally sized packet. Unwary hosts will often crash when the illegal fragment corrupts data outside of the normal packet bounds. The Cayman unit will detect and discard illegal packet fragments, and the Security Monitoring software logs the event. Logged information includes:
• IP source address
• IP destination address
• Number of attempts
• Time at last attempt
• Illegal packet size
Port Scan
Port scanning is the technique of probing to determine the list of TCP or UDP ports on which a host (or, in our case, a Gateway) is providing services. For example, the HTTP service is usually available on TCP port 80. Once hackers have your port list, they can refine their attack by focusing attention on these ports. According to the TCP/IP/UDP standards, a host will return an ICMP (Internet Control Message Protocol) message stating "port unreachable" on all inactive ports. The Security Monitoring software monitors these circumstances and will log an alert if it appears the cause is the result of someone running a port scan. Logged i...
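Added example, not the Gateway's own code: a Python model of the two Security Monitoring checks described above, run over constructed fragment and probe records. The 100-entry log capacity, the per-event attempt counter and the logged fields come from the manual; the port-scan threshold (10 distinct inactive ports from one source within 60 seconds) is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_IP_DATAGRAM = 65535   # largest legal IP packet ("64K bytes" in the manual)
LOG_CAPACITY = 100        # the security log holds 100 alert messages (manual)
SCAN_PORTS = 10           # assumption: this many distinct inactive ports from one source ...
SCAN_WINDOW = 60          # assumption: ... within this many seconds is treated as a scan


@dataclass
class Fragment:
    src: str
    dst: str
    ts: int          # seconds since epoch (the Gateway logs UTC)
    offset: int      # IP fragment offset field, in 8-byte units
    length: int      # payload bytes carried by this fragment


@dataclass
class Probe:
    src: str
    dst: str
    ts: int
    proto: str       # "TCP" or "UDP"
    dport: int


@dataclass
class Alert:
    kind: str
    src: str
    dst: str
    attempts: int
    last_seen: int
    detail: str


class SecurityMonitor:
    def __init__(self, open_ports):
        self.open_ports: Set[int] = set(open_ports)
        self.log: List[Alert] = []
        self.uncaptured = 0          # messages counted but not stored once the log is full
        self._by_key: Dict[Tuple[str, str, str], Alert] = {}
        self._recent: Dict[str, List[Tuple[int, int]]] = defaultdict(list)

    def _record(self, kind: str, src: str, dst: str, ts: int, detail: str) -> Optional[Alert]:
        key = (kind, src, dst)
        alert = self._by_key.get(key)
        if alert is not None:            # repeat of a logged event: bump attempts, update time
            alert.attempts += 1
            alert.last_seen = ts
            return alert
        if len(self.log) >= LOG_CAPACITY:
            self.uncaptured += 1         # noted in the count, message itself dropped
            return None
        alert = Alert(kind, src, dst, 1, ts, detail)
        self.log.append(alert)
        self._by_key[key] = alert
        return alert

    def inspect_fragment(self, f: Fragment) -> bool:
        """True if the fragment may be reassembled, False if discarded as illegal."""
        end = f.offset * 8 + f.length    # where this fragment would end after reassembly
        if end > MAX_IP_DATAGRAM:
            self._record("Ping of Death", f.src, f.dst, f.ts, f"illegal packet size {end}")
            return False
        return True

    def inspect_probe(self, p: Probe) -> str:
        """'deliver' for an active port; 'unreachable' (ICMP port unreachable) otherwise."""
        if p.dport in self.open_ports:
            return "deliver"
        hist = [(t, d) for t, d in self._recent[p.src] if p.ts - t <= SCAN_WINDOW]
        hist.append((p.ts, p.dport))
        self._recent[p.src] = hist
        distinct = {d for _, d in hist}
        if len(distinct) >= SCAN_PORTS:
            self._record("Port Scan", p.src, p.dst, p.ts, f"{len(distinct)} inactive ports probed")
        return "unreachable"


if __name__ == "__main__":
    mon = SecurityMonitor(open_ports={80})
    # Constructed records: an oversized final fragment, then probes of ports 1..10.
    mon.inspect_fragment(Fragment("10.0.0.5", "192.168.1.2", 1000, 8190, 16))
    for port in range(1, 11):
        mon.inspect_probe(Probe("10.0.0.9", "192.168.1.2", 2000 + port, "TCP", port))
    for a in mon.log:
        print(a.kind, a.src, a.dst, a.attempts, a.last_seen, a.detail)
```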
21. On the WAN port, you can enable or disable administrator access, or specify that the WAN port can only be used for administrative traffic. By default, administrative restrictions are turned off on both Ethernet ports, meaning an administrator can open a telnet connection through either port.
Note: If you specify admin-only access for the Cayman 2E-H WAN port, you will turn off routing services through that port. RIP and ICMP traffic is still accepted. Do NOT turn on admin-only access without consulting with your network administrator.
set ip ethernet [ A | B ] proxy-arp [ on | off ]
Specifies whether you want the Cayman Gateway to respond when it receives an address resolution protocol request for devices behind it. By default, proxy ARP is turned off.
set ip ethernet [ A | B ] rip-send [ off | v1 | v2 | v1-compat | v2-MD5 ]
Specifies whether the Cayman Gateway should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to other routers on your network. RIP Version 2 (RIP-2) is an extension of the original Routing Information Protocol (RIP-1) that expands the amount of useful information in the RIP packets. While RIP-1 and RIP-2 share the same basic algorithms, RIP-2 supports several new features, including inclusion of subnet masks in RIP packets and implementation of multicasting instead of broadcasting, which reduces the load on hosts which do not support ro...
22. Capabilities Roadmap for COS 6.3 (continued)
Feature                                   Keyed   Described on page   Configured on page
Proxy (row cut off at start)                      16                  124
WAN: DHCP Client                                  17                  123
PPPoE                                             17                  136
Multiple PPPoE Sessions                   Yes
Static IP Address                                 18                  41
IPMaps (Multiple Static IP Addresses)     Yes     18                  52
Pinholes                                          21                  46
User Limits                               Yes                         103
Security: Password Protection                     19                  66
Network Address Translation (NAT)                 19
Instant On PPP                                    17                  138
Security Monitoring Log                   Yes     22                  80
VPN: IPSec Pass-Through                           27                  73
SafeHarbour VPN IPSec Tunnel              Yes     28                  73
BreakWater Basic Firewall                 Yes     26                  69
Section 3: Overview of Major Capabilities
This section describes the principal features of Cayman Operating System version 6.3. The information is grouped by usage area.
General
Feature Keys
Certain functionality in this release is controlled through software feature keys. These keys are proprietary files with the following properties:
• They are specific to the serial number of the target unit.
• Once installed and the Gateway restarted, the desired enhancement is enabled, which then allows full access to Configuration, Operation, Maintenance and Administration.
• They will not enable the desired feature on a unit with the wrong serial number.
• They are rejected upon restart, not when the file is downloaded.
Enhanced capabilities requiring a feature key include:
• Tiered Operating System
• Security Monitoring Log
• BreakWater Basic Firewall
• SafeHarbour IPSec Tunnel Termination
Many Netopia Cayman-series Gateways ship with particular feature key sets pr...
23. Specifies the IP address of the default IP Gateway.
WAN-to-WAN Routing Settings
Use the following command to configure settings for routing between WAN connections.
set ip interwan-routing [ on | off ]
Enables or disables routing between WAN connections.
IP over PPP Settings
Use the following commands to configure settings for routing IP over a virtual PPP interface. Many of these setting commands are designated as BOTH. Note, however: for the 3220-H (DSL) platform you must identify the virtual PPP interface, vccn, a number from 1 to 8. This argument does not apply to the 2E-H platform.
set ip ip-ppp [vccn] option [ on | off ]
Enables or disables IP routing through the virtual PPP interface. By default, IP routing is turned off. You must enable IP routing before you can enter other IP routing settings for the virtual PPP interface. If you turn off IP routing and save the new configuration, the Cayman Gateway clears IP routing settings.
set ip ip-ppp [vccn] address ip_address
Assigns an IP address to the virtual PPP interface. If you specify an IP address other than 0.0.0.0, your Cayman Gateway will not negotiate its IP address with the remote peer. If the remote peer does not accept the IP address specified in the ip_address argument as valid, the link will not come up.
The default value for the ip_address argument is 0.0.0.0, which indicates that the virtual PPP interfa...
24. WAN User Limit ..... 103
Appendix A: Command Line Interface ..... 104
Overview ..... 104
Starting and Ending a CLI Session ..... 106
Connecting from telnet ..... 106
Connecting from the Maintenance Console Port ..... 106
Logging In ..... 106
Ending a CLI Session ..... 107
Saving Settings ..... 107
Using the CLI Help Facility ..... 107
About SHELL Commands ..... 107
SHELL Prompt ..... 107
SHELL Command Shortcuts ..... 107
Platform Convention ..... 108
SHELL Commands ..... 108
About CONFIG Commands ..... 117
CONFIG Mode Prompts ..... 117
Navigating the CONFIG Hierarchy ..... 117
Entering Commands in CONFIG Mode ..... 118
Guidelines: CONFIG Commands ..... 118
Displaying Current Gateway Settings ..... 119
Step Mode: A CLI Configuration Technique ..... (page number cut off)
a telnet session.

traceroute { hostname | ip_address }
Traces the route between the Cayman Gateway and the specified host.
• The hostname argument is the name of the device you want to trace, for example traceroute ftp.cayman.com.
• The ip_address argument is the IP address, in dotted decimal notation, of the device you want to trace.

upload [server_address] [filename] [confirm]
Copies the current configuration settings of the Cayman Gateway to a TFTP (Trivial File Transfer Protocol) server. The TFTP server must be accessible on your Ethernet network. The server_address argument identifies the IP address of the TFTP server on which you want to store the Cayman Gateway settings. The filename argument identifies the path and name of the configuration file on the TFTP server. If you include the optional confirm keyword, you will not be prompted to identify a TFTP server or file name.

who
Displays the names of the current shell users.

[Page 116, Appendix A: About CONFIG Commands]

About CONFIG Commands

You reach the configuration mode of the command line interface by typing configure (or any truncation of configure, such as c or config) at the CLI SHELL prompt.

CONFIG Mode Prompt

When you are in CONFIG mode, the CLI prompt consists of the name of the Cayman Gateway followed by your current node in the hierarchy and two right angle brackets (>>). For example, when you enter CONFIG mode by typing config at the SHEL
access to it. With NAT on, the only externally visible IP address on your network is the Gateway's WAN IP, supplied by your Service Provider. All traffic intended for that LAN Web server must be directed to that IP address.

Application 2: You want one of your LAN stations to act as the central repository for all email for all of the LAN users.

Application 3: One of your LAN stations is specially configured for game applications. Again, you want this specific LAN station to be dedicated to games.

A sample table to plan the desired pinholes is:

WAN Traffic Type   Protocol   Pinhole Name    LAN Internal IP Address
Web                TCP        my-webserver    192.168.1.1
Email              TCP        my-mailserver   192.168.1.2
Games              UDP        my-games        192.168.1.3

For this example, Internet protocols TCP and UDP must be passed through the NAT security feature, and the Gateway's embedded Web (HTTP) port must be re-assigned by configuring new settings on the Internal Servers page.

[Page 47, Section 4: Configure]

TIPS for making Pinhole Entries

1. If the port forwarding feature is required for Web services, ensure that the embedded Web server's port number is re-assigned PRIOR to any Pinhole data entry.
2. Enter data for one Pinhole at a time.
3. Use a unique name for each Pinhole. If you choose a duplicate name, it will overwrite the previous information without warning.

A diagram of this LAN example is:

[Diagram: the LAN example, showing my-webserver at 192.168.1.1 and the WAN Ethernet interface]
address is the only IP address exposed. The Cayman Gateway tracks which local hosts are communicating with which remote hosts. It routes packets received from remote networks to the correct computer on the LAN (Ethernet A) interface.
• When NAT is OFF, a Cayman Gateway acts as a traditional TCP/IP router: all LAN computers/devices are exposed to the Internet.

A diagram of a typical NAT-enabled LAN is shown below.

[Section 3: General]

[Diagram: Dual Ethernet Gateway with a WAN Ethernet Interface and a LAN Ethernet Interface; NAT; NAT-protected LAN stations; Embedded Admin Services (HTTP Web Server and Telnet Server) port. A similar configuration applies to a DSL WAN interface (3220 family).]

1. The default setting for NAT is ON.
2. Cayman uses Port Address Translation (PAT) to implement the NAT facility.
3. NAT Pinhole traffic (discussed below) is always initiated from the WAN side.

Cayman Advanced Features for NAT

Using the NAT facility provides effective LAN security. However, there are user applications that require methods to selectively bypass this security function for certain types of Internet traffic. Cayman Gateways provide special pinhole configuration rules that enable users to establish NAT-protected LAN layouts that still provide flexible bypass capabilities. Some of these rules require coordination with the unit's embedded admin
are setting up a Cayman Gateway.

Displaying Current Gateway Settings

You can use the view command to display the current CONFIG settings for your Cayman Gateway. If you enter the view command at the top level of the CONFIG hierarchy, the CLI displays the settings for all enabled functions. If you enter the view command at an intermediate node, you see settings for that node and its subnodes.

Step Mode: A CLI Configuration Technique

The Cayman Gateway command line interface includes a step mode to automate the process of entering configuration settings. When you use the CONFIG step mode, the command line interface prompts you for all required and optional information. You can then enter the configuration values appropriate for your site without having to enter complete CLI commands.

When you are in step mode, the command line interface prompts you to enter required and optional settings. If a setting has a default value or a current setting, the command line interface displays the default value for the command in parentheses. If a command has a limited number of acceptable values, those values are presented in brackets, with each value separated by a vertical line. For example, the following CLI step command indicates that the default value is off and that valid entries are limited to on and off:

option (off) [on | off]: on

You can accept the default value for a field by pressing the Return key. To use a different value, enter it and p
do not support routing protocols. This command is only available when address mapping for the specified virtual circuit is turned off. (DSL)

set ip ip-ppp [vccn] rip-receive { off | v1 | v2 | v1-compat }
Specifies whether the 3220-H should use Routing Information Protocol (RIP) broadcasts to update its routing tables with information received from other routers on the other side of the PPP link. This command is only available when address mapping for the specified virtual circuit is turned off. (DSL)

set ip ip-ppp [vccn] flush-routes { on | off }
Specifies whether the 3220-H should flush (delete) entries from its routing table when the specified virtual circuit is down and those routes are inaccessible. This command is only available when address mapping for the specified virtual circuit is turned off.

Static ARP Settings

Your Cayman Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet MAC addresses. Your Cayman Gateway populates this ARP table dynamically, by retrieving IP address/MAC address pairs only when it needs them. Optionally, you can define static ARP entries to map IP addresses to their corresponding Ethernet MAC addresses. Unlike dynamic ARP table entries, static ARP table entries do not time out. You can configure as many as 16 static ARP table entries for a Cayman Gateway. Use the following commands to add static ARP entries to the Cayman Gateway static
• The Gateway will not respond to your web requests. This inactivity may last for approximately 2 minutes.

Restart the Gateway

The Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to confirm the restart before any action is taken. The Restart Confirmation message explains the consequences of, and reasons for, restarting the Gateway.

[Page 33, Section 4]

Alert Symbol

[Toolbar: Configure, Troubleshoot, Security, Install, Restart, Help; Alert symbol: Save Changes]

The Alert symbol appears in the upper right corner under one of two circumstances:

1. A database change, one in which a change is made to the Gateway's configuration. The Alert serves as a reminder that you must Save the changes and Restart the Gateway before the change will take effect. You can make many changes on various pages, and even leave the browser, for up to 8 minutes, but if the Gateway is restarted before the changes are applied they will be lost. When you click on the Alert symbol, the Save Changes page appears. Here you can select various options to save or discard these changes.

[Save Changes page, reached from Home > Configure > Save Changes]
Changes have been made to the Gateway database. You must save the changes and restart the Gateway in order for the changes to take effect.
  Save Database: Save. Apply changes made to the database.
  Save and Restart: Apply changes and restart Gateway.
  Ch
in which data bits are transmitted sequentially over a communication channel.

SHA-1: An implementation of the U.S. Government Secure Hash Algorithm; a 160-bit authentication algorithm.

SLIP: Serial Line Internet Protocol. Predecessor to PPP that allows communication over serial point-to-point connections running TCP/IP. Defined in RFC 1055.

Soft MBytes: Setting the Soft MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft MByte value. The value can be configured between 7 and 7,000,000 MB and refers to data traffic passed. If this value is not achieved, the Hard MBytes parameter is enforced.

Soft Seconds: Setting the Soft Seconds parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft Seconds value. The value can be configured between 60 and 1,000,000 seconds.

SPI: The Security Parameter Index is an identifier for the encryption and authentication algorithm and key. The SPI indicates to the remote firewall the algorithm and key being used to encrypt and authenticate a packet. It should be a unique number greater than 255.

STATEFUL: The Cayman Gateway monitors and maintains the state of any network transaction. In terms of network request and reply, state consists of the source IP address, destination IP address, communication ports, and data sequence. The Cayman Gateway processes the stream of a network conversation, rather than just individual packets. It verifies that packets are sent from and
istration services: the internal Web (HTTP) Port (TCP 80) and the internal Telnet Server Port (TCP 23).

Internal Servers

Related to the pinhole configuration rules is an internal port forwarding facility that enables you to:
• Direct traffic to specific hosts/computers on the LAN side of the Gateway.
• Eliminate conflicts with embedded administrative ports 80 and 23.

[Page 20, Section 3: General]

Pinholes

This feature allows you to:
• Transparently route selected types of network traffic using the port forwarding facility. FTP requests or HTTP (Web) connections are directed to a specific host on your LAN.
• Set up multiple pinhole paths. Up to 32 paths are supported.
• Identify the type(s) of traffic you want to redirect by port number. Common TCP/IP protocols and ports are: FTP (TCP 21), telnet (TCP 23), SMTP (TCP 25), HTTP (TCP 80), SNMP (TCP 161, UDP 161).

See page 47 for How To instructions.

Default Server

This feature allows you to:
• Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN.
• Enable it for certain situations:
  - Where you cannot anticipate what port number or packet protocol an inbound application might use. For example, some network games select arbitrary port numbers when a connection is opened.
  - When you want all unsolicited traffic to go to a specific LAN host.

Default Server is not available for traffic inbound v
Link: Pinholes
Response: To create a new pinhole entry, press the Add button. No pinhole entries have been defined. [Add]

Pinholes allow you to transparently route selected types of network traffic, such as FTP requests or HTTP (Web) connections, to a specific host behind the Gateway. Creating a pinhole allows access traffic originating from a remote connection (WAN) to be sent to the internal computer (LAN) that is specified in the Pinhole page. Contact your Network Administrator for LAN security questions.

Pinholes are common for applications like multiplayer online games. Refer to software manufacturer application documentation for specific traffic types and port numbers.

[Page 46, Section 4: Configure]

Configure Specific Pinholes

Planning for Your Pinholes

Determine if any of the service applications that you want to provide on your LAN stations utilize TCP or UDP protocols. If an application does, then you must configure an Internal Server to implement port forwarding. This is accessed from the Advanced > Internal Servers page.

Example: A LAN Requiring Three Pinholes

The procedure on the following pages describes how you set up your NAT-enabled Cayman Gateway to support three separate applications. This requires passing three kinds of specific IP traffic through to your LAN.

Application 1: You have a Web server located on your LAN behind your Cayman Gateway and would like users on the Internet to have
keys in the IPSec protocol architecture. SafeHarbour supports the standard Internet Key Exchange (IKE).

Peer External IP Address: The Peer External IP Address is the public or routable IP address of the remote gateway or VPN server you are establishing the tunnel with.

Peer Internal IP Network: The Peer Internal IP Network is the private or Local Area Network (LAN) address of the remote gateway or VPN Server you are communicating with.

[Page 74, Section 4: Configure]

Peer Internal IP Netmask: The Peer Internal IP Netmask is the subnet mask of the Peer Internal IP Network.

Parameters described on this page: PFS, DH Group, Pre-Shared Key, Pre-Shared Key Type, Name, Negotiation Method, SA Encrypt Type, SA Hash Type, Soft MBytes, Soft Seconds.

PFS / DH Group: Perfect Forward Secrecy (PFS) is used during SA renegotiation. When PFS is selected, a Diffie-Hellman key exchange is required. SafeHarbour supports PFS DH Groups 1, 2, and 5.

Pre-Shared Key: The Pre-Shared Key is a parameter used for authenticating each side. The value can be ASCII or Hex and a maximum of 64 characters. ASCII is case-sensitive.

Pre-Shared Key Type: The Pre-Shared Key Type classifies the Pre-Shared Key. SafeHarbour supports ASCII or HEX types.

Name: The Name parameter refers to the name of the configured tunnel. This is mainly used as an identifier for the administrator. The Name parameter is an ASCII value and is limited to 31 characters. The tunnel name is the only IPSec parameter that does not need to match the peer gateway.

Negotiation Method: This parameter refers
observed quality of the link between peers. Documented in RFC 1333.

loopback test: Diagnostic procedure in which data is sent from a device's output channel and directed back to its input channel, so that what was sent can be compared to what was received.

[Page 152, Appendix B]

Terms defined on this page: magic number, MD5, metric, modem, MRU, MTU, MULTI-LAYER, NAK, Name, NCP, Negotiation Method, null modem, packet, PAP, parity, Peer External IP Address.

magic number: Random number generated by a router and included in packets it sends to other routers. If the router receives a packet with the same magic number it is using, the router sends and receives packets with new random numbers to determine if it is talking to itself.

MD5: A 128-bit message digest authentication algorithm used to create digital signatures. It computes a secure, irreversible, cryptographically strong hash value for a document. Less secure than variant SHA-1.

metric: Distance, measured in the number of routers a packet must traverse, that a packet must travel to go from a router to a remote network. A route with a low metric is considered more efficient, and therefore preferable, to a route with a high metric. See hop count.

modem: Modulator/demodulator. Device used to convert a digital signal to an analog signal for transmission over standard telephone lines. A modem at the other end of the connection converts the analog signal back to a digital signal.

MRU: Maximum Receive Unit. The maximum packet size, in bytes, that a netwo
remote routers. By default, address mapping is turned on.

set ip ip-ppp [vccn] vj-compression { on | off }
Specifies whether you want to negotiate Van Jacobson header compression for asynchronous PPP links. By default, TCP/IP header compression is turned on. When Van Jacobson header compression is turned on, your Cayman Gateway allocates memory for 16 slots (headers) by default. The number of slots may be reduced during link configuration if the remote peer can only support a lower number.

set ip ip-ppp [vccn] ipcp-subnet { on | off }
Specifies whether you want your Cayman Gateway to negotiate allocation of an IP subnet rather than a single IP address from a remote access server. You should only enable this feature if you are told to do so by your Internet Service Provider.

set ip ip-ppp [vccn] rip-send { off | v1 | v2 | v1-compat }
Specifies whether the 3220-H unit should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to routers on the other side of the PPP link. An extension of the original Routing Information Protocol (RIP-1), RIP Version 2 (RIP-2) expands the amount of useful information in the packets. While RIP-1 and RIP-2 share the same basic algorithms, RIP-2 supports several new features,

[Page 130, Appendix A: CONFIG Commands]

for example, inclusion of subnet masks in RIP packets and implementation of multicasting instead of broadcasting. This last feature reduces the load on hosts which
restart:
• All users will be disconnected.
• You will be returned to the Home page.
• The Gateway will not respond to your web requests. This inactivity may last for approximately 2 minutes.

Step 6: Click the Restart the Gateway link to confirm.

To check your installed features:

Step 1: Click the Install toolbar button.
Step 2: Click the ... of Features link.

[Page 95, Section 4: Configure]

The System Status page appears with the information from the features link displayed below. You can check that the feature you just installed is enabled.

[System Status page: "Select an option from the table below": All, Status Overview, Features, Memory, Ethernet, Wireless, Interfaces, Routes, ARP, Interfaces, Address Table, Entire Page by Page, Reset, DHCP Client, DHCP Server]

Available features:

Feature                       Mode       Expiration
Security Monitoring           Keyed      None
Virtual Private Networking    Disabled
PPPoE Sessions                Keyed      None
Concurrent WAN Users          Keyed      None
BreakWater Firewall           Disabled
Limit: 8

[Page 96]

Troubleshoot

This section provides some specific procedures and tips for working with important features of Cayman OS 6.3.

Perform Troubleshooting on Gateways

There are three major Troubleshooting capabilities you can access via your Cayman Gateway's web interface. The procedures for using them are discussed here. In the event of
router to a remote network. See metric.

hub: Another name for a repeater. The hub is a critical network element that connects everything to one centralized point. A hub is simply a box with multiple ports for network connections. Each device on the network is attached to the hub via an Ethernet cable.

[Page 151, Appendix B]

Terms defined on this page: IKE, INSPECTION, interface, internet address, IPCP, IPSEC, ISAKMP, ISDN, Key Management, LCP, LQM (Link Quality Monitoring), loopback test.

IKE: Internet Key Exchange protocol provides automated key management, and is a preferred alternative to manual key management as it provides better security. Manual key management is practical in a small, static environment of two or three sites. Exchanging the key is done through manual means. Because IKE provides automated key exchange, it is good for larger, more dynamic environments.

INSPECTION: The best option for Internet communications security is to have an SMLI firewall constantly inspecting the flow of traffic: determining direction, limiting or eliminating inbound access, and verifying down to the packet level that the network traffic is only what the customer chooses. The Cayman Gateway works like a network super traffic cop, inspecting and filtering out undesired traffic based on your security policy and resulting configuration.

interface: A connection between two devices or networks.

internet address: IP address. A 32-bit address used to route packets on a TCP/IP network. In dotted decimal not
subnet mask associated with the destination network must represent the same network class (A, B, or C) or a lower class (such as a class C subnet mask for a class B network number) to be valid.

set ip static-routes destination-network net_address interface { ip-address | ppp }
Specifies the interface through which the static route is accessible. If using a 3220-H platform, the interface argument options are { ip-address | ppp | vccn }.

set ip static-routes destination-network net_address gateway-address gate_address
Specifies the IP address of the Gateway for the static route. The default Gateway must be located on a network connected to the Cayman Gateway's configured interface.

set ip static-routes destination-network net_address metric integer
Specifies the metric (hop count) for the static route. The default metric is 1. Enter a number from 1 to 15 for the integer argument to indicate the number of routers (actual or best guess) a packet must traverse to reach the remote network. You can enter a metric of 1 to indicate either:
• The remote network is one router away and the static route is the best way to reach it.

[Page 132, Appendix A: CONFIG Commands]

• The remote network is more than one router away, but the static route should not be replaced by a dynamic route, even if the dynamic route is more efficient.

delete ip static-routes destination-network net_address
Deletes a static route. Deleting a static route
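The validity rules stated above for a static route (a netmask no shorter than the destination's classful mask, a metric from 1 to 15, and a gateway on a directly connected network) are easy to get wrong when typing CONFIG commands by hand. The following is an added example, not code from the manual or from Cayman, that checks a proposed route against those rules before it is entered; the function name validate_static_route and the connected_networks list are assumptions made for the demonstration.

```python
import ipaddress

# Added example (not from the Netopia manual): validate a static-route entry
# against the rules the manual states for "set ip static-routes". The names
# here are constructed for illustration and are not Cayman CLI identifiers.

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(first_octet: int) -> str:
    """Classful category (A, B or C) of an IPv4 network number."""
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    raise ValueError("class D/E addresses are not valid static-route destinations")


def validate_static_route(destination: str, netmask: str, gateway: str,
                          metric: int, connected_networks: list) -> dict:
    """Return the normalised route, or raise ValueError describing the defect."""
    dest = ipaddress.IPv4Address(destination)
    # IPv4Network rejects non-contiguous masks such as 255.0.255.0
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
    net_class = address_class(int(dest) >> 24)

    # The mask must be the class default or a longer ("lower class") mask.
    if prefix < CLASSFUL_PREFIX[net_class]:
        raise ValueError(f"mask /{prefix} is shorter than the class {net_class} "
                         f"default /{CLASSFUL_PREFIX[net_class]}")

    network = ipaddress.IPv4Network((dest, prefix), strict=False)
    if int(dest) != int(network.network_address):
        raise ValueError("destination has host bits set; give the network number")

    # Metric is a hop count from 1 to 15.
    if not isinstance(metric, int) or not 1 <= metric <= 15:
        raise ValueError("metric must be an integer from 1 to 15")

    # The next-hop gateway must sit on a network the Gateway is connected to.
    gw = ipaddress.IPv4Address(gateway)
    if not any(gw in ipaddress.IPv4Network(n) for n in connected_networks):
        raise ValueError("gateway is not on a directly connected network")

    return {"destination": str(network), "gateway": str(gw),
            "metric": metric, "class": net_class}


if __name__ == "__main__":
    # Constructed sample: a class B number with a class C mask is allowed.
    print(validate_static_route("172.16.5.0", "255.255.255.0", "192.168.1.254",
                                3, ["192.168.1.0/24"]))
```

A metric of 1 on a route that is really several hops away is accepted here, as the manual says it should be; the check only enforces the range and the addressing rules, not the operator's intent.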
[Security page links]
Passwords: Set the Admin or User passwords that control access to the Gateway.
Firewall: Provides access to firewall settings if the firewall feature has been purchased.
IPSec: Provides access to configuration parameters for IPSec functionality.
Security Log: Provides specific information about security-related events.

The Security features are available by clicking on the Security toolbar button. Some items of this category do not appear when you log on as User.

Link: Passwords

Access to your Gateway is controlled through two user accounts, Admin and User. When you first power up your Gateway, you create a password for the Admin account. The User account does not exist by default. As the Admin, a password for the User account can be entered or existing passwords changed.

[Page 66, Section 4: Configure]

Create and Change Passwords

You can establish different levels of access security to protect your Cayman Gateway settings from unauthorized display or modification.
• Admin-level privileges let you display and modify all settings in the Cayman Gateway (Read/Write mode). The Admin-level password is created when you first access your Gateway.
• User-level privileges let you display, but not change, settings of the Cayman Gateway (Read Only mode).

To prevent anyone from observing the password you enter, characters in the old and new password fields are not displayed as you type them.

To display the Passwords window, click the Security toolbar button on the Home page.
[Traceroute output continues: hops 17 through 20, with round-trip times between 100 and 200 ms; the final hop (20) is shown as 192.150.0.14 at about 100 ms.]

Result: It took 20 hops to get to the grosso.com web site.

Step 5: To use the NSLookup capability, type an address (domain name or IP address) in the text box and click the NSLookup button.

Example: Show the IP Address for grosso.com.

[NSLookup output]
Server:  ...cayman.com
Address: 133.137.137.8
Name:    www.grosso.com
Address: 192.130.14.120

Result: The DNS Server doing the lookup is displayed in the Server and Address fields. If the Name Server can find your entry in its table, it is displayed in the Name and Address fields.

[Page 100]

System Status

System Status provides a group of links that display status and statistics to help you manage your Gateway. Managing the WAN Users is an example of the management tools available.

Manage a Restricted Number of WAN Users

User Status

On the Home page, your WAN User status is prominently displayed in the center area.

[Home page, WAN Status]
IP Address:          143.137.50.203
Default Gateway:     143.137.50.254
Netmask:             255.255.255.0
DHCP Client:         On
DHCP Lease Expires:  00:00:46:14
... 59; RIP 128; Routing Information Protocol (RIP) 128

S
Secondary nameserver 124; Secret 139; Security log 82; Security Monitoring 22; Serial cable 106; Set bncp command 121, 122; Set bridge commands 122; Set dns commands 124; Set ip static-routes commands 132; Set preference more command 141; Set preference verbose command 141; Set servers command 141; Set servers telnet-tcp command 142; Set snmp sysgroup location command 145; Set snmp traps authentication-traps command 145; Set snmp traps ip-traps ip_address command 145; Set system diagnostic-level command 146; Set system name command 145; Set system password command 146; Set trafficshape ethernet option 147; Set trafficshape ethernet rate 147; Set trafficshape option 147; SHELL: Command Shortcuts 107, Commands 107, Prompt 107; SHELL level 117; SHELL mode 107; Show ppp 115; Simple Network Management Protocol (SNMP) 145; SMTP 135; SNMP 135, 145; Source Routing 23; Static IP Addresses 18; Static route 132; Step mode 119; Subnet allocation 130; Subnet Broadcast Amplification 23; Subnet mask 127, 133; System contact (SNMP) 145; System diagnostics 146

T
Telnet 106, 135; Telnet command 116; Telnet traffic 141; Terminal emulator 106; TFTP 135; TFTP server 110; Toolbar 32; TraceRoute 15; Traffic shaping 147, Settings 147; Trap 145; Trivial File Transfer Protocol 110; Truncation 117

U
Universal Coordinated Time (UTC) 82; User name 106; User password 29, 67, 106

V
6 communities with the Cayman Gateway.

set snmp traps authentication-traps { on | off }
Enables or disables SNMP trapping. If SNMP trapping is enabled, your Cayman Gateway sends authentication traps to all SNMP trap destinations. You must enable trap authentication before you set up your trap destinations.

set snmp traps ip-traps ip_address [community community_name]
Identifies the destination for SNMP trap messages. The ip_address argument is the IP address of the host acting as an SNMP console. The optional community community_name identifies the name of the Cayman Gateway community, which is included in the trap message the device sends to the management console. This name, which is not used for authentication, does not have to match a predefined community name.

set snmp sysgroup contact contact_info
Identifies the system contact, such as the name, phone number, beeper number, or email address of the person responsible for the Cayman Gateway. You can enter up to 256 characters for the contact_info argument. You must put the contact_info argument in double quotes if it contains embedded spaces.

set snmp sysgroup location location_info
Identifies the location, such as the building, floor, or room number, of the Cayman Gateway. You can enter up to 256 characters for the location_info argument. You must put the location_info argument in double quotes if it contains embedded spaces.

System Settings

You can configu
[IPMaps diagram: WAN addresses 143.137.50.37 -> 192.168.1.1, 143.137.50.36 -> 192.168.1.2 and 143.137.50.35 -> 192.168.1.3 (Static IP Addresses); a DHCP/PPP-served IP address for Cayman's default NAT/PAT capabilities serving 192.168.1.n; LAN stations with WAN IP traffic forwarded by Cayman's IPMaps (192.168.1.1 to 192.168.1.3); LAN stations with WAN IP traffic forwarded by Cayman's NAT function (192.168.1.n). IPMaps: One-to-One Multiple Address Mapping.]

[Page 54, Section 4: Configure]

Link: Protocol Lifetimes
Response: Each NAT Protocol map entry will time out if there is no traffic of that protocol for the specified number of minutes. For example, UDP entries time out if there is no UDP traffic after 6 (default) minutes.

Link: Default Server
Response: [Enable Default Server checkbox] [NAT Server IP Address: 0.0.0.0] [Submit]

This feature allows you to:
• Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN.
• Enable it for certain situations:
  - Where you cannot anticipate what port number or packet protocol an inbound application might use. For example, some network games select arbitrary port numbers when a connection is opened.
  - When you want all unsolicited traffic to go to a specific LAN host.

[Page 55, Section 4: Configure; Steps 1 through 6]

Configure a Default Server

This feature allo
SA Encryption Type: Refers to the symmetric encryption type. This encryption algorithm will be used to encrypt each data packet. SA Encryption Type values supported include DES, 3DES, CAST, and Blowfish.

SA Hash Type: Refers to the Authentication Hash algorithm used during SA negotiation. Values supported include MD5 and SHA1. N/A will display if NONE is chosen for Auth Protocol.

[Page 154, Appendix B]

Terms defined on this page: Security Association, serial communication, SHA-1, SLIP, Soft MBytes, Soft Seconds, SPI, STATEFUL, static route, subnet mask, synchronous communication.

Security Association: From the IPSEC point of view, an SA is a data structure that describes which transformation is to be applied to a datagram and how. The SA specifies:
• The authentication algorithm for AH and ESP
• The encryption algorithm for ESP
• The encryption and authentication keys
• Lifetime of encryption keys
• The lifetime of the SA
• Replay prevention sequence number and the replay bit table
An arbitrary 32-bit number called a Security Parameters Index (SPI), as well as the destination host's address and the IPSEC protocol identifier, identify each SA. An SPI is assigned to an SA when the SA is negotiated. The SA can be referred to by using an SPI in AH and ESP transformations. SA is unidirectional. SAs are commonly set up as bundles because typically two SAs are required for communications. SA management is always done on bundles (setup, delete, relay).

serial communication: Method of data transmission
[NAT Default Server diagram: Port 80 (default) -> 192.168.1.1]

NAT Combination Application

Cayman's NAT security feature allows you to configure a sophisticated LAN layout that uses both the Pinhole and Default Server capabilities. With this topology, you configure the embedded administration ports as a first task, followed by the Pinholes, and finally the NAT Default Server.

When using both NAT pinholes and NAT Default Server, the Gateway works with the following rules, in sequence, to forward traffic from the Internet to the LAN:
1. If the packet is a response to an existing connection created by outbound traffic from a LAN PC, forward to that station.
2. If not, check for a match with a pinhole configuration and, if one is found, forward the packet according to the pinhole rule.
3. If there's no pinhole, the packet is forwarded to the Default Server.

[Page 57, Section 4: Configure]

If your service provider hosts a Domain Name Server, you may enter the domain name and IP address associated with the server here. The Primary DNS Server Address must be 0.0.0.0 if your network provides DNS information via DHCP.

[DNS page: Domain Name; Primary DNS Server Address 0.0.0.0; Secondary DNS Server Address 0.0.0.0; Submit]

Description: The Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your Gateway is configured to use DHCP to obtain its WAN IP ad
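The three forwarding rules above, together with the pinhole planning table and the tip that the embedded Web port must be re-assigned before a TCP 80 pinhole is entered, describe a small decision procedure. The following is an added example, not code from the manual or from Cayman, that models that procedure so the ordering (connection tracking first, then pinholes, then Default Server) can be exercised on sample packets. The LAN addresses, pinhole names and the TCP 80/25 ports are the manual's; the class NatGateway, the games UDP port 27015, the re-assigned admin port 8080, the WAN IP 143.137.50.203 (taken from the manual's WAN status example) and the remote addresses are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Added example, not code from the Netopia manual: a model of the manual's
# three NAT forwarding rules (existing outbound connection -> pinhole ->
# Default Server). Class and method names are constructed for illustration.

# Embedded admin services a pinhole must not shadow (HTTP TCP 80, Telnet TCP 23).
EMBEDDED_ADMIN_PORTS = {("TCP", 80), ("TCP", 23)}


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatGateway:
    wan_ip: str
    admin_ports: Set[Tuple[str, int]] = field(default_factory=lambda: set(EMBEDDED_ADMIN_PORTS))
    # (proto, WAN port) -> (pinhole name, LAN host)
    pinholes: Dict[Tuple[str, int], Tuple[str, str]] = field(default_factory=dict)
    default_server: str = "0.0.0.0"   # 0.0.0.0 means no Default Server is enabled
    # flows opened from the LAN: (proto, remote ip, remote port, WAN port) -> (LAN ip, LAN port)
    conntrack: Dict[Tuple[str, str, int, int], Tuple[str, int]] = field(default_factory=dict)

    def move_admin_port(self, proto: str, old: int, new: int) -> None:
        """Re-assign an embedded admin service (the manual's first task)."""
        self.admin_ports.discard((proto, old))
        self.admin_ports.add((proto, new))

    def add_pinhole(self, name: str, proto: str, port: int, lan_ip: str) -> None:
        """Refuse a pinhole that still collides with an embedded admin port."""
        if (proto, port) in self.admin_ports:
            raise ValueError(f"{proto} {port} is still used by the Gateway's own admin service")
        self.pinholes[(proto, port)] = (name, lan_ip)   # a duplicate name silently overwrites, as the manual warns

    def outbound(self, lan_ip: str, lan_port: int, proto: str,
                 remote_ip: str, remote_port: int, wan_port: int) -> None:
        """Record a LAN-initiated flow (PAT maps the LAN socket to a WAN port)."""
        self.conntrack[(proto, remote_ip, remote_port, wan_port)] = (lan_ip, lan_port)

    def forward(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Apply the manual's rules in order; None means the packet is dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        # Rule 1: reply to an existing connection opened from the LAN
        flow = self.conntrack.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if flow is not None:
            return flow
        # Rule 2: pinhole match on protocol and destination port
        hole = self.pinholes.get((pkt.proto, pkt.dst_port))
        if hole is not None:
            return (hole[1], pkt.dst_port)
        # Rule 3: Default Server, when one is enabled
        if self.default_server != "0.0.0.0":
            return (self.default_server, pkt.dst_port)
        # Nothing matched: unsolicited traffic stays blocked by NAT
        return None


def build_example_gateway() -> NatGateway:
    """The manual's sample LAN: web, mail and games pinholes behind one WAN IP."""
    gw = NatGateway(wan_ip="143.137.50.203")
    gw.move_admin_port("TCP", 80, 8080)   # free TCP 80 before entering the web pinhole
    gw.add_pinhole("my-webserver", "TCP", 80, "192.168.1.1")
    gw.add_pinhole("my-mailserver", "TCP", 25, "192.168.1.2")
    gw.add_pinhole("my-games", "UDP", 27015, "192.168.1.3")   # UDP port is constructed
    return gw


if __name__ == "__main__":
    gw = build_example_gateway()
    print(gw.forward(Packet("TCP", "198.51.100.7", 40000, gw.wan_ip, 80)))
```

Leaving the Default Server at 0.0.0.0 is what makes unmatched inbound traffic drop; once a Default Server is set, every port that has no pinhole reaches that host, which is why the manual recommends it only for hosts that are meant to receive all unsolicited traffic.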
Block ... ........ 54
Configure a Default Server ........ 56
Typical Network Diagram ........ 57
NAT Combination Application ........ 57
Security ........ 66
Create and Change Passwords ........ 67
Use a Cayman Firewall ........ 69
BreakWater Basic Firewall ........ 69
Configure a SafeHarbour VPN ........ 73
VPN IPSec Tunnel at the Gateway ........ 73
Parameter Description and Setup ........ 74
IPSec Tunnel Parameter Setup Worksheet ........ 76
SafeHarbour Tunnel Setup ........ 77
Using the Security Monitoring Log ........ 80
Install ........ 83
Install Software ........ 84
Updating Your Gateway to COS Version 6.3 ........ 84
[unreadable] ........ 93
Use Cayman Software Feature Keys ........ 93
Troubleshoot ........ 97
Perform Troubleshooting on Gateways ........ 97
System Status ........ 101
Manage a Restricted Number of WAN Users ........ 101
User Status ........ 101
Disconnect Current WAN Users ........ 102
Exceeding the
Cayman Gateway has been running since it was last restarted. Identical to the status command.

show wan-users [all]
Without the all parameter, displays the number of concurrent WAN Users and the total number allowed. With the all parameter specified, displays information about each connected WAN User, including its IP address and idle time before automatic disconnect. This function is only available if the number of WAN Users is restricted and NAT is on.

show wireless
Displays status and statistics information for the wireless interface on the Gateway.

start ppp
Opens a PPP link, typically PPP over Ethernet.

[Page 115, Appendix A: SHELL Commands]

start ppp vccn
Opens a PPP link on the specified virtual circuit. (DSL)

status
Displays the current status of a Cayman Gateway: the device's hardware and software revision levels, a summary of errors encountered, and the length of time the Cayman Gateway has been running since it was last restarted. Identical to the show status command.

telnet { hostname | ip_address } [port]
Lets you open a telnet connection to the specified host through your Cayman Gateway.
• The hostname argument is the name of the device to which you want to connect, for example telnet ftp.cayman.com.
• The ip_address argument is the IP address, in dotted decimal notation, of the device to which you want to connect.
• The port argument is the number of the port over which you want to open
49. ... prompt. The Coconut (top)>> prompt reminds you that you are at the top of the CONFIG hierarchy. If you move to the ip node in the CONFIG hierarchy by typing ip at the CONFIG prompt, the prompt changes to Coconut (ip)>> to identify your current location.

Some CLI commands are not available until certain conditions are met. For example, you must enable IP for an interface before you can enter IP settings for that interface.

Navigating the CONFIG Hierarchy

• Moving from CONFIG to SHELL. You can navigate from anywhere in the CONFIG hierarchy back to the SHELL level by entering quit at the CONFIG prompt and pressing RETURN.

    Dogzilla (top)>> quit
    Dogzilla >

• Moving from top to a subnode. You can navigate from the top node to a subnode by entering the node name (or the significant letters of the node name) at the CONFIG prompt and pressing RETURN. For example, you move to the IP subnode by entering ip and pressing RETURN.

    Dogzilla (top)>> ip
    Dogzilla (ip)>>

  As a shortcut, you can enter the significant letters of the node name in place of the full node name at the CONFIG prompt. The significant characters of a node name are the letters that uniquely identify the node. For example, since no other CONFIG node starts with the letter i, you could enter the one letter i to move to the IP node.

• Jumping down several nodes at once. You can jump down several levels in the CO...
50. ...LL mode  107
FTP  135
View command  119, 158

H
Hardware address  122
hijacking  155
Home page  30
  User mode  30
Home window  29
Hop count  132
How To
  Configure a SafeHarbour VPN  73
  Configure Multiple Static IP Addresses  73
HTTP traffic  141

I
ICMP Echo  111
Illegal Packet Size (Ping of Death)  23
Install  83
IP address  125, 126, 133
  Default  29
IP interfaces  114
IP routes  114
IP Source Address Spoofing  23
IPCP subnet allocation  130

K
Keywords, CLI  118

L
LCP echo request  137
Lease  113
Link
  Help  35
  Install Software  83
  Pinhole  52
  Quickstart  37, 43, 44
  SNMP  60
Local Area Network  16
Location, SNMP  145
Log  114
Logging in  106

M
MAC Address Spoofing  25
Magic number  137
Maintenance console port  106
Memory  115
Metric  132

N
Nameserver  124
NAT  19, 130, 134, 135
  Traffic rules  57
NAT Default Server  21
Negotiation, IP subnet  130
Netmask  127, 133
Network Address Translation  19
Network Test Tools  15
NSLookup  15

P
PAP  17, 139
Password  67
  Administrator  29, 67, 106
  User  29, 67, 106
Password Authentication Protocol  139
Ping  15
Ping command  111
Pinholes  21, 135
  Planning  47
Port authentication  138
Port forwarding  20
Port renumbering  141
Port Scan  24
Port, Maintenance console  106
PPP  115
PPPoE  17
Primary nameserver  124
Prompt, CLI  107, 117
Protocol compression  137
Proxy ARP  134
Proxy ARP  128

R
Relay agent  113
Restart  113
Restart Cayman 2E  35
Restart command  108
Restart timer  138
Restrictions  130, 1...
51. ... send ICMP echo request
quit  Quit this shell
reset  Reset subsystems
restart  Restart the Gateway
show  Display specific system information
start  Start subsystem
status  Display basic status of Gateway
telnet  Telnet to a remote host
traceroute  Send traceroute probes
upload  Upload config file
who  Show who is using the shell
wireless  Execute wireless TEACH or LEARN

Appendix A  Overview

CONFIG Commands

Command  Status and/or Description

Verbs
set  Set configuration data
define  Define environment data
delete  Delete configuration list data
view  View configuration data
script  Print configuration data
help  Help command option
save  Save configuration data

Keywords
system  Gateway's system options
pppoe  PPP over Ethernet options
trafficshape  Traffic shaping options
dmt  DMT ADSL options (DSL only)
atm  ATM options (DSL only)
bncp  Bridge CP options (DSL only)
ip  TCP/IP protocol options
ip-maps  IPMaps options
dhcp  Dynamic Host Configuration Protocol options
nat-default  Network Address Translation default options
dns  Domain Name System options
bridge  Bridge options
snmp  Simple Network Management Protocol options
ppp  Point-to-Point Protocol options
pinhole  Pinhole options
security  Security options
servers  Internal Server options
ethernet MAC override  Override the ethernet MAC address (2E only)
validate  Validate configuration settings
preference  Shell environment settings

Command Utilities
top  Go to top level of configuration mode
quit  E...
52. ...CONFIG hierarchy by entering the complete path to a node.

• Moving up one node. You can move up through the CONFIG hierarchy one node at a time by entering the up command.

• Jumping to the top node. You can jump to the top level from anywhere in the CONFIG hierarchy by entering the top command.

Appendix A  About CONFIG Commands

• Moving from one subnode to another. You can move from one subnode to another by entering a partial path that identifies how far back to climb.

• Moving from any subnode to any other subnode. You can move from any subnode to any other subnode by entering a partial path that starts with a top-level CONFIG command.

• Scrolling backward and forward through recent commands. You can use the Up and Down arrow keys to scroll backward and forward through recent commands you have entered. When the command you want appears, press Enter to execute it.

Entering Commands in CONFIG Mode

CONFIG commands consist of keywords and arguments. Keywords in a CONFIG command specify the action you want to take or the entity on which you want to act. Arguments in a CONFIG command specify the values appropriate to your site. For example, the CONFIG command

    set ip ethernet address ip_address

consists of three keywords (ip, ethernet and address) and one argument (ip_address). When you use the command to configure your Gateway, you would replace the argument with a value appropriate to your site. For example: ...
53. ... IPMaps is used for applications such as Web, email and FTP servers.
• See How To Configure for IPMaps on page 52 for more information.

Section 3  General

Security

Password Protection
Access to your Cayman device is controlled through two access control accounts, Admin and User.
• The Admin (administrative) user performs all configuration, management or maintenance operations on the Gateway.
• The User account provides monitor capability only. A user may NOT change the configuration, perform upgrades or invoke maintenance functions.
For the security of your connection, an Admin password must be set on the Cayman unit.

Network Address Translation (NAT)
The Cayman Gateway Network Address Translation (NAT) security feature lets you conceal the topology of a hard-wired Ethernet or wireless network connected to its LAN interface from routers on networks connected to its WAN interface. In other words, the end computer stations on your LAN are invisible from the Internet. Only a single WAN IP address is required to provide this security support for your entire LAN. Pinholes, IPMaps and the Default Server described elsewhere in this manual deliberately expose selected LAN hosts, so this concealment applies only to hosts that are not mapped through them.

LAN sites that communicate through an Internet Service Provider typically enable NAT, since they usually purchase only one IP address from the ISP.
• When NAT is ON, the Cayman Gateway proxies for the end computer stations on your network by pretending to be the originating host for network communications from non-originating networks. The WAN interface ...
54. ... ppp peer database peer_name hostname pap password password
Specifies the password associated with a PPP peer. The password argument is 1-64 alphanumeric characters. The password you enter for that peer must match the password that will be returned by the PPP peer when it is being authenticated.

Appendix A  CONFIG Commands

Command Line Interface Preference Settings
You can set command line interface preferences to customize your environment.

set preference verbose { on | off }
set define verbose { on | off }
Specifies whether you want command help and prompting information displayed. By default, the command line interface verbose preference is turned off. If you turn it on, the command line interface displays help for a node when you navigate to that node.

set preference more lines
set define more lines
Specifies how many lines of information you want the command line interface to display at one time. The lines argument specifies the number of lines you want to see at one time. By default, the command line interface shows you 16 lines of text before displaying the prompt "More ... [y|n]?". If you enter 0 for the lines argument, the command line interface displays information as an uninterrupted stream, which is useful for capturing information to a text file.

Port Renumbering Settings
If you use NAT pinholes to forward HTTP or telnet traffic through your Cayman Gateway to an internal host, you must change the p...
55. ...  19
Cayman Advanced Features for NAT  20
Port forwarding  20
Pinholes  21
Default Server  21
Combination NAT Bypass Configuration  22
Security Monitor  22
Event Details  23
IP Source Address Spoofing  23
Source Route  23
Subnet Broadcast Amplification  23
Illegal Packet Size (Ping of Death)  23
Port Scan  24
Excessive Pings  24
Login Failures  25
MAC Address Spoofing  25
BreakWater Basic Firewall  26
BreakWater Settings  26
ClearSailing  26
SilentRunning  26
LANdLocked  26
VPN  27
SafeHarbour VPN IPSec Tunnel  28
Web-based User Interface  29

Section 4
Access ...
56. ...
    set ip ethernet address 192.31.222.57

Guidelines: CONFIG Commands
The following table provides guidelines for entering and formatting CONFIG commands.

Command component  Rules for entering CONFIG commands

Command verbs  CONFIG commands must start with a command verb (set, view, delete). You can truncate CONFIG verbs to three characters (set, vie, del). CONFIG verbs are case-insensitive: you can enter SET, Set or set.

Keywords  Keywords are case-insensitive. You can enter Ethernet, ETHERNET or ethernet as a keyword without changing its meaning. Keywords can be abbreviated to the length at which they are differentiated from other keywords.

Argument text  Text strings can be as many as 64 characters long unless otherwise specified. Special characters are represented using backslash notation. Text strings may be enclosed in double or single quote marks. If the text string includes an embedded space, it must be enclosed in quotes.

Numbers  Enter numbers as integers.

IP addresses  Enter IP addresses in dotted decimal notation (each octet 0 to 255).

If a command is ambiguous or miskeyed, the CLI prompts you to enter additional information. For example, you must specify which virtual circuit you are configuring when you ...
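The navigation shortcuts (significant letters of a node name) and the guidelines table above both describe the same small grammar: verbs truncated to three characters, keywords abbreviated to a unique prefix, case-insensitive matching, 64-character text arguments that may be quoted or backslash-escaped, and dotted-decimal addresses. The following Python is an added example that models those rules; it is not the gateway's CLI code. The verb and keyword lists are taken from the CONFIG command tables in this appendix, and the hyphenated spellings ip-maps and nat-default are an assumption about how the two-word entries are typed. Note that with the full keyword table loaded, a single letter i is a prefix of both ip and ip-maps, so the resolver asks for more letters; the manual's one-letter shortcut relies on no other node on that gateway beginning with i.

```python
"""Added example: a parser for Cayman-style CONFIG command lines (not the
gateway's own code).  Models the rules in the guidelines table: verbs may be
truncated to three characters, keywords abbreviated to a unique prefix, both
case-insensitive; text arguments are limited to 64 characters and may be
quoted or use backslash escapes to carry a space; IP addresses are dotted
decimal with octets 0-255.
"""

VERBS = ("set", "define", "delete", "view", "script", "help", "save")

# Top-level CONFIG keywords from the keyword table.  The spellings "ip-maps"
# and "nat-default" are an assumption about how the two-word entries are typed.
KEYWORDS = ("system", "pppoe", "trafficshape", "dmt", "atm", "bncp", "ip",
            "ip-maps", "dhcp", "nat-default", "dns", "bridge", "snmp", "ppp",
            "pinhole", "security", "servers", "ethernet", "validate",
            "preference")
MAX_TEXT = 64


class ConfigSyntaxError(ValueError):
    """Raised where the real CLI would prompt for more information."""


def tokenize(line):
    """Split on whitespace, honouring "..."/'...' quoting and backslash
    escapes so that a text argument may contain an embedded space."""
    tokens, current, quote, escaped, in_token = [], [], None, False, False
    for ch in line:
        if escaped:                       # backslash notation: keep ch literally
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = in_token = True
        elif quote:                       # inside a quoted string
            if ch == quote:
                quote = None
            else:
                current.append(ch)
        elif ch in "\"'":
            quote = ch
            in_token = True
        elif ch.isspace():
            if in_token:
                tokens.append("".join(current))
                current, in_token = [], False
        else:
            current.append(ch)
            in_token = True
    if quote or escaped:
        raise ConfigSyntaxError("unterminated quote or trailing backslash")
    if in_token:
        tokens.append("".join(current))
    return tokens


def resolve(word, candidates, minimum=1):
    """Expand an abbreviation.  An exact match always wins; otherwise the word
    must be at least `minimum` characters and a prefix of exactly one candidate."""
    w = word.lower()
    if w in candidates:
        return w
    if len(w) < minimum:
        raise ConfigSyntaxError(f"{word!r}: at least {minimum} characters needed")
    hits = [c for c in candidates if c.startswith(w)]
    if len(hits) == 1:
        return hits[0]
    if not hits:
        raise ConfigSyntaxError(f"{word!r}: not a known keyword")
    raise ConfigSyntaxError(f"{word!r} is ambiguous: {', '.join(hits)}")


def is_dotted_decimal(text):
    """True for exactly four ASCII decimal octets, each 0-255."""
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts)


def parse_command(line):
    """Return (verb, top-level keyword or None, remaining tokens) with the verb
    and first keyword expanded.  Subnode keyword tables are not reproduced, so
    everything after the first keyword is returned as typed."""
    tokens = tokenize(line)
    if not tokens:
        raise ConfigSyntaxError("empty command")
    verb = resolve(tokens[0], VERBS, minimum=3)
    if len(tokens) == 1:
        return verb, None, []
    keyword = resolve(tokens[1], KEYWORDS)
    rest = tokens[2:]
    for arg in rest:
        if len(arg) > MAX_TEXT:
            raise ConfigSyntaxError(f"text argument longer than {MAX_TEXT} characters")
    return verb, keyword, rest
```

parse_command("SET ip ethernet address 192.31.222.57") yields the verb set and keyword ip with the rest untouched, while resolve("de", VERBS, minimum=3) is rejected both for being too short and for matching define and delete.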
57. Section 4  Configure

Install Keys

Link: Install Keys
Browse your computer to find the feature key file, or type in the full path and filename. Next, to install the file on your Gateway, click the Install Keys button. After the install has completed, restart your Gateway to enable the new features.

    [Browse]  [Install Keys]

You can obtain advanced product functionality by employing a software Feature Key. Software feature keys are specific to a Gateway's serial number. Once the feature key file is installed and the Gateway is restarted, the new feature's functionality becomes enabled.

Use Cayman Software Feature Keys

Background
Cayman Gateway users obtain advanced product functionality by installing a software feature key. This concept utilizes a specially constructed and distributed file, referred to as a feature key, to enable additional capability within the unit.

Software feature key properties are:
• Specific to a unit's serial number. They will not be accepted on a platform with another serial number.
• Once installed and the Gateway restarted, the new feature's functionality becomes available. This allows full access to configuration, operation, maintenance and administration of the new enhancement.

Software feature keys for COS 6.3 enable these enhancements:
• Security Monitoring Log
• BreakWater Basic Firewall
• BarrierReef A...
58. Software User Guide
Cayman Operating System Version 6.3
netopia
Cayman 3000 series by Netopia
January 2002  v3

Disclaimers
Copyright © 2002 Netopia, Inc. All rights reserved. Printed in the USA.

The information in this document is subject to change without notice. The statements, configurations, technical data and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for the applications of any products specified in this document.

Portions of this software are subject to the Mozilla Public License Version 1.1. Portions created by Netscape are copyright 1994-2000 Netscape Communications Corporation. You may obtain a copy of the license at http://www.mozilla.org/MPL. Software distributed under the License is distributed on an "as is" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License.

Portions of this software copyright 1988-1991 by Carnegie Mellon University. All rights reserved. Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice and this permission notice appear in supporting documentation, and that the name of Carnegie Mellon University not be used in advertising or publicity pertaining to dis...
59. The IP address you assign to the local Ethernet interface must be unique on your network. By default, the Cayman Gateway uses 192.168.1.254 as its LAN IP address.

set ip ethernet { A | B } broadcast broadcast_address
Specifies the broadcast address for the local Ethernet interface. IP hosts use the broadcast address to send messages to every host on your network simultaneously. The broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.0 network would be 192.168.1.255. This rule of thumb holds for a 255.255.255.0 mask; for any other mask the broadcast address is the address with all host bits set to 1.

set ip ethernet { A | B } netmask netmask
Specifies the subnet mask for the local Ethernet interface. The subnet mask specifies which bits of the 32-bit binary IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (Class C subnet mask).

set ip ethernet A restrictions { none | admin-disabled }
Specifies whether an administrator can open a telnet connection to the Cayman Gateway over the Ethernet interface to monitor and configure the unit.

set ip ethernet { A | B } restrictions { none | admin-disabled }
set ip ethernet { A | B } restrictions { none | admin-disabled | admin-only }
Specifies whether an administrator can open a telnet connection to the Cayman Gateway over the Ethernet interface to monitor and configure the unit. Telnet carries the Admin password in the clear, so permit administrative access only on the interface you actually manage from. On the 2E-H's LAN port you can enable or disable administrator access ...
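The broadcast and netmask commands above are easy to get wrong when the LAN is not a plain /24. The following Python is an added example, not the gateway's code, that computes the network, broadcast and host budget for an interface address and netmask, refuses the two addresses that can never be assigned to the interface, shows where the "network number followed by 255" rule of thumb breaks, and checks a candidate address against a constructed list of addresses already in use. It uses only the standard ipaddress module; the list of in-use addresses is made up for the example.

```python
"""Added example (not the gateway's code): plan a LAN interface address.
Generalises the manual's /24 broadcast rule to any netmask and flags the
addresses that must never be assigned to a host or to the gateway.
"""
import ipaddress


def lan_plan(address, netmask):
    """Return network, broadcast, netmask, prefix length and host budget for
    `address`/`netmask`.  Raises ValueError when `address` is the network
    number or the broadcast address, neither of which can be an interface."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    net = iface.network
    if iface.ip == net.network_address:
        raise ValueError(f"{address} is the network number of {net}, not a host")
    if iface.ip == net.broadcast_address:
        raise ValueError(f"{address} is the broadcast address of {net}")
    usable = net.num_addresses - 2          # minus network and broadcast
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "usable_hosts": usable,
        # The gateway itself takes one address; the rest can be leased out,
        # which is where the Home page's "out of 253 leases" figure comes from.
        "dhcp_leases_available": usable - 1,
    }


def rule_of_thumb_broadcast(address, netmask):
    """What the manual's 'network number followed by 255' rule would give.
    Compare with lan_plan()['broadcast'] to see when the rule is wrong."""
    net = ipaddress.IPv4Interface(f"{address}/{netmask}").network
    first_three = str(net.network_address).split(".")[:3]
    return ".".join(first_three + ["255"])


def conflicts(address, in_use):
    """True if `address` is already held by something on the LAN.  `in_use`
    is a constructed list standing in for the DHCP lease table."""
    wanted = ipaddress.IPv4Address(address)
    return any(ipaddress.IPv4Address(a) == wanted for a in in_use)


if __name__ == "__main__":
    print(lan_plan("192.168.1.254", "255.255.255.0"))
    print("/25 broadcast:", lan_plan("192.168.1.100", "255.255.255.128")["broadcast"],
          "rule of thumb says:", rule_of_thumb_broadcast("192.168.1.100", "255.255.255.128"))
```

With the default 192.168.1.254/255.255.255.0 the plan reports 254 usable hosts and 253 leases, matching the Home page; with a 255.255.255.128 mask the real broadcast is 192.168.1.127 while the rule of thumb still says .255.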
60. ... Trivial File Transfer Protocol (TFTP) server, validates the software image and programs the image into the Cayman Gateway memory. After you install new operating software, you must restart the Cayman Gateway.

The TFTP server must be accessible on your Ethernet network. The server_address argument identifies the IP address of the TFTP server on which your Cayman Gateway operating software is stored. The filename argument identifies the path and name of the operating software file on the TFTP server. If you include the optional confirm keyword, you will not be prompted to identify a TFTP server or file name; your Cayman Gateway begins the software installation using its default boot settings.

log message string
Adds the message in the message string argument to the Cayman Gateway diagnostic log.

loglevel [level]
Displays or modifies the types of log messages you want the Cayman Gateway to record. If you enter the loglevel command without the optional level argument, the command line interface displays the current log level setting.

You can enter the loglevel command with the level argument to specify the types of diagnostic messages you want to record. All messages with a level number equal to or greater than the level you specify are recorded. For example, if you specify loglevel 3, the diagnostic log will retain high-level informational messages (level 3), warnings (level 4) and failure messages (level 5). Use the follow...
61. Van Jacobson header compression  130
View command  119
VPN IPSec Pass Through  27

W
Wide Area Network  17

Contact Information
netopia
Cayman 3000 series by Netopia
Netopia, Inc.
2470 Mariner Square Loop
Alameda, CA 94501
Corporate Headquarters: 510-814-5100
Corporate Fax: 510-814-5020
Customer Service / Tech Support: 510-814-5000 ext. 1
Support URL: http://www.netopia.com/support
January 2002
62. ... Netopia, Inc. does not assume any liability that may occur due to the use or application of the product(s) or network configurations described herein.

Netopia, Inc. Part Number 6161103 PF 01

Table of Contents

Disclaimers  2
...  3
Introduction  7

Section 1
About Cayman Documentation  7
Intended Audience  7
Documentation Conventions  8
...  8
Internal Web Interface  8
Command Line Interface  8
Icons  9
...  9
...  10
About Cayman-series Gateways  11

Section 2
Basic Product Structure  11
What's New in Version 6.3  12
New Embedded Web Server  12
Maintenance Enhancements  12
63. ... a problem with your system, your Service Provider may request this information.

Automated Multi-Layer Diagnostics

Step 1  Click the Troubleshoot toolbar button.
Step 2  Click the Diagnostics link.

The descriptions below provide information on the links displayed on the left of the screen.

System Status  Access to a variety of Gateway information, including statistics and the system log.
Network Tools  Specific tools to test connectivity and routes, and to perform a NS lookup.
Diagnostics  Troubleshooting utility to test the Gateway.

Step 3  Click the Run Diagnostics link.

Troubleshoot

    diagnose
    Checking Ethernet LAN Interface
      Check Ethernet LAN connect                    PASS
      Check IP connect to Ethernet LAN              PASS
    Checking DSL WAN Interfaces
      Check DSL Synchronization                     PASS
      Check ATM Cell Delineation                    PASS
      ATM OAM Segment Ping through vcc1             WARNING  Don't worry, your service provider may not support this test
      ATM OAM End-To-End Ping through vcc1          WARNING  Don't worry, your service provider may not support this test
      Check Ethernet connect to AAL5 vcc1           PASS
      Check PPPoE connect to Ethernet vcc1          PASS
      Check PPP connect to PPPoE vcc1               PASS
      Check IP connect to PPP vcc1                  PASS
      Pinging Gateway                               FAIL
    Checking Miscellaneous
      Check DNS Query for cayman.com                PASS
      Ping DNS Server Primary IP Address            PASS
    TEST DONE

Each test generates on...
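The diagnostic report walks up the stack one layer at a time, so the useful question is not "did anything fail" but "what is the lowest layer that failed". The following Python is an added example, not part of the gateway or this manual, that parses a report in that shape and answers it. The sample report is constructed from the test names shown on the page, laid out one test per line with the verdict last; the real page prints the verdict in a separate column, so the layout is an assumption.

```python
"""Added example (not the gateway's code): parse the Run Diagnostics report
and reduce it to an overall verdict, per-verdict counts and the first
failing layer.  SAMPLE_REPORT is constructed for this example.
"""
import re

SAMPLE_REPORT = """\
Checking Ethernet LAN Interface
  Check Ethernet LAN connect                       PASS
  Check IP connect to Ethernet LAN                 PASS
Checking DSL WAN Interfaces
  Check DSL Synchronization                        PASS
  Check ATM Cell Delineation                       PASS
  ATM OAM Segment Ping through vcc1                WARNING  Don't worry, your service provider may not support this test
  ATM OAM End-To-End Ping through vcc1             WARNING  Don't worry, your service provider may not support this test
  Check Ethernet connect to AAL5 vcc1              PASS
  Check PPPoE connect to Ethernet vcc1             PASS
  Check PPP connect to PPPoE vcc1                  PASS
  Check IP connect to PPP vcc1                     PASS
  Pinging Gateway                                  FAIL
Checking Miscellaneous
  Check DNS Query for cayman.com                   PASS
  Ping DNS Server Primary IP Address               PASS
TEST DONE
"""

VERDICTS = ("PASS", "WARNING", "FAIL")

# A test line: name, two or more spaces, verdict, optional note after two
# or more spaces.  Section headers ("Checking ...") and "TEST DONE" do not match.
_TEST_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s{2,}(?P<verdict>PASS|WARNING|FAIL)(?:\s{2,}(?P<note>.*))?\s*$")


def parse_report(text):
    """Return (results, complete).  Each result is a dict with the section the
    test belongs to, its name, verdict and any note; `complete` is True only
    if the TEST DONE marker was seen."""
    results, section, complete = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.strip() == "TEST DONE":
            complete = True
            continue
        m = _TEST_LINE.match(line)
        if m:
            results.append({"section": section, "name": m["name"],
                            "verdict": m["verdict"], "note": m["note"] or ""})
        elif not line.startswith(" "):
            section = line.strip()        # unindented lines are section headers
    return results, complete


def summarize(results):
    """Count results per verdict."""
    counts = {v: 0 for v in VERDICTS}
    for r in results:
        counts[r["verdict"]] += 1
    return counts


def first_failure(results):
    """The report runs from the physical layer upwards, so the first FAIL is
    the lowest broken layer and the one to report to the service provider."""
    for r in results:
        if r["verdict"] == "FAIL":
            return r["name"]
    return None


def overall(results, complete):
    """INCOMPLETE if the run never reached TEST DONE, otherwise the worst
    verdict seen.  WARNINGs alone are not treated as a fault, matching the
    report's own 'Don't worry' wording."""
    if not complete:
        return "INCOMPLETE"
    counts = summarize(results)
    if counts["FAIL"]:
        return "FAIL"
    return "WARNING" if counts["WARNING"] else "PASS"


if __name__ == "__main__":
    res, done = parse_report(SAMPLE_REPORT)
    print(overall(res, done), summarize(res), "first failure:", first_failure(res))
```

On the sample this gives FAIL with ten passes, two warnings and one failure, and names "Pinging Gateway" as the layer to chase: everything below it (DSL sync, ATM, PPPoE, PPP, IP) came up, so the fault is at the IP hop to the provider, not on the line.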
64. ... cable-oriented Service Providers use the System Name as an important identification and support parameter. If your Gateway is part of this type of network, do NOT alter the System Name unless specifically instructed by your Service Provider.

If you need to change either of these fields, use the following procedure.

Change Procedure

Step 1  Enter your selected System Name. You can use the default System Name or select your own. The System Name can be 1-32 characters long.
Step 2  Select the Enable MAC Override checkbox. A new field is displayed.

(Screenshot: Other QuickStart Options, with a System Name field, the Enable MAC Override checkbox, a MAC Address field of six 00 octets and a Submit button.)

Step 3  Enter your 12-character Ethernet MAC override address as instructed by your service provider, for example 12 34 AB CD 19 64.
Step 4  Click Submit. This turns on the Alert button in the top right corner of the page.
Step 5  Click the Alert button to go to the page to save your changes.
Step 6  Click on the Save and Restart link.

You will be returned to the Home page. A warning is displayed on this page while the Gateway restarts:

    WARNING: The gateway is restarting and may be unresponsive for the next minute. Please wait if this message does not disappear automatically after a minute.
65. ... contains a summary of the Gateway's configuration settings and operational status.

Summary Information

Field  Status and/or Description

General Information
Hardware  Model number and summary specification.
Serial Number  Unique serial number, located on the label attached to the bottom of the unit.
Software Version  Release and build number of the running Cayman Operating System.
Product ID  Refers to the internal circuit board series; useful in determining which software upgrade applies to your hardware type.
BreakWater Firewall (optional, keyed)  Indicates which BreakWater Basic Firewall protection level is enabled: ClearSailing, SilentRunning or LANdLocked.

WAN
Status  Wide Area Network is either Up or Down.
IP Address  IP address assigned to the WAN port.
Default Gateway  IP address of the host to which your Gateway sends network traffic when it can't find the destination host.
DHCP Client  Default setting; lets a WAN host configure the IP address and other network settings for the WAN interface of your Cayman Gateway.
NAT  On or Off. ON if using Network Address Translation to share the IP address across many LAN users.
Netmask  Defines the IP subnet for the WAN.
DHCP Lease Expires  Displays the amount of time remaining on the current lease.
WAN Users  Displays the number of users allotted and the total number available for use.

LAN
IP Address  Internal IP address of the Cayman Gateway.
Netmask  Defines the IP subnet for the LAN. Default is 255.255.255.0 for a Class C device.
DHCP Server  On or Off. ON if us...
66. Maintenance Enhancements
The maintenance enhancements are:

Computer Names  In addition to the IP address, the computer name is now listed in the DHCP lease table and the WAN users table. This allows users to more easily identify the computers in these tables. The computer name is only known if the computer uses DHCP to get its IP address.

Updater  This application, Updater Version 1.1, prepares the Gateway for installation of COS 6.3. Updater V1.1 is required for users running COS 5.6.2 or lower. For complete details see page 84 of this document.

802.11b Wireless Update  Improved software to support 802.11b wireless base stations' response to client requests made after an extended period of LAN inactivity.

NIST UTC Reference Signal  Cayman Gateways acquire the Universal Coordinated Time reference signal from the National Institute of Standards and Technology. This provides date and time information for log entries.

Section 2  Capabilities Roadmap for COS 6.3

Cayman Gateways support a wide array of features and functionality. This roadmap points you to overview discussions and How To procedures.

Capabilities Roadmap: Cayman Gateways with COS 6.3
Feature  New for COS 6.3  Outline (page)  Details (page)

General
Software Feature Keys  Yes  14  93
Management
Embedded Web Server  Changed  15  29
Diagnostics  -  15  99
LAN
DHCP Server  -  16  59
DHCP Relay agent  -  16  59
DNS ...
67. ... local network. As a bridge for protocols other than TCP/IP, your Gateway keeps track of as many as 255 MAC (Media Access Control) addresses, each of which uniquely identifies an individual host on a network. Your Gateway uses this bridging table to identify which hosts are accessible through which of its network interfaces. The bridging table contains the MAC address of each packet it sees, along with the interface over which it received the packet. Over time, the Gateway learns which hosts are available through its WAN port, its LAN port and/or its wireless interface.

(Screenshot: System Name field, Log Message Level set to High, Submit button.)

The System Name defaults to your Gateway's factory identifier combined with its serial number. Some cable-oriented Service Providers use the System Name as an important identification and support parameter. If your Gateway is part of this type of network, do NOT alter the System Name unless specifically instructed by your Service Provider. The System Name can be 1-63 characters long; it can include embedded spaces and special characters.

The Log Message Level alters the severity at which messages are collected in the Gateway's system log. Do not alter this field unless instructed by your Support representative.

Link: Internal Servers
Enter a value from 1 to 65534.
Web (HTTP) Server Port  80
Tel...
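The bridging table described above is a learning table: every frame teaches the bridge which interface a source MAC lives behind, and that knowledge then decides where frames for that MAC are sent. The following Python is an added example of such a table, not the gateway's own implementation. The interface names, the 255-entry cap and the frames in the test are constructed for the example; what the gateway does when a 256th host appears is not stated in the manual, so evicting the least-recently-seen entry is this example's assumption.

```python
"""Added example (not the gateway's code): a learning bridge table bounded
to 255 MAC addresses, with the forwarding decision that follows from it.
"""
from collections import OrderedDict


class BridgeTable:
    def __init__(self, interfaces=("lan", "wan", "wireless"), capacity=255):
        self.interfaces = tuple(interfaces)
        self.capacity = capacity
        self.table = OrderedDict()       # mac -> interface, least recently seen first

    def learn(self, src_mac, interface):
        """Record (or refresh) where src_mac was last heard.  Returns True if
        the MAC was previously known on a different interface, which is the
        kind of move a MAC-spoofing monitor would want to see."""
        mac = src_mac.lower()
        if mac in self.table:
            moved = self.table[mac] != interface
            self.table.move_to_end(mac)
        else:
            moved = False
            if len(self.table) >= self.capacity:
                # Assumption: evict the least recently seen entry when full.
                self.table.popitem(last=False)
        self.table[mac] = interface
        return moved

    def forward(self, src_mac, dst_mac, ingress):
        """Learn from the frame, then return the set of interfaces it goes out
        on: one learned interface, all other interfaces (flood) for unknown,
        broadcast or multicast destinations, or none if the destination is on
        the interface the frame arrived on."""
        if ingress not in self.interfaces:
            raise ValueError(f"unknown interface {ingress!r}")
        self.learn(src_mac, ingress)
        dst = dst_mac.lower()
        others = {i for i in self.interfaces if i != ingress}
        group_bit = int(dst[:2], 16) & 1    # set for broadcast and multicast
        if group_bit or dst not in self.table:
            return others
        egress = self.table[dst]
        return set() if egress == ingress else {egress}


if __name__ == "__main__":
    b = BridgeTable()
    print(b.forward("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "lan"))   # flood
    print(b.forward("66:77:88:99:aa:bb", "00:11:22:33:44:55", "wan"))   # {'lan'}
```

The first broadcast from a LAN host is flooded to the WAN and wireless sides; once the WAN peer has replied, traffic between the two is forwarded point to point, and a frame whose destination is on the same side it came from is dropped rather than echoed.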
68. ...ality.

VPN IPSec Pass Through
This Cayman service supports your independent VPN client software in a transparent manner. Cayman has implemented an Application Layer Gateway (ALG) to support multiple PCs running IP Security protocols. This feature has three elements:
1. On power-up or reset, the address mapping function (NAT) of the Gateway's WAN configuration is turned on by default.
2. When you use your third-party VPN application, the Gateway recognizes the traffic from your client and your unit. It allows the packets to pass through the NAT protection layer via the encrypted IPSec tunnel.
3. The encrypted IPSec tunnel is established through the Gateway.

A typical VPN IPSec Tunnel pass-through is diagrammed below.

(Diagram: VPN PC clients on the LAN behind the Cayman Gateway, an encrypted tunnel across the IP network, and the secure server at Corporate HQ (HQNetOne).)

Typically no special configuration is necessary to use the IPSec pass-through feature. This feature may need to be disabled for special VPN clients that are designed to be supported through NAT.

In the diagram, VPN PC clients are shown behind the Cayman Gateway and the secure server is at Corporate Headquarters across the WAN. You cannot have your secure server behind the Cayman Gateway.

When multiple PCs are starting IPSec sessions, they must be started one at a time to allow the associations to be created and mapped.
69. ... name, then the authentication packets sent by the local peer will have blank name values. This may cause authentication to fail for some PPP implementations.

set ppp module vccn port authentication chap name chap_name
Specifies the name the Cayman Gateway sends in a CHAP response packet. The chap_name argument is 1-64 alphanumeric characters. The information you enter must match the CHAP username configured in the remote PPP peer's authentication database.

set ppp module vccn port authentication chap secret secret
Specifies the CHAP secret for CHAP authentication. The secret argument is 1-64 alphanumeric characters. The information you enter must match the CHAP secret used by the PPP peer.

set ppp module vccn port authentication pap option { on | off }
Specifies whether PAP authentication is enabled for a port. By default, PAP authentication is turned off. PAP authentication must be enabled before you can enter other PAP information. If you disable PAP authentication and save the modified configuration, your Cayman Gateway retains its PAP settings. PAP transmits the name and password in the clear on the link; prefer CHAP wherever the peer supports it.

set ppp module vccn port authentication pap name pap_name
Specifies the name the Cayman Gateway sends in a PAP response packet. The pap_name argument is 1-64 alphanumeric characters. The information you enter must match the PAP username configured in the PPP peer's authentication database.

set ppp module port authenticatio...
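The CHAP name and secret configured above are used in the challenge-response exchange of RFC 1994, in which the secret itself never crosses the link, whereas PAP (RFC 1334) sends the password as-is. The following Python is an added example of both exchanges, not the gateway's PPP implementation: the peer database, the peer name and the secrets are constructed for the example, and the blank-name case the manual warns about is shown failing on the authenticator side.

```python
"""Added example (not the gateway's code): the CHAP exchange behind the
chap name / chap secret commands, per RFC 1994, next to what PAP sends.
PEER_DB is a constructed stand-in for the PPP peer database.
"""
import hashlib
import hmac
import os

PEER_DB = {
    "cayman-gw": {"chap_secret": b"example-shared-secret",
                  "pap_password": b"pap-pass"},
}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge).
    Only this digest and the name go on the wire; the secret stays local."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(peer_db, name, identifier, challenge, response):
    """Authenticator side.  A blank name cannot be looked up in the peer
    database, which is why blank names make authentication fail."""
    entry = peer_db.get(name) if name else None
    if entry is None:
        return False
    expected = chap_response(identifier, entry["chap_secret"], challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_db, name, secret, identifier=1):
    """Both sides of one exchange: Challenge -> Response -> Success/Failure.
    The challenge must be fresh per attempt so a captured response cannot
    be replayed."""
    challenge = os.urandom(16)                               # authenticator -> peer
    response = chap_response(identifier, secret, challenge)  # peer -> authenticator
    return chap_verify(peer_db, name, identifier, challenge, response)


def pap_request(name, password):
    """Payload of a PAP Authenticate-Request (RFC 1334): Peer-ID-Length,
    Peer-ID, Passwd-Length, Password.  Nothing is hashed or encrypted."""
    n = name.encode()
    return bytes([len(n)]) + n + bytes([len(password)]) + password


def pap_verify(peer_db, payload):
    """Authenticator side of PAP: parse the request and compare the password."""
    n_len = payload[0]
    name = payload[1:1 + n_len].decode()
    p_len = payload[1 + n_len]
    password = payload[2 + n_len:2 + n_len + p_len]
    entry = peer_db.get(name)
    return entry is not None and hmac.compare_digest(entry["pap_password"], password)


if __name__ == "__main__":
    print("CHAP ok:", chap_exchange(PEER_DB, "cayman-gw", b"example-shared-secret"))
    print("PAP bytes on the wire:", pap_request("cayman-gw", b"pap-pass"))
```

The PAP request bytes contain the literal password, which is what anyone tapping the link sees; the CHAP response is a digest bound to the challenge and the identifier, so the same response is rejected if either changes.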
70. ... application of a specific algorithm to a data set, so that anyone without the encryption key cannot understand the information.

Appendix B

ESP  Encapsulation Security Payload. The ESP header provides confidentiality, data origin authentication, connectionless integrity, anti-replay protection and limited traffic flow confidentiality. It encrypts the contents of the datagram as specified by the Security Association. The ESP transformations encrypt and decrypt portions of datagrams, wrapping or unwrapping the datagram within another IP datagram. Optionally, ESP transformations may perform data integrity validation and compute an Integrity Check Value for the datagram being sent. The complete IP datagram is enclosed within the ESP payload.

Ethernet crossover cable  See crossover cable.

FCS  Frame Check Sequence. Data included in frames for error control.

flow control  Technique using hardware circuits or control characters to regulate the transmission of data between a computer (or other DTE) and a modem (or other DCE). Typically the modem has buffers to hold data; if the buffers approach capacity, the modem signals the computer to stop while it catches up on processing the data in the buffer. See CTS, RTS, xon-xoff.

fragmentation  Process of breaking a packet into smalle...

Also on this glossary page: frame, FTP, FTP server, Hard MBytes, Hard Seconds, hardware handshake, HDLC, HDSL, header, HMAC, hop, hop count, hub.
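The ESP entry lists anti-replay protection among the services the header provides. The mechanism behind it is a sliding window over the ESP sequence number (RFC 4303, section 3.4.3): the receiver remembers the highest sequence number accepted and a bitmap of which of the preceding window positions have arrived, and drops anything already seen or older than the window before doing any decryption work. The following Python is an added illustration of that algorithm; it is not the SafeHarbour implementation, and the window size and sequence numbers in the test are chosen for the example.

```python
"""Added example (not the gateway's code): the ESP anti-replay sliding
window of RFC 4303 section 3.4.3, which is how the anti-replay service
listed under ESP is provided.
"""

SEQ_MAX = 0xFFFFFFFF          # 32-bit ESP sequence number without ESN


class AntiReplayWindow:
    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a minimum window of 32")
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set  =>  (highest - i) has been received

    def check_and_update(self, seq):
        """Return True if `seq` is fresh and record it; False if it is a replay,
        older than the window, zero, or past the 32-bit limit (at which point
        the SA must be rekeyed rather than wrapped)."""
        if seq <= 0 or seq > SEQ_MAX:
            return False
        if seq > self.highest:                       # right of the window: slide
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                      # left of the window: too old
            return False
        if self.bitmap & (1 << offset):              # inside, already marked: replay
            return False
        self.bitmap |= 1 << offset                   # inside, first time: accept
        return True


if __name__ == "__main__":
    w = AntiReplayWindow()
    for s in (1, 2, 5, 3, 3, 70, 6, 7):
        print(s, "accept" if w.check_and_update(s) else "drop")
```

Packets may arrive out of order within the window (5 then 3 is fine) but a second copy of 3 is dropped, and once 70 has been seen, 6 is 64 positions back and is refused while 7, 63 positions back, is still accepted.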
71. ... notation, each eight bits of the 32-bit number are presented as a decimal number, with the four octets separated by periods.

IPCP  Internet Protocol Control Protocol. A network control protocol in PPP specifying how IP communications will be configured and operated over a PPP link.

IPSec  A protocol suite defined by the Internet Engineering Task Force to protect IP traffic at packet level. It can be used for protecting the data transmitted by any service or application that is based on IP, but is commonly used for VPNs.

ISAKMP  Internet Security Association and Key Management Protocol is a framework for creating connection-specific parameters. It is a protocol for establishing, negotiating, modifying and deleting SAs, and provides a framework for authentication and key exchange. ISAKMP is a part of the IKE protocol.

ISDN  Integrated Services Digital Network. A digital network with circuit and packet switching for voice and data communications at data rates up to 1.544 or 2.048 Mbps over telephone networks.

Key Management  The Key Management algorithm manages the exchange of security keys in the IPSec protocol architecture. SafeHarbour supports the standard Internet Key Exchange (IKE).

LCP  Link Control Protocol. Protocol responsible for negotiating connection configuration parameters, authenticating peers on the link, determining whether a link is functioning properly, and terminating the link. Documented in RFC 1331.

...  Optional facility that lets PPP make policy decisions based on the ...
72. ... bar at the top provides links to controlling, configuring and monitoring pages. Critical configuration and operational status is displayed in the center section. If you log on as Admin, you see this page. This example screen is from the Dual Ethernet Gateway.

Home page, Admin mode, Dual Ethernet Gateway (toolbar: Home, Configure, Troubleshoot, Security, Install, Restart, Help)

General Information
  Hardware: Cayman 2E, Model 500, 2 Ethernet ports
  Serial Number: 705219
  Software Version: 6.3.0R0
  Product ID: 0921
WAN
  Status: ...
  IP Address: 143.137.50.236
  Default Gateway: 143.137.50.254
  Netmask: 255.255.255.0
  DHCP Client: On
  NAT: On
  DHCP Lease Expires: 00:00:49:50
  WAN Users: Unlimited
LAN
  IP Address: 192.168.1.254
  Netmask: 255.255.255.0
  DHCP Server: On
  DHCP Leases: 1 out of 253 leases in use
  DNS: 143.137.50.254

The Home page differs slightly between DSL and Dual Ethernet Gateways.

Home page, User mode, DSL Gateway (toolbar: Home, Troubleshoot, Security)

General Information
  Hardware: Cayman DSL, Model 3220-H, DMT ADSL (Alcatel) plus 4-port hub
  Serial Number: 1724849
  Software Version: 6.3.0R0
  Product ID: 0829
WAN
  Status: ...
  Local Address: 143.137.199.3
  Peer Address: 143.137.199.254
  Connection Type: Always On
  NAT: On
  WAN Users: Unlimited
LAN
  IP Address: 192.168.1.254
  Netmask: 255.255.255.0
  DHCP Server: On
  DHCP Leases: 0 out of 253 leases in use
  DNS: 143.137.137.10

Home page Information
The Home page's center section cont...
73. Link: Traffic Shaping

(Screenshot: Traffic Shaping, with an Enable Traffic Shaping checkbox, an Enable Traffic Shaping on Port selector, a Rate field and a Submit button.)

Traffic shaping controls how much traffic can flow through an Ethernet interface by limiting the size of the Ethernet "pipe". This function is most suitable for Internet Service Providers.

Enable Traffic Shaping on Port  Each Ethernet port providing traffic shaping capability is listed. Enable the port to set the traffic shaping rate.
Rate  This value, in bits per second, indicates the approximate speed at which traffic will flow.

Link: Clear Options
Choosing the Clear Options link below will restore the Gateway's factory configuration. You will be returned to the Restart page, because the Gateway must be restarted in order to complete the process. You may want to upload your configuration to a file before performing this function.

Clear Options  To restore the factory configuration of the Gateway, choose Clear Options. Clear Options does not clear feature keys or affect the software image or Boot ROM. You must restart the Gateway for Clear Options to take effect.

Security
The descriptions below provide information on the links displayed at the left of the screen.

Passwords  Allows changing ...
74. typically accessed during the hardware installation and initial configuration phase. Often these settings should be changed only in accordance with information from your Service Provider. LAN and WAN settings are available to fine-tune your system. Advanced provides some special capabilities, typically used for gaming or small office environments or where LAN-side servers are involved.

Note: This button will not be available if you log on as User.

Quickstart

How to Use the Quickstart Page
Quickstart is normally used immediately after the new hardware is installed. When you are first configuring your Gateway, Quickstart appears after you log on. Once you have configured your Gateway, logging on displays the Home page. Thereafter, if you need to use Quickstart, choose it from the Configure menu.

The Quickstart page you see depends on your type of Gateway and the type of connection to your service provider. You may have one of the following types of connection to your service provider:
• DHCP without PPP; see Setup Your Gateway using a DHCP Connection on page 37
• PPP; see Setup Your Gateway using a PPP Connection on page 40
• Static IP Address; see Setup Your Gateway using a Static IP Address on page 41

Configure > Quickstart
Setup Your Gateway using a DHCP Connection

[Screen: toolbar Home, Configure, Troubleshoot, Security, Install, Restart, Help; breadcrumb Home > Configur…]
75. successfully, use the following steps.

Step 1 Open a web connection to your Cayman Gateway from the computer on your LAN and return to the Home page. For COS 6.3 you now have a new layout. The screen shown below is from a Cayman 3220-H.

[Screen: Home page of a Cayman DSL Model 3220-H (DMT ADSL, Alcatel, plus 4-port hub), showing Serial Number, Software Version, BreakWater Firewall status, Product ID, WAN Status (IP Address, Default Gateway, Netmask, DHCP Client, DHCP Lease Expires, NAT) and LAN Status (IP Address, Netmask, DHCP Server). Values not reproduced.]

NOTES:
1. Extensive configuration and status information is now available from the Home page.
2. Verify COS 6.3.

Step 2 Verify that your Software Version is COS 6.3.

Welcome to your Cayman DSL
Before configuration, your Gateway requires a password to protect it from unauthorized access. This password is unique to this Gateway. It is case sensitive and should not contain embedded spaces. Remember this password or keep it in a safe place. After you submit your new password you must log on before continuing. When you browse to your Gateway as an Administrator, you enter Admin as the UserName and the password you just created in the Logon page. Set this password from a PC on the LAN before the WAN connection is brought up: the logon page is served over plain HTTP, so the password crosses the network unencrypted, and an unconfigured Gateway has no password at all.

[Screen: Admin Password: New Password; Confirm Password; Submit.]
76. …interface will use the IP address assigned to it by the remote peer. Note that the remote peer must be configured to supply an IP address to your Cayman Gateway if you enter 0.0.0.0 for the ip-address argument.

set ip ip-ppp vccn peer-address ip-address
Specifies the IP address of the peer on the other end of the PPP link. If you specify an IP address other than 0.0.0.0, your Cayman Gateway will not negotiate the remote peer's IP address. If the remote peer does not accept the address in the ip-address argument as its IP address (typically because it has been configured with another IP address), the link will not come up. The default value for the ip-address argument is 0.0.0.0, which indicates that the virtual PPP interface will accept the IP address returned by the remote peer. If you enter 0.0.0.0, the peer system must be configured to supply this address.

set ip ip-ppp vccn restriction { admin-disabled | admin-only | none }
Specifies restrictions on the types of traffic the Cayman Gateway accepts over the PPP virtual circuit. The admin-only argument means that router traffic is ignored but that administrative commands are accepted. The none argument means that all traffic is accepted. Note that both admin-only and none accept administrative commands arriving over this WAN-side circuit; only admin-disabled refuses them.

set ip ip-ppp vccn addr-mapping { on | off }
Specifies whether you want the Cayman Gateway to use network address translation (NAT) when communicating with remote routers. Network address translation lets you conceal details of your network from…
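The four commands above are usually prepared as a batch before a CONFIG session. The following script is an added example, not code from the manual or from Cayman: it builds the command lines for one virtual circuit and lists, next to them, the consequence the manual attaches to each chosen value, so the batch can be reviewed before it is pasted into a telnet or console session. The hyphenated keyword spellings (ip-ppp, vcc1, peer-address, admin-disabled, addr-mapping) follow the manual's conventions, and the first command, address, is the one the partially captured entry above describes; both are assumptions.

```python
"""CONFIG command builder for a PPP virtual circuit.

Added example; not Cayman code. Keyword spellings are assumed from the
manual's conventions (see the lead-in).
"""
import ipaddress

RESTRICTIONS = ("admin-disabled", "admin-only", "none")


def _ip(value):
    """Normalise a dotted-quad string; raises ValueError on a malformed address."""
    return str(ipaddress.IPv4Address(value))


def ppp_commands(vcc, address="0.0.0.0", peer_address="0.0.0.0",
                 restriction="admin-disabled", addr_mapping=True):
    """Return the four CONFIG commands for virtual circuit vccN as a list of strings."""
    if not isinstance(vcc, int) or vcc < 1:
        raise ValueError("vcc must be a positive circuit number")
    if restriction not in RESTRICTIONS:
        raise ValueError(f"restriction must be one of {RESTRICTIONS}")
    prefix = f"set ip ip-ppp vcc{vcc}"
    return [
        f"{prefix} address {_ip(address)}",
        f"{prefix} peer-address {_ip(peer_address)}",
        f"{prefix} restriction {restriction}",
        f"{prefix} addr-mapping {'on' if addr_mapping else 'off'}",
    ]


def review(address="0.0.0.0", peer_address="0.0.0.0",
           restriction="admin-disabled", addr_mapping=True):
    """Notes to read before applying the commands; each restates a consequence
    the manual gives for that value."""
    notes = []
    if _ip(address) == "0.0.0.0":
        notes.append("address negotiated: the peer must be configured to supply it")
    if _ip(peer_address) != "0.0.0.0":
        notes.append("peer-address fixed: link will not come up if the peer uses another address")
    if restriction == "none":
        notes.append("restriction none: all traffic, including administrative commands, "
                     "accepted on this circuit")
    elif restriction == "admin-only":
        notes.append("restriction admin-only: router traffic ignored, administrative "
                     "commands accepted")
    if not addr_mapping:
        notes.append("addr-mapping off: NAT disabled, LAN addressing visible to the remote router")
    return notes


if __name__ == "__main__":
    # Constructed input: circuit 1, everything negotiated, but restriction left open.
    for line in ppp_commands(1, restriction="none"):
        print(line)
    for note in review(restriction="none"):
        print("#", note)
```

The review notes are deliberately separate from the command text: the script never refuses a configuration, it only makes the administrator acknowledge what the manual says each value does.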
77. …devices. Compare dial-on-demand.

DES: Data Encryption Standard. A 56-bit encryption algorithm developed by the U.S. National Bureau of Standards (now the National Institute of Standards and Technology). A 56-bit key can be found by exhaustive search with modest hardware, so single DES should not be selected for new tunnels.

3DES: Triple DES, with a 168-bit encryption key, is the most accepted variant of DES. Its effective strength against the best known attacks is about 112 bits.

DH Group: Diffie-Hellman is a public key algorithm used between two systems to determine and deliver secret keys used for encryption. Groups 1, 2 and 5 are supported. Also see the Diffie-Hellman listing. Group 5 (1536-bit modulus) is the strongest of the three; groups 1 (768-bit) and 2 (1024-bit) are now considered too small and should be used only where the remote end supports nothing else.

DHCP: Dynamic Host Configuration Protocol. A network configuration protocol that lets a router or other device assign IP addresses and supply other network configuration information to computers on your network.

dial-in: Port setting that specifies that other routers can initiate a connection to the local router, but that the local router cannot initiate a connection to other routers. A port can be set as both dial-in and dial-out. Compare dial-out.

dial-on-demand: Communication circuit opened over standard telephone lines when a network connection is needed.

dial-out: Port setting that specifies that it can initiate a connection to other routers, but that other routers cannot initiate a connection to it. A port can be set as both dial-in and dial-out.

Further entries in this part of the glossary: Diffie-Hellman, domain name, domain name server, Domain Name System (DNS), DSL, DTE, DTR, E, EN, echo interval, Enable, encapsulation, Encrypt Protocol, encryption.
78. …directions.

Section 4 Access the User Interface

Web-based User Interface
Using the embedded Web-based user interface for the Netopia Cayman-series Gateway, you can configure, troubleshoot and monitor the status of your Gateway. For COS Version 6.3 the Web-based UI has been modified:
• to accommodate multiple new features of COS 6.3
• to make using the entire facility easier

Open the Web Connection
Once your Gateway is powered up, you can use any recent version of the best-known web browsers that support JavaScript and Cascading Style Sheets, from any LAN-attached PC or workstation. The procedure is:

Step 1 Enter the name or IP address of your Cayman Gateway in the Web browser's address window and press Enter. For example, you would enter http://192.168.1.254 if your Cayman Gateway is using its default IP address. You can enter http://cayman-2e. (including the final period) or http://cayman-dsl. if your computer has been configured to obtain its network configuration from a DHCP server.

Step 2 If an administrator or user password has been assigned to the Cayman Gateway, enter Admin or User as the username and the appropriate password and click OK. The Cayman Gateway Home page opens.

Note: If the Gateway is not configured after logon, you will see the Quickstart page.

Home page
The Home page is the dashboard for your Cayman Gateway. The tool…
79. …address, the DNS information is automatically obtained from that same DHCP Server.

Link: DHCP Server

[Screen: DHCP Server: Server Mode: Server; Starting IP Address 192.168.1.1; Ending IP Address 192.168.1.254; Lease Period (d:h:m:s) 00:01:00:00; Submit.]

Your Gateway can provide network configuration information to computers on your LAN using the Dynamic Host Configuration Protocol (DHCP). If you already have a DHCP server on your LAN, you should turn this service off. If you want the Gateway to provide this service, click the Server Mode pull-down menu, then configure the range of IP addresses that you would like the Gateway to hand out to your computers. You can also specify the length of time the computers can use the configuration information; DHCP calls this period the lease time.

Your Service Provider may, for certain services, want to provide configuration from its DHCP servers to the computers on your LANs. In this case the Gateway will relay the DHCP requests from your computers to a DHCP server in the Service Provider's network. Select Relay Agent in the Server Mode menu and enter the IP address of the Service Provider's DHCP server in the Server Address field. This address is furnished by the Service Provider. In relay mode the addresses, DNS servers and other parameters your LAN computers receive are chosen by the Service Provider's server, not by the Gateway.

[Screen: Add Authentication Traps: Enable Authentication Traps (checkbox); Destination IP Address; Community Name.]
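The DHCP Server page accepts any start and end address, so the values are worth checking against the LAN settings shown on the Home page before they are submitted. The following checker is an added example, not Cayman code: given the fields of the page above plus the Gateway's LAN address and netmask, it computes the pool size and lease length and flags a pool that leaves the LAN subnet, exceeds the 253 leases the manual gives as the default capacity, includes the network or broadcast address, or includes the Gateway's own address (as the screen's default range 192.168.1.1 to 192.168.1.254 does with a Gateway at 192.168.1.254). The 253-lease limit and the defaults are taken from this manual; the checks themselves are the example's own.

```python
"""DHCP Server page checker. Added example; not Cayman code."""
import ipaddress

MAX_LEASES = 253   # default DHCP Server capacity stated in the manual


def lease_seconds(period):
    """Parse the page's d:h:m:s lease period (for example '00:01:00:00') into seconds."""
    parts = period.split(":")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"lease period must be d:h:m:s, got {period!r}")
    d, h, m, s = (int(p) for p in parts)
    return ((d * 24 + h) * 60 + m) * 60 + s


def check_pool(start, end, gateway_ip, netmask, period):
    """Return (lease_count, lease_seconds, warnings) for a proposed DHCP range."""
    net = ipaddress.ip_network(f"{gateway_ip}/{netmask}", strict=False)
    a, b, gw = (ipaddress.ip_address(x) for x in (start, end, gateway_ip))
    if a > b:
        raise ValueError("starting address is above ending address")
    count = int(b) - int(a) + 1
    warnings = []
    if a not in net or b not in net:
        warnings.append("pool leaves the LAN subnet")
    if a <= gw <= b:
        warnings.append("pool includes the Gateway's own LAN address")
    if a == net.network_address or b == net.broadcast_address:
        warnings.append("pool includes the network or broadcast address")
    if count > MAX_LEASES:
        warnings.append(f"pool of {count} exceeds {MAX_LEASES} leases")
    return count, lease_seconds(period), warnings


if __name__ == "__main__":
    # Constructed input: the page's default range against the default LAN settings.
    print(check_pool("192.168.1.1", "192.168.1.254", "192.168.1.254",
                     "255.255.255.0", "00:01:00:00"))
```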
80. …Advanced Firewall
• SafeHarbour IPSec Tunnel at the Gateway

Obtaining Software Feature Keys
Contact your Service Provider to acquire a Software Feature Key.

Procedure: Install a New Feature Key File
With the appropriate feature key file resident on your LAN PC, use the steps listed below to enable a new function.

Step 1 From the Home page, click the Install toolbar button.
Step 2 Click Install Keys. The Install Key File page appears.
Step 3 Enter the feature key file name in the input text box:
• Browse your drive for the file, or
• Type the full path and file name in the text box.

[Screen: Install Key File. "Browse your computer to find the feature key file, or type in the full path and filename. Next, to install the file on your Gateway, click the Install Keys button. After the install has completed, restart your Gateway to enable the new features." File name text box; Browse; Install Keys.]

Step 4 Click the Install Keys button.

File Installation Success: The file installation was successful. You must restart your Gateway in order for the changes to take effect.

Step 5 Click the Restart toolbar button. The Confirmation screen appears.

Restart Gateway
Restarting the Gateway is needed to enable:
• Changes to your Gateway database of configuration
• New feature keys
• Operating System Software Upgrades

When you…
81. Two separate mechanisms for IPSec tunnel support are provided by your Gateway:
• IPSec PassThrough supports VPN clients running on LAN-connected computers. Disable this checkbox if your LAN-side VPN client includes its own NAT interoperability solution.
• SafeHarbour is a keyed feature that enables Gateway-terminated VPN support.

[Screen: Enable IPSec PassThrough (checked); SafeHarbour IPSec: Enable SafeHarbour IPSec (checkbox); Submit.]

Your Gateway supports two mechanisms for IPSec tunnels:
1. IPSec PassThrough supports Virtual Private Network (VPN) clients running on LAN-connected computers. Normally this feature is enabled. However, you can disable it if your LAN-side VPN client includes its own NAT interoperability option.
2. SafeHarbour VPN IPSec is a keyed feature that enables Gateway-terminated VPN support.

Configure a SafeHarbour VPN (VPN IPSec Tunnel at the Gateway)
SafeHarbour VPN IPSec Tunnel provides a single encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN-connected users. This implementation offers the following:
• Eliminates the need for VPN client software on individual PCs
• Reduces the complexity of tunnel configuration
• Simplifies the ongoing maintenance for secure remote access

Because the tunnel terminates at the Gateway rather than on each PC, two consequences follow: every host on the LAN can send traffic into the remote network through the tunnel, and traffic between a LAN host and the Gateway travels over the LAN unencrypted.

A typical SafeHarbour configuration is shown below.

[Figure: Encrypted IPSec tunnel across the Internet; tunnel terminates at the Cayman Gateway on one side and at a standards-based gateway on the other.]
82. • Check Ethernet LAN Connect test fails.

Each test generates one of the following result codes:

Code: Description
PASS: The test was successful.
FAIL: The test was unsuccessful.
SKIPPED: The test was skipped because a test on which it depended failed.
PENDING: The test timed out without producing a result. Try running the test again.

download [fw | key] [server_address] [filename] [confirm]
With no flags set, this command installs a file of configuration parameters into the Cayman Gateway from a TFTP (Trivial File Transfer Protocol) server. The TFTP server must be accessible on your Ethernet network. With the fw flag set, downloads a new firewall text configuration to the Gateway. With the key flag set, downloads a new feature key to the Gateway.

You can include one or more of the following arguments with the download command. If you omit arguments, the console prompts you for this information.
• The server_address argument identifies the IP address of the TFTP server from which you want to copy the Cayman Gateway configuration file.
• The filename argument identifies the path and name of the configuration file on the TFTP server.
• If you include the optional confirm keyword, the download begins as soon as all information is entered.

TFTP provides neither authentication nor integrity protection for the transferred file, so run the TFTP server on a trusted host on the LAN side and only for the duration of the transfer.

Appendix A SHELL Commands

install [server_address] [filename] [confirm]
Downloads a new version of the Cayman Gateway operating software from a TFTP…
83. …Handshake Authentication Protocol (CHAP): Security protocol in PPP that prevents unauthorized access to network services. See RFC 1334 for PAP specifications (CHAP itself is specified in RFC 1994). Compare PAP.

client: Network node that requests services from a server.

CPE: Customer Premises Equipment. Terminating equipment, such as terminals, telephones and modems, that connects a customer site to the telephone company network.

CO: Central Office. Typically a local telephone company facility responsible for connecting all lines in an area.

compression: Operation performed on a data set that reduces its size to improve storage or transmission rate.

crossover cable: Cable that lets you connect a port on one Ethernet hub to a port on another Ethernet hub. You can order an Ethernet crossover cable from network supply companies such as Black Box.

CSU/DSU: Channel Service Unit/Data Service Unit. Device responsible for connecting a digital circuit, such as a T1 link, with a terminal or data communications device.

CTS: Clear to Send. Circuit activated in hardware flow control when a modem or other DCE is ready to accept data from the computer or other DTE. Compare RTS, XON/XOFF.

data bits: Number of bits used to make up a character.

datagram: Logical grouping of information sent as a network layer unit. Compare frame, packet.

DCE: Data Communications Equipment. Device that connects the communication circuit to the network end node (DTE). A modem and a CSU/DSU are examples of a DCE.

dedicated line: Communication circuit that is used exclusively to connect two network devi…
84. Quickstart

[Screen: Quickstart. "The basic Gateway configuration required to connect to your ISP is complete. In most cases you should be ready to connect to the Internet. If you have further instructions from your Service Provider, including specific configuration parameters to be set, use the Quickstart Advanced link (if available) or go to Configure > WAN to set up your specific configuration." Other Quickstart Options: Advanced: Configure System Name and Ethernet MAC Address.]

Note: This example screen is for a DHCP Quickstart configuration.

Your Service Provider will instruct you as to whether or not the Other Quickstart Options need to be configured. If they are not needed, you should be ready to access the Internet. If required, click the Advanced link to access the Other Quickstart Options page.

The Other Quickstart Options page allows you to change the System Name or your Gateway's Ethernet MAC address. System Name is your Gateway's factory identifier combined with its serial number. By default this identifier is automatically captured for this field.

[Screen: Home > Configure > QuickStart > OtherQuickStart. Other QuickStart Options: System Name Cayman-2E705213; Enable MAC Override (checkbox); Submit.]

Some broadband c…
85. …enabled. You can check the feature keys enabled on your Gateway in the System Status web page. See System Status on page 101.

Section 3 General Management

Embedded Web Server
There is no specialized client software required to configure, manage or maintain your Cayman Gateway. Web pages embedded in the operating system provide access to the following Gateway operations:
• Setup
• System and security logs
• Diagnostics functions

Once you have removed your Cayman Gateway from its packing container and powered the unit up, use any LAN-attached PC or workstation running a common web browser application to configure and monitor the Gateway.

Diagnostics
In addition to the Gateway's visual LED indicators, you access an extensive suite of diagnostic facilities by browsing to the unit. Two of the facilities are:
• Automated Multi-Layer Test: The Run Diagnostics link initiates a sequence of tests. They examine the functionality of the Gateway from the physical connections (OSI Layer 1) to the application traffic (OSI Layer 7).
• Network Test Tools: Three test tools to determine network reachability are available. Ping tests the reachability of a particular network destination by sending an ICMP echo request and waiting for a reply. TraceRoute displays the path to a destination by showing the number of hops and the router addresses of these hops. NSLookup converts a domain name to its IP addr…
86. …one of the following result codes:

Code: Description
PASS: The test was successful.
FAIL: The test was unsuccessful.
SKIPPED: The test was skipped because a test on which it depended failed, or it was not supported by the service provider equipment to which it is connected.
PENDING: The test timed out without producing a result. Try running the test again.
WARNING: The test was unsuccessful. The Service Provider equipment your Gateway connects to may not support this test.

Troubleshoot: Network Tools
Use these steps:

Step 1 Click the Troubleshoot toolbar button.
Step 2 Click the Network Tools link, then click on an option below:
• NSLookup converts a host name into an IP address, or vice versa.
• Ping sends a ping message to an Internet host.
• TraceRoute traces the path to an Internet host.

[Screen: Host (text box); NSLookup; Ping; TraceRoute.]

Three test tools are available from this page:
• NSLookup converts a domain name to its IP address, and vice versa.
• Ping tests the reachability of a particular network destination by sending an ICMP echo request and waiting for a reply.
• TraceRoute displays the path to a destination by showing the number of hops and the router addresses of these hops.

Step 3 To use the Ping capability, type a destination address (domain name or IP address) in the t…
87. …the range 2000 to 32767 when assigning new port numbers to the Cayman Gateway telnet configuration interface.

Security Settings
Security settings include the Firewall and IPSec parameters. All of the security functionality is keyed.

Firewall Settings for BreakWater Firewall
set ip security firewall option { ClearSailing | SilentRunning | LANdLocked }
The three settings for BreakWater are discussed in detail on page 69.

SafeHarbour IPSec Settings
SafeHarbour VPN is a tunnel between the local network and another geographically dispersed network that is interconnected over the Internet. This VPN tunnel provides a secure, cost-effective alternative to dedicated leased lines. Internet Protocol Security (IPsec) is a series of services including encryption, authentication, integrity and replay protection. Internet Key Exchange (IKE) is the key management protocol of IPsec that establishes keys for encryption and decryption. Because this VPN software implementation is built to these standards, the other side of the tunnel can be either another Cayman unit or another IPsec/IKE-based security product.

For VPN you can choose to have traffic authenticated, encrypted or both. Encryption without authentication gives no integrity protection and leaves the tunnel open to active tampering, so choose both unless the remote end explicitly requires otherwise. When connecting the Cayman unit in a telecommuting scenario, the corporate VPN settings will dictate the settings to be used in the Cayman unit. If a parameter has not been specified from the other end of the tunnel, choose the default unless you fully unders…
88. …IPSec tunnel.

show ip routes
Displays the IP routes stored in your Cayman Gateway.

show log
Displays blocks of information from the Cayman Gateway diagnostic log. To see the entire log, you can repeat the show log command or you can enter show log all.

show memory [all]
Displays memory usage information for your Cayman Gateway. If you include the optional all argument, your Cayman Gateway will display a more detailed set of memory statistics.

show ppp [stats | lcp | ipcp | lastconnect]
Displays information about open PPP links. You can display a subset of the PPP statistics by including an optional stats, lcp, ipcp or lastconnect argument for the show ppp command.

(DSL) show ppp [stats | lcp | ipcp | lastconnect] [vccn]
Displays information about open PPP links. You can display a subset of the PPP statistics by including an optional stats, lcp, ipcp or lastconnect argument for the show ppp command. The optional vccn argument lets you specify the virtual circuit for which you want statistics.

show pppoe
Displays status information for each PPP socket, such as the socket state, service names and host ID values.

show security log
Displays up to 100 security-related events stored in the log. Because the log holds at most 100 events, copy it out regularly, and before any restart, if you are investigating an incident.

show status
Displays the current status of a Cayman Gateway: the device's hardware and software revision levels, a summary of errors encountered and the length of time the…
89. Check Database
Review: Review the contents of the database.
Validate: Validate the edited database.
Revert Database: Revert: Restore the settings in effect before the edits.

2. …a security event is logged. If you have Security Monitoring keyed, you receive Alerts whenever there is an event in the log that has not been viewed. When you click the Alert symbol, the Security Log is displayed and the Alert clears. If both types of Alert are triggered, you will need to take action to clear the first type of Alert before you can see the second Alert.

Help
Help Button

[Help window: Cayman Gateway Help. "Your Gateway supports Context-Sensitive Help. Click on Help from within your page of interest and help for that page will be presented." Documentation: The full product documentation is provided in electronic format. Documentation is also available online at http://www.cayman.com. Cayman Technical Support can be reached at: Telephone 510-814-5000 ext. 1; Web www.netopia.com/support. Close Window.]

Context-sensitive Help is provided in Release 6.3. The page shown above is displayed when you are on the Home page or other transitional pages. To see a context help page example, go to Security > Passwords, then click Help.

Configure
The Configuration options are presented in the order of likelihood you will need to use them. Quickstart is typi…
90. …user seeking access to other applications requiring WAN connectivity, such as email, instant messaging, remote access, FTP or telnet.

Notes:
1. Even with limited concurrent WAN access, all users have unlimited access to all LAN resources.
2. Support for multiple concurrent WAN users is available by installing an Unlimited WAN software feature key.

Appendix A Overview
Tour: Command Line Interface

The Cayman Gateway operating software includes a command line interface (CLI) that lets you access your Cayman Gateway over a telnet or console connection. You can use the command line interface to enter and update the unit's configuration settings, monitor its performance and restart it. Telnet carries the administrator password and every command in cleartext, so prefer the console, or telnet only from the LAN side, and keep the telnet port closed to the WAN through the BreakWater setting.

The CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are provided below. Details of the entire command set follow in this section.

SHELL Commands
Command: Status and/or Description
arp: send ARP request
atmping: send ATM OAM loopback (DSL only)
clear: erase all stored configuration information
configure: set the unit's options
diagnose: run the automatic self-test
download: download the config file
help: get more information on a command (help all, or help help)
install: download and program an image into flash
log: add a message to the diagnostic log
loglevel: report or change diagnostic log level
netstat: show IP information
nslookup: send DNS query for host
ping: send IC…
91. …

Configure > Advanced
The following are links under Configure > Advanced.

Link: Advanced
Selected Advanced options are discussed in the pages that follow. Many are self-explanatory or are dictated by your service provider.

Link: IP Static Routes
[Screen: Destination Network 0.0.0.0; Netmask 0.0.0.0; Interface Type PPP vcc1; Gateway 0.0.0.0; Metric; RIP Advertise; Split Horizon (checked); Submit.]

…network. Unlike dynamic routes, which are acquired and confirmed periodically from other routers, static routes do not time out. Consequently static routes are useful when working with PPP, since an intermittent PPP link may make maintenance of dynamic routes problematic. You can configure as many as 16 static IP routes for the Gateway.

Link: IP Static ARP
[Screen: IP Address; Hardware MAC Address; Submit.]

Your Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet MAC addresses. It populates this ARP table dynamically, by retrieving IP address/MAC address pairs only when it needs them. Optionally, you can define static ARP entries to map IP addresses to their corresponding Ethernet MAC addresses. Unlike dynamic ARP table entries, static ARP table entries do not time out. A static entry also cannot be displaced by an unsolicited ARP reply, which is why it is worth setting for hosts the Gateway forwards to, such as pinholed servers. The IP address cannot be 0.0.0.0. The Ethernet MAC address entry is in nn-nn-nn-nn-nn-nn (hexadecimal) format.
92. …numbers in the format xxx.xxx.xxx.xxx (e.g. 147.240.101.006). It is DNS servers that are responsible for this text-to-IP-address translation. DNS servers in most cases are located at Internet Service Provider facilities. They translate domain names into the desired IP address for locating an Internet website by answering DNS requests.

The Cayman DNS Proxy feature allows the LAN-side IP address of the Gateway to be used for proxying DNS requests from hosts on the LAN to the DNS servers configured in the Gateway. This is accomplished by having the Gateway's LAN address handed out as the DNS server to the DHCP clients on the LAN.

Note: The Cayman DNS Proxy only proxies UDP DNS queries, not TCP DNS queries. A resolver that must fall back to TCP (for a truncated response larger than 512 bytes, or for a zone transfer) therefore has to reach a DNS server directly rather than through the proxy address.

Section 3 General: Wide Area Network

DHCP (Dynamic Host Configuration Protocol) Client
DHCP Client functionality enables the Gateway to request an IP address from your Service Provider. DHCP servers on your Service Provider's network reply to DHCP Client requests and assign the network parameters.

PPPoE (Point-to-Point Protocol over Ethernet)
The PPPoE specification, incorporating the PPP and Ethernet standards, allows your computer(s) to connect to your Service Provider's network through your Ethernet WAN connection. The Netopia Cayman-series Gateway supports PPPoE, eliminating the need to install PPPoE client software on any LAN computers. Service Providers may require the use of PPP authentication protocols such…
93. …services. See RFC 1334 for PAP specifications. Compare CHAP.

parity: Method of checking the integrity of each character received over a communication channel.

Peer External IP Address: The Peer External IP Address is the public or routable IP address of the remote gateway or VPN server you are establishing the tunnel with.

Peer Internal IP Network: The Peer Internal IP Network is the private or Local Area Network (LAN) address of the remote gateway or VPN server you are communicating with.

Peer Internal IP Netmask: The Peer Internal IP Netmask is the subnet mask of the Peer Internal IP Network.

PFS DH: Perfect Forward Secrecy Diffie-Hellman Group. PFS forces a DH negotiation during Phase II of IKE (the IPSec SA exchange). You can disable this or select DH group 1, 2 or 5. PFS is a security principle that ensures that any single key being compromised will permit access to only data protected by that single key. In PFS, the key used to protect transmission of data must not be used to derive any additional keys. If the key was derived from some other keying material, that material must not be used to derive any more keys. Leave PFS enabled whenever the remote end supports it: without it, recovery of the Phase I keying material exposes every Phase II key derived from it.

PING: Packet INternet Groper. Utility program that uses an ICMP echo message and its reply to verify that one network node can reach another. Often used to verif…

Further entries in this part of the glossary: PPP, Pre-Shared Key, Pre-Shared Key Type, protocol, PSTN, repeater, RFC, RIP, RJ-45, route, routing table, RTS, SA Encrypt Type, SA Hash Type.
94. …es called Competitive Access Providers (CAPs) that link business network nodes.

WWW: World Wide Web.

XON/XOFF: Special characters used for software flow control to regulate communication between a device and a modem.

Index

Symbols
… command 108

A
Access the GUI 29
Address(es) 134
Address resolution table 114
Admin Login Failures 25
Administrative restrictions 130
Administrator password 29, 67, 106
Arguments, CLI 118
ARP: Command 108; Proxy 128, 134
Authentication 138
Authentication trap 145

B
Bridging 122
Broadcast address 125, 127, 133

C
Cayman 3220-H-W: Home window 29
Challenge Handshake Authentication Protocol 138
CHAP 138; Secret 139
CLI: Arguments 118; Command shortcuts 107; Command truncation 117; Configuration mode 117; Keywords 118; Navigating 117; Prompt 107, 117; Restart command 108; SHE…
Command: ARP 108; Ping 111; Telnet 116
Command line interface, see CLI
Community 145
Compression protocol 137
CONFIG: Command List 105; Configuration mode 117

D
DB-9 106
Default IP address 29
denial of service 155
DHCP 123
DHCP lease table 112
DHCP relay agent lease 113
Diagnostic log 112, 114; Level 146
Diagnostics 15; Network Diagnostic Capability 99; Results Code 98
DNS 124
DNS Proxy 16
Documentation conventions 8
Domain Name System (DNS) 124

E
Echo request 137
Embedded Web Server 15
Ethernet address 122
Ethernet statistics 112, 114
Excessive Pings 24

F
Feature Keys 14; Obtaining 94
95. …address, and vice versa.

The system log also provides diagnostic information. Your Service Provider may request information that you acquire from these various diagnostic tools. Individual tests may be performed at the command line; see Appendix A.

Section 3 General: Local Area Network

DHCP (Dynamic Host Configuration Protocol) Server
DHCP Server functionality enables the Gateway to assign your LAN computer(s) a private IP address and other parameters that allow network communication. The default DHCP Server configuration of the Gateway supports up to 253 LAN IP addresses. This feature simplifies network administration because the Gateway maintains a list of IP address assignments. Additional computers can be added to your LAN without the hassle of configuring an IP address.

DHCP (Dynamic Host Configuration Protocol) Relay Agent
DHCP Relay functionality enables the Gateway to forward a DHCP client request to a specified DHCP Server. This assigned DHCP Server will reply to the request with an IP address and other network parameters.

DNS Proxy
Domain Name System (DNS) provides end users with the ability to look for devices or web sites through the use of names rather than IP addresses. For websurfers, this technology allows a user to enter the URL (Uniform Resource Locator) text string to access a desired website. Each text string identifier has an associated IP address, a series of numb…
96. [Inbound (WAN-side) treatment, continued; the first rows of this table were not captured on this page.]

Port  Session Type            ClearSailing    SilentRunning   LANdLocked
23    telnet (external)       Enabled         Disabled        Disabled
23    telnet (Cayman server)  Enabled         Disabled        Disabled
80    http (external)         Enabled         Disabled        Disabled
80    http (Cayman server)    Enabled         Disabled        Disabled
67    DHCP client             Enabled         Enabled         Disabled
68    DHCP server             Not Applicable  Not Applicable  Not Applicable
161   snmp                    Enabled         Disabled        Disabled
      ping (ICMP)             Enabled         Disabled        Disabled

Note that in ClearSailing the Gateway's own telnet and HTTP administration servers, and SNMP, answer on the WAN side. Unless that exposure is intended, a Gateway whose WAN address is reachable from the Internet should run SilentRunning or LANdLocked.

This table shows how outbound traffic is treated. Outbound means the traffic is coming from the LAN-side computers into the LAN side of the Gateway.

Port  Session Type            ClearSailing    SilentRunning   LANdLocked
20    ftp data                Enabled         Enabled         Disabled
21    ftp control             Enabled         Enabled         Disabled
23    telnet (external)       Enabled         Enabled         Disabled
23    telnet (Cayman server)  Enabled         Enabled         Enabled
80    http (external)         Enabled         Enabled         Disabled
80    http (Cayman server)    Enabled         Enabled         Enabled
67    DHCP client             Not Applicable  Not Applicable  Not Applicable
68    DHCP server             Enabled         Enabled         Enabled
161   snmp                    Enabled         Enabled         Enabled
      ping (ICMP)             Enabled         Enabled         Disabled (Local Address Only)

Note: The Gateway's WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP addresses from their Service Providers while having no identifiable presence on the Internet beyond the DHCP exchange itself.
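The two tables are easier to reason about as data than as prose, for example when deciding which setting is the least restrictive one that still closes a particular service. The following model is an added example, not Cayman code or anything from the manual: it encodes both tables and answers three questions a practitioner asks before choosing a setting: is a given service allowed, which setting first blocks it, and what an Internet host can still reach under each setting. The two FTP rows of the inbound table were not captured on this page and are assumed to behave like the other inbound "external" services (Enabled only in ClearSailing); the outbound ICMP row annotated "Local Address Only" is modelled as Disabled for Internet destinations. Both are assumptions of the example.

```python
"""BreakWater treatment tables as a policy model. Added example; not Cayman code."""

MODES = ("ClearSailing", "SilentRunning", "LANdLocked")

# (direction, service) -> (ClearSailing, SilentRunning, LANdLocked)
# True = Enabled, False = Disabled, None = Not Applicable.
POLICY = {
    ("inbound", "ftp-data"):         (True, False, False),   # assumed; row not captured
    ("inbound", "ftp-control"):      (True, False, False),   # assumed; row not captured
    ("inbound", "telnet-external"):  (True, False, False),
    ("inbound", "telnet-cayman"):    (True, False, False),
    ("inbound", "http-external"):    (True, False, False),
    ("inbound", "http-cayman"):      (True, False, False),
    ("inbound", "dhcp-client"):      (True, True, False),
    ("inbound", "dhcp-server"):      (None, None, None),
    ("inbound", "snmp"):             (True, False, False),
    ("inbound", "icmp"):             (True, False, False),
    ("outbound", "ftp-data"):        (True, True, False),
    ("outbound", "ftp-control"):     (True, True, False),
    ("outbound", "telnet-external"): (True, True, False),
    ("outbound", "telnet-cayman"):   (True, True, True),
    ("outbound", "http-external"):   (True, True, False),
    ("outbound", "http-cayman"):     (True, True, True),
    ("outbound", "dhcp-client"):     (None, None, None),
    ("outbound", "dhcp-server"):     (True, True, True),
    ("outbound", "snmp"):            (True, True, True),
    ("outbound", "icmp"):            (True, True, False),   # "Local Address Only" in LANdLocked
}

# Port column of the tables, kept for reporting (ICMP has no port).
PORTS = {"ftp-data": 20, "ftp-control": 21, "telnet-external": 23, "telnet-cayman": 23,
         "http-external": 80, "http-cayman": 80, "dhcp-client": 67, "dhcp-server": 68,
         "snmp": 161, "icmp": None}


def allows(mode, direction, service):
    """True/False per the table, or None where the table says Not Applicable."""
    if mode not in MODES:
        raise ValueError(f"unknown BreakWater setting: {mode}")
    return POLICY[(direction, service)][MODES.index(mode)]


def least_restrictive_blocking_mode(direction, service):
    """First setting, from ClearSailing to LANdLocked, that disables the service;
    None if no setting does (outbound snmp, for example, is never blocked)."""
    for mode in MODES:
        if allows(mode, direction, service) is False:
            return mode
    return None


def exposure_report(mode):
    """Services still Enabled inbound under a setting: what an Internet host can reach,
    the Gateway's own administration services included."""
    col = MODES.index(mode)
    return sorted(s for (d, s), row in POLICY.items() if d == "inbound" and row[col] is True)


def evaluate(mode, attempts):
    """attempts: iterable of (direction, service). Returns (direction, service, verdict) triples."""
    words = {True: "allowed", False: "blocked", None: "n/a"}
    return [(d, s, words[allows(mode, d, s)]) for d, s in attempts]


if __name__ == "__main__":
    # Constructed sample: a WAN-side probe of the admin services plus a LAN user's browsing.
    sample = [("inbound", "telnet-cayman"), ("inbound", "http-cayman"), ("inbound", "snmp"),
              ("outbound", "http-external"), ("outbound", "http-cayman")]
    for mode in MODES:
        print(mode, evaluate(mode, sample))
        print("  inbound exposure:", [(s, PORTS[s]) for s in exposure_report(mode)])
```

The report for SilentRunning is the practical summary of the manual's note: the only inbound service left Enabled is the DHCP client exchange.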
97. …Gateway attempts to re-acquire the NIST reference for re-synchronization or initial acquisition of the UTC information. Once acquired, all subsequent log entries display this date and time information. UTC provides the equivalent of Greenwich Mean Time (GMT) information.

If the WAN conn

ection is not enabled, the internal clocking function of the Gateway provides log timestamps based on the uptime of the unit. Uptime-based timestamps cannot be correlated with other systems' logs unless you also record when the Gateway was last restarted, so note the restart time whenever you collect logs from a Gateway without WAN time.

Install
The descriptions below provide information on the links displayed on the left of the screen.

Link: Install Keys
Response: Installation page for software keys. These allow additional features to run on the Gateway. A list of features available for the Gateway can be viewed from the System Status page.

Link: Install Software
Response: Installation page for upgrading the operating system software.

From the Install toolbar button you can:
• Install new Operating System Software
• Install new Feature Keys

Install Software

[Screen: Install Operating System Software. "Browse your computer to find the system software file, or type in the full path and filename. Next, to install the file on your Gateway, click the Install Software button. The latest releases are available online at Cayman's website, www.cayman.com. The install may take a few minutes. After the install has completed, restart your Gateway to ru…"]
98. ...ext box and click the Ping button.

Example: Ping to grosso.com

[Terminal capture: ping of 192.150.14.120 from the Gateway's local address; timer granularity 100 ms, ping size 100, ping count 5; four ICMP echo replies of 100 to 200 ms and one "No ping response"; ping statistics: 5 packets transmitted, 4 packets received, 20% packet loss]

Result: The host was reachable with four out of five packets sent.

Step 4. To use the TraceRoute capability, type a destination address (domain name or IP address) in the text box and click the TraceRoute button.

99 Troubleshoot

Example: Show the path to the grosso.com site

[Terminal capture: traceroute to the grosso.com address from the Gateway's address; timer granularity 100 ms, 30 hops max; each hop line gives the hop number, the router address and three round-trip times, mostly between 0 and 100 ms; the listing is cut off after about 18 hops]
99. [Diagram: example LAN requiring three pinholes. WAN interface 210.219.41.20; LAN Ethernet interface with my mailserver at 192.168.1.2 and my games at 192.168.1.3]

48 Section 4 Configure

Pinhole Configuration Procedure

Use the following steps:

Step 1. From the Configure toolbar button > Advanced link, select the Internal Servers link. Since Port Forwarding is required for this example, the Cayman embedded Web server is configured first. The two text boxes, Web (HTTP) Server Port and Telnet Server Port, on this page refer to the port numbers of the Cayman Gateway's embedded administration ports. To pass Web traffic through to your LAN station(s), select a Web (HTTP) Port number that is greater than 1024. In this example you choose 8100.

Step 2. Type 8100 in the Web (HTTP) Server Port text box.

Step 3. Enter a value from 1 to 65534.

[Screen capture: Web (HTTP) Server Port: 8100; Telnet Server Port: 23; Submit]

Step 4. Click the Submit button.

Step 5. Click Advanced. Select the Pinholes link to go to the Pinhole page.

49 Section 4 Configure

Step 6. Click Add. Type your specific data into the Pinhole Entries table of this page. Click Submit.

[Screen capture: Pinhole Name: my webserver; Protocol Select: TCP; External Port Start: 80; External Port End: 80; Internal IP Address: 192.168.1.1; Internal Port: 80; Submit]

Step 7. Click on the Pinholes link in the Breadcrumb Trail to go to the Pinholes entry page. C
100. ...for 30 seconds or more.

Verify Updater Application Code

To verify that the Updater image has loaded successfully, use the following steps:

Step 8. Open a web connection to your Cayman Gateway from the computer on your LAN, return to the Home page, and select the Monitor button. Under the General toolbar, select the Overview link.

[Screen capture: System Status / Overview page of a 3220-H (DMT ADSL, Alcatel, plus 4-port hub, Multimode ADSL) reporting "Running Updater version 1.1", the build line "Software built by egrosso on Thu Jan 11 13:07:04 EST 2002", serial number 1653131, uptime, the date Thu Jan 18 22:39:47 2002 UTC, and log message counts]

This page is from a Cayman 3220-H Gateway (DSL WAN access). The page for a Cayman 2E-H Gateway (Ethernet WAN access) is similar.

Step 9. Verify that the Cayman Gateway is running Updater version 1.1. If the Updater is not running, the screen will show your COS version instead. If your COS version is earlier than 5.9, return to Task 1 and retry the installation.

COS 6.3 Image File

Install the COS 6.3 Image

The COS installation process is similar to the Updater installation. To install the COS 6.3 software in your Cayman Gateway from the Home Page, use the following steps:

Step 1. Open a web connection to your Cayman Gatewa
101. ...for a UNIX host. To log on, enter the username (either admin or user) and your password.

• Entering the administrator password lets you display and update all Cayman Gateway settings.
• Entering a user password lets you display, but not update, Cayman Gateway settings.

106 Appendix A Using the CLI Help Facility

When you have logged in successfully, the command line interface lists the user name and the security level associated with the password you entered in the diagnostic log.

Ending a CLI Session

You end a command line interface session by typing quit from the SHELL node of the command line interface hierarchy.

Saving Settings

The save command saves the working copy of the settings to the Gateway. The Gateway automatically validates its settings when you save and displays a warning message if the configuration is not correct.

Using the CLI Help Facility

The help command lets you display on-line help for SHELL and CONFIG commands. To display a list of the commands available to you from your current location within the command line interface hierarchy, enter help. To obtain help for a specific CLI command, type help <command>. You can truncate the help command to h or a question mark (?) when you request help for a CLI command.

About SHELL Commands

You begin in SHELL mode when you start a CLI session. SHELL mode lets you perform the following tasks with your Cayman Gateway:

• Monitor its performance
•
102. ...ges.
• 2 or medium: Medium-level informational messages or greater; includes status messages that can help monitor network traffic.
• 3 or high: High-level informational messages or greater; includes status messages that may be significant but do not constitute errors.
• 4 or warning: Warnings or greater; includes recoverable error conditions and useful operator information.
• 5 or failure: Failures; includes messages describing error conditions that may not be recoverable.

set system password [ admin | user ]

Specifies the administrator or user password for a Cayman Gateway. When you enter the set system password command, you are prompted to enter the old password (if any) and the new password. You are prompted to repeat the new password to verify that you entered it correctly the first time. To prevent anyone from observing the password you enter, characters in the old and new passwords are not displayed as you type them.

A password can be as many as eight characters. Passwords are case-sensitive.

Passwords go into effect immediately. You do not have to restart the Cayman Gateway for the password to take effect. Assigning an administrator or user password to a Cayman Gateway does not affect communications through the device.

146 Appendix A CONFIG Commands

Traffic Shaping Settings

Traffic shaping lets you control how much traffic can flow through an Ethernet interface by limiting the size of the WAN pipe. This functi
103. ...his page while the Gateway restarts.

Step 5. After your Cayman Gateway restarts, use your browser to verify that you can access the Internet. Your Cayman Gateway can now use the configured IP parameters.

Do NOT confuse this procedure, which establishes an IP address for the Gateway's default IP traffic, with configuring multiple static IP addresses used with the IPMaps feature.

42 Section 4 Configure

LAN

Link: Configure > LAN
Response: LAN IP Interface

[Screen capture: LAN IP Interface, Ethernet 10BT: Enable Interface (checked); IP Address 192.168.1.254; IP Netmask 255.255.255.0; Restrictions None; Submit. Other LAN Options: Advanced (Configure advanced IP settings); DHCP Server (Configure DHCP server options); Wireless (Configure Wireless Options)]

Interface Enable: Enables all LAN-connected computers to share resources and to connect to the WAN. The Interface should always be enabled unless you are instructed to disable it by your Service Provider during troubleshooting.

IP Address: The LAN IP Address of the Gateway. The IP Address you assign to your LAN interface must not be used by another device on your LAN network.

IP Netmask: Specifies the subnet mask for the TCP/IP network connected to the virtual circuit. The subnet mask specifies which bits of the 32-bit binary IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (Class C subnet mask).

Restrictions: S
104. ...holes will instant messaging be active whenever ClearSailing is set. Restore SilentRunning when finished.

70 Section 4 Configure

Basic Firewall Background

As a device on the Internet, a Cayman Gateway requires an IP address in order to send or receive traffic. The IP traffic sent or received has an associated application port, which is dependent on the nature of the connection request. In the IP protocol standard the following session types are common applications:

• ICMP
• HTTP
• FTP
• SNMP
• telnet
• DHCP

By receiving a response to a scan from a port or series of ports (which is the expected behavior according to the IP standard), hackers can identify an existing device and gain a potential opening for access to an Internet-connected device.

To protect LAN users and their network from these types of attacks, BreakWater offers three levels of increasing protection. The following tables indicate the state of ports associated with session types, both on the WAN side and the LAN side of the Gateway.

This table shows how inbound traffic is treated. Inbound means the traffic is coming from the WAN into the WAN side of the Gateway.

Gateway WAN Side, BreakWater Setting:

Port  Session type   ClearSailing  SilentRunning  LANdLocked
20    ftp data       Enabled       Disabled       Disabled
21    ftp control    Enabled       Disabled       Disabled
23    teln
105. ...ia a SafeHarbour IPsec tunnel. See page 56 for How-To instructions.

21 Section 3 General

Combination NAT Bypass Configuration

Specific pinholes and Default Server settings, each directed to different LAN devices, can be used together. Creating a pinhole or enabling a Default Server allows inbound access to the specified LAN station. Contact your Network Administrator for LAN security questions.

Security Monitor

The Security Monitor detects security-related events, including common types of malicious attacks, and writes them to a dedicated security log file. You view this log file from either:

• Cayman Web interface
• Text-based command line interface, using a telnet or serial port facility

The log provides information useful in identifying a specific type of attack and tracing its origin. The log maintains 100 entries and requires a manual reset once full. This preserves, for troubleshooting purposes, the acquired information about specific attacks, their frequency, and tracing information.

• See page 80 for more information about the Security Monitoring Log.

COS 6.3 Security Monitor software reports the following eight event types:

• IP Source Address Spoofing
• Source Routing
• Subnet Broadcast Amplification
• Illegal Packet Size (Ping of Death)
• Port Scan (TCP/UDP)
• Excessive Pings
• Admin Login Failure
• MAC Address Spoofing

22 Section 3 General

Event Details

Details o
106. ...ing DHCP to get IP addresses for your LAN client machines.

DNS: IP address of the Domain Name Server.

Leases in Use: A lease is held by each LAN client that has obtained an IP address through DHCP.

31 Section 4

Toolbar

The toolbar is the dark blue bar at the top of the page containing the major navigation buttons. These buttons are available from almost every page, allowing you to move freely about the site. The example toolbar shown below is displayed when you log on as Admin. If you log on as User, some buttons will not be shown.

[Toolbar: Home | Configure (Quickstart, LAN, WAN, Advanced) | Troubleshoot (System Status, Network Tools, Diagnostics, Security Log) | Security (Passwords, Firewall, IPSec) | Install (Install Keys, Install Software) | Restart]

Navigating the Web Interface

Breadcrumb Trail

[Example trail: Home > Configure > LAN]

The breadcrumb trail is built in the light brown area beneath the toolbar. As you navigate down a path within the site, the trail is built from left to right. To return anywhere along the path from which you came, click on one of the links.

32 Section 4

Restart

Restart Button

Response: Restarting the Gateway is needed to enable:

• Changes to your Gateway database configuration
• New feature keys
• Operating System Software Upgrades

When you restart:

• All users will be disconnected
• You will be returned to the Home page
107. ...ing if you do not want the Cayman Gateway to drop a PPP link to a nonresponsive peer.

set PPP module vccn failures-max integer

Specifies the maximum number of Configure-NAK messages the PPP module can send without having sent a Configure-ACK message. The integer argument can be any number between 1 and 20.

set PPP module vccn configure-max integer

Specifies the maximum number of unacknowledged configuration requests that your Cayman Gateway will send. The integer argument can be any number between 1 and 10.

set PPP module vccn terminate-max integer

Specifies the maximum number of unacknowledged termination requests that your Cayman Gateway will send before terminating the PPP link. The integer argument can be any number between 1 and 10.

137 Appendix A CONFIG Commands

set PPP module vccn restart-timer integer

Specifies the number of seconds the Cayman Gateway should wait before retransmitting a configuration or termination request. The integer argument can be any number between 1 and 30.

set PPP module vccn connection-type [ instant-on | always-on ]

Specifies whether a PPP connection is maintained by the Cayman Gateway when it is unused for extended periods. If you specify always-on, the Cayman Gateway never shuts down the PPP link. If you specify instant-on, the Cayman Gateway shuts down the PPP link after the number of seconds specified in the time-out setting (below) if no traffic is moving o
108. ...ing values for the level argument:

• 1 or low: Low-level informational messages or greater; includes trivial status messages.
• 2 or medium: Medium-level informational messages or greater; includes status messages that can help monitor network traffic.
• 3 or high: High-level informational messages or greater; includes status messages that may be significant but do not constitute errors.
• 4 or warning: Warnings or greater; includes recoverable error conditions and useful operator information.
• 5 or failure: Failures; includes messages describing error conditions that may not be recoverable.

netstat -i

Displays the IP interfaces for your Cayman Gateway.

110 Appendix A SHELL Commands

netstat -r

Displays the IP routes stored in your Cayman Gateway.

nslookup { hostname | ip_address }

Performs a domain name system lookup for a specified host.

• The hostname argument is the name of the host for which you want DNS information; for example, nslookup klaatu.
• The ip_address argument is the IP address, in dotted decimal notation, of the device for which you want DNS information.

ping [ -s size ] [ -c count ] { hostname | ip_address }

Causes the Cayman Gateway to issue a series of ICMP Echo requests for the device with the specified name or IP address.

• The hostname argument is the name of the device you want to ping; for example, ping ftp.cayman.com.
• The ip_address argument is the IP address, in dotted decimal notati
109. ...inue to page 89 for Task 3.

Use these steps to install the Updater software in your Gateway from the Home page:

Step 1. Open a web connection to your Gateway from a LAN computer. From a web browser, access the URL http://cayman-2E, or http://cayman-dsl, or http://192.168.1.254.

[Screen capture: Cayman DSL Home page (Quickstart; serial number 1653131; Ethernet button)]

This Home page is from a Cayman 3220-H Gateway (DSL WAN access). The Home page for a Cayman 2E-H Gateway (Ethernet WAN access) is similar.

Step 2. If necessary, save the LAN configuration settings on your Cayman Gateway. If you have not previously saved your configuration (that is, if you are running the factory default configuration your Cayman Gateway came with), click the Ethernet button on the Cayman Gateway Home page. When the Ethernet window appears, click Save. If you have previously saved your Cayman Gateway configuration, you can skip this step.

87 Section 4 Configure

Step 3. Click the Install Software button on the Cayman Gateway Home page. The Install New Cayman Software window opens. The window reads: Please select the Cayman software file that you wish to install. Once a file has been selected, hit the Install button to download and save the software in your Cayman DSL. The latest releases are available online at Cayman's website, www.cayman.com. The file download may take a while. Please wait a moment for this transfer t
110. ...ld have compromised the security of your network. Please refer to your customer documentation for a description of the logged event.

[Screen capture: Security Log page. It begins with the number of security log entries, then one record per event. The captured records are: a Port Scan (TCP) from 143.137.137.14 on Fri May 04 2001 UTC, giving the number of ports scanned, highest port, lowest port and the first ports; an Excessive Pings record giving IP source address, IP destination address, number of attempts and time of last attempt; a Port Scan (TCP) and a Port Scan (UDP) from 143.137.50.2 on Fri May 04 2001 UTC, each noting "Only the first 10 ports are recorded"; and an Illegal Packet Size record giving IP source address, IP destination address, number of attempts and time of last attempt]
111. ...lick Add. Add the next Pinhole. Type the specific data for the second Pinhole.

[Screen capture: Pinhole Entry. Pinhole Name: my mailserver; Protocol Select: TCP; External Port Start: 25; External Port End: 25; Internal IP Address: 192.168.1.2; Internal Port: 25; Submit]

Step 8. Click on the Pinholes link in the Breadcrumb Trail to go to the Pinholes entry page. Click Add. Add the next Pinhole. Type the specific data for the third Pinhole.

[Screen capture: Pinhole Name: my games; Protocol Select: UDP; External Port Start: 1100; External Port End: 1200; Internal IP Address: 192.168.1.3; Internal Port: 1100; Submit]

50 Section 4 Configure

Note the following parameters for the my games Pinhole:

1. The Protocol ID is UDP.
2. The external port is specified as a range.
3. The Internal port is specified as the lower range entry.

Step 9. Click on the Pinholes link in the Breadcrumb Trail to go to the Pinholes entry page. Review your entries to be sure they are correct.

[Screen capture: Pinholes entry page. "To create a new pinhole entry, press the Add button. To edit or delete a pinhole entry, select the entry and press the Edit or Delete button."
Name: my webserver   Protocol: TCP   Inside IP Addr: 192.168.001.001
Name: my mailserver  Protocol: TCP   Inside IP Addr: 192.168.001.002
Name: my games       Protocol: UDP   Inside IP Addr: 192.168.001.003
Add  Edit  Delete]

Step 10. Click the Save button.

Step 11. Select the Save and Restart li
112. ...n pap-password password

Specifies the password the Cayman Gateway sends when a PPP peer sends a PAP authentication request. The password argument is 1-64 alphanumeric characters. The information you enter must match the PAP password used by the PPP peer.

139 Appendix A CONFIG Commands

Configuring Peer Authentication

You can specify that your Cayman Gateway will use PAP, CHAP, or both to authenticate a remote peer as a PPP link is being completed. Perform the following steps to specify how your Cayman Gateway should authenticate remote peers.

set PPP module vccn peer-authentication chap-option [ on | off ]

Specifies whether the Cayman Gateway will use CHAP to authenticate connections to PPP peers.

set PPP module vccn peer-authentication pap-option [ on | off ]

Specifies whether the Cayman Gateway will use PAP to authenticate connections to PPP peers.

set PPP peer-database peer-name hostname

Specifies the hostname for an authorized PPP peer. The hostname argument is 1-64 alphanumeric characters. The information you enter must match the user name that will be returned by the PPP peer when it is being authenticated.

set PPP peer-database peer-name hostname chap-secret secret

Specifies the secret associated with a PPP peer. The secret argument is 1-64 alphanumeric characters. The information you enter must match the secret that will be returned by the PPP peer when it is being authenticated.

set P
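The PAP and CHAP settings above are easier to reason about once you see what each side actually sends. The following Python model is an added example, not Cayman code and not part of this manual: it runs the RFC 1994 CHAP exchange between a gateway-side authenticator holding a peer database (hostname and chap-secret, as the commands above configure it) and a remote peer, and sets a PAP request beside it. The class and function names, the 16-byte challenge length, and the peer names and secrets are assumptions made for the example; the 1-64 alphanumeric rule is the manual's.

```python
"""PPP peer authentication as the manual's CHAP/PAP settings imply.

Added example, not Cayman code. The gateway is the CHAP authenticator with a
peer database (hostname -> chap secret); the remote peer holds one secret.
Names, the challenge length and the sample secrets are assumptions.
"""
import hashlib
import hmac
import secrets


def valid_ppp_secret(value):
    """Manual's rule for hostnames, PAP passwords and CHAP secrets: 1-64 alphanumerics."""
    return 1 <= len(value) <= 64 and value.isalnum()


def chap_response_value(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Gateway side: 'peer-authentication chap-option on' plus the peer database."""

    def __init__(self, peer_database, name="gateway"):
        self.peers = dict(peer_database)   # hostname -> chap secret, as set ppp peer-database
        self.name = name
        self.identifier = 0
        self.outstanding = {}              # identifier -> challenge value not yet answered

    def challenge(self):
        """Send a Challenge: fresh random value (assumed 16 bytes) and a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        value = secrets.token_bytes(16)
        self.outstanding[self.identifier] = value
        return {"code": "Challenge", "id": self.identifier, "value": value, "name": self.name}

    def verify(self, response):
        """Check a Response against the peer database; each challenge is usable once."""
        challenge = self.outstanding.pop(response["id"], None)
        secret = self.peers.get(response["name"])
        if challenge is None or secret is None:
            return {"code": "Failure", "id": response["id"]}
        expected = chap_response_value(response["id"], secret, challenge)
        ok = hmac.compare_digest(expected, response["value"])
        return {"code": "Success" if ok else "Failure", "id": response["id"]}


class PppPeer:
    """Remote side: knows its hostname and the secret configured for it."""

    def __init__(self, hostname, secret):
        self.hostname, self.secret = hostname, secret

    def respond(self, challenge):
        """CHAP Response: the secret never leaves the peer, only the hash does."""
        value = chap_response_value(challenge["id"], self.secret, challenge["value"])
        return {"code": "Response", "id": challenge["id"], "value": value, "name": self.hostname}

    def pap_request(self):
        """PAP Authenticate-Request: the password itself travels over the link."""
        return {"code": "Authenticate-Request", "peer_id": self.hostname, "password": self.secret}


def chap_authenticate(auth, peer):
    """One complete CHAP exchange; returns 'Success' or 'Failure'."""
    return auth.verify(peer.respond(auth.challenge()))["code"]


def pap_authenticate(pap_database, request):
    """PAP check on the gateway: constant-time comparison of the transmitted password."""
    expected = pap_database.get(request["peer_id"], "")
    return "Ack" if hmac.compare_digest(expected, request["password"]) else "Nak"


def replay_is_rejected(auth, peer):
    """A captured Response is useless later: the next challenge has a new random value
    and the old identifier has already been consumed."""
    first = peer.respond(auth.challenge())
    if auth.verify(first)["code"] != "Success":
        return False
    auth.challenge()
    return auth.verify(first)["code"] == "Failure"
```

The peer's hostname and secret must match the database entry exactly, which is why the manual insists on an exact match for peer-name and chap-secret. The PAP request alongside shows why CHAP is the setting to prefer where both are available: with PAP the password itself crosses the link, with CHAP only a hash of a one-time challenge does.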
113. ...n the eight specific event types and the information logged are:

IP Source Address Spoofing

The Gateway checks all incoming packets to see if the IP address attached is valid for the interface the packet is received through. If the address of the packet is not valid for the interface, the packet is discarded.

Logged information includes: IP source address, IP destination address, Number of attempts, Time at last attempt, IP interface.

Source Routing

IP source routing information packets will be received and accepted by the Cayman Gateway. Logging of this activity is provided in the event the source route information has been forged but appears as valid data.

Logged information includes: IP source address, IP destination address, Number of attempts, Time at last attempt, IP interface.

Subnet Broadcast Amplification

Distributed DoS (Denial of Service) attacks often use a technique known as broadcast amplification, in which the attacker sends packets to a router's subnet broadcast address. This causes the router to broadcast the packet to each host on the subnet. These in turn become broadcast sources, thereby involving many new hosts in the attack. The Cayman unit detects and discards any packets that would otherwise be transmitted to a subnet broadcast address. The Security Monitoring logs the event.

Logged information includes: IP source address, IP destination address, Number of attempts, Time at last attempt, IP broadcast address.
114. ...n the new software.

[Screen capture: Install Software page with a Browse button and an Install Software button]

This page allows you to install an updated release of the Cayman Operating System (COS).

Updating Your Gateway to COS Version 6.3

Cayman Operating System Release 6.3 represents significantly expanded functionality for your Cayman Gateway. To deliver these important features, the COS 6.3 image is larger than earlier versions, and the updating process is different from earlier procedures. It requires careful attention to the instruction sequence.

Using the Web Page

You install a new operating system image in your unit from the Cayman embedded Web server's Home page. For this process, the computer you are using to connect to the Cayman Gateway must be on the same local area network as the Cayman Gateway.

84 Section 4 Configure

Required Tasks

Task  Description                                        Page
1     Locate and confirm the required files              86
2     Install and verify the Updater application code    87
3     Install and verify the COS 6.3 image               89
      Warnings                                           85

85 Section 4 Configure

Required Files

Step 1. Upgrading to COS 6.3 requires THREE files:

1. Documentation: Software Upgrade Instructions (PDF file)
2. Updater file
3. Cayman Operating System image

Background

When you downloaded your operating system upgrade from the Cayman website, you downloaded a ZIP file containing these files:

Software Upgrade Instructions (PDF file): the document you are reading now
115. ...nd when there has been no traffic for the configured number of seconds, it disconnects the link. When new traffic that is destined for the Internet arrives at the Gateway, the Gateway will instantly re-establish the link.

Your service provider may be using a system that assigns the Internet address of your Gateway out of a pool of many possible Internet addresses. The address assigned varies with each connection attempt, which makes your network a moving target for any attacker.

Static IP Addresses

If your Service Provider requires the Cayman Gateway to use static IP addressing, you must configure your Gateway for it. Dynamically assigned addresses allow a service provider's customer to install their Gateway without WAN configuration. Static addresses never time out; dynamic addresses time out and will be reassigned. A static IP address is preferred for setting up and maintaining pinholes through the Cayman Gateway's NAT security facility. Your Service Provider may not offer a static IP address option.

IPMaps

IPMaps supports one-to-one Network Address Translation (NAT) for IP addresses assigned to servers, hosts, or specific computers on the LAN side of the Cayman Gateway. With IPMaps, a Service Provider-assigned static IP address is mapped to a specific internal device. This allows a LAN-located device to appear public without compromising other locally attached devices. The external IP addresses must be on the same subnet I
116. ...net Server Port: 23; Submit

Your Gateway ships with an embedded Web server and support for a Telnet session to allow ease of use for configuration and maintenance. The default ports of 80 for HTTP and 23 for Telnet may be reassigned. This is necessary if a pinhole is created to support applications using port 80 or 23. See Pinholes on page 46 for more information on Pinhole configuration.

Web (HTTP) Server Port: To reassign the port number used to access the Cayman embedded Web server, change this value to a value greater than 1024. When you next access the embedded Cayman Web server, append the IP address with the port number; e.g., point your browser to http://210.219.41.20:8080.

Telnet Server Port: To reassign the port number used to access your Cayman embedded Telnet server, change this value to a value greater than 1024. When you next access the Cayman embedded Telnet server, append the IP address with the port number; e.g., telnet 210.219.41.20 2323.

63 Section 4 Configure

Ethernet MAC Address Override

[Screen capture: Ethernet MAC Address Override. Enable Override (checked); MAC Address 00:00:00:00:00:00; Submit]

You can override your Gateway's Ethernet MAC address with any necessary setting. Some ISPs require your account to be identified by the MAC address, among other things. For information on setting this parameter, see How to Use the Quickstart Page on page 36.

Link: Traffi
117. ...network: Board installed in a computer system to provide network communication capability to and from that computer system.

See subnet mask.

ADSL: Asymmetric Digital Subscriber Line. Modems attached to twisted pair copper wiring that transmit 1.5-9 Mbps downstream to the subscriber and 16-640 kbps upstream, depending on line distance.

AH: The Authentication Header provides data origin authentication, connectionless integrity, and anti-replay protection services. It protects all data in a datagram from tampering, including the fields in the header that do not change in transit. Does not provide confidentiality.

ANSI: American National Standards Institute.

ASCII: American Standard Code for Information Interchange (pronounced ASK-ee). Code in which numbers from 0 to 255 represent individual characters, such as letters, numbers, and punctuation marks; used in text representation and communication protocols.

asynchronous communication: Network system that allows data to be sent at irregular intervals by preceding each octet with a start bit and following it with a stop bit. Compare synchronous communication.

AUI: Attachment Unit Interface. Connector by which a thick (802.3) Ethernet transceiver cable is attached to a networked device.

Authentication Protocol for IP packet header. The three parameter values are None, Encapsulating Security Payload (ESP), and Authentication Header (AH).

backbone: The segment of the network used as the primary path for transporting traffic between network segment
118. ...new all [Ethernet]

Renews the DHCP lease the Gateway is currently using to acquire the IP settings of its WAN Ethernet port.

reset dhcp client renew vccn [DSL]

Releases the DHCP lease the Cayman 3220-H is currently using to acquire the IP settings for the specified DSL port. The vcc-id identifier is a letter in the range B-I. Enter the reset dhcp client release without the variable to see the letter assigned to each virtual circuit.

reset dhcp server

Clears the DHCP lease table in the Cayman Gateway.

reset dsl

Resets any open DSL connection.

reset enet

Resets Ethernet statistics to zero.

reset hosts

Clears all entries in the host name table. Thereafter, when PCs configured as DHCP clients use the Gateway, new entries will be rebuilt (DHCP serving must be enabled).

reset ipmap

Clears the IPMap table (NAT).

reset log

Rewinds the diagnostic log display to the top of the existing Cayman Gateway diagnostic log. The reset log command does not clear the diagnostic log. The next show log command will display information from the beginning of the log file.

reset ppp enet [Ethernet]

Resets the point-to-point connection over the WAN interface. When you issue a reset ppp command, the Cayman 2E-H closes any PPP session, including PPP over Ethernet.

112 SHELL Commands

reset ppp vccn [DSL]

Resets the point-to-point connection over the specified virtual circuit. This command only ap
119. ...nformation includes: Protocol type, IP source address, Time at last attempt, Number of ports scanned, Highest port, Lowest port, Port numbers of first 10 ports scanned.

Excessive Pings

The PING (Packet InterNet Groper) utility is used by hackers to identify prospective targets that can be attacked. The Security Monitoring software will record instances where the router itself is pinged by the same host more than ten times.

Logged information includes: IP source address, IP destination address, Number of attempts, Time at last attempt.

24 Section 3 General

Login Failures

The Cayman software provides the means for assigning passwords to the Admin or User accounts to control access to the Gateway. Any attempts to log in are given three chances to enter a valid password. The Security Monitoring software records instances where the user fails to enter a valid password.

Logged information includes: IP source address, Number of attempts (Attempt count), Time at last attempt.

MAC Address Spoofing

A MAC (Media Access Control) Address Spoofing attack can be identified based on the IP interface where the illegitimate packet came from. If the interface that the spoofed packet arrives on does not have the same MAC address as the legitimate entry in the routing table, then an attack is logged.

Logged information includes: IP source address, Number of attempts, IP interface, Time at last attempt.

25 Section 3 General

BreakWater
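To make the logged fields above concrete, here is an added Python model (not Cayman code and not from this manual) of the Security Monitor's behaviour as the Event Details describe it: spoofed-source and subnet-broadcast packets are discarded and logged, pings of the Gateway from one host beyond ten are logged, TCP/UDP probes across many ports from one source are logged with the first ten ports plus the highest and lowest port, and three failed logins produce an entry. Entries for a repeating event are updated in place (number of attempts, time at last attempt), the log holds 100 entries and records nothing more until it is reset. Source Routing, Illegal Packet Size and MAC Address Spoofing are not modelled. The interface subnets and addresses, the interface-validity rule for source addresses, the port-scan threshold and the traffic in demo() are all constructed for the example.

```python
"""Security Monitor model: constructed traffic in, log entries out.
Added example, not Cayman code. Covers five of the manual's eight event types
(Source Routing, Illegal Packet Size and MAC Address Spoofing are not modelled)
and the log's documented behaviour: per-event fields, 100 entries, manual reset.
Subnets, addresses and the 'assumption' threshold are constructed for the example."""
import ipaddress
from collections import defaultdict

LOG_CAPACITY = 100        # manual: the log holds 100 entries and needs a manual reset when full
PING_THRESHOLD = 10       # manual: router pinged by the same host more than ten times
LOGIN_CHANCES = 3         # manual: three chances to enter a valid password
RECORDED_PORTS = 10       # manual: only the first 10 scanned ports are recorded
SCAN_PORT_THRESHOLD = 5   # assumption: the manual gives no port-scan threshold


class SecurityMonitor:
    def __init__(self, interfaces, router_addrs):
        # interfaces: {"LAN": cidr, "WAN": cidr}; router_addrs: the Gateway's own addresses
        self.nets = {name: ipaddress.ip_network(cidr) for name, cidr in interfaces.items()}
        self.router_addrs = {ipaddress.ip_address(a) for a in router_addrs}
        self.log = []                     # at most LOG_CAPACITY entries
        self.dropped = 0                  # events that arrived while the log was full
        self._open = {}                   # (type, key) -> its entry in self.log
        self._pings = defaultdict(int)
        self._scans = defaultdict(list)   # (src, proto) -> distinct ports in arrival order
        self._logins = defaultdict(int)

    def reset(self):
        """The manual reset the log needs once it is full."""
        self.log.clear()
        self._open.clear()
        self.dropped = 0

    def _log(self, kind, key, fields, t):
        """Create or update the entry for (kind, key); 'attempts' and 'last' track repeats."""
        entry = self._open.get((kind, key))
        if entry is None:
            if len(self.log) >= LOG_CAPACITY:
                self.dropped += 1
                return None
            entry = {"type": kind, "attempts": 0}
            self.log.append(entry)
            self._open[(kind, key)] = entry
        entry.update(fields)
        entry["attempts"] += 1
        entry["last"] = t
        return entry

    def packet(self, iface, src, dst, proto, dport=None, t=0):
        """Inspect one packet; returns (log entry or None, forwarded?)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # IP Source Address Spoofing (simplified rule): a LAN address is valid only when
        # it arrives on the LAN, and a non-LAN address only when it arrives on the WAN.
        lan_src = any(s in n for name, n in self.nets.items() if name != "WAN")
        if (iface == "WAN") == lan_src:
            return self._log("IP Source Address Spoofing", (src, iface),
                             {"src": src, "dst": dst, "iface": iface}, t), False
        # Subnet Broadcast Amplification: never forward to a subnet broadcast address.
        if any(d == n.broadcast_address for n in self.nets.values()):
            return self._log("Subnet Broadcast Amplification", (src, dst),
                             {"src": src, "dst": dst, "broadcast": dst}, t), False
        # Excessive Pings: the Gateway itself echo-requested by one host more than ten times.
        if proto == "ICMP-echo" and d in self.router_addrs:
            self._pings[src] += 1
            if self._pings[src] > PING_THRESHOLD:
                return self._log("Excessive Pings", src,
                                 {"src": src, "dst": dst, "pings": self._pings[src]}, t), True
        # Port Scan (TCP/UDP): one source touching many distinct destination ports.
        if proto in ("TCP", "UDP") and dport is not None:
            ports = self._scans[(src, proto)]
            if dport not in ports:
                ports.append(dport)
            if len(ports) >= SCAN_PORT_THRESHOLD:
                return self._log("Port Scan", (src, proto),
                                 {"protocol": proto, "src": src, "ports_scanned": len(ports),
                                  "highest": max(ports), "lowest": min(ports),
                                  "first_ports": ports[:RECORDED_PORTS]}, t), True
        return None, True

    def login_failure(self, src, t=0):
        """Record a failed Admin/User login; an entry appears once the chances are used up."""
        self._logins[src] += 1
        if self._logins[src] >= LOGIN_CHANCES:
            return self._log("Admin Login Failure", src, {"src": src, "count": self._logins[src]}, t)
        return None


def demo():
    """Constructed traffic: a TCP port sweep, an ICMP flood, a LAN address arriving on the
    WAN, a LAN broadcast and three bad logins. All addresses are made up for the example."""
    mon = SecurityMonitor({"LAN": "192.168.1.0/24", "WAN": "143.137.50.0/24"},
                          router_addrs=["192.168.1.254", "143.137.50.36"])
    for i, port in enumerate(range(1100, 1115)):
        mon.packet("WAN", "143.137.137.14", "143.137.50.36", "TCP", dport=port, t=i)
    for i in range(12):
        mon.packet("WAN", "143.137.137.2", "143.137.50.36", "ICMP-echo", t=100 + i)
    mon.packet("WAN", "192.168.1.7", "192.168.1.2", "TCP", dport=80, t=200)
    mon.packet("LAN", "192.168.1.9", "192.168.1.255", "UDP", dport=7, t=201)
    for i in range(LOGIN_CHANCES):
        mon.login_failure("192.168.1.50", t=300 + i)
    return mon
```

Updating an existing entry rather than appending a new one for every packet is what lets a 100-entry log survive a flood: one scanning host occupies one entry whose attempt count and last-seen time keep moving, which is exactly the information the manual says is preserved for tracing once the log is full.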
120. ...nk to complete the entire Pinhole creation task and ensure that the parameters are properly saved.

REMEMBER: When you have re-assigned the port address for the embedded Web server, you can still access this facility. Use the Gateway's WAN address plus the new port number. In this example it would be <WAN Gateway address>:<new port number>, or in this case 210.219.41.20:8100.

51 Section 4 Configure

IP Map Entry

[Screen capture: IP Map Entry. Name; Internal IP Address 141.154.96.160; External IP Address 0.0.0.0; Submit]

IPMaps supports one-to-one Network Address Translation (NAT) for IP addresses assigned to servers, hosts, or specific computers on the LAN side of the Cayman Gateway. A single static or dynamic (DHCP) WAN IP address must be assigned to support other devices on the LAN. These devices utilize Cayman's default NAT/PAT capabilities.

Configure the IPMaps Feature

FAQs for the IPMaps Feature

Before configuring an example of an IPMaps-enabled network, review these frequently asked questions.

What are IPMaps and how are they used?

The IPMaps feature allows multiple static WAN IP addresses to be assigned to the Cayman Gateway. Static WAN IP addresses are used to support specific services, like a web server, mail server, or DNS server. This is accomplished by mapping a separate static WAN IP address to a specific internal LAN IP address. All traffic arriving at the Gateway i
121. ...ntended Audience

This guide is targeted to the technical staffs of organizations such as:

• Incumbent Local Exchange Carriers (ILEC)
• Competitive Local Exchange Carriers (CLEC)
• Multiple System Operators (MSO)
• Internet Service Providers (ISP)

These professional staffs include:

• System administrators
• Installation and configuration technicians
• Customer support engineers

They are responsible for planning, deploying, and supporting the Customer Premise Equipment that are the key elements of small business or residential Local Area Networks. Business and residential subscribers are encouraged to use this guide also.

Section 1 Documentation Conventions

Documentation Conventions

General

This manual uses the following conventions to present information.

Typeface                              Description
bold italic                           Menu commands and button names
monospaced bold italic sans serif     Web GUI page links
terminal                              Computer display text
bold terminal                         User-entered text
Italic                                Italic type indicates the complete titles of manuals

Internal Web Interface

Graphics                                  Description
dot-dot-dash rounded rectangle or line    Denotes an excerpt from a Web page or the visual truncation of a Web page
solid rounded rectangle with an arrow     Denotes an area of emphasis on a Web page

Command Line Interface

Syntax conventions for the Cayman gateway command line interface are as follows:

Convention  Description
straight b
ntended for the static IP address is transferred to the internal device. All outbound traffic from the internal device appears to originate from the static IP address. Locally hosted servers are supported by a public IP address, while LAN users behind the NAT-enabled IP address are protected. IPMaps is compatible with the use of NAT with either a statically assigned IP address or a DHCP/PPP-served IP address for the NAT table.

What types of servers are supported by IPMaps?
IPMaps allows a Cayman Gateway to support servers behind the Gateway, for example web, mail, FTP, or DNS servers. VPN servers are not supported at this time.

Can I use IPMaps with my PPPoE or PPPoA connection?
Yes. IPMaps can be assigned to the WAN interface, provided they are on the same subnet. Service providers will need to ensure proper routing to all IP addresses assigned to your WAN interface.

Will IPMaps allow IP addresses from different subnets to be assigned to my Gateway?
IPMap will support statically assigned WAN IP addresses from the same subnet. WAN IP addresses from different subnets are not supported.

IPMaps Block Diagram
The following diagram shows the IPMaps principle in conjunction with existing Cayman NAT operations.
[Diagram: Cayman Gateway with WAN Interface and LAN Interface. Static IP Addresses for IPMaps Applications: 143.137.50.37. NAT/PAT Table: 192.168.1.1, 143.137.50.36, 143.13
o complete. After the install has completed, please restart your Cayman DSL to run the new software.
    [Browse] [Install] [Home]
This page is from a Cayman 3220-H Gateway (DSL WAN access). The page for a Cayman 2E-H Gateway (Ethernet WAN access) is similar.

Step 4: Enter the Updater filename into the text window with one of these techniques. The Updater file name starts with the letter "u" (for Updater).
    a. Click the Browse button, select the file you want, and click Open. Or
    b. Enter the name and path of the update file you want to install in the text field.
Step 5: Click the Install button. The Cayman Gateway copies the Updater file from your computer and installs it into its memory storage. You see a series of dots appear on your screen as the image is copied and installed. You have the following visual guide from your unit:
    3220-H: DSL and Status LED indicators will blink.
    2E-H: WAN LED indicator will blink.
Step 6: When the image has been installed, the message "successful install of file" appears at the bottom of the screen. When the "Please Click Restart" message appears, click the Restart button and confirm Restart.
Step 7: Your Cayman Gateway restarts with its new image. During this step you have the following visual guide from your unit:
    3220-H: DSL and Status LED indicators will blink for 30 seconds or more.
    2E-H: WAN LED indicator will blink
on of the device you want to locate. If a host using the specified name or IP address is active, it returns one or more ICMP Echo replies, confirming that it is accessible from your network.
• The -s size argument lets you specify the size of the ICMP packet.
• The -c count argument lets you specify the number of ICMP packets generated for the ping request.
You can use the ping command to determine whether a hostname or IP address is already in use on your network. You cannot use the ping command to ping the Cayman Gateway's own IP address.

quit
Exits the Cayman Gateway command line interface.

reset arp
Clears the Address Resolution Protocol (ARP) cache on your unit.

DSL reset atm
Resets the ATM statistics to zero.

reset crash
Clears crash dump information, which identifies the contents of the Cayman Gateway registers at the point of system malfunction.

SHELL Commands

reset dhcp client release [ all ]
Releases the DHCP lease the Gateway is currently using to acquire the IP settings for its WAN Ethernet port.

reset dhcp client release vcc-id
Releases the DHCP lease the Cayman 3220-H is currently using to acquire the IP settings for the specified DSL port. The vcc-id identifier is a letter; enter reset dhcp client release without the variable to see the letter assigned to each virtual circuit.

reset dhcp client re
on is most suitable for Internet Service Providers or multi-interface routers. When you use the traffic shaping option to set the maximum speed for a router port, the router will silently discard any packets that exceed the maximum port speed.

set trafficshape option [ on | off ]
Enables or disables traffic shaping in the Cayman Gateway.

set trafficshape ethernet option [ on | off ]
Enables or disables traffic shaping on the designated Ethernet interface.

set trafficshape ethernet rate [ 56000 - 10000000 ]
Specifies the maximum number of bits that can be transmitted.

Appendix B Glossary

Terms on this page: 10Base2, 10Base-T, ACK, access rate, adapter, address mask, ADSL, AH, ANSI, ASCII, asynchronous communication, AUI, Auth Protocol, backbone, baud rate, binary, Blowfish.

10Base2: IEEE 802.3 specification for Ethernet that uses thin coaxial cable to run at 10 Mbps. Limited to 185 meters per segment.
10Base5: IEEE 802.3 baseband physical layer specification for Ethernet that uses thick coaxial cable to run at 10 Mbps. Limited to 500 meters per segment.
10Base-T: IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 10 Mbps.
ACK: Acknowledgment. Message sent from one network device to another to indicate that some event has occurred. See NAK.
access rate: Transmission speed, in bits per second, of the circuit between the end user and the
ort numbers the Cayman Gateway uses for its own configuration traffic. For example, if you set up a NAT pinhole to forward network traffic on Port 80 (HTTP) to another host, you would have to tell the Cayman Gateway to listen for configuration connection requests on a port number other than 80, such as 6080.
After you have changed the port numbers the Cayman Gateway uses for its configuration traffic, you must use those port numbers instead of the standard numbers when configuring the Cayman Gateway. For example, if you move the router's Web service to port 6080 on a box with a DNS name of superbox, you would enter the URL http://superbox:6080 in a Web browser to open the Cayman Gateway graphical user interface. Similarly, you would have to configure your telnet application to use the appropriate port when opening a configuration connection to your Cayman Gateway.

set servers web-http [ 0 - 32767 ]
Specifies the port number for HTTP (web) communication with the Cayman Gateway. Because port numbers in the range 0-1024 are used by other protocols, you should use numbers in the range 2000-32767 when assigning new port numbers to the Cayman Gateway web configuration interface.

Appendix A CONFIG Commands

set servers telnet-tcp [ 0 - 32767 ]
Specifies the port number for telnet (CLI) communication with the Cayman Gateway. Because port numbers in the range 0-1024 are used by other protocols, you should use numbers in th
oup of
    SA Encrypt Type: DES
    SA Hash Type: MD5
    Soft MBytes: 1000
    Soft Seconds: 82800
    Hard MBytes: 1200
    Hard Seconds: 86400
    Update   Delete

Task 5 Make the Tunnel Details entries
Use the following steps:
Step 1: Enter or select the required settings.
Step 2: Click Update. The Alert button appears.
Step 3: Click the Alert button.
Step 4: Click Save and Restart. Your SafeHarbour IPSec VPN tunnel is fully configured.
NOTE: Tunnel sessions can only be initiated from the LAN (client) side.

Security Log
    [Show] [Reset]
    Security Statistics: Firewall, SafeHarbor
Security Monitoring detects security-related events, including common types of malicious attacks, and writes them to the security log file.

Using the Security Monitoring Log
You can view the Security Log at any time. Use the following steps:
Step 1: Click the Security toolbar button.
Step 2: Click the Security Log link.
Step 3: Click the Show link from the Security Log toolbar. An example of the Security Log is shown on the next page.
Step 4: When a new security event is detected, you will see the Alert button. The Security Alert remains until you view the information. Clicking the Alert button will take you directly to a page showing the log.

Your Cayman Gateway has detected and successfully blocked an event that cou
own NAT interoperability solution.

DSL Settings

DSL set ip dsl vccn option [ on | off ]
Specifies whether virtual circuit n on the 3220-H is active, where n is a number in the range 1-8. You must enable a virtual circuit before you can enter other settings for it.

DSL set ip dsl vccn address ip_address
Assigns an IP address to the virtual circuit. Enter 0.0.0.0 if you want the virtual circuit to obtain its IP address from a remote DHCP server.

DSL set ip dsl vccn broadcast broadcast_address
Specifies the broadcast address for the TCP/IP network connected to the virtual circuit. IP hosts use the broadcast address to send messages to every host on your network simultaneously. The broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.0 network would be 192.168.1.255.

DSL set ip dsl vccn netmask netmask
Specifies the subnet mask for the TCP/IP network connected to the virtual circuit. The subnet mask specifies which bits of the 32-bit binary IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (Class C subnet mask).

DSL set ip dsl vccn restriction [ admin-disabled | admin-only | none ]
Specifies restrictions on the types of traffic the 3220-H accepts over the DSL virtual circuit. The admin-disabled argument means that router traffic is accepted but that adminis
pecifies whether an administrator can open a Telnet connection to the Gateway over the LAN interface in order to monitor and configure the Gateway. On the LAN Interface you can enable or disable administrator access. By default, administrative restrictions are turned off, meaning an administrator can open a Telnet connection through the LAN Interface.

WAN Link (Configure > WAN)
    Enable Gateway: Option
    Interface Type: IP Address
    Default Gateway: 141.154.96.161
    Submit
    ATM: Set up ATM circuits (comment)
    WAN IP Interfaces: Your IP interfaces are listed. Click on an interface to configure it.

IP Gateway
Enable Gateway: You can configure the Gateway to send packets to a default gateway if it does not know how to reach the destination host.
Interface Type: If you have PPPoE enabled, you can specify that packets destined for unknown hosts will be sent to the gateway being used by the remote PPP peer. If you select ip address, you must enter the IP address of a host on a local or remote network to receive the traffic.
Default Gateway: The IP Address of the default gateway.

Other WAN Options
PPPoE: You can enable PPPoE and set the number of PPPoE Sessions. The IP Interface(s) should be reconfigured after changing this setting.
ATM: You can configure the ATM circuits and the number of Sessions. The IP Interface(s) should be reconfigured after making changes h
plies to virtual circuits that use PPP framing.

reset security log
Clears the security monitoring log to make room to capture new entries.

reset wan users [ all | ip_address ]
This function disconnects the specified WAN User to allow other users to access the WAN. This function is only available if the number of WAN Users is restricted and NAT is on. Use the all parameter to disconnect all users. If you log on as Admin, you can disconnect any or all users. If you log on as User, you can only disconnect yourself.

restart [ seconds ]
Restarts your Cayman Gateway. If you include the optional seconds argument, your Cayman Gateway will restart when the specified number of seconds have elapsed. You must enter the complete restart command to initiate a restart.

show atm [ all ]
Displays ATM statistics for the 3220-H unit. The optional all argument displays a more detailed set of ATM statistics.

show bridge interfaces
Displays bridge interfaces maintained by the Cayman Gateway.

show bridge table
Displays the bridging table maintained by the Cayman Gateway.

show crash
Displays the most recent crash information, if any, for your Cayman Gateway.

show dhcp agent
Displays the DHCP relay agent leases being administered by your Cayman Gateway.

show dhcp client
Displays the DHCP address information being used by your Cayman Gateway for each WAN interface.

show dhcp server leases [ used | free ]
Display
r LAN-side VPN client includes its own NAT interoperability solution.
• SafeHarbour is a keyed feature that enables Gateway-terminated VPN support.

    [x] Enable IPSec PassThrough
    [x] Enable SafeHarbour IPSec
    [ ] Enable NAT Over Tunnel
    Submit
    Name | Peer External IP Address | Encryption Protocol | Authentication Protocol | Key Management
         | 0.0.0.0                  | esp                 | esp                     | IKE              On

Leave the Enable NAT over Tunnel choice as Off unless your network administrator instructs otherwise.

Task 4 Make the IPSec Tunnel Entries
Enter the initial group of tunnel parameters. Refer to your Setup Worksheet and the Glossary of VPN Terms as required. Perform the following steps:
Step 1: Enter the tunnel Name. This is the only parameter that does not have to be identical to the peer (remote VPN device).
Step 2: Enter the Peer External IP Address.
Step 3: Select Encryption Protocol from the pulldown menu.
Step 4: Select Authentication Protocol from the pulldown menu.
Step 5: Select Key Management from the pulldown menu.
Step 6: Ensure that the toggle checkbox, which is On by default, remains On.
Step 7: Click Add. The Tunnel Details page appears.

Tunnel Details
    Name: telework
    Peer Internal Network: 0.0.0.0
    Peer Internal Netmask: 255.255.255.0
    Negotiation Method: Main
    Pre-shared Key Type: Hex
    Pre-Shared Key: [masked]
    DH Group: 3
    PFS DH Gr
r units so that they can be sent over a network medium that cannot transmit the complete packet as a unit.
frame: Logical grouping of information sent as a link layer unit. Compare datagram, packet.
FTP: File Transfer Protocol. Application protocol that lets one IP node transfer files to and from another node.
FTP server: Host on network from which clients can transfer files.
Hard MBytes: Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic passed.
Hard Seconds: Setting the Hard Seconds parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard Seconds value. The value can be configured between 60 and 1,000,000 seconds.
hardware handshake: Method of flow control using two control lines, usually Request to Send (RTS) and Clear to Send (CTS).
HDLC: High-level Data Link Control.
HDSL: High data rate Digital Subscriber Line. Modems on either end of one or more twisted pair wires that deliver T1 or E1 speeds. T1 requires two lines and E1 requires three. Compare ADSL, SDSL.
header: The portion of a packet preceding the actual data, containing source and destination addresses and error-checking fields.
HMAC: Hash-based Message Authentication Code.
hop: A unit for measuring the number of routers a packet has passed through when traveling from one network to another.
hop count: Distance, measured in the number of routers to be traversed, from a local
rackets in cmd line: Optional command arguments.
    curly brackets with values separated with vertical bars: Alternative values for an argument are presented in curly brackets, with the values separated by vertical bars.
    bold terminal type face: User-entered text.
    italic terminal type face: Variables for which you supply your own values.

BOTH: Pointing to a CLI command, refers to both DSL and Ethernet WAN interfaces for Cayman Gateways.
DSL: Pointing to a CLI command, refers only to the DSL WAN interface used with the 3220-H family.
ENET: Pointing to a CLI command, refers only to the ENET WAN interface used with the 2E-H family.

Icons
Icons used in the guide are:
Icon / Description
    NOTE Icon: Requests that you pay particular attention to a specified procedure or piece of information in the text. The NOTE message has a regular type style.
    CAUTION Icon: Suggests you review the referenced details and heed the instructions offered. The CAUTION message has a bold type style.
    COMPASS Icon: Points the user to additional information concerning the topic under discussion. The COMPASS message has a regular type style. It is used also to denote a Roadmap table.
    WARNING Icon: Demands that you observe the actions given in the text. The WARNING message has a bold italic type style.

Text
The words Cayman Gateway and Gateway refer to a standard unit from the Ne
re system settings to assign a name to your Cayman Gateway and to specify what types of messages you want the diagnostic log to record.

set system name name
Specifies the name of your Cayman Gateway. Each Cayman Gateway is assigned a name as part of its factory initialization. The default name for a Cayman Gateway consists of the word Cayman 2E and the serial number of the device, for example Cayman 2E810700. A system name can be 1-64 characters long. Once you have assigned a name to your Cayman Gateway, you can enter that name in the Address text field of your browser to open a connection to your Cayman Gateway.
Some broadband cable-oriented Service Providers use the System Name as an important identification and support parameter. If your Gateway is part of this type of network, do NOT alter the System Name unless specifically instructed by your Service Provider.

set system diagnostic-level level
Specifies the types of log messages you want the Cayman Gateway to record. All messages with a level number equal to or greater than the level you specify are recorded. For example, if you specify set system diagnostic-level 3, the diagnostic log will retain high-level informational messages (level 3), warnings (level 4), and failure messages (level 5). Use the following values for the level argument:
• 1 or low: Low-level informational messages or greater; includes trivial status messa
received by the proper IP addresses along the proper communication ports in the correct order, and that no imposter packets interrupt the packet flow. Packet filtering monitors only the ports involved, while the Cayman Gateway analyzes the continuous conversation stream, preventing session hijacking and denial of service attacks.
static route: Route entered manually in a routing table.
subnet mask: A 32-bit address mask that identifies which bits of an IP address represent network address information and which bits represent node identifier information.
synchronous communication: Method of data communication requiring the transmission of timing signals to keep PPP peers synchronized in sending and receiving blocks of data.

Terms on this page: T1 link, TA, telnet, twisted pair, UTP, VJ, WAN, WWW, xon/xoff.

T1 link: Digital transmission link capable of speeds up to 1544 kilobits per second.
TA: Terminal adaptor. Device that connects a network or terminal to an ISDN network.
telnet: IP protocol that lets a user on one host establish and use a virtual terminal connection to a remote host.
twisted pair: Cable consisting of two copper strands twisted around each other. The twisting provides protection against electromagnetic interference.
UTP: Unshielded twisted pair cable.
VJ: Van Jacobson. Abbreviation for a compression standard documented in RFC 1144.
WAN: Wide Area Network. Private network facilities, usually offered by public telephone companies but increasingly available from alternative access providers, sometim
removes all information associated with that route.

WAN Settings
Many of these setting commands are designated as BOTH. Note, however: for the 3220-H DSL platform you must identify the virtual PPP interface vccn, a number from 1 to 8. This argument does not apply to the 2E-H platform. Also note that the 3220-H refers to the specified VCC interface, while the 2E refers to the WAN Ethernet port.

set ip wan [ vccn ] option [ on | off ]
Enables or disables communications through the WAN Ethernet port or specified VCC interface in the Cayman Gateway. You must enable TCP/IP or BNCP functions for the WAN port before you can configure its network settings.

set ip wan [ vccn ] address ip_address
Assigns an IP address to the Cayman Gateway on the WAN or specified VCC interface. The IP address you assign must be unique on your network.

set ip wan [ vccn ] broadcast broadcast_address
Specifies the broadcast address for the TCP/IP network connected to the WAN Ethernet port or specified VCC interface. IP hosts use the broadcast address to send messages to every host on your network simultaneously. The broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.0 network would be 192.168.1.255.

set ip wan [ vccn ] netmask netmask
Specifies the subnet mask for the TCP/IP network connected to the WAN Ethernet port or specified VCC interface. The
ress Return. You can enter the CONFIG step mode by entering set from the top node of the CONFIG hierarchy. You can enter step mode for a particular service by entering set service_name. For example:

    Dogzilla (top)>> set system
    Stepping set mode (press Control-X <Return/Enter> to exit)
    system name [Dogzilla]: Mycroft
    Diagnostic Level [High]: medium
    Stepping mode ended.

Validating Your Configuration
You can use the validate CONFIG command to make sure that your configuration settings have been entered correctly. If you use the validate command, the Cayman Gateway verifies that all required settings for all services are present and that settings are consistent.

    Dogzilla (top)>> validate
    Error: Subnet mask is incorrect
    Global Validation did not pass inspection

You can use the validate command to verify your configuration settings at any time. Your Cayman Gateway automatically validates your configuration any time you save a modified configuration.

CONFIG Commands
This section describes the keywords and arguments for the various CONFIG commands.

ATM Settings
You can use the CLI to set up each ATM virtual circuit.

DSL set atm option [ on | off ]
Enables the WAN interface of the 3220-H to be configured using the Asynchronous Transfer Mode (ATM) protocol.

DSL set atm vccn option [ on | off ]
Selects
ries Gateways.

Section 2 Basic Product Structure
Units from the Netopia Cayman series Gateway family are supplied in many configurations. This presents end users with many alternatives for Wide Area Network (WAN) interfaces and Local Area Network (LAN) interfaces. This is the current product roster that supports COS 6.3:

Model No. / WAN Interface / Cayman LAN Wired Ethernet Hub / LAN Wired Options / LAN Wireless Option
    3220-H: Full Rate Discrete Multi-Tone (DMT) Asynchronous Digital Subscriber Line (ADSL) / Four ports 10BaseT
    3220-H-W11: ADSL / Four ports 10BaseT / 802.11b Protocol
    3220-H-WRF: ADSL / Four ports 10BaseT / HomeRF Protocol
    2E: Ethernet / One port 10BaseT
    2E-H: Ethernet / Eight ports 10BaseT
    2E-H-W11: Ethernet / Eight ports 10BaseT / 802.11b Protocol
    2E-H-WRF: Ethernet / Eight ports 10BaseT / HomeRF Protocol
    3445: ADSL / Four ports 10/100 Ethernet / HPNA / PCMCIA 802.11b Protocol
    3543: ADSL / Four ports 10/100 Ethernet
    3485: Ethernet / Four ports 10/100 Ethernet / HPNA / PCMCIA 802.11b Protocol
    3583: Ethernet / Four ports 10/100 Ethernet

What's New in Version 6.3
The new features for COS 6.3 are:
New Embedded Web Server: Not only is the look and feel different, but the database and the web server engine are new and more flexible. The design of the new web server is geared to make navigation easier, providing the most commonly used items first. Context-sensitive help is provided. M
rk interface will accept.
MTU: Maximum Transmission Unit. The maximum packet size, in bytes, that can be sent over a network interface.
OSI model: The Open System Interconnection (OSI) model divides network traffic into seven distinct levels, from the Physical (hardware) layer to the Application (software) layer. Those in between are the Presentation, Session, Transport, Network, and Data Link layers. Simple first- and second-generation firewall technologies inspect between 1 and 3 layers of the 7-layer model, while our SMLI engine inspects layers 2 through 7.
NAK: Negative acknowledgment. See ACK.
Name: The Name parameter refers to the name of the configured tunnel. This is mainly used as an identifier for the administrator. The Name parameter is ASCII and is limited to 31 characters. The tunnel name is the only IPSec parameter that does not need to match the peer gateway.
NCP: Network Control Protocol.
Negotiation Method: This parameter refers to the method used during the Phase key exchange, or IKE, process. SafeHarbour supports Main or Aggressive Mode. Main mode requires 3 two-way message exchanges, while Aggressive mode only requires 3 total message exchanges.
null modem: Cable or connection device used to connect two computing devices directly rather than over a network.
packet: Logical grouping of information that includes a header and data. Compare frame, datagram.
PAP: Password Authentication Protocol. Security protocol within the PPP protocol suite that prevents unauthorized access to network servic
(title unreadable) ... 119
Validating Your Configuration ... 120
CONFIG Commands ... 121
ATM Settings ... 121
Bridging Settings ... 122
DHCP Settings ... 123
DMT Settings ... 124
Domain Name System Settings ... 124
Ethernet MAC Address Settings ... 124
IP Settings ... 125
Basic Settings ... 125
DSL Settings ... 125
Ethernet Settings ... 126
Default IP Gateway Settings ... 128
WAN-to-WAN Routing Settings ... 129
IP over PPP Settings ... 129
Static ARP Settings ... 131
Static Route Settings ... 132
(title unreadable) ... 133
(title unreadable) ... 134
Network Address Translation (NAT) Default Settings ... 135
Network Address Translation (NAT) Pinhole Settings ... 135
PPPoE Settings ... 136
Configuring Basic PPP Settings ... 137
Configuring Port Au
s: Unit of signaling speed equal to the number of times per second a signal in a communications channel varies between states. Baud is synonymous with bits per second (bps) if each signal represents one bit.
binary: Numbering system that uses only zeros and ones.
Blowfish: A 64-bit block cipher; contains a variable-length key of maximum 448 bits.

Terms on this page: bps, BRI, bridge, broadcast, broadcast address, buffer, carrier, CAST, CCITT, CD, CHAP, client, CPE, CO, compression, crossover cable, CSU/DSU, CTS, data bits, datagram, DCE, dedicated line, DES.

bps: Bits per second. A measure of data transmission speed.
BRI: Basic Rate Interface. ISDN standard for provision of low-speed ISDN services (two B channels, 64 kbps each, and one D channel, 16 kbps) over a single wire pair.
bridge: Device that passes packets between two network segments according to the packets' destination address.
broadcast: Message sent to all nodes on a network.
broadcast address: Special IP address reserved for simultaneous broadcast to all network nodes.
buffer: Storage area used to hold data until it can be forwarded.
carrier: Signal suitable for transmission of information.
CAST: Encryption algorithm using variable key length of maximum 128 bits.
CCITT: Comité Consultatif International Télégraphique et Téléphonique, or Consultative Committee for International Telegraph and Telephone. An international organization responsible for developing telecommunication standards.
CD: Carrier Detect.
CHAP: Challeng
s to a specific host behind the Cayman Gateway transparently. To set up NAT pinholes, you identify the type(s) of traffic you want to redirect by port number, and you specify the internal host to which each specified type of traffic should be directed. The following list identifies protocol type and port number for common TCP/IP protocols:
• FTP: TCP 21
• telnet: TCP 23
• SMTP: TCP 25
• TFTP: UDP 69
• SNMP: TCP 161, UDP 161

set pinhole name name
Specifies the identifier for the entry in the router's pinhole table. You can name pinhole table entries sequentially (1, 2, 3), by port number (21, 80, 23), by protocol, or by some other naming scheme.

set pinhole protocol-select [ tcp | udp | icmp | pptp | other ]
Specifies the type of protocol being redirected.

set pinhole numerical-protocol [ 0 - 65535 ]
If you select other, specifies the number of the protocol you want to translate.

set pinhole external-port-start [ 0 - 65535 ]
Specifies the first port number in the range being translated.

set pinhole external-port-end [ 0 - 65535 ]
Specifies the last port number in the range being translated.

set pinhole internal-ip internal_ip
Specifies the IP address of the internal host to which traffic of the specified type should be transferred.

set pinhole internal-port internal_port
Specifies the port number your Cayman Gateway should use when forwarding traffic of the
s the DHCP leases stored in RAM by your Cayman Gateway. You can include the used argument to see the list of DHCP leases that are in use or that have been used since your Cayman Gateway was restarted. You can include the free argument to see the list of DHCP leases that are available for use.

show dhcp server store
Displays the DHCP leases stored in NVRAM by your Cayman Gateway.

show dsl
Displays DSL port statistics, such as upstream and downstream connection rates and noise levels.

show enet
Displays the Ethernet statistics for your Cayman Gateway.

show features
Shows all keyed features and whether or not they are enabled. If the key is not permanent, it shows the expiration date.

show hosts
Displays the IP address and computer host name in the host name table for each LAN-side computer. The host name table is built by the Gateway as its DHCP server serves IP addresses to LAN-side computers trying to access the WAN through the Gateway.

show ip arp
Displays the Ethernet address resolution table stored in your Cayman Gateway.

show ip firewall
Shows statistics for the BreakWater Firewall.

show ip igmp
Displays the contents of the IGMP Group Address table and the IGMP Report table maintained by your Cayman Gateway.

show ip interfaces
Displays the IP interfaces for your Cayman Gateway.

show ip ipsec
Shows statistics for the SafeHarbour IPS
s this command.

SHELL Commands

arp nnn.nnn.nnn.nnn
Sends an Address Resolution Protocol (ARP) request to match the nnn.nnn.nnn.nnn IP address to an Ethernet hardware address.

DSL atmping vpi vci [ segment | end-to-end ]
Lets you check the ATM connection reachability and network connectivity. This command sends five Operations, Administration, and Maintenance (OAM) loopback calls to the specified vpi/vci destination. There is a five-second total timeout interval. Use the segment argument to ping a neighbor switch. Use the end-to-end argument to ping a remote end node.

clear [ yes ]
Clears the configuration settings in a Cayman Gateway. If you do not use the optional yes qualifier, you are prompted to confirm the clear command.

configure
Puts the command line interface into Configure mode, which lets you configure your Cayman Gateway with Config commands. Config commands are described starting on page 105.

diagnose
Runs a diagnostic utility to conduct a series of internal checks and loopback tests to verify network connectivity over each interface on your Cayman Gateway. The console displays the results of each test as the diagnostic utility runs. If one test is dependent on another, the diagnostic utility indents its entry in the console window. For example, the diagnostic utility indents the "Check IP connect to Ethernet (LAN)" entry, since that test will not run if th
sec tunnels name "123" IKE mode ipsec soft seconds 82800 [ 60 - 1000000 ]
set security ipsec tunnels name "123" IKE mode ipsec hard mbytes 1200 [ 1 - 1000000 ]
set security ipsec tunnels name "123" IKE mode ipsec hard seconds 86400 [ 60 - 1000000 ]
• The soft parameters designate when the system negotiates a new key. For example, after 82800 seconds (23 hours) or 1 Gbyte has been transferred, whichever comes first, the key will be renegotiated.
• The hard parameters indicate that the renegotiation must be complete or the tunnel will be disabled. For example, 86400 seconds (24 hours) means that the renegotiation must be complete within one day.
Both ends of the tunnel set parameters, and typically they will be the same. If they are not the same, the rekey event will happen when the longest time period expires or when the largest amount of data has been sent.

SNMP Settings
The Simple Network Management Protocol (SNMP) lets a network administrator monitor problems on a network by retrieving settings on remote network devices. The network administrator typically runs an SNMP management station program on a local host to obtain information from an SNMP agent such as the Cayman Gateway.

set snmp community name
Adds the specified name to the list of communities associated with the Cayman Gateway. By default, the Cayman Gateway is associated with the public community. You can associate as many as 1
ses issued by the Cayman Gateway. Enter lease time in dd:hh:mm:ss (day:hour:minute:second) format.

set dhcp relay-agent ip-address
If you selected relay-agent, specifies the IP address in the remote DHCP server to which your Cayman Gateway relays DHCP requests.

123 Appendix A CONFIG Commands

DMT Settings  (DSL)
set dmt type [ lite | dmt | ansi | multi ]
Selects the type of Discrete Multitone (DMT) asynchronous digital subscriber line (ADSL) protocol to use for the WAN interface.

Domain Name System Settings
Domain Name System (DNS) is an information service for TCP/IP networks that uses a hierarchical naming system to identify network domains and the hosts associated with them. You can identify a primary DNS server and one secondary server.

set dns domain-name domain-name
Specifies the default domain name for your network. When an application needs to resolve a host name, it appends the default domain name to the host name and asks the DNS server if it has an address for the fully qualified host name.

set dns primary-address ip-address
Specifies the IP address of the primary DNS name server.

set dns secondary-address ip-address
Specifies the IP address of the secondary DNS name server. Enter 0.0.0.0 if your network does not have a secondary DNS name server.

Ethernet MAC Address Settings
You can use the CLI to change the Ethernet MAC address associated with the WAN port on your Cayman 2E-H
specified type. Under most circumstances you would use the same number for the external and internal port.

PPPoE Settings
You can use the following commands to configure basic settings, port authentication settings, and peer authentication settings for PPP interfaces on your Cayman Gateway.

set pppoe [ on | off ]
Enables or disables PPP over Ethernet on your 2E-H unit. You must enable PPPoE before you can enter other PPP settings.

136 Appendix A CONFIG Commands

Configuring Basic PPP Settings
Many of these setting commands are designated as BOTH. Note, however: for the 3220-H DSL platform you must identify the virtual PPP interface (vccn, a number from 1 to 8). This argument does not apply to the 2E-H platform.

set PPP module vccn option [ on | off ]
Enables or disables PPP on the Cayman Gateway.

set PPP module vccn mru integer
Specifies the Maximum Receive Unit (MRU) for the PPP interface. The integer argument can be any number between 128 and 2048.

set PPP module vccn magic-number [ on | off ]
Enables or disables LCP magic number negotiation.

set PPP module vccn protocol-compression [ on | off ]
Specifies whether you want the Cayman Gateway to compress the PPP Protocol field when it transmits datagrams over the PPP link.

set PPP module vccn lcp-echo-requests [ on | off ]
Specifies whether you want your Cayman Gateway to send LCP echo requests. You should turn off LCP echo
subnet mask specifies which bits of the 32-bit binary IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (Class C subnet mask).

133 Appendix A CONFIG Commands

set ip wan vccn restrictions [ admin-disabled | admin-only | none ]
Specifies whether an administrator can open a telnet connection to the Cayman Gateway over the WAN Ethernet interface or specified VCC interface to monitor and configure the Cayman Gateway. The admin-only argument means that router traffic is ignored but that administrative commands are accepted. The none argument means that all traffic is accepted.

Do NOT turn on admin-only access without consulting with your network administrator. If you specify admin-only access for the Cayman Gateway WAN port, you will turn off routing services through that port or interface.

set ip wan vccn addr-mapping [ off | on ]
Specifies whether network address translation (NAT) is enabled for the WAN port or specified VCC interface on the Cayman Gateway.

set ip wan vccn proxy-arp [ on | off ]
Specifies whether you want the Cayman Gateway to respond when it receives an address resolution protocol request for devices behind it. By default, proxy ARP is turned off.

IPMaps Settings
set ip-maps name <name> internal-ip <ip-address>
Specifies the name and static IP address of the LAN device to be mapped.

set ip-maps name <name> ex
tand the ramifications of your parameter choice.

set security ipsec nat-enable off [ on | off ]
This enables Network Address Translation (NAT) over the SafeHarbour tunnel.

set security ipsec option off [ on | off ]
Turns on the SafeHarbour IPsec tunnel capability.

set security ipsec tunnels name "123"
The name of the tunnel can be quoted to allow special characters and embedded spaces.

142 CONFIG Commands

set security ipsec tunnels name "123" tun-enable on [ on | off ]
This enables this particular tunnel. Currently one tunnel is supported.

set security ipsec tunnels name "123" dest-ext-address ip-address
Specifies the IP address of the destination gateway.

set security ipsec tunnels name "123" dest-int-network ip-address
Specifies the IP address of the destination computer or internal network.

set security ipsec tunnels name "123" dest-int-netmask netmask
Specifies the subnet mask of the destination computer or internal network. The subnet mask specifies which bits of the 32-bit IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (class C subnet mask).

set security ipsec tunnels name "123" encrypt-protocol ESP [ ESP | none ]
See page 73 for details about SafeHarbour IPsec tunnel capability.

set security ipsec tunnels name "123" auth-protocol ESP [ AH | ESP | none ]
See page 73 for details about SafeHarbour IPsec tunnel capability.
tbound traffic through the Gateway and allowing authorized connections for remote diagnostic support.

SilentRunning: Using this level of firewall protection allows secure transmission of outbound traffic, but disables any attempt for inbound traffic to identify the Gateway. This is the Internet equivalent of having an unlisted number.

LANdLocked: This option turns off all inbound and outbound traffic, isolating the LAN and disabling all WAN traffic.

[BreakWater option selector: ClearSailing / SilentRunning / LANdLocked. BreakWater changes are automatically saved and take effect immediately. Submit]

Step 4. Click on the radio button to select the protection level you want. Click Submit.

Changing the BreakWater setting does not require a restart to take effect. This makes it easy to change the setting on the fly as your needs change.

TIPS for making your BreakWater Basic Firewall Selection

Application | Select this Level | Other Considerations
Typical Internet usage (browsing, e-mail) | SilentRunning |
Multi-player online gaming | ClearSailing | Set Pinholes; once defined, pinholes will be active whenever ClearSailing is set. Restore SilentRunning when finished.
Going on vacation | LANdLocked | Protects your connection while you're away.
Finished online use for the day | LANdLocked | This protects you instead of disconnecting your Gateway connection.
Chatting online or using | ClearSailing | Set Pinholes; once defined pin
ternal-ip <ip-address>
Specifies the name and static IP address of the WAN device to be mapped. Up to 253 mapped static IP addresses are supported.

134 Appendix A CONFIG Commands

Network Address Translation (NAT) Default Settings
NAT default settings let you specify whether you want your Cayman Gateway to forward NAT traffic to a default server when it doesn't know what else to do with it. The NAT default host function is useful in situations where you cannot create a specific NAT pinhole for a traffic stream because you cannot anticipate what port number an application might use. For example, some network games select arbitrary port numbers when a connection is being opened. By identifying your computer or another host on your network as a NAT default server, you can specify that NAT traffic that would otherwise be discarded by the Cayman Gateway should be directed to a specific host.

set nat default option [ off | on ]
Specifies whether you want your Cayman Gateway to forward NAT traffic to a default server when it doesn't know what else to do with it.

set nat default address ip-address
Specifies the IP address of the NAT default server.

Network Address Translation (NAT) Pinhole Settings
NAT pinholes let you pass specific types of network traffic through the NAT interfaces on the Cayman Gateway. NAT pinholes allow you to route selected types of network traffic, such as FTP requests or HTTP (Web) connection
the virtual circuit for which further parameters are set. Up to eight VCCs are supported; the maximum number is dependent on your Cayman Operating System tier and the capabilities that your Service Provider offers.

set atm vccn vpi [ 0 - 255 ]  (DSL)
Select the virtual path identifier (vpi) for VCC n. Your Service Provider will indicate the required vpi number.

set atm vccn vci [ 0 - 65535 ]
Select the virtual channel identifier (vci) for VCC n. Your Service Provider will indicate the required vci number.

set atm vccn encap [ ppp-vc | ppp-llc | ether-vcmux | ether-llc | ip-vcmux | ip-llc | pppoe-vcmux | pppoe-llc ]
Select the encapsulation mode for VCC n. The options are:
  ppp-vc       PPP over ATM, VC-muxed
  ppp-llc      PPP over ATM, LLC-SNAP
  ether-vcmux  RFC 1483 bridged Ethernet, VC-muxed
  ether-llc    RFC 1483 bridged Ethernet, LLC-SNAP
  ip-vcmux     RFC 1483 routed IP, VC-muxed
  ip-llc       RFC 1483 routed IP, LLC-SNAP
  pppoe-vcmux  PPP over Ethernet, VC-muxed
  pppoe-llc    PPP over Ethernet, LLC-SNAP
Your Service Provider will indicate the required encapsulation mode.

121 Appendix A CONFIG Commands

set atm vccn pppoe-sessions [ 1 - 8 ]  (DSL)
Select the number of PPPoE sessions to be configured for VCC n. Up to eight can be configured on the first VCC, one on the other VCCs. The total must be less than or equal to eight.

set atm vccn tx-priority [ low | high ]  (DSL)
Select the transmission priority for VCC n
thentication ... 138
Configuring Peer Authentication ... 140
Command Line Interface Preference Settings ... 141
Port Renumbering Settings ... 141
... 142
Firewall Settings for BreakWater Firewall ... 142
SafeHarbour IPSec Settings ... 142
Internet Key Exchange (IKE) Settings ... 144
SNMP Settings ... 145
... 145
Traffic Shaping Settings ... 147
... 148
Appendix B
Index ... 158

Section 1 About Cayman Documentation v3 Introduction

Section 1 About Cayman Documentation
Netopia, Inc. provides a suite of technical information for its Cayman-series family of intelligent enterprise and consumer Gateways. It consists of:
- Software User Guide
- Hardware and Installation User Guide
- Dedicated Quickstart booklets
- Specific White Papers

The documents are available in electronic form as Portable Document Format (PDF) files. They are viewed (and printed) from Adobe Acrobat Reader, Exchange, or any other application that supports PDF files. They are downloadable from Cayman's website: http://www.cayman.com. I
tion.

Configuration Procedure
The Quickstart page designed for a static IP address offers the following fields for you to supply the required information:

  WAN IP Address
  WAN IP Netmask (255.255.255.0)
  Default Gateway
  Domain Name
  Primary DNS Server Address
  Secondary DNS Server Address (Optional, 0.0.0.0)
  Submit

Step 1. Enter the values provided by your Internet Service Provider in the Quickstart fields. Complete the following fields:

Field | Description
WAN IP Address | The IP address assigned to your Cayman Gateway.
WAN IP Netmask | Defines the IP subnet mask for the WAN network connected to your Gateway.
Default Gateway | IP address of the host to which the Cayman Gateway should send network traffic when it can't find the destination host.
Domain Name | The domain name supplied by your service provider.
Primary DNS Server Address | The IP address of the primary DNS name server for your network.
Secondary DNS Server Address | The IP address of the backup DNS name server for your network.

Step 2. Click the Submit button to save the modified configuration.
Step 3. The Alert button appears. Click the Alert button.

41 Section 4 Configure

Step 4. When you see the Save Changes page, click the Save and Restart link to restart your Cayman Gateway with its new configuration settings. You will be returned to the Home page. A warning is displayed on t
to the method used during the Phase key exchange, or IKE, process. SafeHarbour supports Main or Aggressive Mode. Main mode requires 3 two-way message exchanges, while Aggressive mode only requires 3 total message exchanges.

SA Encryption Type refers to the symmetric encryption type. This encryption algorithm will be used to encrypt each data packet. SA Encryption Type values supported include DES, 3DES, CAST, and Blowfish.

SA Hash Type refers to the Authentication Hash algorithm used during SA negotiation. Values supported include MD5 and SHA1. N/A will display if NONE is chosen for Auth Protocol.

Setting the Soft MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic passed. If this value is not achieved, the Hard MBytes parameter is enforced.

Setting the Soft Seconds parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft Seconds value. The value can be configured between 60 and 1,000,000 seconds.

75 Section 4 Configure

IPSec Tunnel Parameter Setup Worksheet

Parameter | Cayman | Peer Gateway
Name | |
Peer External IP Address | |
Peer Internal IP Network | |
Peer Internal IP Netmask | |
Enable | |
Encrypt Protocol (None, ESP) | |
Auth Protocol (None, ESP, AH) | |
Key Management
topia Cayman 3000 Series product families.

Section 1 Organization

The expressions "Release 6.3.0" and "R 6.3.0" refer to the most recent generally available Cayman Operating System, COS 6.3.0R0.

Organization
This guide consists of six sections, three appendixes (including a glossary), and an index. It is organized as follows:

Section 1 Introduction: Describes the Cayman document suite, the purpose of, the audience for, and the structure of this guide. It presents a table of conventions.

Section 2 About Cayman Gateways: Presents a product description and overview of the extensive features of your Cayman gateway, including a listing of new capabilities that are included with Cayman Operating System (COS) 6.3. A Roadmap of features and How-To topics is shown.

Section 3 Overview of Major Capabilities: Itemizes Local Area Network, Wide Area Network, Security, Management, and Software Feature Keys features and functionalities.

Section 4 Web-based User Interface: Organized in the same way as the web UI is organized. As you go through each section, functions and procedures are discussed in detail.

Appendix A Tour of the Command Line Interface: Describes all the current text-based commands for both the SHELL and CONFIG modes. A summary table and individual command examples for each mode are provided.

Appendix B Glossary

Index

Section 2 Basic Product Structure v3 About Cayman se
trative commands are ignored. The admin-only argument means that router traffic is ignored but that administrative commands are accepted. The none argument means that all traffic is accepted. RIP and ICMP traffic is still accepted.

set ip dsl vccn addr-mapping [ on | off ]  (DSL)
Specifies whether you want the 3220-H to use network address translation (NAT) when communicating with remote routers. Address mapping lets you conceal details of your network from remote routers. It also permits all LAN devices to share a single IP address. By default, address mapping is turned On.

set ip dsl vccn proxy-arp [ on | off ]  (DSL)
Specifies whether you want the 3220-H to respond when it receives an address resolution protocol request for devices behind it. By default, proxy ARP is turned Off.

Ethernet Settings
set ip ethernet [ A | B ] option [ on | off ]
Enables or disables communications through the designated Ethernet port in the Gateway. You must enable TCP/IP functions for an Ethernet port before you can configure its network settings.

Many of these setting commands are designated as BOTH. Note, however: for the 2E-H ENET platform you have the option of selecting the A or B ethernet port within the line command. For the 3220-H DSL platform you are specifying the A port (your local LAN) only.

set ip ethernet [ A | B ] address ip-address
Assigns an IP address to the Cayman Gateway on the local area network.
tribution of the software without specific written prior permission.

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The information in this document is proprietary to Netopia, Inc.

Trademarks
Cayman Systems is a registered trademark of Cayman Systems, a division of Netopia, Inc. SWIFT-IP, SafetyNet, Zero Configuration, SafeHarbour VPN IPsec Tunnel, and the Cayman Systems logo are trademarks of Netopia, Inc. Ethernet is a registered trademark of Xerox Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Cayman assumes no responsibility with regard to the performance or use of these products.

Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Netopia, Inc. reserves the right to make changes to the products described in this document without notice. Netopi
uting protocols. RIP-2 with MD5 authentication is an extension of RIP-2 that increases security by requiring an authentication key when routes are advertised. Depending on your network needs, you can configure your Cayman Gateway to support RIP-1, RIP-2, or both.

set ip ethernet [ A | B ] rip-receive [ off | v1 | v2 | v1-compat | v2-MD5 ]
Specifies whether the Cayman Gateway should use Routing Information Protocol (RIP) broadcasts to update its routing tables with information received from other routers on your network.

set ip ethernet B addr-mapping [ off | on ]
Specifies whether Network Address Translation (NAT) is enabled for the WAN Ethernet (B) port on the Cayman Gateway.

Default IP Gateway Settings
set ip gateway option [ on | off ]
Specifies whether the Cayman Gateway should send packets to a default Gateway if it does not know how to reach the destination host.

set ip gateway interface [ ip-address | ppp ]
Specifies how the Cayman 2E-H should route information to the default Gateway. If you select ip-address, you must enter the IP address of a host on a local or remote network. If you specify ppp, the Cayman unit uses the default gateway being used by the remote PPP peer.

128 Appendix A CONFIG Commands

set ip gateway interface [ ip-address | ppp vccn ]  (DSL)
Specifies whether the Gateway is reached using a fixed IP address or through a PPP virtual circuit.

set ip gateway default ip-address
ver the circuit.

set PPP module vccn time-out integer
If you specified a connection type of instant-on, specifies the number of seconds, in the range 30-600, the Cayman Gateway should wait for communication activity before terminating the PPP link.

Configuring Port Authentication
You can use the following commands to specify how your Cayman Gateway should respond when it receives an authentication request from a remote peer. The settings for port authentication on the local Cayman Gateway must match the authentication that is expected by the remote peer. For example, if the remote peer requires CHAP authentication and has a name and CHAP secret for the Cayman Gateway, you must enable CHAP and specify the same name and secret on the Cayman Gateway before the link can be established.

set PPP module vccn port-authentication chap option [ on | off ]
Specifies whether CHAP authentication is enabled. CHAP authentication must be enabled before you can enter other CHAP information. If CHAP is turned on, it will be the first authentication method offered to the remote peer during link negotiation.

If you turn port authentication off and peer authentication on, the PPP software still uses the port authentication chap-name and pap-name for authentication. As a result, the port authentication names for PAP and CHAP must be identical to the peer names for your Cayman Gateway on the remote peer. If you do not configure a chap-name or pap-n
[Home page status screen: Software Version, Product ID, Status, IP Address, Default Gateway, DHCP Client, NAT, IP Address, Netmask. Values shown: Cayman 2E Model 500, 2 Ethernet ports; Product ID 705219; Software Version 6.3.0921; IP Address 143.137.50.203; Default Gateway 143.137.50.254; Netmask 255.255.255.0; DHCP Lease Expires 00:00:46:14; WAN Users Unlimited; LAN 192.168.1.254, Netmask 255.255.255.0.]

If an error is displayed, try hitting your browser's Refresh button.

39 Section 4 Configure

Setup Your Gateway using a PPP Connection
[Quick Start page: ISP Username, ISP Password, Submit]

The gateway authenticates with the Service Provider equipment using the ISP Username and Password. These values are given to you by your Service Provider.

Step 1. Enter your ISP Username and ISP Password.
Step 2. Click Submit. This turns on the Alert button in the top right corner of the page.
Step 3. Click the Alert button to go to the page to save your changes.
Step 4. Click on the Save and Restart link. You will be returned to the Home page. A warning is displayed on this page while the Gateway restarts.

40 Section 4 Configure

Setup Your Gateway using a Static IP Address
If your service provider supplies you with a static IP address, your Gateway's Quickstart page will offer the fields required to enter the appropriate information for this type of configura
ws you to direct unsolicited or non-specific traffic to a designated LAN station. With NAT On in the Gateway, these packets normally would be discarded. For instance, this could be application traffic where you don't know in advance the port or protocol that will be utilized. Some game applications fit this profile.

Use the following steps to set up a NAT default server to receive this information:

1. Select the Configure toolbar button, then Advanced, then the Default Server link.
2. Check the Enable Default Server checkbox. The NAT Server IP Address field appears.
   [Default Server page: Enable Default Server (checked); NAT Server IP Address 0.0.0.0; Submit]
3. Determine the IP address of the LAN computer you have chosen to receive the unexpected or unknown traffic. Enter this address in the NAT Server IP Address field.
4. Click the Submit button.
5. Click the Alert button.
6. Click the Save and Restart link to confirm.

NAT Default Server capability is not available over SafeHarbour IPsec.

56 Section 4 Configure

Typical Network Diagram
A typical network utilizing the NAT Default Server looks like this:
[Diagram: Gateway with WAN Ethernet Interface 210.219.41.20 and LAN Ethernet Interface; LAN STN #1 at 192.168.1.3 and LAN STN #2 at 192.168.1.2 (NAT protected); Embedded NAT Pinhole Web Server 210.219.41.20]
xit from configuration mode, return to shell mode.

exit
Exit from configuration mode, return to shell mode.

105 Appendix A Starting and Ending a CLI Session

Starting and Ending a CLI Session
There are two ways to open a CLI session:
1. Open a telnet connection from a workstation on your network.
2. Connect a terminal to the Maintenance Port located on the rear panel of the Cayman Gateway.

Connecting from telnet
You initiate a telnet connection by issuing the following command from an IP host that supports telnet, for example, a personal computer running a telnet application such as NCSA Telnet:

telnet <ip-address>

You must know the IP address of the Cayman Gateway before you can make a telnet connection to it. By default, your Cayman Gateway uses 192.168.1.254 as the IP address for its LAN interface. You can use a Web browser or the maintenance console to configure the Cayman Gateway IP address.

Connecting from the Maintenance Console Port
You can connect a terminal or terminal emulator to the maintenance console port on the Cayman Gateway to configure, administer, and monitor your Cayman Gateway. The settings for your terminal emulator are:
- Speed: 9600 bps
- Parity: None
- Databits: 8
- Stopbits: 1
- Duplex: Full
- Flow Control: None

The console interface uses the same command line interface as the telnet interface.

Logging In
The command line interface log-in process emulates the log-in process
y at Cayman Gateway.

SafeHarbour VPN IPSec Tunnel Termination
Use these Best Practices in establishing your SafeHarbour tunnel:
1. Ensure that the configuration information is complete and accurate.
2. Use the Worksheet provided on page 76.

Parameter Description and Setup
The following table describes SafeHarbour's parameters that are used for an IPSec VPN tunnel configuration.

Parameter | Description
Auth Protocol | Authentication Protocol for IP packet header. The three parameter values are None, Encapsulating Security Payload (ESP), and Authentication Header (AH).
DH Group | Diffie-Hellman is a public key algorithm used between two systems to determine and deliver secret keys used for encryption. Groups 1, 2, and 5 are supported.
Enable | This toggle button is used to enable/disable the configured tunnel.
Encrypt Protocol | Encryption protocol for the tunnel session. Parameter values supported include NONE or ESP.
Hard MBytes | Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic passed.
Hard Seconds | Setting the Hard Seconds parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard Seconds value. The value can be configured between 60 and 1,000,000 seconds.
Key Management | The Key Management algorithm manages the exchange of security
y from the computer on your LAN.

Click the Install Software button on the Cayman Gateway Home page. The Install New Cayman Software window opens.

89 Section 4 Configure

Step 3. Enter the filename into the text box by using one of these techniques. (The COS file name starts with the letter c, for COS.)
  a. Click the Browse button, select the file you want, and click Open. Or
  b. Enter the name and path of the software image you want to install in the text field and click Open.
Step 4. Click the Install button. The Cayman Gateway copies the image file from your computer and installs it into its memory storage. You see a series of dots appear on your screen as the image is copied and installed. You have the following visual guide from your unit:
  - 3220-H: DSL and Status LED indicators will blink.
  - 2E-H: WAN LED indicator will blink.
  When the image has been installed, the message "successful install of file" appears at the bottom of the screen.
Step 5. When the "Please Click Restart" message appears, click the Restart button and confirm Restart. Your Cayman Gateway restarts with its new image. During this step, you receive the following visual guide from your unit:
  - 3220-H: DSL and Status LED indicators will blink for 30 seconds or more.
  - 2E-H: WAN LED indicator will blink for 30 seconds or more.

90 Section 4 Configure

Verify the COS 6.3 Image
To verify that the COS 6.3 image has loaded su
y that two hosts can communicate over a network.

Point-to-Point Protocol: Provides a method for transmitting datagrams over serial router-to-router or host-to-network connections using synchronous or asynchronous circuits.

Pre-Shared Key: The Pre-Shared Key is a parameter used for authenticating each side. The value can be ASCII or Hex and a maximum of 64 characters.

Pre-Shared Key Type: The Pre-Shared Key Type classifies the Pre-Shared Key. SafeHarbour supports ASCII or HEX types.

Protocol: Formal set of rules and conventions that specify how information can be exchanged over a network.

PSTN: Public Switched Telephone Network.

Repeater: Device that regenerates and propagates electrical signals between two network segments. Also known as a hub.

RFC: Request for Comment. Set of documents that specify the conventions and standards for TCP/IP networking.

RIP: Routing Information Protocol. Protocol responsible for distributing information about available routes and networks from one router to another.

RJ-45: Eight-pin connector used for 10BaseT twisted pair Ethernet networks.

Route: Path through a network from one node to another. A large internetwork can have several alternate routes from a source to a destination.

Routing table: Table stored in a router or other networking device that records available routes and distances for remote network destinations.

RTS: Request to Send. Circuit activated in hardware flow control when a computer or other DTE is ready to transmit data to a modem or other DCE. See CTS, xon/xoff.

S
y users which you are allowed to disconnect will be displayed below. Please note that your Gateway supports an unlimited number of Local Area Network (LAN) users.

Current WAN Users:
  Myself at 192.168.1.1
  EGrosso2 at 192.158.1.3
  [Disconnect] [Disconnect All]

The Admin and User level password accounts have different privileges regarding the Disconnect WAN Users function. They are listed below:
- Admin level privileges allow the Admin to disconnect any and all LAN users from WAN access.
- User level privileges only allow the User to disconnect itself from WAN access.

Step 2. Select the user from the scrolling list.

102 System Status

Step 3. Click the Disconnect button. If you want to disconnect all users at once, click the Disconnect All button.
Step 4. A confirmation message appears: "You have disconnected all WAN users."

Exceeding the WAN User Limit
If your system supports a restricted number of WAN users, web browser users who attempt to access the WAN in excess of the restricted number will receive an intercept message on a web page:

  Configured WAN/Internet User Limit Exceeded
  Your Gateway is currently configured as a 5 WAN/Internet User Version. Please contact your Service Provider if you require additional concurrent WAN/Internet users.
  Note: Your Gateway supports unlimited Local Area Network (LAN) use.

No message will be displayed to a us