Troubleshooting guide

Chapter 4 Troubleshooting Routers and Embedded Systems VPN-1/FireWall-1 configuration for a Nortel (Bay Networks) BayRS router
Advanced Technical Reference Guide 4.1 June 2000 32
Does SYNDefender work on a Nortel (Bay) router?
See the SecureKnowledge Solution (ID: 36.0.764381.2490623) on the Check Point Technical Services site.
To configure a Nortel router with VPN-1/FireWall-1
Do the following:
1. Perform a regular installation of the router (boot bn/asn/arn.exe ti.cfg, and then
install.bat), or use a predefined non-FireWalled configuration, if you have one. The important thing
is that the router is configured so that communication from Nortel's Site Manager to the router is enabled.
2. Through the Configuration Manager (a GUI for controlling several routers), make sure that all the
non-FireWalled details (like IP Circuits, protocols, etc.) are configured the way you would like them to be.
3. In Configuration Manager, perform the following steps:
1) Select Platform > FireWall > Create and press the OK button in the displayed pop-up window.
2) Select Platform > FireWall > Parameters, specify the host to which you would like to send logs
(the VPN-1/FireWall-1 Management station) and the local host address (the router's main address). You
may also configure secondary and tertiary backup log servers that will be used if communication
with the main one fails.
3) Select Platform > FireWall > Interfaces and press the OK button in the displayed pop-up window.
4) Select File > Save As, and save the file under any name you like (fw.cfg, for instance).
5. On the router's console, type the command:
fwputkey <password> <FireWall-1 Management IP>
On the VPN-1/FireWall-1 Management station, type the command:
fw putkey -p <password> <router IP>
Repeat these commands with the IPs of the secondary and tertiary log servers.
6. On the router's console, type the command:
boot asn.exe fw.cfg - for ASN routers, or
boot arn.exe fw.cfg - for ARN, or
boot bn.exe fw.cfg - for BLN or "larger" routers.
7. Through the VPN-1/FireWall-1 GUI, define the router as a Network Object by selecting Router from the
pull-down menu. In the General tab, select Bay Networks in the Type field, and check both the Internal
checkbox and the VPN-1/FireWall-1 Installed checkbox. Note that you cannot issue an SNMP Fetch at this
stage, since a default policy, which allows only FireWall communication between the management station
and the router, is installed on the router. You should also specify the external interface of the router
and the license mode (i.e., how many nodes the router can protect). Having defined the above, you should
be able to install policies on the router as if it were a regular inspection module (which it is).
8. Configuring anti-spoofing is a little trickier. To do that, perform the following steps:
1) Install a policy on the router that enables SNMP from the FireWall Management station to the router.
2) Perform an SNMP Fetch for the router.
3) Manually change the fetched interface names (E121, E22, etc.) to lin if the router image version is
13.10 or earlier, or to pol for versions 13.20 and above.
4) Define anti-spoofing as usual.
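Step 8.3 is where an operator most easily gets anti-spoofing wrong: the image version has to be compared numerically (13.9 is older than 13.10), and the guide says nothing about images between 13.10 and 13.20. The following is an added helper (example code, not from the guide or from Check Point) that applies the documented thresholds to a list of SNMP-fetched interface names; the sample names and the function names are constructed for illustration.

```python
# Added example: decide which FireWall-1 interface-name convention a BayRS
# router needs (lin vs pol) from its image version, and build the rename plan
# for the names returned by SNMP Fetch. Thresholds are the ones the guide
# states; anything the guide does not cover is rejected rather than guessed.
from typing import Dict, List, Tuple


def parse_image_version(version: str) -> Tuple[int, int]:
    """Turn a BayRS image version such as "13.10" into a comparable (major, minor) pair.

    Integer comparison avoids the string-ordering mistake where "13.9" > "13.10".
    BayRS versions use a two-digit minor (13.10, 13.20, 14.00); pass them as printed.
    """
    major, minor = version.strip().split(".", 1)
    return int(major), int(minor)


def bay_interface_name(version: str) -> str:
    """Return "lin" for images up to and including 13.10, "pol" for 13.20 and above.

    Images that fall between the two documented thresholds raise ValueError so the
    operator checks the release notes instead of installing anti-spoofing against
    interface names the router will not recognise.
    """
    v = parse_image_version(version)
    if v <= (13, 10):
        return "lin"
    if v >= (13, 20):
        return "pol"
    raise ValueError(f"image version {version} is not covered by the documented thresholds")


def rename_fetched_interfaces(fetched: List[str], version: str) -> Dict[str, str]:
    """Map every fetched interface name (E121, E22, ...) to the convention for this image."""
    name = bay_interface_name(version)
    return {old: name for old in fetched}


if __name__ == "__main__":
    fetched = ["E121", "E22"]  # constructed sample of names returned by SNMP Fetch
    print(rename_fetched_interfaces(fetched, "13.10"))  # both become lin
    print(rename_fetched_interfaces(fetched, "14.00"))  # both become pol
```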
Controlling the FireWall
Bay routers run only the VPN-1/FireWall-1 Inspection Module. You must have a Management Station to control it.