Software User Guide
Cayman Operating System Version 6.3
Cayman 3000 series
by Netopia
January 2002
Disclaimers
Copyright © 2002 Netopia, Inc. All rights reserved. Printed in the USA. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for the applications of any products specified in this document.
Section 1: Introduction
About Cayman Documentation
Netopia, Inc. provides a suite of technical information for its Cayman-series family of intelligent enterprise and consumer Gateways. It consists of:
• Software User Guide
• Hardware and Installation User Guide
• Dedicated Quickstart booklets
• Specific White Papers
The documents are available in electronic form as Portable Document Format (PDF) files.
Documentation Conventions
General
This manual uses the following conventions to present information (Convention/Typeface: Description):
• bold italic monospaced: Menu commands and button names
• bold italic sans serif: Web GUI page links
• terminal: Computer display text
• bold terminal: User-entered text
• Italic: Italic type indicates the complete titles of manuals.
• BOTH: Pointing to a CLI command, refers to both DSL and Ethernet WAN interfaces for Cayman Gateways.
• DSL: Pointing to a CLI command, refers only to the DSL WAN interface (used with the 3220H family).
• ENET: Pointing to a CLI command, refers only to the ENET WAN interface (used with the 2E-H family).
Icons
Icons used in the guide are (Icon: Description):
• NOTE Icon: Requests that you pay particular attention to a specified procedure or piece of information in the text.
The expressions “Release 6.3.0” and “R 6.3.0” refer to the most recent generally available Cayman Operating System: COS 6.3.0R0.
Organization
This guide consists of six sections, three appendixes including a glossary, and an index. It is organized as follows:
• Section 1, “Introduction” — Describes the Cayman document suite, the purpose of, the audience for, and the structure of this guide. It presents a table of conventions.
Section 2: Basic Product Structure
About Cayman-series Gateways
Units from the Netopia Cayman-series Gateway family are supplied in many configurations. This presents end-users with many alternatives for Wide Area Network (WAN) interfaces and Local Area Network (LAN) interfaces. This is the current product roster that supports COS 6.3: Cayman Model No.
What’s New in Version 6.3
The new features for COS 6.3 are:
New Embedded Web Server
Not only is the look and feel different, but the database and the web server engine are new and more flexible. The design of the new web server is geared to make navigation easier, providing the most commonly used items first. Context-sensitive help is provided.
Capabilities Roadmap for COS 6.3
Cayman Gateways support a wide array of features and functionality. This roadmap points you to overview discussions and How To procedures.
Capabilities Roadmap: Cayman Gateways with COS 6.3
Feature New for COS 6.
Section 3: General Overview of Major Capabilities
This section describes the principal features of Cayman Operating System version 6.3. The information is grouped by usage area.
General
Feature Keys
Certain functionality in this release is controlled through software feature keys. These keys are proprietary files with the following properties:
• They are specific to the serial number of the target unit.
Management
Embedded Web Server
There is no specialized client software required to configure, manage, or maintain your Cayman Gateway.
Local Area Network
DHCP (Dynamic Host Configuration Protocol) Server
DHCP Server functionality enables the Gateway to assign your LAN computer(s) a “private” IP address and other parameters that allow network communication. The default DHCP Server configuration of the Gateway supports up to 253 LAN IP addresses. This feature simplifies network administration because the Gateway maintains a list of IP address assignments.
Wide Area Network
DHCP (Dynamic Host Configuration Protocol) Client
DHCP Client functionality enables the Gateway to request an IP address from your Service Provider. DHCP servers on your Service Provider’s network reply to DHCP Client requests and assign the network parameters.
• Your network may change address with each connection, making it more difficult to attack.
When you configure Instant On access, you can also configure an idle time-out value. Your Gateway monitors traffic over the Internet link and, when there has been no traffic for the configured number of seconds, it disconnects the link. When new traffic that is destined for the Internet arrives at the Gateway, the Gateway will instantly re-establish the link.
Security
Password Protection
Access to your Cayman device is controlled through two access control accounts, Admin or User.
• The Admin, or administrative user, performs all configuration, management or maintenance operations on the Gateway.
• The User account provides monitor capability only. A user may NOT change the configuration, perform upgrades or invoke maintenance functions.
For the security of your connection, an Admin password must be set on the Cayman unit.
[Diagram: Dual Ethernet Gateway. WAN side: Internet, Cable Modem, Ethernet Interface, NAT. LAN side: Ethernet Interface, NAT-protected LAN stations. Embedded Admin Services: HTTP Web Server and Telnet Server Port.]
A similar configuration applies to a DSL WAN interface (3220 family).
1. The default setting for NAT is ON.
2. Cayman uses Port Address Translation (PAT) to implement the NAT facility.
3. NAT Pinhole traffic (discussed below) is always initiated from the WAN side.
Pinholes
This feature allows you to:
• Transparently route selected types of network traffic using the port forwarding facility.
  – FTP requests or HTTP (Web) connections are directed to a specific host on your LAN.
  – Identify the type(s) of traffic you want to redirect by port number.
• Set up multiple pinhole paths.
  – Up to 32 paths are supported.
Combination NAT Bypass Configuration
Specific pinholes and Default Server settings, each directed to different LAN devices, can be used together. Creating a pinhole or enabling a Default Server allows inbound access to the specified LAN station. Contact your Network Administrator for LAN security questions.
Security Monitor
The Security Monitor detects security-related events, including common types of malicious attacks, and writes them to a dedicated security log file.
Event Details
Details on the eight specific event types and the information logged are:
IP Source Address Spoofing
The Gateway checks all incoming packets to see if the IP address attached is valid for the interface the packet is received through. If the address of the packet is not valid for the interface, the packet is discarded.
Fragmentation information can also be exploited to create an illegally sized packet. Unwary hosts will often crash when the illegal fragment corrupts data outside of the “normal” packet bounds. The Cayman unit will detect and discard illegal packet fragments, and the Security Monitoring software logs the event.
Login Failures
The Cayman software provides the means for assigning passwords to the Admin or User accounts to control access to the Gateway. Any login attempt is given three chances to enter a valid password. The Security Monitoring software records instances where the user fails to enter a valid password.
BreakWater Basic Firewall
BreakWater delivers an easily selectable set of pre-configured firewall protection levels. These settings are readily available for simple implementation through Cayman’s embedded web server interface. BreakWater provides you and your network with:
• Protection for all LAN users.
• Elimination of firewall management software on individual PCs.
• Immediate protection through three pre-configured firewall levels.
VPN IPSec Pass Through
This Cayman service supports your independent VPN client software in a transparent manner. Cayman has implemented an Application Layer Gateway (ALG) to support multiple PCs running IP Security protocols. This feature has three elements:
1. On power up or reset, the address mapping function (NAT) of the Gateway’s WAN configuration is turned on by default.
2.
SafeHarbour VPN IPSec Tunnel
SafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN-connected users. This implementation offers the following:
• Eliminates the need for VPN client software on individual PCs.
• Reduces the complexity of tunnel configuration.
• Simplifies the ongoing maintenance for secure remote access.
Section 4: Access the User Interface
Web-based User Interface
Using the embedded Web-based user interface for the Netopia Cayman-series Gateway you can configure, troubleshoot, and monitor the status of your Gateway. For COS Version 6.3 the Web-based UI has been modified:
• To accommodate multiple new features of COS 6.3.
• To make using the entire facility easier.
Home page
The Home page is the “dashboard” for your Cayman Gateway. The toolbar at the top provides links to controlling, configuring, and monitoring pages. Critical configuration and operational status is displayed in the center section. If you log on as Admin you see this page. This example screen is from the Dual Ethernet Gateway. The Home page differs slightly between DSL and Dual Ethernet Gateways.
[Screen: Home page - User Mode, DSL Gateway]
Home page - Information
The Home page’s center section contains a summary of the Gateway’s configuration settings and operational status.
Summary Information (Field: Status and/or Description)
General Information
• Hardware: Model number and summary specification
• Serial Number: Unique serial number, located on label attached to bottom of unit
• Software Version: Release and build number of running Cayman Operating System.
Toolbar
The toolbar is the dark blue bar at the top of the page containing the major navigation buttons. These buttons are available from almost every page, allowing you to move freely about the site. The example toolbar shown below is displayed when you log on as Admin. If you log on as User, some buttons will not be shown.
Restart
Restart Button
The Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to confirm the restart before any action is taken. The Restart Confirmation message explains the consequences of and reasons for restarting the Gateway.
Alert Symbol
The Alert symbol appears in the upper right corner under one of two circumstances:
1. A database change; one in which a change is made to the Gateway’s configuration. The Alert serves as a reminder that you must Save the changes and Restart the Gateway before the change will take effect.
Help
Help Button
Context-sensitive Help is provided in Release 6.3. The page shown above is displayed when you are on the Home page or other transitional pages. To see a context help page example, go to Security -> Passwords, then click Help.
Configure
Configure Button
The Configuration options are presented in the order of likelihood you will need to use them. Quickstart is typically accessed during the hardware installation and initial configuration phase. Often, these settings should be changed only in accordance with information from your Service Provider. LAN and WAN settings are available to fine-tune your system.
Configure -> Quickstart
Setup Your Gateway using a DHCP Connection
This example screen is for a DHCP Quickstart configuration. Your Service Provider will instruct you as to whether or not the Other Quickstart Options need to be configured. If they are not needed, you should be ready to access the Internet. If required, click the Advanced link to access the Other Quickstart Options page.
Some broadband cable-oriented Service Providers use the System Name as an important identification and support parameter. If your Gateway is part of this type of network, do NOT alter the System Name unless specifically instructed by your Service Provider. If you need to change either of these fields, use the following procedure.
Change Procedure
Step 1 Enter your selected System Name. You can use the default System Name or select your own.
You will be returned to the Home page. A warning is displayed on this page while the Gateway restarts.
Setup Your Gateway using a PPP Connection
This example screen is for a PPP Quickstart configuration. Your Gateway authenticates with the Service Provider equipment using the ISP Username and Password. These values are given to you by your Service Provider.
Step 1 Enter your ISP Username and ISP Password.
Step 2 Click Submit. This turns on the Alert (“!”) button in the top right corner of the page.
Setup Your Gateway using a Static IP Address
If your service provider supplies you with a static IP address, your Gateway’s Quickstart page will offer the fields required to enter the appropriate information for this type of configuration.
Configuration Procedure
The Quickstart page designed for a static IP address offers the following fields for you to supply the required information:
Step 1 Enter the values provided by your Internet Service Provider in the Quickstart fields.
Step 4 When you see the Save Changes page, click the Save and Restart link to restart your Cayman Gateway with its new configuration settings. You will be returned to the Home page. A warning is displayed on this page while the Gateway restarts.
Step 5 After your Cayman Gateway restarts, use your browser to verify that you can access the Internet.
Configure -> LAN
• Interface Enable: Enables all LAN-connected computers to share resources and to connect to the WAN. The Interface should always be enabled unless you are instructed to disable it by your Service Provider during troubleshooting.
• IP Address: The LAN IP Address of the Gateway. The IP Address you assign to your LAN interface must not be used by another device on your LAN network.
Configure -> WAN
WAN IP Interfaces: Your IP interfaces are listed. Click on an interface to configure it.
IP Gateway
Enable Gateway: You can configure the Gateway to send packets to a default gateway if it does not know how to reach the destination host.
Interface Type: If you have PPPoE enabled, you can specify that packets destined for unknown hosts will be sent to the gateway being used by the remote PPP peer.
Configure -> Advanced
The following are links under Configure -> Advanced. Selected Advanced options are discussed in the pages that follow. Many are self-explanatory or are dictated by your service provider.
IP Static Routes
A static route identifies a manually configured pathway to a remote network. Unlike dynamic routes, which are acquired and confirmed periodically from other routers, static routes do not time out.
IP Static ARP
Your Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet (MAC) addresses. It populates this ARP table dynamically, by retrieving IP address/MAC address pairs only when it needs them. Optionally, you can define static ARP entries to map IP addresses to their corresponding Ethernet MAC addresses. Unlike dynamic ARP table entries, static ARP table entries do not time out.
Configure Specific Pinholes
Planning for Your Pinholes
Determine if any of the service applications that you want to provide on your LAN stations utilize TCP or UDP protocols. If an application does, then you must configure an Internal Server to implement port forwarding. This is accessed from the Advanced -> Internal Servers page.
TIPS for making Pinhole Entries
1. If the port forwarding feature is required for Web services, ensure that the embedded Web server’s port number is re-assigned PRIOR to any Pinhole data entry.
2. Enter data for one Pinhole at a time.
3. Use a unique name for each Pinhole. If you choose a duplicate name, it will overwrite the previous information without warning.
A diagram of this LAN example is:
[Diagram: Internet to the Gateway’s WAN Ethernet Interface (210.219.41.); Gateway LAN address 192.168.1.1; LAN host my-webserver.]
Pinhole Configuration Procedure
Use the following steps:
Step 1 From the Configure toolbar button -> Advanced link, select the Internal Servers link. Since Port Forwarding is required for this example, the Cayman embedded Web server is configured first. The two text boxes, Web (HTTP) Server Port and Telnet Server Port, on this page refer to the port numbers of the Cayman Gateway’s embedded administration ports.
Step 6 Click Add. Type your specific data into the Pinhole Entries table of this page. Click Submit.
Step 7 Click on the Pinholes link in the Breadcrumb Trail to go to the Pinholes entry page. Click Add. Add the next Pinhole. Type the specific data for the second Pinhole.
Step 8 Click on the Pinholes link in the Breadcrumb Trail to go to the Pinholes entry page. Click Add. Add the next Pinhole. Type the specific data for the third Pinhole.
Note the following parameters for the “my-games” Pinhole:
1. The Protocol ID is UDP.
2. The external port is specified as a range.
3. The Internal port is specified as the lower range entry.
Step 9 Click on the Pinholes link in the Breadcrumb Trail to go to the Pinholes entry page. Review your entries to be sure they are correct.
Step 10 Click the Alert button.
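The pinhole rules above (32 paths, TCP/UDP only, a port range mapped onto an internal port that is the lower range entry, unique names, and re-assigning the embedded Web and Telnet ports before any pinhole covers them) modelled as a small validating table. This is an added example, not Netopia code; the "my-ftp" entry, the host addresses and the reassigned admin ports are constructed values.

```python
"""Model of the Cayman NAT pinhole table as the guide describes it (added
example, not Netopia code).  Assumed semantics: when the external port is a
range, the internal port is the lower entry and the rest of the range maps
through with the same offset.  Hosts and admin ports below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_PINHOLES = 32          # "Up to 32 paths are supported"


@dataclass(frozen=True)
class Pinhole:
    name: str
    protocol: str          # "TCP" or "UDP"
    ext_lo: int            # external port, or lower end of the range
    ext_hi: int            # equal to ext_lo for a single port
    internal_host: str
    internal_port: int     # for a range: the lower entry of the range


class PinholeTable:
    def __init__(self, web_admin_port: int = 80, telnet_admin_port: int = 23):
        # Embedded admin services (defaults 80 and 23 from the guide).  They
        # must be reassigned BEFORE a pinhole covers them, otherwise the
        # pinhole and the Gateway's own admin interface collide on the port.
        self.admin_ports = {"TCP": {web_admin_port, telnet_admin_port}}
        self.entries: Dict[str, Pinhole] = {}

    def add(self, ph: Pinhole) -> None:
        if ph.protocol not in ("TCP", "UDP"):
            raise ValueError("pinholes apply to TCP or UDP only")
        if not 1 <= ph.ext_lo <= ph.ext_hi <= 65535:
            raise ValueError("bad external port range")
        if len(self.entries) >= MAX_PINHOLES:
            raise ValueError("pinhole table full (32 paths)")
        # Tip 3: on the Gateway a duplicate name silently overwrites the old
        # entry; refuse it here so the operator notices the collision.
        if ph.name in self.entries:
            raise ValueError(f"duplicate pinhole name {ph.name!r}")
        # Tip 1 / Internal Servers: embedded web and telnet ports move first.
        clash = [p for p in self.admin_ports.get(ph.protocol, ())
                 if ph.ext_lo <= p <= ph.ext_hi]
        if clash:
            raise ValueError(f"ports {clash} still belong to the embedded admin "
                             "servers; reassign them under Internal Servers first")
        # Overlapping external ranges for one protocol would be ambiguous.
        for other in self.entries.values():
            if (other.protocol == ph.protocol
                    and ph.ext_lo <= other.ext_hi and other.ext_lo <= ph.ext_hi):
                raise ValueError(f"external ports overlap pinhole {other.name!r}")
        self.entries[ph.name] = ph

    def translate(self, protocol: str, ext_port: int) -> Optional[Tuple[str, int]]:
        """Map an inbound WAN connection to (LAN host, LAN port); None means no
        pinhole matches and NAT drops it (or hands it to a Default Server)."""
        for ph in self.entries.values():
            if ph.protocol == protocol and ph.ext_lo <= ext_port <= ph.ext_hi:
                return ph.internal_host, ph.internal_port + (ext_port - ph.ext_lo)
        return None


def add_rejected(table: PinholeTable, ph: Pinhole) -> bool:
    """True if the table refuses the entry (used to show the safety checks)."""
    try:
        table.add(ph)
    except ValueError:
        return True
    return False


def demo_table() -> PinholeTable:
    """The guide's three-pinhole walk-through with constructed values: admin
    ports reassigned first, then my-webserver, my-ftp and my-games."""
    t = PinholeTable(web_admin_port=8100, telnet_admin_port=2300)
    t.add(Pinhole("my-webserver", "TCP", 80, 80, "192.168.1.2", 80))
    t.add(Pinhole("my-ftp", "TCP", 21, 21, "192.168.1.2", 21))
    # "my-games": UDP, external port range, internal port = lower range entry
    t.add(Pinhole("my-games", "UDP", 28000, 28010, "192.168.1.3", 28000))
    return t
```

With the default admin ports left at 80 and 23, `add_rejected` returns True for a TCP port 80 pinhole, which is exactly the situation Tip 1 warns about.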
IPMaps
IPMaps supports one-to-one Network Address Translation (NAT) for IP addresses assigned to servers, hosts, or specific computers on the LAN side of the Cayman Gateway. A single static or dynamic (DHCP) WAN IP address must be assigned to support other devices on the LAN. These devices utilize Cayman’s default NAT/PAT capabilities.
What types of servers are supported by IPMaps?
IPMaps allows a Cayman Gateway to support servers behind the Gateway, for example, web, mail, FTP, or DNS servers. VPN servers are not supported at this time.
Can I use IPMaps with my PPPoE or PPPoA connection?
Yes. IPMaps can be assigned to the WAN interface provided they are on the same subnet. Service providers will need to ensure proper routing to all IP addresses assigned to your WAN interface.
IPMaps Block Diagram
The following diagram shows the IPMaps principle in conjunction with existing Cayman NAT operations:
[Diagram: Cayman Gateway with WAN Interface and LAN Interface (192.168.1.1). Static IP addresses for IPMaps applications (143.137.50.37, 143.137.50.36, 143.137.50.35, ...) are mapped through the NAT/PAT table to individual LAN stations (192.168.1.2, 192.168.1.3, ...); a static or DHCP/PPP-served WAN IP address serves Cayman’s default NAT/PAT capabilities for the remaining LAN stations.]
Protocol Lifetimes
Each NAT Protocol map entry will time out if there is no traffic of that protocol for the specified number of minutes. For example, UDP entries time out if there is no UDP traffic after 6 (default) minutes.
Default Server
This feature allows you to:
• Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN.
Configure a Default Server
This feature allows you to direct unsolicited or non-specific traffic to a designated LAN station. With NAT “On” in the Gateway, these packets normally would be discarded. For instance, this could be application traffic where you don’t know (in advance) the port or protocol that will be utilized. Some game applications fit this profile.
Typical Network Diagram
A typical network utilizing the NAT Default Server looks like this:
[Diagram: Internet to the Gateway’s WAN Ethernet Interface (210.219.41.20, NAT). The LAN Ethernet Interface serves the NAT-protected stations LAN STN #2 (192.168.1.2) and LAN STN #3 (192.168.1.3). The Embedded Web Server is reached at 210.219.41.20 (Port 80 default); a NAT Pinhole and the NAT Default Server (192.168.1.) direct inbound traffic to LAN stations.]
DNS
Your Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your Gateway is configured to use DHCP to obtain its WAN IP address, the DNS information is automatically obtained from that same DHCP Server.
DHCP Server
Your Gateway can provide network configuration information to computers on your LAN, using the Dynamic Host Configuration Protocol (DHCP). If you already have a DHCP server on your LAN, you should turn this service off. If you want the Gateway to provide this service, click the Server Mode pulldown menu, then configure the range of IP addresses that you would like the Gateway to hand out to your computers.
SNMP
The Simple Network Management Protocol (SNMP) lets a network administrator monitor problems on a network by retrieving settings on remote network devices. The network administrator typically runs an SNMP management station program on a local host to obtain information from an SNMP agent. In this case, the Cayman Gateway is an SNMP agent. You enter SNMP configuration information on this page. Your network administrator furnishes the SNMP parameters.
Ethernet Bridge
Bridges let you join two local area networks, so that they appear to be part of the same physical network. As a bridge for protocols other than TCP/IP, your Gateway keeps track of as many as 255 MAC (Media Access Control) addresses, each of which uniquely identifies an individual host on a network. Your Gateway uses this bridging table to identify which hosts are accessible through which of its network interfaces.
System
The System Name defaults to your Gateway's factory identifier combined with its serial number. Some cable-oriented Service Providers use the System Name as an important identification and support parameter. If your Gateway is part of this type of network, do NOT alter the System Name unless specifically instructed by your Service Provider. The System Name can be 1-63 characters long; it can include embedded spaces and special characters.
Internal Servers
Your Gateway ships with an embedded Web server and support for a Telnet session, to allow ease of use for configuration and maintenance. The default ports of 80 for HTTP and 23 for Telnet may be reassigned. This is necessary if a pinhole is created to support applications using port 80 or 23. See “Pinholes” on page 46 for more information on Pinhole configuration.
Ethernet MAC Address Override
You can override your Gateway’s Ethernet MAC address with any necessary setting. Some ISPs require your account to be identified by the MAC address, among other things. For information on setting this parameter, see “How to Use the Quickstart Page” on page 36.
Clear Options
To restore the factory configuration of the Gateway, choose Clear Options. You may want to upload your configuration to a file before performing this function. Clear Options does not clear feature keys or affect the software image or BootPROM. You must restart the Gateway for Clear Options to take effect.
Security Button
The Security features are available by clicking on the Security toolbar button. Some items of this category do not appear when you log on as User.
Passwords
Access to your Gateway is controlled through two user accounts, Admin and User. When you first power up your Gateway, you create a password for the Admin account. The User account does not exist by default.
Create and Change Passwords
You can establish different levels of access security to protect your Cayman Gateway settings from unauthorized display or modification.
• Admin level privileges let you display and modify all settings in the Cayman Gateway (Read/Write mode). The Admin level password is created when you first access your Gateway.
• User level privileges let you display (but not change) settings of the Cayman Gateway.
• It can have up to eight alphanumeric characters.
• It is case-sensitive.
Step 4 Enter your new password again in the Confirm Password field. You confirm the new password to verify that you entered it correctly the first time.
Step 5 When you are finished, click the Submit button to store your modified configuration in the Cayman unit’s memory. Password changes are automatically saved, and take effect immediately.
Firewall
Use a Cayman Firewall
BreakWater Basic Firewall
BreakWater delivers an easily selectable set of pre-configured firewall protection levels. For simple implementation these settings (comprising three levels) are readily available through Cayman’s embedded web server interface. BreakWater Basic Firewall’s three settings are:
ClearSailing: ClearSailing, BreakWater's default setting, supports both inbound and outbound traffic.
Step 4 Click on the radio button to select the protection level you want. Click Submit.
Changing the BreakWater setting does not require a restart to take effect. This makes it easy to change the setting “on the fly,” as your needs change.
Basic Firewall Background
As a device on the Internet, a Cayman Gateway requires an IP address in order to send or receive traffic. The IP traffic sent or received has an associated application port which is dependent on the nature of the connection request.
This table shows how outbound traffic is treated. Outbound means the traffic is coming from the LAN-side computers into the LAN side of the Gateway.
IPSec
Your Gateway supports two mechanisms for IPSec tunnels:
1. IPSec PassThrough supports Virtual Private Network (VPN) clients running on LAN-connected computers. Normally, this feature is enabled. However, you can disable it if your LAN-side VPN client includes its own NAT interoperability option.
2. SafeHarbour VPN IPSec is a keyed feature that enables Gateway-terminated VPN support.
A typical SafeHarbour configuration is shown below:
Use these Best Practices in establishing your SafeHarbour tunnel.
1. Ensure that the configuration information is complete and accurate.
2. Use the Worksheet provided on page 76.
Parameter Description and Setup
The following table describes SafeHarbour’s parameters that are used for an IPSec VPN tunnel configuration:
Auth Protocol: Authentication Protocol for IP packet header.
Peer Internal IP Netmask: The Peer Internal IP Netmask is the subnet mask of the Peer Internal IP Network.
PFS DH Group: Perfect Forward Secrecy (PFS) is used during SA renegotiation. When PFS is selected, a Diffie-Hellman key exchange is required. SafeHarbour supports PFS DH Groups 1, 2 and 5.
Pre-Shared Key: The Pre-Shared Key is a parameter used for authenticating each side. The value can be ASCII or Hex and a maximum of 64 characters. ASCII is case-sensitive.
IPSec Tunnel Parameter Setup Worksheet
Columns: Parameter, Cayman, Peer. Options for each parameter are listed after the colon.
• Name
• Peer External IP Address
• Peer Internal IP Network
• Peer Internal IP Netmask
• Enable
• Encrypt Protocol: None, ESP
• Auth Protocol: None, ESP, AH
• Key Management: IKE
• Pre-Shared Key Type: HEX, ASCII
• Pre-Shared Key
• Negotiation Method: Main, Aggressive
• DH Group: 1, 2, 5
• SA Encrypt Type: DES, 3DES, CAST, Blowfish
• SA Hash Type: N/A, MD5, SHA1
• PFS DH Group: Off, 1, 2, 5
• Soft MBytes: 1 - 1000000
• Soft Seconds: 60 - 1000000
• Hard
SafeHarbour Tunnel Setup
Use the following tasks to configure an IPSec VPN tunnel on your Cayman Gateway.
Task 1: Ensure that you have SafeHarbour VPN enabled. SafeHarbour is a keyed feature. See page 93 for information concerning installing Cayman Software Feature Keys.
Task 2: Complete the Parameter Setup Worksheet. IPSec tunnel configuration requires precise parameter settings between VPN devices. The Setup Worksheet facilitates setup and assures that the associated variables are identical.
Leave the Enable NAT over Tunnel choice as Off unless your network administrator instructs otherwise.
Task 4: Make the IPSec Tunnel Entries. Enter the initial group of tunnel parameters. Refer to your Setup Worksheet and the Glossary of VPN Terms as required. Perform the following steps:
Step 1 Enter the tunnel Name. This is the only parameter that does not have to be identical to the peer/remote VPN device.
Step 2 Enter the Peer External IP Address.
Section 4 Configure Step 6 Ensure that the toggle checkbox Enable, which is On by default, remains On. Step 7 Click Add. The Tunnel Details page appears. Task 5: Make the Tunnel Details entries Use the following steps: Step 1 Enter or select the required settings. Step 2 Click Update. The Alert button appears. Step 3 Click the Alert button. Step 4 Click Save and Restart. Your SafeHarbour IPSec VPN tunnel is fully configured. Tunnel sessions can only be initiated from the LAN client side.
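The worksheet exists so that the two VPN devices end up with identical negotiated parameters. The following Python script is an added example, not Netopia code, that models the worksheet on page 76 as one dictionary per side and checks it before anything is typed into the Gateway: every value must be one of the choices the worksheet lists, the Pre-Shared Key must fit the length and type rules given above, and the negotiated parameters must match on both sides. The sample worksheet values (names, addresses, key) are constructed for the example. Only the tunnel Name is allowed to differ (Task 4, Step 1); the Peer address fields describe the other side and so are entered from each Gateway's own viewpoint, which is why they are not compared here.

```python
"""Check a SafeHarbour IPSec tunnel worksheet before entering it on the Gateway.

Added example (not Netopia code). Allowed choices and ranges are taken from the
worksheet on page 76; the sample values below are constructed.
"""

# Allowed choices, as listed on the worksheet.
CHOICES = {
    "Encrypt Protocol": {"None", "ESP"},
    "Auth Protocol": {"None", "ESP", "AH"},
    "Key Management": {"IKE"},
    "Pre-Shared Key Type": {"HEX", "ASCII"},
    "Negotiation Method": {"Main", "Aggressive"},
    "DH Group": {"1", "2", "5"},
    "SA Encrypt Type": {"DES", "3DES", "CAST", "Blowfish"},
    "SA Hash Type": {"N/A", "MD5", "SHA1"},
    "PFS DH Group": {"Off", "1", "2", "5"},
}
RANGES = {"Soft MBytes": (1, 1000000), "Soft Seconds": (60, 1000000)}
HEX_DIGITS = set("0123456789abcdefABCDEF")
# Parameters that IKE negotiates and that therefore must match on both sides.
NEGOTIATED = list(CHOICES) + list(RANGES) + ["Pre-Shared Key"]


def check_side(p):
    """Return a list of problems with one side's worksheet column."""
    problems = []
    for name, allowed in CHOICES.items():
        if p.get(name) not in allowed:
            problems.append(f"{name}: {p.get(name)!r} not in {sorted(allowed)}")
    for name, (lo, hi) in RANGES.items():
        try:
            v = int(p[name])
        except (KeyError, ValueError):
            problems.append(f"{name}: missing or not an integer")
            continue
        if not lo <= v <= hi:
            problems.append(f"{name}: {v} outside {lo}-{hi}")
    key = p.get("Pre-Shared Key", "")
    if not 1 <= len(key) <= 64:            # maximum of 64 characters
        problems.append("Pre-Shared Key: must be 1-64 characters")
    if p.get("Pre-Shared Key Type") == "HEX" and not set(key) <= HEX_DIGITS:
        problems.append("Pre-Shared Key: HEX type but key has non-hex characters")
    return problems


def check_worksheet(cayman, peer):
    """Problems across both columns, plus any mismatch in a negotiated value."""
    problems = ["Cayman " + m for m in check_side(cayman)]
    problems += ["Peer " + m for m in check_side(peer)]
    for name in NEGOTIATED:
        # Exact string comparison: an ASCII key is case-sensitive.
        if cayman.get(name) != peer.get(name):
            problems.append(f"{name}: Cayman {cayman.get(name)!r} != Peer {peer.get(name)!r}")
    return problems


# Constructed sample worksheet (not from the manual).
CAYMAN = {
    "Name": "office-to-hq",
    "Peer External IP Address": "203.0.113.10",
    "Peer Internal IP Network": "10.10.0.0",
    "Peer Internal IP Netmask": "255.255.0.0",
    "Encrypt Protocol": "ESP", "Auth Protocol": "ESP", "Key Management": "IKE",
    "Pre-Shared Key Type": "ASCII", "Pre-Shared Key": "Example-PSK-Only",
    "Negotiation Method": "Main", "DH Group": "2",
    "SA Encrypt Type": "3DES", "SA Hash Type": "SHA1", "PFS DH Group": "2",
    "Soft MBytes": "1000", "Soft Seconds": "3600",
}
# Peer side: same negotiated values, different Name (allowed).
PEER_OK = dict(CAYMAN, Name="hq-to-office")
# Peer side with the key retyped in lower case: ASCII keys are case-sensitive.
PEER_BAD = dict(PEER_OK, **{"Pre-Shared Key": "example-psk-only"})

if __name__ == "__main__":
    for label, peer in (("matching", PEER_OK), ("lowercase key", PEER_BAD)):
        print(label, check_worksheet(CAYMAN, peer) or "no problems")
```

Running the script reports no problems for the matching pair and a single Pre-Shared Key mismatch for the lower-case retype, which is the kind of error that otherwise only shows up as a failed IKE negotiation after Save and Restart.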
Security Log Link
Response: Security Monitoring detects security-related events, including common types of malicious attacks, and writes them to the security log file.

Using the Security Monitoring Log
You can view the Security Log at any time. Use the following steps:
Step 1 Click the Security toolbar button.
Step 2 Click the Security Log link.
Step 3 Click the Show link from the Security Log tool bar.
An example of the Security Log is shown on the next page.

(Figure: example of the Security Log page)

The capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent messages are not captured, but they are noted in the log entry count. Remember that the "time stamp" is Universal Coordinated Time (UTC), which is the equivalent of Greenwich Mean Time. For your convenience, the table below lists the time offsets for various North American time zones. See Timestamp Background information on the next page for more details.
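Two properties of the log matter when you review it: entries beyond the 100th are counted but not stored, and every stored time stamp is UTC. The following Python model is an added example, not Netopia code or the Gateway's log format; it keeps the first 100 alerts, counts the rest, and converts a UTC stamp to a North American zone. The log line format and the 103 sample alerts are constructed for the example, and the zone offsets are assumed standard-time values (the manual's own offset table is not reproduced in this text).

```python
"""Model of the Security Log capacity rule and UTC time stamps.

Added example (not Netopia code). Log lines and zone offsets are constructed
for the example; the real log layout is not reproduced here.
"""
from datetime import datetime, timedelta, timezone

CAPACITY = 100

# Assumed standard-time offsets from UTC in hours (daylight time adds one hour).
ZONE_OFFSETS = {"Eastern": -5, "Central": -6, "Mountain": -7, "Pacific": -8}


class SecurityLog:
    """Holds at most `capacity` alerts; later alerts are counted, not stored."""

    def __init__(self, capacity=CAPACITY):
        self.capacity = capacity
        self.entries = []
        self.count = 0          # total alerts seen, including those not stored

    def add(self, entry):
        """Record an alert; return True if it was stored, False if only counted."""
        self.count += 1
        if len(self.entries) < self.capacity:
            self.entries.append(entry)
            return True
        return False

    def dropped(self):
        """Alerts that arrived after the log was full."""
        return self.count - len(self.entries)

    def reset(self):
        """Equivalent of 'reset security-log': clear entries for new captures."""
        self.entries.clear()
        self.count = 0


def to_local(utc_stamp, zone):
    """Convert a 'YYYY-MM-DD HH:MM:SS' UTC stamp into the named zone (standard time)."""
    t = datetime.strptime(utc_stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    local = t.astimezone(timezone(timedelta(hours=ZONE_OFFSETS[zone])))
    return local.strftime("%Y-%m-%d %H:%M:%S")


def fill_from_lines(lines):
    """Feed constructed log lines into a SecurityLog and return it."""
    log = SecurityLog()
    for line in lines:
        log.add(line)
    return log


# Constructed sample: 103 alerts, more than the log can hold.
SAMPLE_LINES = [
    f"2002-01-15 03:{i // 60:02d}:{i % 60:02d} UTC alert #{i}" for i in range(103)
]

if __name__ == "__main__":
    log = fill_from_lines(SAMPLE_LINES)
    print(f"stored {len(log.entries)}, seen {log.count}, dropped {log.dropped()}")
    print("first entry in Pacific standard time:",
          to_local(SAMPLE_LINES[0][:19], "Pacific"))
```

With the 103 constructed alerts the model stores 100 and reports 3 dropped, which is the signal to clear the log (reset security-log, or the web interface equivalent) before the next events of interest arrive; an early-morning UTC stamp converts to the previous evening in a Pacific zone, so compare log times against local incident notes only after conversion.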
Install Button
Install Response: From the Install toolbar button you can:
• Install new Operating System Software
• Install new Feature Keys

Install Software Link
Install Software Response: This page allows you to install an updated release of the Cayman Operating System (COS).

Updating Your Gateway to COS Version 6.3
Cayman Operating System Release 6.3 represents significantly expanded functionality for your Cayman Gateway. To deliver these important features, the COS 6.3 image is larger than earlier versions and the updating process is different from earlier procedures.

Required Tasks
Task #   Description                                          Page #
1        Locate and confirm the required files.               86
2        Install and verify the Updater application code.     87
3        Install and verify the COS 6.3 image.                89
Depending on your particular subscriber agreement, you may need to install other feature key files.
Warnings: COS 6.3 is NOT SUPPORTED on the following models:
• 2E with PID of 06xx
• 2E or 2E-H with internal memory of 2MBytes or less
COS 6.

Task 1 Required Files
Upgrading to COS 6.3 requires THREE files:
1. Documentation - Software Upgrade Instructions PDF file
2. Updater file
3.

Contact Information
Contact Cayman Technical Support for questions concerning the upgrade process. Contact Cayman Sales for specific advanced features. Use this contact information:
Web Access: http://www.netopia.com/support
Technical Support: 510-814-5000 ext 1
Main Telephone: 510-814-5100

Task 2 Updater File
Install Updater Application Code
If you are currently running a Cayman Operating System version COS 5.90 or higher, skip this Task and continue to page 89 for Task 3.
Ethernet button on the Cayman Gateway Home page. When the Ethernet window appears, click Save. If you have previously saved your Cayman Gateway configuration, you can skip this step.
Step 3 Click the Install Software button on the Cayman Gateway Home page. The Install New Cayman Software window opens. This page is from a Cayman 3220-H Gateway (DSL WAN access). The page for a Cayman 2E-H Gateway (Ethernet WAN access) is similar.
Your Cayman Gateway restarts with its new image. During this step you have the following visual guide from your unit:
3220-H: DSL and Status LED indicators will blink for 30 seconds or more.
2E-H: WAN LED indicator will blink for 30 seconds or more.
Step 3 Enter the filename into the text box by using one of these techniques. The COS file name starts with the letter "c" (for "COS").
a. Click the Browse button, select the file you want, and click Open.
-or-
b. Enter the name and path of the software image you want to install in the text field and click Open.
Step 4 Click the Install button. The Cayman Gateway copies the image file from your computer and installs it into its memory storage.

Verify the COS 6.3 Image
To verify that the COS 6.3 image has loaded successfully, use the following steps:
Step 1 Open a web connection to your Cayman Gateway from the computer on your LAN and return to the Home page. The username admin (or user) is now a required field for logging onto the web server. In earlier releases, only the password was required. For COS 6.3 you now have a new layout. The screen shown below is from a Cayman 3220-H.
NOTES: 1.
If your admin password is not set, you will be prompted to set it before you reach the Home page.
This completes the UPGRADE process for COS 6.3.
Install Keys Link
Response: You can obtain advanced product functionality by employing a software Feature Key. Software feature keys are specific to a Gateway's serial number. Once the feature key file is installed and the Gateway is restarted, the new feature's functionality becomes enabled.
Comment: Use Cayman Software Feature Keys
Background: Cayman Gateway users obtain advanced product functionality by installing a software feature key.
• BreakWater Basic Firewall
• BarrierReef Advanced Firewall
• SafeHarbour IPSec Tunnel at the Gateway
Obtaining Software Feature Keys
Contact your Service Provider to acquire a Software Feature Key.
Procedure - Install a New Feature Key File
With the appropriate feature key file resident on your LAN PC, use the steps listed below to enable a new function.
Step 1 From the Home page, click the Install toolbar button.
Step 2 Click Install Keys. The Install Key File page appears.
Step 5 Click the Restart toolbar button. The Confirmation screen appears.
Step 6 Click the Restart the Gateway link to confirm.
To check your installed features:
Step 1 Click the Install toolbar button.
Step 2 Click the List of Features link.
The System Status page appears with the information from the features link displayed below. You can check that the feature you just installed is enabled.
Troubleshoot
Troubleshoot Button
This section provides some specific procedures and tips for working with important features of Cayman OS 6.3.

Perform Troubleshooting on Gateways
There are three major Troubleshooting capabilities you can access via your Cayman Gateway's web interface. The procedures for using them are discussed here. In the event of a problem with your system, your Service Provider may request this information.
Each test generates one of the following result codes:
CODE      Description
PASS      The test was successful.
FAIL      The test was unsuccessful.
SKIPPED   The test was skipped because a test on which it depended failed, or it was not supported by the service provider equipment to which it is connected.
PENDING   The test timed out without producing a result. Try running the test again.
WARNING   The test was unsuccessful.

Network Tools
Use these steps:
Step 1 Click the Troubleshoot toolbar button.
Step 2 Click the Network Tools link. Three test tools are available from this page.
Step 3
• NSLookup - converts a domain name to its IP address and vice versa.
• Ping - tests the "reachability" of a particular network destination by sending an ICMP echo request and waiting for a reply.
• TraceRoute - displays the path to a destination by showing the number of hops and the router addresses of these hops.
Example: Show the path to the grosso.com site.
Result: It took 20 hops to get to the grosso.com web site.
Step 5 To use the NSLookup capability, type an address (domain name or IP address) in the text box and click the NSLookup button.
Example: Show the IP Address for grosso.com.
Result: The DNS Server doing the lookup is displayed in the Server: and Address: fields. If the Name Server can find your entry in its table, it is displayed in the Name: and Address: fields.
System Status
System Status provides a group of links that display status and statistics to help you manage your Gateway. Managing the WAN Users is an example of the management tools available.

Manage a Restricted Number of WAN Users
User Status
On the Home page your WAN User status is prominently displayed in the center area. To check the user status of the WAN connections when running COS 6.
The Show link provides this information:
• Number of allowed concurrent WAN users
• Number of WAN connections currently in use
• Address and computer name of current LAN users
• Timeout - displays the status of the Idle Timeout Counter. The current user has this amount of time (from an initial 20 minute interval) remaining prior to an automatic disconnect from WAN access.
Step 3 Click the Disconnect button. If you want to disconnect all users at once, click the Disconnect All button.
Step 4 A confirmation message appears: You have disconnected all WAN users.

Exceeding the WAN User Limit
If your system supports a restricted number of WAN users, web browser users who attempt to access the WAN in excess of the restricted number will receive an "intercept" message on a web page.
Appendix A Overview
Tour: Command Line Interface

Overview
The Cayman Gateway operating software includes a command line interface (CLI) that lets you access your Cayman Gateway over a telnet or console connection. You can use the command line interface to enter and update the unit's configuration settings, monitor its performance, and restart it. The CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are provided below.

CONFIG Commands
Command Verbs   Status and/or Description
set             Set configuration data
define          Define environment data
delete          Delete configuration list data
view            View configuration data
script          Print configuration data
help            Help command option
save            Save configuration data
Keywords
system          Gateway's system options
pppoe           PPP over Ethernet options
trafficshape    Traffic shaping options
dmt             DMT ADSL options (DSL only)
atm             ATM options (DSL only)
bncp            Bridge CP options (DSL

Starting and Ending a CLI Session
There are two ways to open a CLI session:
1. Open a telnet connection from a workstation on your network.
2. Connect a terminal to the Maintenance Port located on the rear panel of the Cayman Gateway.
Connecting from telnet
You initiate a telnet connection by issuing the following command from an IP host that supports telnet, for example, a personal computer running a telnet application such as NCSA Telnet.

Using the CLI Help Facility
When you have logged in successfully, the command line interface lists, in the diagnostic log, the username and the security level associated with the password you entered.
Ending a CLI Session
You end a command line interface session by typing quit from the SHELL node of the command line interface hierarchy.
Saving Settings
The save command saves the working copy of the settings to the Gateway.

SHELL Commands
The only command you cannot truncate is restart. To prevent accidental interruption of communications, you must enter the restart command in its entirety. You can use the Up and Down arrow keys to scroll backward and forward through recent commands you have entered. Alternatively, you can use the !! command to repeat the last command you entered.
Platform Convention
For each Shell and Config command, an "Index Tab" shows which platform(s) the command supports.
SHELL Commands
BOTH  configure
Puts the command line interface into Configure mode, which lets you configure your Cayman Gateway with Config commands. Config commands are described starting on page 105.
BOTH  diagnose
Runs a diagnostic utility to conduct a series of internal checks and loopback tests to verify network connectivity over each interface on your Cayman Gateway. The console displays the results of each test as the diagnostic utility runs.
BOTH  install [server_address] [filename] [confirm]
Downloads a new version of the Cayman Gateway operating software from a TFTP (Trivial File Transfer Protocol) server, validates the software image, and programs the image into the Cayman Gateway memory. After you install new operating software, you must restart the Cayman Gateway. The TFTP server must be accessible on your Ethernet network.
BOTH  netstat -r
Displays the IP routes stored in your Cayman Gateway.
BOTH  nslookup { hostname | ip_address }
Performs a domain name system lookup for a specified host.
• The hostname argument is the name of the host for which you want DNS information; for example, nslookup klaatu.
• The ip_address argument is the IP address, in dotted decimal notation, of the device for which you want DNS information.
ENET  reset dhcp client release { B | all }
Releases the DHCP lease the Gateway is currently using to acquire the IP settings for its WAN (Ethernet B) port.
DSL   reset dhcp client release [ vcc-id ]
Releases the DHCP lease the Cayman 3220-H is currently using to acquire the IP settings for the specified DSL port. The vcc-id identifier is a letter in the range B-I. Enter reset dhcp client release without the variable to see the letter assigned to each virtual circuit.
DSL   reset ppp vccn
Resets the point-to-point connection over the specified virtual circuit. This command only applies to virtual circuits that use PPP framing.
BOTH  reset security-log
Clears the security monitoring log to make room to capture new entries.
BOTH  reset wan-users [all | ip-address]
This function disconnects the specified WAN User to allow other users to access the WAN. This function is only available if the number of WAN Users is restricted and NAT is on.
BOTH  show dhcp server store
Displays the DHCP leases stored in NVRAM by your Cayman Gateway.
DSL   show dsl
Displays DSL port statistics, such as upstream and downstream connection rates and noise levels.
BOTH  show enet
Displays the Ethernet statistics for your Cayman Gateway.
BOTH  show features
Shows all keyed features and whether or not they are enabled. If the key is not permanent, it shows the expiration date.
BOTH  show memory [all]
Displays memory usage information for your Cayman Gateway. If you include the optional all argument, your Cayman Gateway will display a more detailed set of memory statistics.
ENET  show ppp [{ stats | lcp | ipcp | lastconnect }]
Displays information about open PPP links. You can display a subset of the PPP statistics by including an optional stats, lcp, ipcp, or lastconnect argument for the show ppp command.
DSL   start ppp vccn
Opens a PPP link on the specified virtual circuit.
BOTH  status
Displays the current status of a Cayman Gateway, the device's hardware and software revision levels, a summary of errors encountered, and the length of time the Cayman Gateway has been running since it was last restarted. Identical to the show status command.
BOTH  telnet { hostname | ip_address } [port]
Lets you open a telnet connection to the specified host through your Cayman Gateway.
About CONFIG Commands
You reach the configuration mode of the command line interface by typing configure (or any truncation of configure, such as c or config) at the CLI SHELL prompt.
CONFIG Mode Prompt
When you are in CONFIG mode, the CLI prompt consists of the name of the Cayman Gateway followed by your current node in the hierarchy and two right angle brackets (>>).
• Moving from one subnode to another — You can move from one subnode to another by entering a partial path that identifies how far back to climb.
• Moving from any subnode to any other subnode — You can move from any subnode to any other subnode by entering a partial path that starts with a top-level CONFIG command.
Rules for entering CONFIG commands
Command component   Rule
Numbers             Enter numbers as integers.
IP addresses        Enter IP addresses in dotted decimal notation (0 to 255).
If a command is ambiguous or miskeyed, the CLI prompts you to enter additional information. For example, you must specify which virtual circuit you are configuring when you are setting up a Cayman Gateway.
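The three command-entry rules stated in this appendix (any unambiguous truncation is accepted, restart must be typed in full, and an ambiguous or miskeyed command produces a prompt) fit together as one prefix-matching rule. The following Python model is an added example, not Netopia code and not the Gateway's real command parser; it resolves a typed token against the SHELL command names listed in this appendix and shows what each rule does to the result. The prompt wording is constructed for the example.

```python
"""Model of CLI command truncation: unambiguous prefixes resolve, 'restart'
must be typed in full, and ambiguous or unknown input yields a prompt.

Added example (not Netopia code). The command list is the set of SHELL
commands named in this appendix; the prompt text is constructed.
"""

SHELL_COMMANDS = ["configure", "diagnose", "install", "netstat", "nslookup",
                  "reset", "restart", "show", "start", "status", "telnet"]
NO_TRUNCATION = {"restart"}   # must be entered in its entirety


def resolve(token, commands=SHELL_COMMANDS):
    """Return ('ok', name), ('ambiguous', [names]) or ('unknown', token)."""
    token = token.lower()
    if not token:
        return ("unknown", token)
    if token in commands:
        return ("ok", token)                 # an exact match always wins
    # A prefix may only expand to commands that allow truncation.
    matches = [c for c in commands
               if c.startswith(token) and c not in NO_TRUNCATION]
    if len(matches) == 1:
        return ("ok", matches[0])
    if matches:
        return ("ambiguous", matches)
    return ("unknown", token)


def prompt_for(result):
    """Text the CLI would show back for a token that did not resolve."""
    kind, value = result
    if kind == "ambiguous":
        return "Ambiguous command; did you mean one of: " + ", ".join(value) + "?"
    if kind == "unknown":
        return f"Unknown command '{value}'"
    return ""


if __name__ == "__main__":
    for typed in ("c", "config", "s", "star", "res", "restar", "restart"):
        r = resolve(typed)
        print(f"{typed:8} -> {r[0]:9} {r[1] if r[0] == 'ok' else prompt_for(r)}")
```

Note what the model shows for "restar": because restart is excluded from prefix matching, a near-complete typo does not trigger a restart, which is exactly the accidental interruption the manual's rule is meant to prevent; "res" still resolves to reset, since reset allows truncation.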
Dogzilla (top)>> set system
Stepping set mode (press Control-X to exit) ...
system name (“Dogzilla”): Mycroft
Diagnostic Level (High): medium
Stepping mode ended.

Validating Your Configuration
You can use the validate CONFIG command to make sure that your configuration settings have been entered correctly. If you use the validate command, the Cayman Gateway verifies that all required settings for all services are present and that settings are consistent.
CONFIG Commands
This section describes the keywords and arguments for the various CONFIG commands.

ATM Settings
You can use the CLI to set up each ATM virtual circuit.
DSL   set atm option { on | off }
Enables the WAN interface of the 3220-H to be configured using the Asynchronous Transfer Mode (ATM) protocol.
DSL   set atm [vccn] option { on | off }
Selects the virtual circuit for which further parameters are set.
DSL   set atm [vccn] pppoe-sessions { 1 ... 8 }
Selects the number of PPPoE sessions to be configured for VCC n. Up to eight can be configured on the first VCC; one on the other VCCs. The total must be less than or equal to eight.
DSL   set atm [vccn] tx-priority [ low | high ]
Selects the transmission priority for VCC n. The Gateway transmits traffic for high priority VCCs before it transmits traffic for low priority VCCs. Bandwidth is split between VCCs of equal priority.

DHCP Settings
As a Dynamic Host Configuration Protocol (DHCP) server, your Cayman Gateway can assign IP addresses and provide configuration information to other devices on your network dynamically. A device that acquires its IP address and other TCP/IP configuration settings from the Cayman Gateway can use the information for a fixed period of time (called the DHCP lease).
BOTH  set dhcp option { off | server | relay-agent }
Enables or disables DHCP services in the Cayman Gateway.

DMT Settings
DSL   set dmt type [ lite | dmt | ansi | multi ]
Selects the type of Discrete Multitone (DMT) asynchronous digital subscriber line (ADSL) protocol to use for the WAN interface.

Domain Name System Settings
Domain Name System (DNS) is an information service for TCP/IP networks that uses a hierarchical naming system to identify network domains and the hosts associated with them. You can identify a primary DNS server and one secondary server.

IP Settings
You can use the command line interface to specify whether TCP/IP is enabled, identify a default Gateway, and enter TCP/IP settings for the Cayman Gateway LAN and WAN ports. If PPPoE is turned off, you must specify settings for Ethernet A and B separately. If PPPoE is turned on, you can omit the A|B labels.
Basic Settings
BOTH  set ip option { on | off }
Enables or disables TCP/IP services in the Cayman Gateway.
DSL   set ip dsl vccn restriction { admin-disabled | admin-only | none }
Specifies restrictions on the types of traffic the 3220-H accepts over the DSL virtual circuit. The admin-disabled argument means that router traffic is accepted but that administrative commands are ignored. The admin-only argument means that router traffic is ignored but that administrative commands are accepted. The none argument means that all traffic is accepted. RIP and ICMP traffic is still accepted.
BOTH  set ip ethernet [ A | B ] broadcast broadcast_address
Specifies the broadcast address for the local Ethernet interface. IP hosts use the broadcast address to send messages to every host on your network simultaneously. The broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.0 network would be 192.168.1.255.
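The "network number followed by 255" rule holds for the common 255.255.255.0 mask; the general rule, which also covers masks that split an octet, is to set every host bit of the network number to one (network OR NOT mask). The following Python helper is an added example, not Netopia code, that computes the value to give the broadcast argument for any network/netmask pair and goes beyond the manual's single case by handling non-octet masks; the networks used are constructed sample values.

```python
"""Compute the broadcast address for an Ethernet interface from its network
number and subnet mask.

Added example (not Netopia code). The manual's rule (network number
followed by 255) is the 255.255.255.0 special case of network | ~mask.
"""
import ipaddress


def broadcast_address(network, netmask):
    """Directed-broadcast address for network/netmask, using the ipaddress module."""
    net = ipaddress.IPv4Network((network, netmask), strict=False)
    return str(net.broadcast_address)


def broadcast_by_hand(network, netmask):
    """Same result computed octet by octet, showing the bitwise rule explicitly."""
    octets = [
        int(a) | (~int(m) & 0xFF)       # host bits set to one, network bits kept
        for a, m in zip(network.split("."), netmask.split("."))
    ]
    return ".".join(str(o) for o in octets)


def consistent(network, netmask):
    """True when both methods agree, a quick self-check before typing the value."""
    return broadcast_address(network, netmask) == broadcast_by_hand(network, netmask)


if __name__ == "__main__":
    # Constructed sample networks; the first is the manual's own example.
    for net, mask in (("192.168.1.0", "255.255.255.0"),
                      ("192.168.1.64", "255.255.255.192"),
                      ("10.0.0.0", "255.255.0.0")):
        print(f"set ip ethernet A broadcast {broadcast_address(net, mask)}"
              f"   # {net}/{mask}, consistent={consistent(net, mask)}")
```

For 192.168.1.64 with mask 255.255.255.192 the last octet is 64 | 63 = 127, so the broadcast address is 192.168.1.127, not 192.168.1.255; entering the wrong value means hosts on the segment never see the Gateway's broadcasts.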
BOTH  set ip ethernet [ A | B ] proxy-arp { on | off }
Specifies whether you want the Cayman Gateway to respond when it receives an address resolution protocol (ARP) request for devices behind it. By default, proxy ARP is turned off.
BOTH  set ip ethernet [ A | B ] rip-send { off | v1 | v2 | v1-compat | v2-MD5 }
Specifies whether the Cayman Gateway should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to other routers on your network.
DSL   set ip gateway interface { ip-address | ppp-vccn }
Specifies whether the Gateway is reached using a fixed IP address or through a PPP virtual circuit.
BOTH  set ip gateway default ip_address
Specifies the IP address of the default IP Gateway.
WAN-to-WAN Routing Settings
Use the following command to configure settings for routing between WAN connections.
BOTH  set ip interwan-routing { on | off }
Enables or disables routing between WAN connections.
The default value for the ip_address argument is 0.0.0.0, which indicates that the virtual PPP interface will use the IP address assigned to it by the remote peer. Note that the remote peer must be configured to supply an IP address to your Cayman Gateway if you enter 0.0.0.0 for the ip_address argument.
BOTH  set ip ip-ppp [vccn] peer-address ip_address
Specifies the IP address of the peer on the other end of the PPP link. If you specify an IP address other than 0.0.0.
For example, inclusion of subnet masks in RIP packets and implementation of multicasting instead of broadcasting. This last feature reduces the load on hosts which do not support routing protocols. This command is only available when address mapping for the specified virtual circuit is turned "off".
Static Route Settings
A static route identifies a manually configured pathway to a remote network. Unlike dynamic routes, which are acquired and confirmed periodically from other routers, static routes do not time out. Consequently, static routes are useful when working with PPP, since an intermittent PPP link may make maintenance of dynamic routes problematic. You can configure as many as 16 static IP routes for a Cayman Gateway.
• The remote network is more than one router away but the static route should not be replaced by a dynamic route, even if the dynamic route is more efficient.
BOTH  delete ip static-routes destination-network net_address
Deletes a static route. Deleting a static route removes all information associated with that route.

WAN Settings
Many of these setting commands are designated as BOTH.
BOTH  set ip wan [vccn] restrictions { admin-disabled | admin-only | none }
Specifies whether an administrator can open a telnet connection to the Cayman Gateway over the WAN Ethernet interface [or specified VCC interface] to monitor and configure the Cayman Gateway. The admin-only argument means that router traffic is ignored but that administrative commands are accepted. The none argument means that all traffic is accepted.

Network Address Translation (NAT) Default Settings
NAT default settings let you specify whether you want your Cayman Gateway to forward NAT traffic to a default server when it doesn't know what else to do with it. The NAT default host function is useful in situations where you cannot create a specific NAT pinhole for a traffic stream because you cannot anticipate what port number an application might use.
BOTH  set pinhole protocol-select { tcp | udp | icmp | pptp | other }
Specifies the type of protocol being redirected.
BOTH  set pinhole numerical-protocol [ 0 - 65535 ]
If you select other, specifies the number of the protocol you want to translate.
BOTH  set pinhole external-port-start [ 0 - 65535 ]
Specifies the first port number in the range being translated.
BOTH  set pinhole external-port-end [ 0 - 65535 ]
Specifies the last port number in the range being translated.
Configuring Basic PPP Settings
Many of these setting commands are designated as BOTH. Note however: for the 3220-H (DSL platform) you must identify the virtual PPP interface [vccn], a number from 1 to 8. This argument does not apply to the 2E-H platform.
BOTH  set PPP module [vccn] option { on | off }
Enables or disables PPP on the Cayman Gateway.
BOTH  set PPP module [vccn] mru integer
Specifies the Maximum Receive Unit (MRU) for the PPP interface.
BOTH  set PPP module [vccn] restart-timer integer
Specifies the number of seconds the Cayman Gateway should wait before retransmitting a configuration or termination request. The integer argument can be any number between 1 and 30.
BOTH  set PPP module [vccn] connection-type { instant-on | always-on }
Specifies whether a PPP connection is maintained by the Cayman Gateway when it is unused for extended periods.
BOTH  set PPP module [vccn] port-authentication chap-name chap_name
Specifies the name the Cayman Gateway sends in a CHAP response packet. The chap_name argument is 1-64 alphanumeric characters. The information you enter must match the CHAP username configured in the remote PPP peer's authentication database.
BOTH  set PPP module [vccn] port-authentication chap-secret secret
Specifies the CHAP secret for CHAP authentication. The secret argument is 1-64 alphanumeric characters.

Configuring Peer Authentication
You can specify that your Cayman Gateway will use PAP, CHAP, or both to authenticate a remote peer as a PPP link is being completed. Perform the following steps to specify how your Cayman Gateway should authenticate remote peers.
BOTH  set PPP module [vccn] peer-authentication chap-option { on | off }
Specifies whether the Cayman Gateway will use CHAP to authenticate connections to PPP peers.

Command Line Interface Preference Settings
You can set command line interface preferences to customize your environment.
BOTH  set preference verbose { on | off }
      set define verbose { on | off }
Specifies whether you want command help and prompting information displayed. By default, the command line interface verbose preference is turned off. If you turn it on, the command line interface displays help for a node when you navigate to that node.
BOTH  set servers telnet-tcp [ 0 - 32767 ]
Specifies the port number for telnet (CLI) communication with the Cayman Gateway. Because port numbers in the range 0-1024 are used by other protocols, you should use numbers in the range 2000-32767 when assigning new port numbers to the Cayman Gateway telnet configuration interface.

Security Settings
Security settings include the Firewall and IPSec parameters. All of the security functionality is keyed.
BOTH  set security ipsec tunnels name "123" tun-enable (on) { on | off }
Enables this particular tunnel. Currently, one tunnel is supported.
BOTH  set security ipsec tunnels name "123" dest-ext-address ip-address
Specifies the IP address of the destination gateway.
BOTH  set security ipsec tunnels name "123" dest-int-network ip-address
Specifies the IP address of the destination computer or internal network.
BOTH  set security ipsec tunnels name "123" IKE-mode DH-group (1) { 1 | 2 | 5 }
See page 73 for details about SafeHarbour IPsec tunnel capability.
BOTH  set security ipsec tunnels name "123" IKE_mode isakmp-SA-encrypt (DES) { DES | 3DES | Blowfish | CAST }
See page 73 for details about SafeHarbour IPsec tunnel capability.
BOTH  set security ipsec tunnels name "123" isakmp-SA-hash (MD5) { MD5 | SHA1 }
See page 73 for details about SafeHarbour IPsec tunnel capability.

SNMP Settings
The Simple Network Management Protocol (SNMP) lets a network administrator monitor problems on a network by retrieving settings on remote network devices. The network administrator typically runs an SNMP management station program on a local host to obtain information from an SNMP agent such as the Cayman Gateway.
BOTH  set snmp community name
Adds the specified name to the list of communities associated with the Cayman Gateway.
you have assigned a name to your Cayman Gateway, you can enter that name in the Address text field of your browser to open a connection to your Cayman Gateway. Some broadband cable-oriented Service Providers use the System Name as an important identification and support parameter. If your Gateway is part of this type of network, do NOT alter the System Name unless specifically instructed by your Service Provider.

Traffic Shaping Settings
Traffic shaping lets you control how much traffic can flow through an Ethernet interface by limiting the size of the WAN "pipe." This function is most suitable for Internet Service Providers or multi-interface routers. When you use the traffic-shaping option to set the maximum speed for a router port, the router will silently discard any packets that exceed the maximum port speed.
Appendix B Glossary Appendix B IEEE 802.3 specification for Ethernet that uses thin coaxial cable to run at 10 Mbps. Limited to 185 meters per segment. 10Base5 IEEE 802.3 baseband physical layer specification for Ethernet that uses thick coaxial cable to run at 10 Mbps. Limited to 500 meters per segment. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at each end. Runs at 10 Mbps.
Appendix B bps BRI bridge broadcast broadcast address buffer Bits per second. A measure of data transmission speed. Basic Rate Interface. ISDN standard for provision of low-speed ISDN services (two B channels (64 kbps each) and one D channel (16 kbps)) over a single wire pair. Device that passes packets between two network segments according to the packets' destination address. Message sent to all nodes on a network. Special IP address reserved for simultaneous broadcast to all network nodes.
Appendix B 3DES DH Group DHCP dial in dial on demand dial out DiffieHellman domain name domain name server Domain Name System (DNS) DSL DTE DTR Triple DES, with a 168 bit encryption key, is the most accepted variant of DES. Diffie-Hellman is a public key algorithm used between two systems to determine and deliver secret keys used for encryption. Groups 1, 2 and 5 are supported. Also, see Diffie-Hellman listing. Dynamic Host Configuration Protocol.
Appendix B ESP Ethernet crossover cable -----F----FCS flow control fragmentation frame FTP FTP server Encapsulation Security Payload (ESP) header provides confidentiality, data origin authentication, connectionless integrity, anti-replay protection, and limited traffic flow confidentiality. It encrypts the contents of the datagram as specified by the Security Association. The ESP transformations encrypt and decrypt portions of datagrams, wrapping or unwrapping the datagram within another IP datagram.
Appendix B -----I----IKE INSPECTION interface internet address IPCP IPSEC ISAKMP ISDN -----K----Key Management Internet Key Exchange protocol provides automated key management and is a preferred alternative to manual key management as it provides better security. Manual key management is practical in a small, static environment of two or three sites. Exchanging the key is done through manual means. Because IKE provides automated key exchange, it is good for larger, more dynamic environments.
-----M-----
Random number generated by a router and included in packets it sends to other routers. If the router receives a packet with the same magic number it is using, the router sends and receives packets with new random numbers to determine if it is talking to itself.
A 128-bit message-digest authentication algorithm used to create digital signatures. It computes a secure, irreversible, cryptographically strong hash value for a document. Less secure than the variant SHA-1.
Peer Internal IP Network: The Peer Internal IP Network is the private, or Local Area Network (LAN), address of the remote gateway or VPN Server you are communicating with.
Peer Internal IP Netmask: The Peer Internal IP Netmask is the subnet mask of the Peer Internal IP Network.
PFS-DH: Perfect Forward Secrecy Diffie-Hellman Group. PFS forces a DH negotiation during Phase II of the IKE-IPSec SA exchange. You can disable this or select DH group 1, 2, or 5.
Security Association: From the IPSEC point of view, an SA is a data structure that describes which transformation is to be applied to a datagram and how.
serial communication
SHA-1
SLIP
Soft MBytes
Soft Seconds
SPI
STATEFUL
static route
subnet mask
synchronous communication
-----T-----
T1 link: Digital transmission link capable of speeds up to 1544 kilobits per second.
TA: Terminal adaptor. Device that connects a network or terminal to an ISDN network.
telnet: IP protocol that lets a user on one host establish and use a virtual terminal connection to a remote host.
twisted pair: Cable consisting of two copper strands twisted around each other. The twisting provides protection against electromagnetic interference.
-----U-----
Unshielded twisted pair cable.
Index

Symbols
!! command 108

A
Access the GUI 29
Address mapping 134
Address resolution table 114
Admin Login Failures 25
Administrative restrictions 130
Administrator password 29, 67, 106
Arguments, CLI 118
ARP
  Command 108
  Proxy 128, 134
Authentication 138
Authentication trap 145
Command
  ARP 108
  Ping 111
  Telnet 116
Command line interface (see CLI)
Community 145
Compression, protocol 137
CONFIG Command List 105
Configuration mode 117

D
DB-9 106
Default IP address 29
denial of service 155
DHCP 123
DHCP l
H
Hardware address 122
hijacking 155
Home page 30
  User mode 30
Home window 29
Hop count 132
How To
  Configure a SafeHarbour VPN 73
  Configure Multiple Static IP Addresses 73
HTTP traffic 141

I
ICMP Echo 111
Illegal Packet Size (Ping of Death) 23
Install 83
IP address 125, 126, 133
  Default 29
IP interfaces 114
IP routes 114
IP Source Address Spoofing 23
IPCP subnet allocation 130

K
Keywords, CLI 118

L
LCP echo request 137
Lease 113
Link
  Help 35
  Install Software 83
  Pinhole 52
  Quickstart 37, 43, 44
  SNMP 60
Lo
RIP 128
Routing Information Protocol (RIP) 128

S
Static IP Addresses 18
Static route 132
Step mode 119
Subnet allocation 130
Subnet Broadcast Amplification 23
Subnet mask 127, 133
System contact, SNMP 145
System diagnostics 146
Secondary nameserver 124
Secret 139
Security log 82
Security Monitoring 22
Serial cable 106
Set bncp command 121, 122
Set bridge commands 122
Set dns commands 124
Set ip static-routes commands 132
Set pr

T
Telnet 106, 135
Telnet command 116
Telnet traffic 141
Terminal emulator 106
Contact Information
Cayman 3000 series by Netopia
Netopia, Inc.
2470 Mariner Square Loop
Alameda, CA 94501
Corporate Headquarters: 510-814-5100
Corporate Fax: 510-814-5020
Customer Service/Tech Support: 510-814-5000 ext 1.
Support URL: http://www.netopia.com/support
January, 2002