Nortel Business Secure Router 222 — Fundamentals
BSR222
Business Secure Router
Document Number: NN47922-301
Document Version: 1.4
Date: May 2007
Download from Www.Somanuals.com. All Manuals Search And Download.
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
AC Power Adapter Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1 Front panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2 Rear panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2 Checking your computer IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.1 Accessing your Business Secure Router via the WebGUI . . . . . . . . . . . . . . . 21
4.2 Using the wizard to configure for internet access . . . . . . . . . . . . . . . . . . . . . . 24
Internet connection with ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Internet connection with PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Internet connection with PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
4 Contents
WAN IP address assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.3 Test your internet connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
General Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Advanced Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Setting up the router for guest access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Inter-Operability With Third-Party Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 6
Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
41
Problem: You cannot access the Business Secure Router from the LAN . . . . 41
Problem: You cannot ping any computer on the LAN . . . . . . . . . . . . . . . . . . . 41
Problem: You cannot get a WAN IP address from the ISP . . . . . . . . . . . . . . . 42
Problem: You cannot access the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
5
Table 1
Table 2
Table 3
Internet account information worksheet
Front panel details
11
14
15
Rear panel details
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
6
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Preface
7
Preface
This Quick Start Guide provides instructions for installing and configuring your
Nortel Business Secure Router 222 as an Office Gateway for your network. After
completing this guide, you can access the Internet securely through your Nortel
Business Secure Router 222.
Before you begin
This Quick Start Guide is intended for network managers who are installing the
Nortel Business Secure Router 222 for the first time. It assumes that you are
familiar with the type of Internet connection used with your Business Secure
Router.
Text conventions
This guide uses the following text conventions:
italic text Indicates new terms, book titles, and variables in
command syntax descriptions. Where a variable is two
or more words, the words are connected by an
underscore.
Example: If the command syntax is
show at<valid_route>, valid_route is one
variable and you substitute one value for it.
Acronyms
This guide uses the following acronyms:
ADSL
DHCP
asymmetric digital subscriber line
Dynamic Host Configuration Protocol
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
8
Preface
DNS
ENET
IP
domain name server
Ethernet
Internet Protocol
ISP
Internet Service Provider
local area network
LAN
LLC
PPPoA
PPPoE
RFC
SUA
TCP/IP
VC
logical link control
Point-to-Point Protocol over ADSL
Point-to-Point Protocol over Ethernet
request for comment
single user account
Transmission Control Protocol/Internet Protocol
virtual channel
VCI
virtual channel identifier
virtual path identifier
wide area network
VPI
WAN
Related publications
For more information about using the Nortel Business Secure Router 222, refer to
the following publication:
•
Configuring and Troubleshooting the Nortel Business Secure Router 222
(317517-A)
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Preface
9
Hard-copy technical manuals
You can print selected technical manuals and release notes free, directly from the
need documentation. Then locate the specific category and model or version for
your hardware or software product. Use *Adobe Reader* to open the manuals and
release notes, search for the sections you need, and print them on most standard
copy of Adobe Reader.
How to get help
If you purchased a service contract for your Nortel product from a distributor or
authorized reseller, contact the technical support staff for that distributor or
reseller for assistance.
If you purchased a Nortel service program, contact Nortel Technical Support. To
obtain contact information online, go to www.nortel.com/cgi-bin/comments/
comments.cgi, then click on Technical Support.
From the Technical Support page, you can open a Customer Service Request
online or find the telephone number for the nearest Technical Solutions Center.
If you are not connected to the Internet, you can call 1-800-4NORTEL
(1-800-466-7835) to learn the telephone number for the nearest Technical
Solutions Center.
An Express Routing Code (ERC) is available for many Nortel products and
services. When you use an ERC, your call is routed to a technical support person
who specializes in supporting that product or service. To locate an ERC for your
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
10 Preface
AC Power Adapter Specifications
Use only power supplies listed in the user instructions.
Phihong, Model PSA21R-180
Note: Not to remove the plug and plug into a wall outlet by itself; always attach
the plug to the power supply first before insert into the wall.
Leader, Model MU18-2180100-XX (XX can be A1, A2, A3, B2 or C5 for the
different plugs used)
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 1 Introducing the Business Secure Router 11
Chapter 1
Introducing the Business Secure Router
The Nortel Business Secure Router 222 is the ideal secure gateway for all data
passing between the Internet and the LAN. By integrating Network Address
Translation (NAT), firewall and Virtual Private Network (VPN) capability, the
Nortel Business Secure Router 222 is a complete security solution that protects
your Intranet and efficiently manages data traffic on your network. The embedded
WebGUI is easy to operate and totally independent of the operating system
platform you use.
You must have an Internet account already set up and have most of the following
information.
Table 1 Internet account information worksheet
Your device WAN IP Address (if given): __________________
Subnet Mask: __________________
Remote IP Address (if given): ____________
DNS Server IP Address (if given): First __________________, Second _________________,
Third _________________
Encapsulation (select one below):
Service Type:
ꢀ
Ethernet
_______________________
Login Server IP Address:
______________
User Name: ____________
Password: ____________
Password: ____________
User Name: ____________
ꢀ
PPTP
PPTP Server IP Address: ___________
Connection ID (if required): ____________
ꢀ
PPPoE
(PPPoE) Service Name: ____________
User Name: ____________
Password: ____________
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
12 Chapter 1 Introducing the Business Secure Router
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 2 Hardware installation 13
Chapter 2
Hardware installation
Caution: To keep the Business Secure Router operating at optimal
internal temperature, keep the bottom, sides, and rear clear of
obstructions and away from the exhaust of other equipment.
Caution: AC Power Adapter Specifications
Only use the approved Phihong Model PSA21R-180 power supply with
this device.
NOTE: Attach the appropriate plug to the power supply first before
inserting it into the power outlet.
Caution: Electro-static Discharge can disrupt the router. Use
appropriate handling precautions to avoid ESD. Avoid touching the
connectors on the router, particularly when it is in use.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
14 Chapter 2 Hardware installation
2.1 Front panel
Table 2 Front panel details
LABEL
DESCRIPTION
Step 1: 1-4
Connect a computer to one of these ports with an Ethernet cable.
These ports are auto-negotiating (can connect at 10 or 100Mb/s)
and auto-sensing (automatically adjusts to the type of Ethernet
cable you use, straight-through or crossover).
Step 2
Connect your cable or DSL modem to this port with the cable that
came with your modem.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 2 Hardware installation 15
2.2 Rear panel
Table 3 Rear panel details
LABEL
DESCRIPTION
Step 3
Connect the included power adaptor (use only this adapter) to this
power socket.
POWER
After you have made the connections, connect the power cable to a power supply and
look at the front panel LEDs. The power LED blinks while performing system testing and
then stays on if the testing is successful. The Ethernet port LEDs turn on if the ports are
properly connected. Refer to Configuring and Troubleshooting the Nortel Business
Secure Router 222 for more detailed LED descriptions.
CON/AUX port, Only connect this port if you want to configure the Business Secure
CON/AUX
switch
Router using the SMT via console port. See your User's Guide for
details.
Set this switch to the CON (Console) side to use the CON/AUX port as
a console port for local device configuration and management. Connect
the 9-pin male end of the console cable to the console port of the
Business Secure Router and the other end to a serial port (COM1,
COM2 or other COM port) on your computer. Your computer must have
a terminal emulation communications program (such as
HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits,
1 stop bit, no flow control and 9600 b/s port speed.
RESET
Press this button for one to three seconds to restart the Business
Secure Router. Press this button for longer than three seconds to
return the Business Secure Router to the factory defaults (password is
setup, LAN IP address 192.168.1.1, terminal emulation settings as
described above; see your User's Guide for details).
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
16 Chapter 2 Hardware installation
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 3 Setting up your computer IP address 17
Chapter 3
Setting up your computer IP address
The BSR222 is already set up to assign your computer an IP address. Use this
section to set up your computer to receive an IP address or assign it a static IP
address in the 192.168.1.34 to 192.168.1.254 range with a subnet mask of
255.255.255.0. This is necessary to ensure that your computer can communicate
with your Business Secure Router.
Your computer must have an Ethernet card and TCP/IP installed. TCP/IP must
already be installed on computers using Windows NT/2000/XP or Macintosh OS
7 and later operating systems. Instructions are provided here for configuring
Windows 2000, NT and XP operating systems. Refer to Nortel Business Secure
Router 222 Configuration — Basics (NN47922-500) and Nortel Business Secure
Router 222 Configuration — Advanced (NN47922-501) for detailed IP address
configuration for Windows 95, 98, Me and Macintosh and Linux computer
operating systems.
3.1 Static or dynamic configuration (Windows 2000/NT/XP)
1
In Windows XP, click Start, Control Panel.
In Windows 2000/NT, click Start, Settings, Control Panel.
In Windows XP, click Network Connections.
In Windows 2000/NT, click Network and Dial-up Connections.
a
2
a
3
4
Right-click Local Area Connection and then click Properties.
Select Internet Protocol (TCP/IP) (under the General tab in Windows XP)
and click Properties.
5
The Internet Protocol TCP/IP Properties screen appears (the General tab in
Windows XP).
a
To have your computer assigned a dynamic IP address, click Obtain an
IP address automatically.
b
To configure a static IP address, click Use the following IP Address and
fill in the IP address (choose one from 192.168.1.34 to 192.168.1.254),
Subnet mask (255.255.255.0), and Default gateway (192.168.1.1) fields.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
18 Chapter 3 Setting up your computer IP address
Nortel recommends that you do not use a static IP address in the same
range as the Business Secure Router DHCP server address pool
(192.168.1.2 to 192.168.1.33 by default).
6
Click Advanced. Remove any previously installed gateways in the IP Settings
tab and click OK to go back to the Internet Protocol TCP/IP Properties screen.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 3 Setting up your computer IP address 19
7
Click Obtain DNS server address automatically if you do not know your
DNS server IP address(es).
a
If you know your DNS server IP addresses, click Use the following DNS
server addresses, and type them in the Preferred DNS server and
Alternate DNS server fields.
b
If you have more than two DNS servers, click Advanced, select the DNS
tab and then configure the two DNS servers using the Add button.
8
9
Click OK to close the Internet Protocol (TCP/IP) Properties window.
Click OK to close the Local Area Connection Properties window.
3.2 Checking your computer IP address
1
On your computer, click Start, (All) Programs, Accessories and then
Command Prompt.
2
In the Command Prompt window, type ipconfig and then press Enter. Your
computer IP address must be in the correct range (192.168.1.2 to
192.168.1.254), with subnet mask 255.255.255.0, in order to communicate
with the Business Secure Router.
Refer to Nortel Business Secure Router 222 Configuration — Basics
(NN47922-500) and Nortel Business Secure Router 222 Configuration —
Advanced (NN47922-501) for detailed IP address configuration for other
Windows and Macintosh computer operating systems.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
20 Chapter 3 Setting up your computer IP address
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 4 Configuring your Business Secure Router 21
Chapter 4
Configuring your Business Secure Router
Choose one of these methods to access and configure the Business Secure Router.
This guide shows you how to use the WebGUI wizard only. See Nortel Business
Secure Router 222 Configuration — Basics (NN47922-500) and Nortel Business
Secure Router 222 Configuration — Advanced (NN47922-501) for background
information about all Business Secure Router features and SMT configuration.
Click the WebGUI online help for screen-specific web help.
4.1 Accessing your Business Secure Router via the WebGUI
1
Launch your web browser. Enter 192.168.1.1 as the web site address.
2
The default username (admin) and password (setup) are already in the
password field (in non-readable format). Click Login to proceed to a screen
that will let you to change your password. Click Reset if you want to clear any
information you have entered in the Username and Password fields.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
22 Chapter 4 Configuring your Business Secure Router
3
Nortel recommends you change the default password! Enter a new password,
retype it to confirm it and click Apply. Alternatively click Ignore to proceed
to the main menu if you do not want to change the password now.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 4 Configuring your Business Secure Router 23
4
Click Apply in the Replace Factory Default Certificate screen to create a
certificate using your Business Secure Router MAC address, which will be
specific to this device.
5
The WebGUI MAIN MENU screen appears.
•
Select WIZARD if you want help configuring your Business Secure Router
for the first time.
•
•
Select a link under MAIN MENU in the navigation panel to configure a
Business Secure Router feature.
Select MAINTENANCE in the navigation panel to view Business Secure
Router performance statistics, upload firmware and back up information or
restore or upload a configuration file.
•
Click LOGOUT when you have finished a Business Secure Router
management session. The Business Secure Router automatically logs you off
if the session is left idle for five minutes. Click ENTER to display the Login
screen again and then log back on. This idle timeout timer is one of the many
Business Secure Router features that you can edit using the WebGUI.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 4 Configuring your Business Secure Router 25
System Name is for identification purposes. Enter the name of your computer in
the System Name field, to easily identify your computer.
The Domain Name entry defines the domain name that is passed on to the DHCP
clients on the LAN. If you leave this field blank, the domain name obtained by
DHCP from the ISP is used. Click Next to continue.
2
The second wizard screen has three variations, depending on the
encapsulation type you use. Use the information in Internet Account
Information to fill in the fields.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
26 Chapter 4 Configuring your Business Secure Router
Internet connection with ethernet
This variation is shown when the WAN port is used as a regular Ethernet. Choose
either Standard or a Road Runner ISP version. You need your User Name,
Password and Login Server IP Address for some Road Runner ISP versions.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 4 Configuring your Business Secure Router 27
Internet connection with PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) also functions as a dial-up
connection. Therefore, you also need a username and password and possibly the
PPPoE service name (from ISP).
Select Nailed-Up Connection when you want your connection active all the time.
The Business Secure Router tries to bring up the connection automatically if it is
disconnected.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
28 Chapter 4 Configuring your Business Secure Router
Internet connection with PPTP
Choose PPTP if your service provider uses a DSL terminator with PPTP log on.
The Business Secure Router must have a static IP address in this case. You need a
log on name, associated password, the PPTP server IP address, and a connection
ID.
Type the subnet mask assigned to you by your ISP (if given).
Type the (static) IP address assigned to you by your ISP.
The connection ID or name is optional, depending on your ISP’s requirements. If
you have a connection ID from your ISP, enter it in C:ID format, where ID is the
id given to you by your ISP. For example, C:12. If you have a connection name
from your ISP, enter it in N:Name format where Name is the connection name
given to you by your ISP. For example, N:MyISP.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 4 Configuring your Business Secure Router 29
Click Next to continue.
Fill in the fields and click Finish to save and complete the wizard setup.
3
WAN IP address assignment
Select Get automatically from ISP if your ISP did not assign you a fixed IP
address. Select Use fixed IP address if the ISP assigned a fixed IP address, and
then enter your IP address and subnet mask in the next two fields. Enter the
gateway IP address in the Remote IP Address field (if provided) when you select
Use Fixed IP Address.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
30 Chapter 4 Configuring your Business Secure Router
System DNS servers
Select From ISP if your ISP dynamically assigns DNS server information (and
the Business Secure Router's WAN IP address). The right field displays the
(read-only) DNS server IP address that the ISP assigns. If you chose From ISP,
but the Business Secure Router has a fixed WAN IP address, From ISP changes to
None after you click Apply. If you chose From ISP for the second or third DNS
server, but the ISP does not provide a second or third IP address, From ISP
changes to None after you click Apply.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS
server's IP address in the field to the right. If you chose User-Defined, but leave
the IP address set to 0.0.0.0, User-Defined changes to None after you click
Apply. If you set a second choice to User-Defined, and enter the same IP address,
the second User-Defined changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure
a system DNS server, you must use IP addresses when configuring VPN, DDNS
and the timeserver.
WAN MAC address
Select Factory Default to use the factory assigned default MAC address.
Alternatively, select Spoof this Computer's MAC address - IP Address and
enter the IP address of the computer on the LAN whose MAC address you are
cloning.
4.3 Test your internet connection
program such as Dial-Up Networking. Internet access is just the beginning. Refer
to the Nortel Business Secure Router 222 Configuration — Basics
(NN47922-500) and Nortel Business Secure Router 222 Configuration —
Advanced (NN47922-501) for more detailed information about the complete
range of Nortel Business Secure Router 222 features.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 5 User Notes 31
Chapter 5
User Notes
General Notes
There are some router functions that, although performing as expected, might
cause some confusion. These are summarized below.
General
1
Default Address Mapping Rules When First Enable NAT Full Feature.
When NAT Full Feature is first enabled, two address mapping rules are added to
the address mapping table. This is done to facilitate programming, and matches
the default SUA rule. The rules can be deleted.
2
Response to Invalid User ID or Password
When the wrong user ID or password is entered into the router login screen, no
error message is displayed. Instead, the login screen is simply displayed again.
3
First DHCP Address Reserved for BCM50
The first address of the DHCP Address Pool is reserved for a BCM50 in the
subnet, and will not be assigned to any other equipment. Once assigned to a
BCM50, it is reserved for that BCM50, and will not be assigned to any other. If
the BCM50 is changed, the following command must be used to enable the router
to assign the first address to a different BCM50:
ip dhcp enif0 server m50mac clear
4
Login Requires Reboot
If the Administrator Timeout is set to 0, and an administration session is
terminated without logging off, the router needs to be rebooted in order for the
administrator to log in to the WebGUI again. Alternatively, the administrator can
log in using a TelNet session, if TelNet access has been enabled in the Remote
Management menu.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
32 Chapter 5 User Notes
5
Clicking Sound
The Business Secure Router will click once every two minutes until an ADSL line
is connected.
Firewall
1
Address Range Validation
In the firewall rules, the router does not confirm when given an address range, that
the second address is higher than the first. If this type of address range is entered,
the range is ignored.
2
Automatic Firewall Programming
Configurations to various areas of the router, such as remote management or
adding a SUA Server, do not automatically add the appropriate rules to the
Firewall, to enable the traffic to pass through the router. These need to be added
separately.
Note: Firewall rules do not apply to IPSec tunnels.
NAT
1
Deleting NAT Rule Does Not Drop an Existing Connection
If a NAT rule is deleted, the router must be rebooted to apply the change to
existing service connections. This is already noted in the GUI.
2
NAT Traversal Status
If NAT Traversal is enabled, but is not needed (because the client is not behind a
NAT router), it will be shown as 'inactive' in the VPN Client Monitor. This may
confuse some users.
VPN Client Termination
1
Change of User Account Does Not Drop Existing Connections
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 5 User Notes 33
If a VPN Client user account is de-activated, deleted, or changed, and that user is
currently connected, the connection is not automatically dropped. To drop the
connection, the administrator needs to disconnect the user using the 'Disconnect'
function in the VPN/SA Monitor GUI. This is consistent with other Nortel
Contivity products.
2
User Name Restrictions
User names are limited to a maximum length of 63 characters.
VPN Client Account Password Restrictions
3
The password for a VPN Client user cannot contain the single- or double-quote
characters.
4
IP Pool Address Overlap
When defining multiple VPN Client Termination IP pools, the router uses the IP
Subnet mask, and not the pool size, to determine if the pools are overlapping. The
subnet mask of each pool should be appropriate for the size of the VPN Client
Termination IP pool.
5
VPN Client Termination - Failure In Specific Addressing Situation
If the Client has an assigned IP address that is the same as the IP address assigned
for the Client Tunnel, the connection will fail to be established.
6
VPN Client Termination - Configuration Restrictions
This router has some restrictions when compared to larger Contivity Routers
(1000 Series and above). In particular,
VPN Clients cannot be added to the LAN subnet. They must have addresses
outside of the LAN subnet.
VPN Clients can have dynamically assigned IP addresses, or they can have a
statically assigned addresses. However, the router does not support both
modes at once. All addresses must either be dynamically assigned, or they
must all be statically assigned.
7
Establishing a Client Tunnel From One Business Secure Router to Another
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
34 Chapter 5 User Notes
When defining a Client Termination account for another Business Secure Router
that will connect using Contivity Client Emulation, the following configuration is
required:
•
Encryption must be Triple DES with SHA1 integrity, or Triple DES with
MD5 integrity.
•
•
IKE Encryption must be Triple DES with Diffie-Hellman Group 2.
Perfect Forward Secrecy (PFS) must be enabled.
Security
1
Exporting or Saving Self-Signed Certificate
To export or save a self-signed certificate, click details (the icon that looks like a
paper note), then click 'Export' or copy the PEM text into the clipboard, and paste
into a file.
Routing
1
RIP Version Advertisement Control
To change the version of generated RIP advertisements, the following CLI
command needs to be used
ip rip mode [enif0|enif1] [in|out] [0|1|2|3]
where:
'enif0' is the LAN side, and 'enif1' is the WAN side
'in' affects recognition of received advertisements, and
'out' applies to generated advertisements
The number controls the operating mode:
None (disabled)
RIP-1 only
RIP-2 only
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 5 User Notes 35
Both RIP-1 and RIP-2
Advanced Router Configuration
The following notes are intended to help with advanced router configuration.
Setting up the router when the system has a server
1
2
If you are using a Full-Feature NAT configuration, first, do the following...
a
In SUA/NAT / Address Mapping, add a 'Server' rule, specifying the
'Public' IP address of the server.
For both SUA-Only and Full-Feature NAT configurations, do the following...
a
In SUA/NAT : SUA Server, add server private IP address and port
number(s) to the SUA/NAT Server table.
b
c
In FIREWALL, add a WAN-to-LAN rule
If the service is not in the list of available services, add it as a 'Custom
Port'.
d
Add the rule, selecting the service, and entering the server IP address as
the destination IP address.
Connecting two sites to establish a virtual private network
The recommended method to do this is through a branch-to-branch IPSec tunnel.
1
In VPN / Summary, add a new tunnel by editing an unused rule. Create an
Active, Branch Office tunnel.
a
b
Select 'Nailed Up' if the tunnel should not be closed while not in use.
Enter the authentication information, with either a pre-shared key or an
imported certificate.
c
Enter the IP Address assigned to the router WAN port. This should be a
static address, or a dynamic DNS name, and the IP address of the remote
router.
d
e
Select the encryption and authentication algorithms.
Add an IP policy, by specifying the IP address ranges of the local and
remote hosts that will use the tunnel.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
36 Chapter 5 User Notes
2
Repeat these steps at the other end of the branch.
Note: If VPN Client Termination is used on these sites, the client termination
address range will need to be included in the tunnel policies in order for the
VPN clients to see the other site.
Adding IP telephony to a multi-site network
Scenario 1: A BCM50 in the primary site acting as the gateway for
both sites
1
Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is
connected to the router, and both have booted.
2
3
4
Add the IP phones to the primary site as per BCM50 installation guide.
Create a tunnel to the remote site, as described above.
In the remote site, set the S1 and S2 addresses to the IP address of the
BCM50, which is identified in the router DHCP table or in the BCM50. This
is done with a CLI command.
TELNET or SSH to the router. This needs TELNET or SSH enabled on that
router. Select menu 24, select menu 8, and enter the commands:
ip dhcp enif0 server voipserver 1 <BCM50_IP_Address> 7000 1
ip dhcp enif0 server voipserver 2 <BCM50_IP_Address> 7000 1
5
Add the IP phones to the remote site, configured for full DHCP client mode.
Scenario 2: A BCM50 in each site, each acting as the backup call
server for the other site
1
At each site,
a
Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50
is connected to the router, and both have booted.
b
c
Add the IP phones to the site as per BCM50 installation guide.
At each router, change the S2 address to the IP address of the remote
BCM50, using TELNET or SSH, and the CLI command,
ip dhcp enif0 server voipserver 2 <Remote_BCM50_IP_Address> 7000 1
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 5 User Notes 37
2
3
Create a tunnel between the sites, as described above.
Create an H.323 trunk between the BCM50s, as per the BCM50 User Guide.
Configuring the router to act as a Nortel VPN Server (Client
Termination)
1
Under VPN / Client Termination,
a
b
c
Enable Client Termination.
Select authentication type and the encryption algorithms supported.
If the clients are assigned IP addresses from a pool, define the pool, and
enable it.
2
Assuming a Local User Database is used for authentication,
a
Add user name and password to the local user database as an IPSec user,
and activate it. If the hosts will be assigned a static IP address, enter the
address that will be assigned to the user.
Configuring the router to connect to a Nortel VPN Server (Client
Emulation)
1
2
Go to VPN / Summary, and select 'Edit'.
Select a connection type of Contivity Client, and fill in the web page with the
relevant data.
3
If Group authentication or On-Demand Client Tunnels are needed, click the
'Advanced' button to configure this.
Allowing remote management of a LAN-connected BCM50
1
Create the appropriate NAT server rules to add the BCM50.
Go to SUA/NAT / SUA Server, and create two server rules for HTTPS and
Element Manager access:
One named BCM_HTTPS, with port number 443, and the IP address of the
BCM50
One named BCM_EM, with the port number 5989, and the IP address of the
BCM50
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
38 Chapter 5 User Notes
Note: In DHCP Server mode, the BCM50 IP address will be the lowest
address in the pool.
2
Create the appropriate Firewall rules to add BCM50 access.
Go to FIREWALL / Summary, and create two WAN-to-LAN firewall rules:
One rule allowing access from allowed remote computer IP addresses, to the
BCM50 IP address, for service type HTTPS(TCP:443)
One rule allowing access from allowed remote computer IP addresses, to the
BCM50 IP address, for custom port TCP:5989
Setting up the router for guest access
The recommended approach to provide guest access is by creating an IP Alias,
and using static addressing for the corporate equipment, to make it a member of
the defined Alias subnet. Then use firewall rules to restrict access of the guest
equipment. NOTE: if a BCM50 is used, it will also need to be assigned a static IP
address.
1
2
3
Go to LAN / IP Alias, and Enable IP Alias 1.
Define a subnet for the corporate equipment.
Statically assign addresses to the corporate equipment that are within the IP
Alias subnet.
4
5
Set up LAN / IP to enable DHCP Server, with an address range that will be
used for guest equipment.
In the FIREWALL, set up a LAN-to-LAN rule to block traffic between the
guest subnet (DHCP Pool) and the corporate subnet (IP Alias subnet).
Note: If branch tunnels are being used, the policies on these tunnels should
exclude the guest subnet.
Preventing heavy data traffic from impacting telephone calls
To ensure voice quality during heavy data traffic, bandwidth needs to be reserved
for voice traffic.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 5 User Notes 39
1
2
3
Determine your actual WAN up-stream bandwidth by connecting to a web site
On BANDWIDTH MANAGEMENT / Summary, activate WAN bandwidth
management, and fill in your actual uplink speed in the WAN Speed field..
On BANDWIDTH MANAGEMENT / Class Setup, add a WAN subclass, and
reserve sufficient bandwidth based on the number of telephones, for Protocol
ID 17 (UDP Traffic).
The amount of bandwidth should be based on a reasonable peak number of
simultaneous calls, and the data rate needed by the IP telephony CODECs.
Setting Up a Remote Office with a UNIStim IP Telephone
For a remote office with a PC, and a UNIStim IP telephone behind a BCM50a
Integrated Router, Client Emulation is the recommended method to connect to the
main office.
1
2
At the main office Contivity Client Server, establish two user accounts - one
for the telephone, and one for the PC.
On the remote office BCM50a Integrated Router, do the following:
Under WAN / WAN IP, ensure that Network Address Translation is set to
SUA Only (default). Also ensure that the Gateway IP address is set (not
0.0.0.0).
Under VPN / Summary, create an entry for the IP telephone client tunnel.
(Contivity Client, Active, Keep Alive). Fill in the IP address of the Contivity
Client Server, and the name and password of the telephone set user account.
Under VPN / Global Setting, enable Exclusive Mode, and fill in the MAC
address of the telephone set.
Under Bandwidth Management, set up WAN bandwidth management to
reserve 110 kbps of bandwidth for UDP traffic (protocol ID 17). See the
preceding section titled, “Preventing heavy data traffic from impacting
telephone calls.
3
4
Provision the IP set with the corporate call server address.
On the PC, install Contivity Client Software, and configure it with the PC user
account information.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
40 Chapter 5 User Notes
Inter-Operability With Third-Party Routers
VPN Connections With Cisco Routers
When establishing a VPN Client tunnel or Branch Office Tunnel between the
Business Secure Router and a Cisco router, the following configuration rules
should be followed:
1
2
Ensure that the WAN IP of the BSR222/252 router and the Cisco router are
not in the same subnet.
Configure the connection to use DES Encryption and MD5 Authentication.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 6 Troubleshooting 41
Chapter 6
Troubleshooting
Problem: None of the LEDs turn on when you turn on the
Business Secure Router
Make sure that you have the correct power adapter connected to the Business
Secure Router and that it is plugged in to an appropriate power source. Check all
cable connections.
If the LEDs still do not turn on, you may have a hardware problem. In this case,
contact your local vendor.
Problem: You cannot access the Business Secure Router from
the LAN
Check the cable connection between the Business Secure Router and your
computer or hub. Refer to the Rear Panel section for details.
Ping the Business Secure Router (the default IP address is 192.168.1.1) from a
LAN computer. Make sure your computer Ethernet card is installed and
functioning properly.
If the LAN LEDs are off, check the cable connections between the Business
Secure Router and your LAN computers.
Verify that the IP address and subnet mask of the Business Secure Router and the
LAN computers are in the same IP address range. See “3.1 Static or dynamic
configuration (Windows 2000/NT/XP)” on page 17 for details about how to
change your computer’s IP address with Windows 2000, NT and XP operating
systems. Refer to Configuring and Troubleshooting the Nortel Business Secure
Router 222 for detailed IP address configuration for Windows 95, 98, Me and
Macintosh and Linux computer operating systems.
Nortel Business Secure Router 222 — Fundamentals
Download from Www.Somanuals.com. All Manuals Search And Download.
42 Chapter 6 Troubleshooting
Problem: You cannot get a WAN IP address from the ISP
The WAN IP is provided after the ISP verifies the MAC address, hostname or user
ID.
Find out the verification method used by your ISP and configure the
corresponding fields.
If the ISP checks the WAN MAC address, clone the MAC address from a LAN
computer. Click WAN and then the MAC tab, select Spoof this Computer's
MAC address - IP Address and enter the IP address of the computer on the LAN
whose MAC address you are cloning.
If the ISP checks the host name, enter your computer's name (refer to the Wizard
Setup section in the Configuring and Troubleshooting the Business Secure Router
SOHO Internet Security Gateway) in the System Name field in the first screen of
the Wizard.
If the ISP checks the user ID, click WAN and then the ISP tab. Check your service
type, user name, and password.
Problem: You cannot access the Internet
Check the Business Secure Router connection to the cable or DSL device.
Check whether your cable or DSL device requires a crossover or straight-through
cable.
Click WAN to verify your settings.
NN47922-301
Download from Www.Somanuals.com. All Manuals Search And Download.
|