Nortel VPN Router Configuration — Firewalls, Filters, NAT, and QoS

Version 7.00
Part No. NN46110-601 315896-F Rev 01
February 2007
Document status: Standard
600 Technology Park Drive, Billerica, MA 01821-4130


Copyright © 2007 Nortel Networks. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks
Nortel Networks, the Nortel Networks logo, and Nortel VPN Router are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. Cisco and Cisco Systems are trademarks of Cisco Systems, Inc. Entrust and Entrust Authority are trademarks of Entrust Technologies, Incorporated. Java and Solaris are trademarks of Sun Microsystems. Linux and Linux FreeS/WAN are trademarks of Linus Torvalds. Microsoft, Windows, Windows NT, and MS-DOS are trademarks of Microsoft Corporation. Netscape, Netscape Communicator, Netscape Navigator, and Netscape Directory Server are trademarks of Netscape Communications Corporation. SPARC is a trademark of Sparc International, Inc. All other trademarks and registered trademarks are the property of their respective owners. The asterisk after a name denotes a trademarked item.

Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software. 1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. 
Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software. 2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply. 3. Limitation of Remedies. 
IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. 4. General a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction. c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations. d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose. e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

Contents

Preface
    Before you begin
    Text conventions
    Acronyms
    Related publications
    Hard-copy technical manuals
    How to get help
        Finding the latest updates on the Nortel Web site
        Getting help from the Nortel Web site
        Getting help over the phone from a Nortel Solutions Center
        Getting help from a specialist by using an Express Routing Code
        Getting help through a Nortel distributor or reseller

New in this release
    Feature
        Firewall Virtual ALG

Chapter 1 Overview of firewalls, filters and NAT
    VPN Router Stateful Firewall concepts
        Stateful inspection
        Interfaces
        Anti-spoofing
        Filter rules
        Attack detection rules
    Filters for access control
    Network address translation

Chapter 2 Configuring the VPN Router Stateful Firewall
    Configuring prerequisites
        Installing Java 2 software
        Using Internet Explorer
        Using Netscape
        Using Netscape 6
        Using Netscape on Solaris
    Enabling firewall options
        Rule enforcement
        Selecting logging options
        Application-specific logging
        Remote system logging
        Configuring anti-spoofing
        Configuring malicious scan detection
    Setting up policies
        Creating and editing firewall policies
        Creating policies
        Adding a policy
        Deleting an existing policy
        Renaming an existing policy
        Copying an existing policy
    Navigating rules
        Implied rules
        Override rules
        Interface-specific rules
        Default rules
    Creating rules
        Creating a new policy
        Rule columns
        Header row menu
        Row menu
        Cell menus
    Verifying the configuration
    Configuring a sample security policy
    Firewall deployment examples
        Residential firewall example
        Business firewall example

Chapter 3 Configuring filters
    Adding and editing filters
    Configuring Allow Management Traffic
    Configuring next hop traffic filters

Chapter 4 Configuring NAT
    Address translations
        Dynamic many-to-one—port translation
        Dynamic many-to-many—pooled translation
        Static one-to-one translation
        Port forwarding
        Double NAT
        IPsec-aware NAT
    NAT modes
        Full Cone NAT
        Restricted Cone NAT
        Port restricted Cone NAT
        Symmetric NAT
    NAT traversal
        NAT and VoIP
        Address/Port discovery
        Network address port translation (NAPT)
    NAT Usage
        Configuring Cone NAT
        Branch office tunnel NAT
        Interface NAT
        Dynamic routing protocols
    Configuring NAT policy
        NAT policy sets
        Creating a new policy
        Adding a policy
        Deleting an existing policy
        Renaming an existing policy
        Copying an existing policy
        Creating rules
    Sample NAT procedures
        Interface NAT with RIP
        Interface NAT with OSPF
        Branch Office NAT with RIP
        Branch Office NAT with OSPF
        Sample branch office NAT configuration
    Configuring NAT with the VPN Router Stateful Firewall
    Application level gateways (ALG)
        NAT ALG for SIP
        Configuring NAT ALG for SIP
        Firewall SIP ALG
        Configuring Firewall Virtual ALG
    Hairpinning
        Hairpinning with SIP
        Hairpinning with a UNIStim call server
        Hairpinning with a STUN server
        Hairpinning requirements
        Enabling hairpinning
    NAT statistics
    Time-outs
    Proxy ARP

Chapter 5 Configuring firewall user authentication

Chapter 6 Configuring QoS
    Configuring classifiers
    Configuring Interface shaping
    Configuring bandwidth management
    Using forwarding priority
    Using call admission priority
    Using RSVP
    Configuring Differentiated Services (DiffServ)
    DSCP to 802.1p mapping

Index

Figures

Figure 1 Security Warning window
Figure 2 Download Java Runtime window
Figure 3 Syslog forwarding window
Figure 4 Anti-Spoofing configuration window
Figure 5 Scan Detection configuration window
Figure 6 Select Policy window
Figure 7 Implied rules
Figure 8 Override rules
Figure 9 Interface-specific rules (Source rules)
Figure 10 Interface-specific rules (Destination rules)
Figure 11 Default rules
Figure 12 Network Object Selection window
Figure 13 Network object edit window
Figure 14 Service Object Selection window
Figure 15 Example of a basic residential firewall
Figure 16 Business firewall
Figure 17 Adding a filter
Figure 18 Editing a filter
Figure 19 Nexthop filter action
Figure 20 Port translation
Figure 21 Dynamic pooled address translation
Figure 22 Static address translation
Figure 23 Port forwarding example
Figure 24 Double NAT
Figure 25 IPsec-aware NAT example
Figure 26 Full Cone NAT
Figure 27 Restricted Cone NAT
Figure 28 Port Restricted Cone NAT
Figure 29 Symmetric NAT
Figure 30 STUN
Figure 31 Restricted Cone NAT — NAPT
Figure 32 Firewall/NAT window
Figure 33 Firewall/NAT Edit window
Figure 34 Overlapping address translation
Figure 35 Interface NAT
Figure 36 NAT with dynamic routing example
Figure 37 NAT configuration example
Figure 38 NAT and SIP
Figure 39 SIP enabled
Figure 40 Enabling or disabling Firewall Virtual ALG
Figure 41 Virtual ALG
Figure 42 Adding a server to the Virtual ALG
Figure 43 Hairpinning with SIP
Figure 44 Intra-realm call with hairpinning
Figure 45 NAT Hairpinning
Figure 46 Proxy ARP example
Figure 47 FWUA example
Figure 48 FWUA configuration
Figure 49 Example 802.1p to DSCP mapping

Tables

Table 1 Servers and corresponding configuration windows
Table 2 Filter rule with next hop
Table 3 NAT entries
Table 4 Bandwidth allocation per priority level
Table 5 Call admission priority
Table 6 Maximum connections per priority
Table 7 Default incoming 802.1p mappings
Table 8 Default outgoing 802.1p mappings

This guide assumes that you have experience with windowing systems or graphical user interfaces (GUI) and familiarity with the network management. Filters. Text conventions This guide uses the following text conventions: angle brackets (< >) Indicate that you choose the text to enter based on the description inside the brackets.12 bold Courier text Indicates command names and options and text that you need to enter. NAT.15 Preface This guide describes overview and configuration information for the Nortel VPN Router Stateful Firewall and VPN Router filters. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>. Nortel VPN Router Configuration — Firewalls.10.32. Before you begin This guide is for network managers who are responsible for setting up and configuring the VPN Router. you enter ping 192. and QoS . Example: Enter terminal paging {off | on}. Example: Use the show health command.

braces ({ }) Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.

brackets ([ ]) Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ntp [associations], you can enter either show ntp or show ntp associations. Example: If the command syntax is default rsvp [token-bucket {depth | rate}], you can enter default rsvp, default rsvp token-bucket depth, or default rsvp token-bucket rate.

ellipsis points (. . . ) Indicate that you repeat the last element of the command as needed. Example: If the command syntax is more diskn:<directory>/...<file_name>, you enter more and the fully qualified name of the file.

italic text Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is ping <ip_address>, ip_address is one variable and you substitute one value for it.

plain Courier text Indicates system output, for example, prompts and system messages. Example: File not found.

separator ( > ) Shows menu paths. Example: Choose Status > Health Check.

vertical line ( | ) Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.

Acronyms
This guide uses the following acronyms:
ACK acknowledgement
ALG application level gateway
BCM business communications manager
FTP File Transfer Protocol
FWUA firewall user authentication
H.323 ITU-T specification for multimedia over IP networks of non-guaranteed QOS
JRE Java Runtime Environment
LAN local area network
MCS multimedia communications server
NAPT network address port translation
NAT network address translation
PAT public address table
RTCP RTP control protocol
RTP Real Time Transport Protocol
SDP Session Description Protocol
SIP Session Initiation Protocol

STUN simple traversal of UDP through NAT
TCP Transmission Control Protocol
TPS terminal proxy server
UATM User Authentication Table Manager
UDP User Datagram Protocol
UNIStim unified networks IP stimulus protocol
VOIP voice over IP
VPN virtual private networks
WAN wide area network

Related publications
For more information about the Nortel VPN Router, refer to the following publications:
• Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
• Nortel VPN Router Configuration—Basic Features (NN46110-500) introduces the product and provides information about initial setup and configuration.
• Nortel VPN Router Configuration—SSL VPN Services (NN46110-501) provides instructions for configuring services on the SSL VPN Module 1000, including authentication, networks, user groups, and portal links.
• Nortel VPN Router Configuration—Advanced Features (NN46110-502) provides instructions for configuring advanced LAN and WAN settings, PPP, frame relay, PPPoE, ADSL and ATM, T1CSU/DSU, dial services and demand services, DLSw, IPX, and SSL VPN.
• Nortel VPN Router Configuration—Tunneling Protocols (NN46110-503) provides configuration information for the tunneling protocols IPsec, L2TP, PPTP, and L2F.
• Nortel VPN Router Security—Servers, Authentication, and Certificates (NN46110-600) provides instructions for configuring authentication services and digital certificates.

• Nortel VPN Router Configuration—Routing (NN46110-504) provides instructions for configuring BGP, RIP, OSPF, and VRRP, as well as instructions for configuring ECMP, routing policy services, and client address redistribution (CAR).
• Nortel VPN Router Using the Command Line Interface (NN46110-507) provides syntax, descriptions, and examples for the commands that you can use from the command line interface.
• Nortel VPN Router Troubleshooting (NN46110-602) provides information about system administrator tasks such as backup and recovery, file management, and upgrading software, and instructions for monitoring VPN Router status and performance. It also provides troubleshooting information and interoperability considerations.
• Nortel VPN Router Configuration—TunnelGuard (NN46110-307) provides information about configuring and using the TunnelGuard feature.

Hard-copy technical manuals
You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation, find the product for which you need documentation, then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Web site at www.adobe.com to download a free copy of the Adobe Reader.

How to get help
This section explains how to get help for Nortel products and services.

Finding the latest updates on the Nortel Web site
The content of this documentation was current at the time the product was released. To check for updates to the latest documentation and software for the VPN Router, click one of the following links:

Latest software: Takes you directly to the Nortel page for VPN Router software located at:
www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=SOFTWARE&resetFilter=1&poid=12325

Latest documentation: Takes you directly to the Nortel page for VPN Router documentation located at:
www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=DOCUMENTATION&resetFilter=1&poid=12325

Getting help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support

This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can:
• download software, documentation, and product bulletins
• search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues

• sign up for automatic notification of new software and documentation for Nortel equipment
• open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support Web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center. In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following web site to obtain the phone number for your region: www.nortel.com/callus

Getting help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc

Getting help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.


New in this release
The following section details what is new in Nortel VPN Router Security — Firewalls, Filters, NAT, and QoS for Release 7.0.

Feature
See the following section for information about feature changes:

Firewall Virtual ALG
A Virtual ALG is a syntax-independent application level gateway (ALG) for firewall traversal that works for both encrypted and nonencrypted UNIStim signaling, which is a Voice over Internet Protocol (VoIP) signaling protocol. A Virtual ALG works only with UNIStim signaling. Virtual ALG is based on a trust model that assumes that the phone authenticates itself with the call server, and that continuous detection of signaling traffic between the phone and the call server allows media to or from the phone to traverse the firewall. Continuous communication implies that the call server trusts the endpoint and that the call server would not communicate constantly with the endpoint device if the endpoint device was not authorized to send media through the firewall. The controlling entity does not acknowledge any requests from unauthorized devices. For more information about Virtual ALG, see “Configuring Firewall Virtual ALG” on page 111.


Chapter 1 Overview of firewalls, filters and NAT
The VPN Router designs integrated firewall solutions to meet the needs of a variety of customers. The VPN Router provides the following firewall solutions:
• VPN Router Stateful Firewall
• VPN Router Interface Filters

With the VPN Router Stateful Firewall, the VPN Router performs a variety of secure routing functions, depending on how you set up the routing capabilities. For example, you can configure the VPN Router to securely route non-tunneled traffic from its private interface, through the firewall, and out its public interface. With this configuration, users on the VPN Router’s private network can access the Internet without requiring a separate, dedicated router.

The VPN Router Stateful Firewall provides a high level of security, assuring the highest level of network security. The VPN Router interface filters provide a cost-effective level of protection. You can disable the interface filters only when the VPN Router Stateful Firewall is enabled.

The Stateful Firewall delivers full firewall capabilities, the fastest runtime, and the flexibility to define the rules to fit your environment. The VPN Router Stateful Firewall achieves optimum performance as a result of advanced memory management techniques and optimized packet inspection. To do this, the Stateful Firewall examines both incoming and outgoing packets and compares them to a common security policy. All service rules are interpreted based on IP conversations (not packets) and are fully stateful. Security rules do not filter packets directly, but the Stateful Firewall services base how to process the packets on the defined security policy.

Because no routing protocols (such as RIP) run on untrusted interfaces, the IP public address table (PAT) provides the routing information to route packets to the appropriate trusted interfaces. The VPN Router Stateful Firewall public address table information is not related to network address translation (NAT) or network address port translation (NAPT), which is often referred to as port address translation. PAT is disabled when either the VPN Router Stateful Firewall or VPN Router Interface Filter is enabled, because the latter two provide better policy-based security.

When you disable the firewall, the IP PAT limits unauthorized sources. PAT has a list of trusted sources that includes the remote client or branch office tunnel end point and the remote Radius/CMP/CRL server address (if on the public side). PAT does not limit the packets from any of those trusted sources. For packets coming from any address that is not in the trusted source list, PAT applies a rate limit (6 packets per 10 seconds) based on the source address. PAT applies only to packets received on a public interface.

VPN Router Stateful Firewall concepts
The VPN Router Stateful Firewall provides a secure access point between an internal network and an external network, such as the Internet. The firewall does the following:
• protects your network and the information on your network from unauthorized intrusion from external networks
• provides a line of defense to allow acceptable traffic, as defined by your organization, and to drop all unacceptable traffic before it enters or leaves the network
• monitors packets and sessions and, based on established rules, determines the appropriate actions to take

In addition, you can configure the firewall to log some or all significant events. This includes all connections over the network, such as all e-mail transactions, firewall status changes, and system failures. You can use the logged information to help enhance network security or track unauthorized use.

Stateful inspection
Some protocols are difficult to securely allow through a firewall using traditional filtering mechanisms. In File Transfer Protocol (FTP), for example, the control connection is typically created using a known port, but the data connection is over a random port. You need stateful inspection to allow an FTP data connection through a firewall without leaving a large number of open ports. Packets are inspected at the application layer to determine the port used by the data connection. Traffic on that port then passes through the firewall for the duration of the FTP session. Stateful inspection validates and allows any nonpredicted ports that an application uses through the firewall. Stateful inspection of each application is unique.

The following applications are inspected:
• FTP
• TFTP
• RCMD
• SQLNET
• VDOLive
• RealAudio

All unique end-to-end communication creates a conversation. For instance, an FTP session between a client and a server can consist of several streams of traffic, with both data and control packets flowing back and forth. All of this traffic is part of the same conversation.

Transport-level state inspection provides a number of ways to make Transmission Control Protocol (TCP) traffic more secure and more difficult for hackers to intercept. Stateful inspection of TCP verifies the consistency of the TCP header and prevents some well-known TCP attacks. TCP sequence numbers are randomized to prevent sequence number guessing.
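The FTP case described above, as an added illustration that is not part of this guide or of the VPN Router software: a small tracker that reads the FTP control channel, learns the data-connection endpoint from a PORT command or a 227 passive-mode reply, and opens a single one-shot pinhole for exactly that endpoint pair instead of leaving a range of ports open. The class and function names, the sample addresses and the session lines are all constructed for the example.

```python
"""FTP stateful inspection, as an added illustration (not Nortel code).

The control channel is parsed for the two ways FTP announces a data
connection: the client's PORT command (active mode) and the server's 227
reply (passive mode).  Each announcement opens one single-use pinhole bound
to a specific endpoint pair; closing the control session removes every
pinhole it created, so no port range is ever left open.
"""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_address(h1, h2, h3, h4, p1, p2):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    ip = ".".join((h1, h2, h3, h4))
    port = int(p1) * 256 + int(p2)
    if not 1 <= port <= 65535:
        raise ValueError("invalid port in FTP address")
    return ip, port


@dataclass
class Pinhole:
    src_ip: str
    src_port: object      # an int, or "any" when the client side is ephemeral
    dst_ip: str
    dst_port: int


@dataclass
class FtpInspector:
    """Tracks one FTP control session and the data pinholes it authorises."""
    client_ip: str
    server_ip: str
    pinholes: list = field(default_factory=list)

    def inspect_control(self, direction, line):
        """direction is 'c2s' (client to server) or 's2c' (server to client).
        Returns True when the line opened a pinhole."""
        if direction == "c2s":
            m = PORT_RE.match(line)
            if m:
                ip, port = decode_address(*m.groups())
                # The client may only ask the server to connect back to the
                # client's own address; anything else is refused.
                if ip != self.client_ip:
                    return False
                # Active mode: the server connects from port 20.
                self.pinholes.append(Pinhole(self.server_ip, 20, ip, port))
                return True
        elif direction == "s2c":
            m = PASV_RE.match(line)
            if m:
                ip, port = decode_address(*m.groups())
                # The server may only announce its own address.
                if ip != self.server_ip:
                    return False
                # Passive mode: the client connects from an ephemeral port.
                self.pinholes.append(Pinhole(self.client_ip, "any", ip, port))
                return True
        return False

    def allow_data(self, src_ip, src_port, dst_ip, dst_port):
        """Admit a new data connection only if a pinhole matches; consume it."""
        for i, p in enumerate(self.pinholes):
            if ((p.src_ip, p.dst_ip, p.dst_port) == (src_ip, dst_ip, dst_port)
                    and p.src_port in ("any", src_port)):
                del self.pinholes[i]
                return True
        return False

    def close(self):
        """Control session ended: every pinhole it created goes away."""
        self.pinholes.clear()


def demo():
    """Walk one constructed passive-mode session; returns the decisions."""
    insp = FtpInspector(client_ip="10.0.0.5", server_ip="192.0.2.10")
    insp.inspect_control("s2c", "227 Entering Passive Mode (192,0,2,10,4,1)")
    first = insp.allow_data("10.0.0.5", 40001, "192.0.2.10", 1025)
    replay = insp.allow_data("10.0.0.5", 40002, "192.0.2.10", 1025)
    insp.close()
    return first, replay


if __name__ == "__main__":
    print(demo())    # (True, False)
```

The port in a 227 reply or PORT command is `p1 * 256 + p2`, so `(192,0,2,10,4,1)` announces port 1025. The pinhole is consumed by the first matching connection and a second attempt at the same endpoint is refused, which is the property that keeps the firewall from behaving like a permanently open port.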

Interfaces
The VPN Router can have many interfaces, and all VPN Routers have two or more physical interfaces. Each tunnel (end user or branch office) is a virtual interface. The interface on which packets arrive at the VPN Router (the source interface) or the interface on which packets leave the VPN Router (the destination interface) classify the packets. You construct the rules in a policy to either use or ignore this classification. If the rule designates Any as an interface, the rule ignores this classification. If the rule designates an interface or group of interfaces, the rule uses this classification.

Use the following terms to designate an interface for the rules in a policy:
• Any—any physical interface or tunnel
• Trusted—any private physical interface or tunnel
• Untrusted—any public physical interface
• Tunnel:Any—any tunnel
• For tunnels, specify either a group name for user tunnels or the specific branch office tunnel for branch office tunnels:
— Tunnel:/base—specify the specific branch office tunnel. For example, /base/mktng/tony refers to branch office tony in group /base/mktng.
— Tunnel:user—specify a group name for user tunnels. For example, /base/engineering refers to all user tunnels in that group.
• Interface name—the value of the Description field assigned to the physical interface on the System > LAN (or System > WAN) window. If the description is blank, the interface name defaults to the value of the Interface field on the same page.

You can configure any physical interface as private or public on the System > LAN > Interfaces window. By default, the LAN interface (Slot 0) is private and all other interfaces are public.

Filter rules
Filtering uses a set of rules to determine whether to allow a packet through the firewall. Typical options are to accept or drop the packet—these options provide a degree of security for a network.

The rules determine one of the following actions:
• accept the packet
• drop the packet
• reject the packet by sending a reject to the source address
• log the packet locally (you can use this action with any of the previous three actions)

Anti-spoofing
Anti-spoofing prevents a packet from forging its source IP address. Typically, anti-spoofing examines and validates the source address of each packet. Anti-spoofing performs the following checks:
• source address is not equal to the destination address
• source address is not equal to 0
• source address from an external network is not one of the directly connected networks

Attack detection rules
The firewall can detect common attacks launched against corporate networks, preventing denial-of-service as well as nonauthorized intruders. It also drops any packets resulting from the attack. The VPN Router Stateful Firewall provides a defense against denial of service attacks with well-known prevention methods. The VPN Router Stateful Firewall protects against the following types of attacks:
• Jolt2 is a fragmentation attack affecting Windows PCs by sending the same fragment repetitively.
• SYN flood can disable your network services by flooding them with connection requests. This fills the SYN queue, which maintains a list of unestablished incoming connections, forcing it to not accept additional connections.
• Linux* Blind Spoof attempts to establish a spoofed connection instead of sending the final ACK with the correct sequence number and with no flag set. Linux does not try to verify if the ACK is not set. The firewall drops any packet that does not have the ACK set.

• UDP Bomb sends malformed UDP packets that can crash a remote system.
• Ping of death sends a fragmented packet larger than 65536 bytes. When accepted by the target host, this packet causes a loop within the operating system, essentially locking the system.
• Teardrop/Teardrop-2 is a fragmentation attack that sends out invalid fragmented IP packets that trigger a bug in the IP fragment reassembly code of some operating systems. This causes the remote system to either reboot or panic during processing.
• Land attack sends a TCP packet to a running service on the target host with a source address of the same host. The TCP packet is a SYN packet that establishes a new connection and is sent from the same TCP source port as the destination port, causing the remote system to incorrectly process this packet.
• Smurf sends a large number of ICMP echo (ping) messages to an IP broadcast address with the forged source address of the intended victim. The routing device forwarding traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast, causing most network hosts to take the ICMP echo request and issue a reply to each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there are potentially hundreds of machines to reply to each packet.
• Fraggle sends a large number of UDP echo messages.
• ICMP unreachable sends ICMP unreachable packets from a spoofed address to a host, causing the host to stop all legitimate TCP connections to the host that is spoofed in the ICMP packet.
• Data flood sends a large amount of data to a system that is used as a denial of service attack, which exhausts available resources and stops responses to other user requests.
• FTP command overflow crashes FTP servers that contain buffer overflows for commands that take arguments. This applies to the user command, which means an attacker does not need a valid account to crash the system.

Filters for access control
As you progressively put in place the components of your VPN Router configuration, access control becomes an important security mechanism. You need complete control over which users have access to particular servers and services.
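The anti-spoofing checks and several of the attack signatures described above, as an added illustration that is not part of this guide or of the VPN Router software. Packets are plain dictionaries built inline; the field names, the directly connected networks and every sample address are constructed for the example, and the Land, ping-of-death, Jolt2, Smurf and Fraggle checks are written from the one-sentence descriptions in the list above rather than from any vendor implementation.

```python
"""Anti-spoofing and attack-signature checks, as an added illustration (not
Nortel code).  Packet fields, networks and addresses are all constructed."""
import ipaddress

# Constructed: networks directly attached to the firewall's private side.
DIRECTLY_CONNECTED = [ipaddress.ip_network("10.1.0.0/16"),
                      ipaddress.ip_network("192.0.2.0/24")]
MAX_IP_DATAGRAM = 65535        # largest legal IPv4 datagram, in bytes


def anti_spoof_check(pkt, from_external):
    """Return the failed check as a string, or None if the source is sane."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if src == dst:
        return "source address equals destination address"
    if int(src) == 0:
        return "source address is 0"
    if from_external and any(src in net for net in DIRECTLY_CONNECTED):
        return "external packet claims a directly connected source network"
    return None


def is_directed_broadcast(addr):
    """True when addr is the broadcast address of a directly connected net."""
    a = ipaddress.ip_address(addr)
    return any(a == net.broadcast_address for net in DIRECTLY_CONNECTED)


class AttackDetector:
    """Stateless signatures plus one stateful one (repeated fragments)."""

    def __init__(self):
        self.seen_fragments = set()

    def check(self, pkt):
        """Return the name of the signature that fired, or None."""
        proto = pkt["proto"]
        frag_off = pkt.get("frag_off", 0)        # fragment offset, 8-byte units
        more = pkt.get("more_frags", False)
        # Land: a SYN whose source equals its destination, port included.
        if (proto == "tcp" and "SYN" in pkt.get("flags", ())
                and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]):
            return "land"
        # Ping of death: the reassembled datagram would exceed the IPv4 limit.
        if frag_off * 8 + pkt["len"] > MAX_IP_DATAGRAM:
            return "ping-of-death"
        # Jolt2: the very same fragment arriving again.
        if frag_off or more:
            key = (pkt["src"], pkt["dst"], pkt.get("ip_id"), frag_off)
            if key in self.seen_fragments:
                return "jolt2"
            self.seen_fragments.add(key)
        # Smurf / Fraggle: echo requests aimed at a directed broadcast address.
        if is_directed_broadcast(pkt["dst"]):
            if proto == "icmp" and pkt.get("icmp_type") == 8:
                return "smurf"
            if proto == "udp" and pkt.get("dport") == 7:
                return "fraggle"
        return None


def screen(detector, pkt, from_external=True):
    """Anti-spoofing first, then attack signatures; returns (action, reason)."""
    reason = anti_spoof_check(pkt, from_external) or detector.check(pkt)
    return ("drop", reason) if reason else ("accept", None)


if __name__ == "__main__":
    det = AttackDetector()
    sample = {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp",
              "flags": ("SYN",), "sport": 40000, "dport": 80, "len": 60}
    print(screen(det, sample))            # ('accept', None)
```

Note that a Land packet already fails the first anti-spoofing check (source equals destination), so in `screen` it is dropped before the signature layer ever sees it; the dedicated Land test in `AttackDetector.check` matters only when anti-spoofing is disabled.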

You use filtering to fine-tune access to specific hosts and services. All users have custom filter profiles based on their group profiles that describe the resources they can access on the network. The filters are defined by:
• Protocol ID
• Direction
• Source and destination IP addresses
• Source and destination port
• TCP connection establishment

You create a list of rules for a filter profile to perform precisely the action that you want. These rules are tested in order until the first match is found. Therefore, the order of the rules is very important. The filtering mechanism works such that if no rule matches a packet, the packet is discarded (denied); therefore no traffic is transmitted or received unless it is specifically permitted.

Network address translation
Network address translation (NAT) enables transparent routing between address spaces. When you use NAT in an extranet, multiple private networks can connect dynamically through secure tunnels without requiring any address space reconfiguration. Increasing use of NAT comes from two major factors:
• Shortage of IP addresses—Most Internet service providers (ISPs) allocate only one address to a single customer. This address is dynamic, so a client receives a different address each time they connect to the ISP. Because users receive a single IP address, they can have only one computer connected to the Internet at a time. When NAT runs on this single computer, it is possible to share that single address between multiple local computers and connect them all at the same time. The outside world is unaware of this division and performs all communications as though only a single machine on the local network is accessible.


• Security—NAT automatically provides security without any special set-up because it allows only connections that originate on the private network. It is still possible to make some internal servers available to the outside world by statically mapping internal addresses to externally available ones, thus making services such as FTP available in a controlled way.

In the context of virtual private networks, NAT is necessary to allow multiple intranets with conflicting subnets to communicate. Because you can fix the configuration of branch office or partner networks, a VPN solution must be able to securely route between these networks without requiring all the private addresses to be unique across the entire extranet.
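The filter-rule evaluation described in the "Filters for access control" section (first match wins, no match means deny), combined with the interface designators from the "Interfaces" section (Any, Trusted, Untrusted, Tunnel:Any, Tunnel:<group or branch office>, or an interface description), as an added illustration that is not part of this guide or of the VPN Router software. The `Interface`, `Rule` and `POLICY` names, the rule syntax and every address are constructed for the example; only the matching semantics come from the text.

```python
"""First-match filter evaluation with interface designators, as an added
illustration (not Nortel code).  Names, rule syntax and addresses are
constructed; the semantics (ordered rules, first match, implicit deny)
follow the chapter."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str          # the Description field, case sensitive ("Internet")
    kind: str          # "private", "public" or "tunnel"
    group: str = ""    # tunnels only: "/base/engineering", "/base/mktng/tony"


def interface_matches(designator, iface):
    """Does a rule's interface designator cover this interface?"""
    if designator == "Any":
        return True
    if designator == "Trusted":
        return iface.kind in ("private", "tunnel")
    if designator == "Untrusted":
        return iface.kind == "public"
    if designator == "Tunnel:Any":
        return iface.kind == "tunnel"
    if designator.startswith("Tunnel:"):
        wanted = designator[len("Tunnel:"):]
        # A group covers itself and every tunnel below it in the tree.
        return iface.kind == "tunnel" and (
            iface.group == wanted or iface.group.startswith(wanted + "/"))
    return iface.name == designator      # exact, case-sensitive description


@dataclass
class Rule:
    action: str                 # "accept", "drop" or "reject"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    direction: str = "any"      # "inbound", "outbound" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: object = "any"       # int, (lo, hi) tuple, or "any"
    dport: object = "any"
    established: bool = False   # True: only segments with ACK set
    src_iface: str = "Any"
    log: bool = False


def port_ok(spec, port):
    if spec == "any":
        return True
    lo, hi = spec if isinstance(spec, tuple) else (spec, spec)
    return port is not None and lo <= port <= hi


def rule_matches(rule, pkt, iface):
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if rule.direction != "any" and rule.direction != pkt["direction"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if not port_ok(rule.sport, pkt.get("sport")):
        return False
    if not port_ok(rule.dport, pkt.get("dport")):
        return False
    if rule.established and not (pkt["proto"] == "tcp"
                                 and "ACK" in pkt.get("flags", ())):
        return False
    return interface_matches(rule.src_iface, iface)


def evaluate(rules, pkt, iface, log):
    """First matching rule decides; a packet matching nothing is dropped."""
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt, iface):
            if rule.log:
                log.append(f"rule {n}: {rule.action} {pkt['proto']} "
                           f"{pkt['src']}->{pkt['dst']} via {iface.name}")
            return rule.action
    log.append(f"implicit deny: {pkt['proto']} {pkt['src']}->{pkt['dst']} "
               f"via {iface.name}")
    return "drop"


# Constructed policy: outbound web from trusted sides, replies only from the
# public side, and logged rejection of telnet from one branch-office group.
POLICY = [
    Rule("accept", proto="tcp", direction="outbound", dport=80,
         src_iface="Trusted"),
    Rule("accept", proto="tcp", direction="inbound", established=True,
         src_iface="Untrusted"),
    Rule("reject", proto="tcp", dport=23, src_iface="Tunnel:/base/mktng",
         log=True),
]
```

Because evaluation stops at the first match, swapping the second and third rules would change nothing here, but placing a broad accept ahead of a narrow reject would silently disable the reject; that is the ordering point the text makes.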
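The address-sharing and security properties described above (one public address shared by many private hosts, inbound traffic accepted only for sessions the private side opened or for a static mapping an administrator chose to expose), as an added illustration that is not part of this guide or of the VPN Router software. The `Napt` class, its method names and every address and port are constructed for the example.

```python
"""Network address port translation, as an added illustration (not Nortel
code).  Shows why NAT admits only private-originated sessions unless a
static mapping exists.  Class name, addresses and ports are constructed."""
from dataclasses import dataclass, field


@dataclass
class Napt:
    public_ip: str
    # Static mappings: (proto, public_port) -> (private_ip, private_port).
    # This is the deliberate exposure of an internal server such as FTP.
    static: dict = field(default_factory=dict)
    next_port: int = 40000
    # Dynamic state learned from outbound traffic.
    outbound: dict = field(default_factory=dict)   # 5-tuple -> public port
    inbound: dict = field(default_factory=dict)    # reply key -> private endpoint

    def _allocate_port(self, proto):
        """Hand out the next public port that no static mapping already uses."""
        while (proto, self.next_port) in self.static:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Private -> public: rewrite the source to the shared address and
        remember the session so that its replies can come back."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = self._allocate_port(proto)
            self.outbound[key] = pub_port
            self.inbound[(proto, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def translate_inbound(self, proto, src_ip, src_port, dst_port):
        """Public -> private: returns (private_ip, private_port), or None
        when no mapping exists and the packet must be discarded."""
        target = self.static.get((proto, dst_port))
        if target is not None:
            return target
        # Only a reply to a session the private side opened gets through.
        return self.inbound.get((proto, dst_port, src_ip, src_port))


if __name__ == "__main__":
    nat = Napt("198.51.100.1", static={("tcp", 21): ("10.0.0.20", 21)})
    print(nat.translate_outbound("tcp", "10.0.0.5", 50000, "203.0.113.80", 80))
    print(nat.translate_inbound("tcp", "203.0.113.99", 12345, 40000))  # None
```

The `inbound` table is keyed on the remote endpoint as well as the public port, so a third party that guesses an allocated port still gets no translation; only the static FTP entry is reachable without a prior outbound session.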



Chapter 2 Configuring the VPN Router Stateful Firewall
To use the firewall on the VPN Router, you must install a license key and enable the firewall service. Without the firewall enabled, the VPN Router forwards the following traffic patterns:
• private physical interface to private physical interface
• private physical interface to user or branch office tunnel
• tunnel to tunnel (user or branch office)

When the firewall is enabled, the VPN Router additionally routes traffic from public to private interfaces.

Note: Shut off all traffic to the VPN Router before you activate the firewall on the Services > Firewall/NAT window. Do this during off hours to prevent inconvenience to the users. You must create rules for tunnel traffic before traffic on existing tunnels is allowed.

The VPN Router Stateful Firewall uses the principle that any traffic not specifically allowed is disallowed. The rule set of the active policy applies to all traffic, including tunneled and non-tunneled traffic. Therefore, when you first enable the VPN Router Stateful Firewall, all traffic is disallowed until you configure rules specifically allowing certain types of traffic.



Configuring prerequisites
Before you set up your VPN Router Stateful Firewall, be sure you have the following information:
• The management IP address of your VPN Router. This address is found on the VPN Router’s System > Identity window.
• The firewall license key. Go to the Admin > Install Keys window and type the key that you obtained from Nortel in the box to the right of VPN Router Stateful Firewall and click Install. It is only necessary to install a key once on each VPN Router. Click Delete to remove the key.
• The name of the firewall. This is the name used by the Domain Name Service (DNS) server to identify the management address of the VPN Router. This name is entered in the DNS Host Name field of the VPN Router System > Identity window.
• The names and IP addresses of your VPN Router’s interfaces. These are found on the Status > Statistics: Interfaces window.

The following system requirements are necessary to access the VPN Router Stateful Firewall Manager:
• Supported operating systems and platforms include Solaris* (OS 2.8 and 2.9) on an x86 or SPARC* platform and Microsoft Windows 2000 or Windows XP.
• Required software includes Java* 2 Plug-in Version 1.4.2_04, available in the Java 2 Runtime Environment Version 1.4.2_04. The J2RE is available for automatic download on a Windows platform for all VPN Routers except the 1010, 1050 and 1100 (refer to the Java 2 Runtime Environment Installation). J2RE installation files for Windows and Solaris are also available on the Nortel CD in the tools/java directory.
• Supported browsers include Internet Explorer 6 and higher and Netscape 7.x, 8.0.x and 8.1.x. Netscape 6 comes with a version of the Java 2 Plug-in that is not supported. If you wish to use Netscape 6, refer to the Netscape section of the Java 2 Runtime Environment Installation.


Installing Java 2 software
To access the VPN Router Stateful Firewall Manager, you must install Java 2 Runtime Environment on the computer that administers the VPN Router. There are two separate procedures to install the Java 2 software, depending on whether you use Internet Explorer or Netscape Navigator to access the VPN Router.

Using Internet Explorer
To install the Java 2 software on Windows 9x, Windows 2000, or Windows NT from Internet Explorer:
1 Connect to the management IP address of the VPN Router and log in.
2 Select Services > Firewall/NAT.
3 Click Manage Policies. A window appears and tries to load the VPN Router Stateful Firewall Manager.
4 When the Security Warning window appears, click Yes to install the Java 2 Runtime Environment (Figure 1).

Figure 1 Security Warning window

The installation program downloads the software from the VPN Router. It can take several minutes to load, depending on the speed of your connection to the VPN Router.
5 When the installation program displays the Software Licensing Agreement, click Yes to accept the agreement.
6 When the installation program asks for an installation location, accept the default location or choose another installation location.
7 Click Next to finish the installation.
8 When the installation is complete, close all open Web browsers.
9 Reboot the computer for the changes to take effect.

Using Netscape
To install the Java 2 software on Windows 9x, Windows 2000, or Windows NT from Netscape Navigator:
1 Connect to the management IP address of the VPN Router and log in.
2 Select Services > Firewall.
3 Click Manage Policies. A window appears and tries to load the VPN Router Stateful Firewall Manager. The Plug-in Not Loaded box appears. (If this box does not appear, click the white or gray box that appears on the browser window.)
4 Click Get the Plug-in to download the Java 2 Runtime Environment. (This is not available for the 1010, 1050, and 1100 hardware platforms.) The Java Plugin Download window appears (Figure 2).

Figure 2 Download Java Runtime window

5 Click the Download now link next to the Windows version of the Java Runtime Environment. (This can take several minutes to load, depending on the speed of your connection to the VPN Router.)
6 When the browser prompts you for a location to save the file, choose a download location and click OK to continue.
7 When the download finishes, go to the download location and double-click the icon for the Java Runtime Environment.
8 When the installation program displays the Software Licensing Agreement, click Yes to accept the agreement.
9 When the installation program asks for an installation location, accept the default location or choose an alternate installation location.
10 Click Next to finish the installation.
11 When the installation is complete, close all open Web browsers.
12 Reboot the computer for the changes to take effect.

Using Netscape 6
Netscape 6 currently includes a version of Java 2 Plug-in that is not supported. To successfully load the VPN Router Stateful Firewall Manager, you must use Version 1.4.2_04. The following steps change the default plug-in to Version 1.4.2_04.
1 Install the Java 2 Runtime Environment as described in the previous Netscape section and be sure to restart the computer.

2 Load the Java Plug-in Properties from Start > Settings > Control Panel > Java Plug-in.
3 Click the Advanced tab.
4 Choose JRE V 1.4.2_04 from the list.
5 Click Apply.
6 Close the window.
7 Close all instances of Netscape if any are open.
8 Restart Netscape. The correct plug-in is available.

Using Netscape on Solaris
The Java 2 Runtime Environment for Solaris is available on the Nortel CD. The installation files and instructions are available for x86 and SPARC platforms. To install the Java 2 software on Solaris (OS 2.8 and 2.9) from Netscape Navigator:
1 Ensure that a version of Netscape is installed on the computer.
2 Close all open instances of Netscape.
3 Go to the tools/java/solaris directory on the Nortel CD.
4 Choose the subdirectory for the installed platform, either intel for x86 or sparc for SPARC.
5 Copy the binary (.bin) and the README files to the computer.
6 Follow the platform-specific installation instructions contained in the README file.
7 Set the NPX_PLUGIN_PATH environment variable to the directory containing the javaplugin.so file. For example, if the J2RE was installed in the /usr/j2re1.4.2_04 directory on a SPARC, the command to set the NPX_PLUGIN_PATH from the C shell is:
setenv NPX_PLUGIN_PATH "/usr/j2re1.4.2_04/plugin/sparc"
8 Start Netscape and then close it.
9 Start Netscape again. The plug-in is now available.

Enabling firewall options
You can select only one firewall choice at any one time. After you enable firewall support, you must configure the specified firewall. The choices are:
• VPN Router Firewall—enables the VPN Router Stateful Firewall feature. When you enable the VPN Router Firewall, you can run any combination of the following:
— VPN Router Stateful Firewall
— VPN Router Interface Filter
— Interface NAT
— Anti-spoofing
— Malicious Scan Detection
• No Firewall—disables all firewall features on the VPN Router. In this configuration, the VPN Router performs VPN routing only.

To enable the VPN Router firewall:
1 Select Services > Firewall/NAT.
2 Select VPN Router Firewall. When you enable the VPN Router Firewall, you can run any combination of the following:
— VPN Router Stateful Firewall
— VPN Router Interface Filter
— Interface NAT
— Anti-spoofing
— Malicious Scan Detection
3 Click OK.
4 Confirm your selection.
5 At the prompt, reboot the VPN Router. You must restart the VPN Router before the firewall becomes active.

To enable no Firewall:
1 Select Services > Firewall/NAT.

2 Select No Firewall.
3 Click OK. This disables all firewall features on the VPN Router. In this configuration, the VPN Router performs VPN routing only.

To enable the VPN Router Stateful Firewall:

The configuration procedures assume that you configured the VPN Router (except for the firewall component) and that you obtained the required firewall license. You do not need a license for the VPN Router Interface Filter.

1 Select System > LAN.
2 For each interface, enter a label in the Description field. This name identifies interfaces in the security policy rules, is case sensitive, and cannot be abbreviated when specifying the interface in the rules. For example, you can make Internet the description for Slot 1 Interface 1 and ServiceNet the description for Slot 2 Interface 1. If you do not specify a description, the default name for the interface is Slot n Interface 1 (n=1 to 6), which represents the physical port interface. Slot n Interface n represents an optional LAN card in expansion Slot n using Interface n. The available slot numbers are hardware platform specific.
3 Assign an IP address to the LAN.
4 Select Services > Firewall/NAT.
5 Enable VPN Router Stateful Firewall.
6 Click OK.
7 On the system shutdown window, click OK and on the confirmation page, click OK to indicate the reboot.
8 After the VPN Router reboots, return to Services > Firewall/NAT and click Configure.
9 Click Manage policies to load the VPN Router Stateful Firewall Manager applet. The first time you do this on any workstation, you must load the Java applet. The message Retrieving policies appears.
10 Select the System Default policy, which is read-only. Click View to review this policy. The implied rules are included with every new policy.
11 You can toggle the browser windows between the VPN Router Stateful Firewall Manager applet and the Services > Firewall/NAT window. If you use

your browser to change other settings on the VPN Router while running the VPN Router Stateful Firewall Manager applet, the current VPN Router Stateful Firewall Manager applet does not reflect these changes. Click the Firewall icon in the VPN Router Stateful Firewall Manager applet to refresh the list of policies and other VPN Router settings. Any changes made in the VPN Router Stateful Firewall Manager applet are not evident in the Services > Firewall/NAT window until you save the policy.
12 Click Manager > Exit to exit the VPN Router Stateful Firewall Manager.
13 After you exit the VPN Router Stateful Firewall Manager applet, click Refresh on the Services > Firewall/NAT window.

Note: You cannot import or export new policies. However, there are no restrictions on creating new policies. The new policies you create are not automatically applied to the firewall. Only one policy at a time is in effect on the firewall.

Rule enforcement

ICMP is allowed or disallowed on public and private interfaces. To enable ICMP, you must have a complete three-way handshake prior to the application of data. This information is not saved in the system log.

Selecting logging options

The following options control the amount of firewall event information recorded in the event log.
• All—includes traffic, policy manager, firewall, and NAT
• Traffic—logs when flows and conversations are created or removed
• Policy manager—logs firewall processes and when rules and policies are created
• Firewall—logs how the firewall handles packets within a flow

• NAT—logs NAT-related events
• Debug—creates special log messages intended for use only by Nortel customer support personnel

You edit these options on the VPN Router Firewall > Edit window.

You can also set a maximum connection number, which reserves memory for a maximum number of connections. Under the Maximum Connection Number section, enter a number in the indicated range. The range displayed varies depending on the model and amount of memory for your VPN Router. Nortel recommends that you set the number near the middle of the range displayed unless you have specific requirements to consider. Each IPsec tunnel requires two connections. Determining the optimum memory allocation makes it easier to configure your system for firewall traffic. You must reboot the VPN Router if you change the maximum connection number.

Application-specific logging

Firewall-specific logging includes application-specific logging, denial of service attack logging, and the ability to send firewall-specific events to a remote syslog server. The application-specific logs for HyperText Transfer Protocol (HTTP) and FTP contain a unique connection identifier so that events are traced to the start and end of a TCP session. You can configure the firewall rules to enable logging in either brief or detail format for rules with FTP and HTTP service.

Remote system logging

The VPN Router can forward firewall-specific events to a remote syslog server. You can select whether to send all events or only firewall-specific events to the remote syslog server. When you disable the syslog server parameter, the VPN Router sends a message to the syslog that the server is disabled.

To configure remote syslog:
1 Select Services > Firewall/NAT > VPN Router Firewall > Edit.

2 Enable Logging beside each feature you want to configure for the VPN Router Stateful Firewall. The options are:
• All
• Traffic
• Policy Manager
• Firewall
• NAT
• Debug
3 Identify which type of log you require by setting the Implied Rule Log level to one of the following:
• None
• Brief
• Detail
• Trap
4 Configure a remote syslog server from the Services > Syslog window. (Figure 3)

Figure 3 Syslog forwarding window

5 Insert a Hostname or IP address.
6 Select Security for the Entity.
7 Select Firewall for the Subentity.
8 Select All for Filter Level.
9 Select KERN for the Tagged Facility.
10 Select 514 (default) for the UDP port.

11 Click Enabled.
12 Click OK.
13 Start syslog on the remote syslog system.
14 To verify that firewall-specific events appear on the remote syslog system, send traffic through the VPN Router that generates firewall events.

Configuring anti-spoofing

To configure anti-spoofing:
1 Select Firewall/NAT.
2 Select Anti-spoofing.
3 Click Edit. The Anti-Spoofing window appears. (Figure 4)

Figure 4 Anti-Spoofing configuration window

4 Select the public interface on which you want to enable anti-spoofing.
5 Click OK.

Configuring malicious scan detection

Scan detection detects port scanning attempts through the VPN Router that are aimed at private resources.

To configure scan detection:
1 Select Services > Firewall/NAT.
2 Select Malicious Scan Detection.
3 Click Edit. The Scan Detection window appears. (Figure 5)

Figure 5 Scan Detection configuration window

4 In the Detection Interval box, specify the interval (1 through 60) over which the number of port scans or host scans are inspected. If the number of scans exceeds the configured threshold during this interval, the security log logs the scan.
5 In the Port Scan Threshold box, enter the number of one-to-many connections (between 1 and 10000) needed to trigger an event. This is the number of ports on one host on the private side to which an attacking machine must send scan packets during the inspection interval to trigger an event in the security log.
6 In the Network Scan Threshold box, specify the number of host-to-host connections (between 1 and 10000) on the private side to which an attacking machine must send scan packets during the inspection interval to trigger an event in the security log.
7 Click OK.
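The interplay of the three scan detection settings is easier to see on sample traffic. The following model is an added example, not Nortel code: it keeps a sliding window per scanning source of the length given by Detection Interval and raises one security-log event when the distinct ports on one private host reach the Port Scan Threshold, or the distinct private hosts reach the Network Scan Threshold. The addresses, the traffic and the choice that reaching (rather than exceeding) a threshold triggers the event are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float    # seconds since capture start
    src: str    # scanning host (public side)
    dst: str    # private-side host being probed
    dport: int  # destination port


class ScanDetector:
    """Models the Scan Detection settings: Detection Interval (1-60),
    Port Scan Threshold (1-10000) and Network Scan Threshold (1-10000)."""

    def __init__(self, interval, port_threshold, network_threshold):
        if not 1 <= interval <= 60:
            raise ValueError("Detection Interval must be 1 through 60")
        for name, value in (("Port", port_threshold), ("Network", network_threshold)):
            if not 1 <= value <= 10000:
                raise ValueError(f"{name} Scan Threshold must be between 1 and 10000")
        self.interval = interval
        self.port_threshold = port_threshold
        self.network_threshold = network_threshold
        self.hits = defaultdict(deque)  # src -> (t, dst, dport) inside the window
        self.alerted = set()            # (src, kind, target) already reported
        self.events = []                # what would go to the security log

    def observe(self, pkt):
        """Record one probe and return the security-log events it triggers."""
        window = self.hits[pkt.src]
        window.append((pkt.t, pkt.dst, pkt.dport))
        # Drop probes that fell out of the detection interval (sliding window).
        while window and window[0][0] <= pkt.t - self.interval:
            window.popleft()
        ports_per_host = defaultdict(set)
        for _, dst, dport in window:
            ports_per_host[dst].add(dport)
        new = []
        # Port scan: distinct ports on ONE private host from one source.
        # Assumption: reaching the threshold (>=) triggers the event.
        if len(ports_per_host[pkt.dst]) >= self.port_threshold:
            self._alert(new, pkt, "port-scan", pkt.dst, len(ports_per_host[pkt.dst]))
        # Network scan: distinct private hosts probed by one source.
        if len(ports_per_host) >= self.network_threshold:
            self._alert(new, pkt, "network-scan", "private-network", len(ports_per_host))
        return new

    def _alert(self, out, pkt, kind, target, count):
        key = (pkt.src, kind, target)
        if key not in self.alerted:   # log each scan once, not once per packet
            self.alerted.add(key)
            event = {"t": pkt.t, "kind": kind, "src": pkt.src,
                     "target": target, "count": count}
            self.events.append(event)
            out.append(event)


def run_sample():
    """Constructed traffic: a fast port scan, a slow host sweep that never
    fills the interval, and a fast host sweep. Returns the logged events."""
    det = ScanDetector(interval=10, port_threshold=10, network_threshold=5)
    packets = []
    # 192.0.2.10 probes ports 21-30 on one private host, one port per second.
    packets += [Packet(t, "192.0.2.10", "10.3.3.5", 21 + t) for t in range(10)]
    # 198.51.100.7 probes six hosts 15 s apart: never 5 hosts inside 10 s.
    packets += [Packet(15 * i, "198.51.100.7", f"10.3.3.{i + 1}", 445) for i in range(6)]
    # 203.0.113.4 probes five hosts within 5 s: a network scan.
    packets += [Packet(100 + i, "203.0.113.4", f"10.3.3.{i + 1}", 22) for i in range(5)]
    for pkt in sorted(packets, key=lambda p: p.t):
        det.observe(pkt)
    return det.events
```

The slow sweep shows why the Detection Interval matters: a scanner that spaces probes wider than the interval never accumulates enough distinct targets inside one window to be logged.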

Setting up policies

Firewall service consists of two primary components:
• service properties
• security policy

Service properties define the offered service and include a service name, the protocol (TCP, UDP, ICMP), and the port number (or range) on which the service occurs. You use service objects to specify all rule fields for service policies.

Security policies consist of a set of rules that specify what service is allowed or denied. A rule defines whether communication is accepted or rejected (or logged) based on its source, destination, and service. Each rule consists of a combination of network objects, services, actions, and logging mechanisms. A set of rules defines a specific security policy.

The firewall policies use standard actions, which represent the most commonly used policies. You can define custom policies when you need more complex security policies and the standard policies are not sufficient. By customizing your policies, you can further refine the control over what traffic you allow on your internal networks.

The VPN Router Stateful Firewall uses the principle that whatever traffic is not specifically allowed is disallowed. Therefore, when you first enable the VPN Router Stateful Firewall, all traffic is disallowed until you configure rules specifically allowing certain types of traffic. The rule set of the active policy applies to all traffic, including tunneled and nontunneled traffic. You must create rules for tunnel traffic before traffic on existing tunnel definitions is allowed.

Creating and editing firewall policies

You implement access control parameters through the graphical user interface (GUI) or the command line interface (CLI). You can use either interface to configure the following:
• Network objects
• Service objects
• Rules

See Nortel VPN Router Using the Command Line Interface (NN46110-507) for a list of CLI commands.

Creating policies

You use the Services > Firewall/NAT > VPN Router Stateful Firewall > Manage Policies window to create, edit, copy, delete, or rename a firewall policy. The System Default policy is always listed. This read-only policy defines the firewall behavior when no user-defined policies are applied or when the selected policy is not available.

Adding a policy

To add a new policy:
1 Select Services > Firewall/NAT.
2 Click Manage Policies beside VPN Router Stateful Firewall. The Select Policy window appears. The current policy is bold and read-only policies are italic. (Figure 6)

Figure 6 Select Policy window

3 Click New. The New Policy window appears and prompts you for a name for the new policy.
4 Enter the policy name. The name must begin with a letter and cannot contain the : + = ] . " characters.
5 Click OK to go to the Policy Edit window, which has a blank firewall policy, or click Cancel to return to the policy selection window.

Deleting an existing policy

You cannot delete a read-only policy or the policy that is currently applied to the VPN Router. If you select one of these policies, the Delete option is disabled.

To delete an existing policy:
1 Select the policy that you want to delete and click Delete. The Delete policy confirmation box appears.
2 Click OK to delete the selected policy.

Copying an existing policy

To copy a firewall policy:
1 Select the policy that you want to copy.

2 Click Copy. The Copy window appears.
3 Enter a name for the copied policy.
4 Click OK. The new policy appears in the list of policies in the firewall policies window. This policy contains the same rules as the policy from which it was copied.

Renaming an existing policy

You cannot rename a read-only policy or the policy that is applied to the VPN Router. If you select a read-only policy, the Rename option is disabled.

To rename an existing firewall policy:
1 Select the policy that you want to rename.
2 Click Rename. The Rename window appears.
3 Enter the new name of the policy.
4 Click OK.

Navigating rules

You use the Firewall Policy > Edit window to add, delete, and modify the rules within a policy. This window is divided into the following rule groups:
• Implied rules
• Override rules
• Interface-specific rules
• Default rules

Note: When you create a firewall rule, under Interface Specific Rules, it lists Slot 7 Interface 1, which is the serial port. The serial port listing does not appear on versions of the VPN Router prior to Version 4.80.

Implied rules

The firewall processes implied rules first. Implied rules regulate traffic that originated from or terminated at the VPN Router. These rules permit tunnel termination and access to the management interface. They are derived from the Services > Available window and other configuration windows (such as RIP, OSPF, and VRRP), which are read-only. The system statically generates and defines some rules. (Figure 7) You cannot modify these rules—they are for display purposes only. You can control any routed traffic that is not directed to the VPN Router with Override rules, Interface-specific or Default rules.

Figure 7 Implied rules

Static pre-implied rules

The first rule in the implied rules section is the only statically generated rule. It always exists in the implied rules section regardless of the configuration. This rule allows the listed services to leave the VPN Router on any of the private interfaces as long as the services originated from the VPN Router. Table 1 shows the server type and its corresponding configuration windows.

Table 1 Servers and corresponding configuration windows

Servers                  Configuration Window                         Description
DHCP, DHCP-CLIENT        Servers > DHCP Relay
DNS                      System > Identity
Remote-RPC                                                            UDP port 17185
Nbdatagram, nbsession                                                 Remote Netbios
Pptp                     Services > Available
IPSEC                    Services > Available
L2TP & L2F               Services > Available
FWUA                     Services > Available
Radius                   Services > Available
HTTP, HTTPS              Services > Available
SNMP                     Services > Available
FTP                      Services > Available
TELNET                   Services > Available
CRL                      Services > Available
CMP                      Services > Available
LDAP                     Servers > LDAP
UDP Wrapper              Services > IPSEC (Ipsec Settings)            Enable/Disable NAT Traversal UDP, configured port
NTP                      System > DATE&TIME, Network Time Protocol
VRRP                     Routing > VRRP
RIP                      Routing > RIP
OSPF                     Routing > OSPF

Table 1 Servers and corresponding configuration windows (continued)

Servers                  Configuration Window                         Description
SSH Server               Services > SSH Server
BGP                      Services > BGP                               PR or BGP key must be installed.

Dynamic implied rules

All of the available services on the Services > Available window generate dynamic implied rules. Implied rules for ports that are not well known have a service name that consists of the protocol and the port number. For example, a tcp10 rule is generated from port numbers associated with external LDAP and RADIUS servers and configurable FWUA ports.

Override rules

Override rules are the first set of modifiable rules in the policy. (Figure 8) The purpose of these rules is to quickly override the rest of the rules described later in the policy, possibly for a short period, while debugging a problem. These rules do not specify a specific interface in the source or destination interface column. You can only select from the interface groupings (Any, Trusted, Untrusted, Tunnel:Any, User Tunnel:Any, Branch Tunnel:Any, SSL-VPN).

Figure 8 Override rules

Interface-specific rules

Interface-specific rules apply only to packets that enter or leave the VPN Router through one specific interface (physical or tunnel). Physical interface names correspond to the names configured on either the System > LAN or System > WAN window. Tunnels that are also interfaces correspond either to a group name for user tunnels or the specific branch office tunnel name.

Interface-specific rules have two rule types: source and destination. (Figure 9) and (Figure 10) Source rules define the selected interface as the source. Destination rules define the selected interface as the destination. The interface-specific rule section displays only one interface at a time. To view all of the interface-specific rules, select All Interfaces.

Figure 9 Interface-specific rules (Source rules)

Figure 10 Interface-specific rules (Destination rules)

Default rules

Default rules (Figure 11) apply to all traffic, but are not restricted to a specific interface. These rules specify interface groupings for the source or destination (Any, Trusted, Untrusted, Tunnel:Any, User Tunnel:Any, Branch Tunnel:Any).

Figure 11 Default rules

Creating rules

Menus control actions on rules. You access menus by right-clicking an option. Each menu controls a different aspect of the rule.

Header row menu

Right-clicking on any header cell brings up the Header row menu. This menu contains one item, Add New Rule. You use this menu item to add a new rule to the top of the list. The new rule appears in position one and all existing rules increment by one.

Row menu

Right-clicking on the number next to an existing rule activates the row menu. You use this menu to add a new rule at a particular location, delete the specific rule, and perform cut/copy/paste operations on a rule.

Cell menus

Cell menus are cell specific and accessed by right-clicking on an individual cell. There are two types of cell menus: option menus and procedure menus. Option menus provide a list of possible values for the cell. The cell displays the selection when you click on one of the items. Procedure menus provide a list of operations that you can perform on the cell, such as Add and Edit. When you click on one of the items, either the operation is performed immediately (such as Copy) or an additional window appears, prompting you for more information (such as Add).

Rule columns

Each rule within a firewall policy has the same attributes, which are specified by the column headers. The following sections describe the columns within a firewall rule:

#

This column specifies the ordering of the rules within the section. The order applies only to the section in which the rule appears and does not have meaning across the entire policy. If you log a rule, the log information includes this number (#).

Src interface and Dst interface

These columns specify the source and destination interfaces for the rule. Right-clicking on the cell displays an option menu containing possible interfaces. What appears in this option menu depends on which section of the Firewall policy the particular column appears in. For the Override and Default rules, the interfaces may only be interface groupings. These groupings are:
• Any—any physical interface or tunnel
• Trusted—any private physical interface or tunnel
• Untrusted—any public physical interface
• Tunnel:Any—any tunnel, excluding any physical interfaces
• User Tunnel:Any—any user tunnel
• Branch Tunnel:Any—any branch tunnel
• SSL-VPN—any SSL-VPN tunnel

For interface-specific rules, you can specify the interfaces as either groupings or individual interfaces. Clicking on the user tunnel or branch office menu items displays the tunnel selection window. You use this window to select a specific tunnel (branch office or user tunnel).

Source and Destination

These columns specify the source and destination network object for the rule. You can add more than one source or destination address to a rule. You can modify these attributes by right-clicking on a column in the cell, which then brings up a procedure menu.

Click Add to display the Network Object Selection window. (Figure 12) Use this window to define and apply a new network object. You can create the following network objects: host, network, IP range, and group (a collection of these objects).

Figure 12 Network Object Selection window

Italicized objects in the list are read-only—you cannot modify them. You use the New, Edit, and Delete options in this window to create, edit and delete network objects.

Note: You use the NOT operand to specify which networks you do not want included.

Click Edit to display the Network Object Edit window. (Figure 13) You use this window to modify the attributes for the selected network object.

Figure 13 Network object edit window

Click Delete to remove the selected network object. If the object that you want to delete is the last object, it returns to the default value. Click Copy, Cut, or Paste to perform those operations on the current network object.

Service

This column specifies the service objects handled by the selected rule. You can add more than one service to a rule. Right-clicking on the cell displays the standard procedure menu (Add or Edit). Click Add to access the Service Object Selection window (Figure 14), where you define and apply a new service object. You can create the following service objects: TCP, UDP, ICMP, IP protocol, and object groups (a collection of these objects).

Figure 14 Service Object Selection window

Italicized objects in the list are read-only—you cannot modify them. You use the New, Edit, and Delete options in this window to create, edit, and delete service objects. Click Edit to display the Service Object Edit window. You use this window to modify the attributes for the selected service object. Click Delete to remove the selected service object from the cell. If the object you want to delete is the last object in the cell, the cell returns to its default value. Click Copy, Cut, or Paste to perform those operations on the current service object.

Action

The Action column specifies the action that occurs when you activate a rule. Right-clicking on the cell displays an option list containing four items: Accept, Drop, Reject, and User Authentication. Clicking one of these items sets the cell to the selected state.

Log

Use the Log column to specify the logging level for this rule. Right-clicking on this cell brings up an option list containing the following logging levels: None, Brief, Detail, and Trap.

Status

The Status column specifies the status of the particular rule, either Enabled or Disabled.

Remark

Use the Remark column to attach a remark to a particular rule. Right-click Remark and select Add or Edit remark, then type a comment in the dialog box that appears.

Creating a new policy

To configure the firewall policies:
1 Select Services > Firewall/NAT. The Firewall/NAT window appears.
2 In the Configuration section, enable the VPN Router Firewall.
3 Click Manage Policies. The Firewall > Select Policy window appears.
4 Click New to create a new policy. The New Policy window appears.
5 Enter the policy name and click OK. The name must begin with a letter and cannot contain the : + = ] . " characters. The Firewall > Edit Policy: <policyname> window appears with no rules defined. In this window, you can add, delete, and modify the rules for the policy.
6 You can select the rule group as follows:
• Implied rules (view only)
• Override rules
• Interface-specific rules
• Default rules

7 Select the Interface Specific Rules tab.
8 Select an interface and a subinterface from the lists.
9 Select either Source Interface Rules or Destination Interface Rules.
10 Right-click the appropriate cell to add a new rule.
11 Repeat these steps to add more rules.
12 Select Policy and click Save Policy to save your changes.
13 When the policies are saved, go to the Manage menu and click Close Manager.

Verifying the configuration

When you complete the configuration tasks for the firewall, you can check the VPN Router's routing patterns. To verify that the firewall functions properly, you can use a procedure similar to the following:
1 Make sure the firewall is using a security policy that allows the type of traffic you use for the test (or you can use an Accept All policy for the testing).
2 Verify private-to-public traffic. Perform an FTP operation from a host on the private side of the VPN Router to a host on the public side.
3 Verify public-to-private traffic. Perform an FTP operation from a host on the public side of the VPN Router to a host on the private side.
4 Verify tunnel-to-internal network traffic. Connect a remote VPN Client system to the VPN Router. From the client, access a Web page on the internal network.
5 Verify tunnel-to-Internet traffic. Connect a remote VPN Router system to the local VPN Router. From the client, access a Web page on the Internet.

Successful completion of these steps indicates that the VPN Router firewall is functioning and that the VPN Router routing patterns are available.

Configuring a sample security policy

In this configuration example, the following setup exists:
• Public IP address 192.168.3.22 (Internet Access)
• Private IP address 10.3.3.102 (VPN Router default is LAN)
• FTP server IP address 192.168.3.20 on the public network
• Security policy allows users to download files to the FTP server, with no other access to the Internet permitted

To configure the VPN Router Stateful Firewall to implement a security policy:
1 Select Services > Firewall/NAT.
2 Click Manage Policies for VPN Router Stateful Firewall.
3 On the Firewall > Select Policy window, click New.
4 Enter AllowFTPAccess as the policy name and click OK.
5 On the Firewall > Edit Policy window, click the Interface Specific Rules tab.
6 In the Interface Specific Rules tab, right-click # in the header, and select Add New Rule. Make no changes to the interface or subinterface lists and leave Source Interface Rules selected.
7 In the Interface Specific Rules tab, click the DST Interface value (*any), right-click to display the selection menu, and select SSL-VPN.
8 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Destination value (*any), right-click to display the selection menu, and select Add.
9 Create the FTP server network object:
a In the Network Object Selection window, click New.
b In the Network Object Type Selection window, select Host as the type of object to create, and click OK.
c In the Network Object Insert window, enter the Host name (externalFTPserver) and the IP address (192.168.3.20).

d In the Network Object Selection window, click OK to add the externalFTPserver network object into the Destination field.
10 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Service value (*any), right-click to display the Service Object Selection box, scroll down to and click FTP, and click OK.
11 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Action value (drop), right-click to display the Action menu, and click Accept to enter it into the Action field.
12 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Log value (blank = none), right-click to display the Log menu, and click the required log value to enter it into the Log field. In this example, the log value is brief.
13 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Status value (checked means enabled), right-click to display the Status menu, and click the required status value to enter it into the Status field. (Within a policy, you can independently disable each rule in the Override, Interface-Specific, and Default groups.)
14 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Manager menu at the top left of the window and click Exit CSF/NAT. In the Save Changes to this policy box, click Yes.
15 On the Services > Firewall/NAT window, check VPN Router Stateful Firewall, select AllowFTPAccess from the policy box, and click OK. (You can apply only a single policy to the VPN Router.)
16 Click Firewall. You are prompted to reboot the VPN Router to activate the new firewall configuration.

Firewall deployment examples

You can customize security policies and apply them to individual subscribers, or you can create them as templates and apply them to many subscribers. Some questions to consider when establishing firewall rules include:
• What are the IP addresses for all of your servers (FTP, Web, DNS, mail) accessible through this firewall?

• If you are setting up NAT, what IP addresses can you list that are otherwise not visible?
• What applications, other than HTTP, FTP and network protocols, such as some forms of ICMP, run across your firewall?

Residential firewall example

A residential firewall (Figure 15) is generally a simple firewall designed to allow user-initiated traffic while blocking any incoming traffic or port scans. The choices for service indicate which protocols to accept or reject on the network. Typically, these include HTTP, FTP, SMTP, mail protocols, and other typical network traffic.

Figure 15 Example of a basic residential firewall (User, Public Internet)

Use the Override Rules tab on the Firewall > Edit Policy window to configure your residential firewall with a single override rule that allows all trusted traffic. Trusted traffic is traffic that comes from either a trusted physical interface or a tunnel. Alternatively, you can use the Interface Specific Rules tab on the Firewall > Edit Policy window to configure a single interface specific rule that allows traffic sourced from the physical interface LAN (slot 1/0).

Business firewall example

A business firewall (Figure 16) requires a more complex rule configuration. A business user must have access to internal resources, such as mail servers and Web servers.

Figure 16 Business firewall

When configuring a business firewall, you must set override rules to do the following:
• require branch office users to authenticate themselves prior to accessing internal resources
• allow user tunnel traffic to go anywhere
• allow non-tunneled FTP and HTTP to gain access to the DMZ

You set the override rules in the Override Rules tab on the Firewall > Edit Policy window. You must also set an interface specific rule to allow all traffic that enters from the private (LAN) to go anywhere. You set the interface specific rule in the Interface Specific tab in the Firewall > Edit Policy window.
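To make the rule sections, the interface groupings and the rule columns from the sections above concrete, here is an added Python model (not Nortel code) that evaluates a packet against a policy the way the text describes: Override rules first, then interface-specific rules, then Default rules, first enabled match wins, and anything unmatched is dropped. The sample policy encodes the business firewall example; the interface names, the DMZ network object, the traffic and the choice to treat SSL-VPN as a tunnel for the Trusted and Tunnel:Any groupings are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str          # description from System > LAN/WAN, or a tunnel/group name
    kind: str          # "physical", "user-tunnel", "branch-tunnel" or "ssl-vpn"
    private: bool = False


def interface_matches(spec, iface):
    """Match a Src/Dst interface cell: a grouping name or a specific interface."""
    tunnel = iface.kind != "physical"   # assumption: SSL-VPN counts as a tunnel
    groupings = {
        "Any": True,
        "Trusted": iface.private or tunnel,
        "Untrusted": iface.kind == "physical" and not iface.private,
        "Tunnel:Any": tunnel,
        "User Tunnel:Any": iface.kind == "user-tunnel",
        "Branch Tunnel:Any": iface.kind == "branch-tunnel",
        "SSL-VPN": iface.kind == "ssl-vpn",
    }
    return groupings.get(spec, spec == iface.name)


@dataclass
class Rule:
    src_if: str
    dst_if: str
    src: tuple = ()                     # network objects (ip_network); empty = *any
    dst: tuple = ()
    services: frozenset = frozenset()   # {(proto, port)}; empty = *any
    action: str = "Drop"                # Accept, Drop, Reject or User Authentication
    log: str = "None"                   # None, Brief, Detail or Trap
    enabled: bool = True                # Status column
    remark: str = ""


@dataclass(frozen=True)
class Packet:
    src_if: Interface
    dst_if: Interface
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def addr_matches(objects, ip):
    return not objects or any(ip_address(ip) in net for net in objects)


def rule_matches(rule, pkt):
    return (rule.enabled
            and interface_matches(rule.src_if, pkt.src_if)
            and interface_matches(rule.dst_if, pkt.dst_if)
            and addr_matches(rule.src, pkt.src_ip)
            and addr_matches(rule.dst, pkt.dst_ip)
            and (not rule.services or (pkt.proto, pkt.dport) in rule.services))


def evaluate(policy, pkt):
    """Walk the modifiable sections in the order the manager lists them.
    The first enabled matching rule decides; the rule number is reported per
    section, as the # column is. No match means the packet is dropped, which
    is the deny-by-default principle of the stateful firewall."""
    for section in ("override", "interface-specific", "default"):
        for number, rule in enumerate(policy.get(section, []), start=1):
            if rule_matches(rule, pkt):
                return {"action": rule.action, "log": rule.log,
                        "section": section, "rule": number}
    return {"action": "Drop", "log": "None", "section": "none", "rule": 0}


# Constructed interfaces and DMZ network object for the business example.
LAN = Interface("LAN", "physical", private=True)
DMZ_IF = Interface("ServiceNet", "physical", private=True)
INTERNET = Interface("Internet", "physical", private=False)
BRANCH = Interface("BranchOffice1", "branch-tunnel")
SALES = Interface("Sales", "user-tunnel")
DMZ_NET = (ip_network("192.168.3.0/24"),)

BUSINESS_POLICY = {
    "override": [
        Rule("Any", "Any", action="Drop", enabled=False,
             remark="temporary block kept for debugging but disabled"),
        Rule("Branch Tunnel:Any", "Any", action="User Authentication", log="Brief",
             remark="branch office users authenticate before internal access"),
        Rule("User Tunnel:Any", "Any", action="Accept"),
        Rule("Untrusted", "Any", dst=DMZ_NET,
             services=frozenset({("tcp", 21), ("tcp", 80)}), action="Accept", log="Brief",
             remark="non-tunneled FTP and HTTP to the DMZ only"),
    ],
    "interface-specific": [
        Rule("LAN", "Any", action="Accept"),   # source rule on the private LAN
    ],
    "default": [],
}


def decide(src_if, dst_if, src_ip, dst_ip, proto, dport, policy=BUSINESS_POLICY):
    return evaluate(policy, Packet(src_if, dst_if, src_ip, dst_ip, proto, dport))
```

An Internet host reaching a LAN address on a port other than FTP or HTTP matches nothing and is dropped without any explicit deny rule, while the disabled override rule is skipped entirely.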


Chapter 3 Configuring filters

There are two types of filters: tunnel filters and interface filters. You use tunnel filters for user groups and you use interface filters for LAN and WAN interfaces. A filter usually consists of one or more inbound rules (for traffic coming into the network) and one or more outbound rules (for traffic leaving the network). Filter names are a convenient way to manage a set of rules.

Changing a tunnel filter does not affect any tunnel that is already established; you must reestablish those tunnels before the change takes effect on them.

To view the available filters, go to Profiles > Filters. The Current VPN Router Tunnel Filters and Current VPN Router Interface Filters lists show the currently available filters.

Adding and editing filters

To add a filter:
1 Select Profiles > Filters. The Profiles > Filters window appears.
2 Enter a new filter name in the Create dialog box.
3 Click Create. The Tunnel Filters > Edit window appears. (Figure 17)

Figure 17 Adding a filter

4 Click Manage Rules. The Tunnel Filters > Edit > Manage Rules window appears. The Available Rules box lists all of the available rules you can add to the filter. They appear in the format Name: Rule String.
5 To add a rule to the Rules in Set list, select a rule from the Available Rules list, then click the right arrow.
6 To remove a rule from the Rules in Set list, select the rule, then click the left arrow.
7 To move a rule up one place in the Rules in Set list, select the rule, then click the up arrow. To move a rule down one place, select the rule, then click the down arrow. The position of a rule in the set is the position in which it is applied, so place the more specific rules above the general ones.

To edit a filter:
1 From the Profiles > Filters > Edit window, select the rule.
2 Click Edit. The Tunnel Filters > Rules > Edit window appears. (Figure 18)

Figure 18 Editing a filter

3 Select the Filter Action: Permit, Deny, or Nexthop.
4 Select the Direction: inbound or outbound.
5 Select a Protocol. The choices are icmp, ip, tcp, or udp.
6 Select an Address.
7 For the Source Port, select options from both lists.
8 For the Destination Port, select options from both lists.
9 For the TCP Connection, select either Established or Don't Care. Established matches only segments of a connection that already exists, so a rule with Established set permits return traffic without admitting new inbound connections.
10 Click OK.

Configuring Allow Management Traffic

You use the Allow Management Traffic options to restrict management access to the VPN Router through tunnels. Each filter set has an explicit list of management services. By specifying the management services allowed through a tunnel, you can control which groups of users perform different management tasks while tunneled into the VPN Router.

The VPN Router's default filter is Permit All, and the settings for this filter allow HTTP, SNMP, FTP, Telnet, and PING. However, if you create a new filter, all management traffic settings are disabled by default. When enabled, network traffic for these services is allowed through tunnels. The management services apply to user and branch office connections. These options do not affect HTTP, SNMP, FTP, Telnet, or PING traffic that passes through the VPN Router outside a tunnel. Because the default filter admits every management service from every tunnel, assign a filter with these services disabled to any group that does not need to manage the VPN Router.

The management protocols consist of two groups: Local Services and Remote Servers.

The Local Services selections refer to services that reside on the VPN Router. The Local Services options are:
• HTTP—enable or disable access to the Web server on the VPN Router
• SNMP—enable or disable SNMP gets to the VPN Router
• FTP—enable or disable FTP puts or gets to the VPN Router
• Telnet—enable or disable Telnet access to the VPN Router
• PING—enable or disable PING access to the VPN Router
• RADIUS—enable or disable access to the VPN Router's RADIUS authentication service

The Remote Servers selections refer to services that reside on other systems that the VPN Router uses. The Remote Servers options restrict traffic to external services that the VPN Router needs. By specifying these services, you can restrict which VPN Router tunnels can carry protocol traffic for the external services it requires. The Remote Servers options are:
• FTP—enable or disable FTP access from the VPN Router to external FTP servers on the other end of a tunnel. The FTP backup and FTP upgrade facilities are examples of external services that this option controls.
• DHCP—enable or disable access to dynamic host configuration protocol (DHCP) servers from the VPN Router.
• DNS—enable or disable remote users from using the Domain Name Server (DNS) service of the VPN Router.
• RADIUS—enable or disable the VPN Router's ability to access a remote RADIUS server.

Use Copy Filter to copy an existing filter from one filter set to the other. For example, if you already have a filter for tunnels, you can copy it for use by your VPN Router's interfaces.

Note: If you plan to use a filter for both tunnels and interfaces, it must appear in both lists on the Filters window.

To copy a filter:
1 Click the existing filter in one Current Filters list.
2 Click Up or Down to move the filter to the other Current Filters list. The Copy Filters window appears, asking you to confirm that you want to copy the filter.

If you copy a tunnel filter for use by the VPN Router Stateful Firewall, you may need additional rules, because traffic that uses the Stateful Firewall traverses two VPN Router interfaces. For example, it can enter through a public interface and exit through a private interface, whereas tunnel traffic enters and exits through a single physical interface.

Configuring next hop traffic filters

Customers use next hop traffic filters to control the next hop selection and route traffic within their domain. Each IP interface can have inbound and/or outbound filters that cause an action on a packet if the packet matches the filter criteria. If a packet matches the criteria of a next hop rule, the filter accepts the packet and uses the configured next hop for forwarding. When a filter rule with a next hop (Table 2) matches an incoming packet, a forwarding lookup is performed for the configured next hop and the packet is forwarded using that routing table instance. If the lookup fails, traditional destination-based routing occurs using the routing table.

Next hop traffic filters apply only to inbound filters, per interface (physical or virtual) and per protocol. If the next hop is not reachable, the VPN Router uses the destination address in the IP header (as in normal routing) to forward the packet. This assumes that there is a reachable route to the next hop address. For tunnels, make sure the next hop address is beyond the remote end point of the tunnel and along the path to the actual destination.

Table 2 Filter rule with next hop

Source address          Destination address       Service   Action    Next hop address   Comment
10.0.0.0 (255.0.0.0)    47.17.0.0 (255.255.0.0)   IP        Nexthop   192.32.253.216     Filtered traffic is forwarded to 192.32.253.216

When you apply this next hop filter on an interface, all incoming IP traffic arriving on that interface from the 10 network and going to the 47 network is forwarded to the next hop address.

To configure next hop traffic filters:
1 Select Profiles > Filters.
2 Click Manage Rules.
3 Select the rule that you want to change and click Edit.
4 Select Nexthop for the filter action, as shown in Figure 19. You can optionally enter the source and destination address fields.

Figure 19 Nexthop filter action

5 To enable private to tunnel forwarding, select System > Forwarding. The Forwarding window appears.
6 Enable Apply packet filter on private to tunnel traffic in the Next Hop Forwarding section.
7 Click OK.
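The following is an added example, not code from the manual or from the VPN Router, that models how a filter built from the rule fields above (action, direction, protocol, address, ports, TCP Established) is evaluated, including the next hop behaviour just described: a Nexthop rule steers the packet to the configured hop when the forwarding lookup succeeds and otherwise lets normal destination routing take over. The Table 2 rule is taken from the manual; the other rules, the routing table, first-match evaluation, and the Permit default for unmatched packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "inbound" or "outbound"
    protocol: str               # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment of an already established connection


@dataclass(frozen=True)
class Rule:
    """One row of the Tunnel Filters > Rules > Edit window."""
    action: str                         # "Permit", "Deny" or "Nexthop"
    direction: str                      # "inbound" or "outbound"
    protocol: str = "ip"                # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[range] = None       # None models "Don't Care"
    dport: Optional[range] = None
    tcp_established: bool = False       # True models "Established"
    next_hop: Optional[str] = None      # only used when action == "Nexthop"
    name: str = ""

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if self.protocol != "ip" and p.protocol != self.protocol:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.tcp_established and not (p.protocol == "tcp" and p.established):
            return False
        return True


# Constructed routing table: the next hops for which a forwarding lookup succeeds.
ROUTES = {"192.32.253.216"}

RULES = [
    # Table 2 of the manual: inbound 10/8 -> 47.17/16 is steered to 192.32.253.216.
    Rule("Nexthop", "inbound", "ip", "10.0.0.0/8", "47.17.0.0/16",
         next_hop="192.32.253.216", name="nexthop-to-47-net"),
    # Constructed: only TCP belonging to an established connection may enter;
    # a fresh inbound SYN is denied.
    Rule("Permit", "inbound", "tcp", tcp_established=True, name="tcp-replies"),
    Rule("Deny", "inbound", "tcp", name="no-new-inbound-tcp"),
    Rule("Permit", "outbound", name="out-any"),
]


def classify(p: Packet, rules=RULES, routes=ROUTES):
    """Return (verdict, next_hop).

    Assumptions: the first matching rule wins, and a packet that matches no
    rule is permitted (the default filter is Permit All).  A Nexthop rule
    always accepts the packet; the hop is used only when the lookup succeeds,
    otherwise the packet is routed by its destination address (hop None)."""
    for r in rules:
        if r.matches(p):
            if r.action == "Nexthop":
                hop = r.next_hop if r.next_hop in routes else None
                return "permit", hop
            return r.action.lower(), None
    return "permit", None
```

The deny rule placed after the Established rule is the pattern the TCP Connection field exists for: replies to connections opened from the inside pass, new inbound connections do not. If the two rules were swapped, the Deny would shadow the Permit, which is why rule position in the set matters.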


Chapter 4 Configuring NAT

Network Address Translation (NAT) uses one or more globally unique IP addresses to give hosts on a private network access to the Internet, allowing many devices on an internal network to share a few IP addresses. NAT can also modify the source and destination port numbers. A network can use one set of network addresses internally and a different set when dealing with external networks. The internal considerations of the network determine the allocation of internal network addresses. Global addresses must remain unique to distinguish between different hosts. When a packet is routed, NAT replaces the internal corporate address with a global address.

For virtual private networks, NAT allows multiple intranets with conflicting subnets to communicate. The configuration of branch office or partner networks may be fixed, and these networks must be able to route securely between one another without requiring unique private addresses across the entire extranet.

Address translations

You can set up address translation permanently (static) or allocate it dynamically. Static translation allocates one external host address for each internal address; each internal address is converted to a different global IP address. Dynamic address translation occurs when a session starts. NAT contains a pool of continually reused global addresses, and no guaranteed one-to-one mapping takes place. As soon as the application session is over, the global address returns to the pool so that subsequent connections can use it. An example of dynamic translation is port mapping, which uses the TCP/UDP source port and source address to allow multiple sessions from many hosts using a single public NAT address.

NAT supports the following address translations:
• Dynamic many-to-one
• Dynamic many-to-many
• Static one-to-one
• Port forwarding
• IPsec-aware NAT
• Double NAT

Dynamic many-to-one—port translation

With network address port translation (NAPT), many internal IP addresses hide behind a single external address. This is especially useful if you need to use several IP addresses and have only one address available from your ISP. In addition, only the public IP address is visible from the public network. Dynamically assigned ports distinguish the sessions of one internal address from those of another. Dynamic many-to-one translation is used only for traffic initiated from an internal host.

Figure 20 shows the private network 10.0.0.0 hidden behind the public address 30.1.1.154. All requests originating from the private network (10.0.0.0) have their source IP addresses replaced with the public IP address 30.1.1.154, and their source ports are dynamically translated to unique translated ports. The original port is assigned if it is available. If not, NAT attempts to assign a port from the corresponding port list: it first tries the largest port number that is smaller than the original port. If all smaller ports are unavailable, NAT assigns a port greater than the one requested. If all ports are unavailable, the VPN Router drops the packet.

Figure 20 Port translation

Dynamic many-to-many—pooled translation

In dynamic many-to-many NAT, the number of externally visible IP addresses is smaller than the number of addresses hidden behind the VPN Router. Usually, only the address (not the port) is translated. Each time a host on the private network makes a request, the VPN Router chooses an unused external IP address and then performs the translation. Dynamic many-to-many is used only for traffic initiated from an internal host.

The following example (Figure 21) illustrates many-to-many dynamic translation. The user configures a pooled NAT rule converting the internal address range 10.1.1.154-10.1.1.164 to 30.1.1.154-30.1.1.156. Traffic is initiated from 10.1.1.154 and 10.1.1.156, destined to a machine (11.1.1.2) on the public Internet. Both addresses are translated to unique public addresses dynamically.
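The following is an added example, not code from the manual or the VPN Router, that models the two dynamic translations above. The port allocation follows the order the manual gives for many-to-one: keep the original source port if it is free, otherwise take the largest free port below it, otherwise the smallest free port above it, otherwise drop the packet. The pooled class models many-to-many, where a whole public address is borrowed per inside host and returned when released. The size of the port list, the keying of the mapping on protocol and inside address/port only, and the reverse lookup used for returning packets are assumptions made for the example.

```python
from bisect import bisect_left


class Napt:
    """Dynamic many-to-one: every inside host hides behind one public address."""

    def __init__(self, public_ip, port_list=range(1024, 65536)):
        self.public_ip = public_ip
        self.free = sorted(port_list)       # constructed: the usable port list
        self.table = {}                     # (proto, in_ip, in_port) -> public port
        self.reverse = {}                   # (proto, public port) -> (in_ip, in_port)

    def _allocate(self, wanted):
        i = bisect_left(self.free, wanted)
        if i < len(self.free) and self.free[i] == wanted:
            return self.free.pop(i)         # the original port is available
        if i > 0:
            return self.free.pop(i - 1)     # largest free port below the original
        if i < len(self.free):
            return self.free.pop(i)         # smallest free port above the original
        return None                         # every port in use: drop

    def outbound(self, proto, src_ip, src_port):
        """Translate a packet leaving the private side.  Returns the public
        (ip, port) or None when the packet has to be dropped."""
        key = (proto, src_ip, src_port)
        if key not in self.table:
            port = self._allocate(src_port)
            if port is None:
                return None
            self.table[key] = port
            self.reverse[(proto, port)] = (src_ip, src_port)
        return self.public_ip, self.table[key]

    def inbound(self, proto, dst_port):
        """Reverse translation for a returning packet; None means no session
        owns that port, so the packet is not forwarded inside."""
        return self.reverse.get((proto, dst_port))


class PooledNat:
    """Dynamic many-to-many: each inside host borrows a whole public address."""

    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}                     # inside ip -> borrowed public ip

    def outbound(self, src_ip):
        if src_ip not in self.table:
            if not self.free:
                return None                 # pool exhausted: drop
            self.table[src_ip] = self.free.pop(0)
        return self.table[src_ip]

    def release(self, src_ip):
        """Session over: the address goes back to the pool for reuse."""
        self.free.append(self.table.pop(src_ip))
```

Two practical consequences show up in the model: with many-to-one, an unsolicited packet to a public port that no session owns has nowhere to go, which is what makes this mode usable only for inside-initiated traffic; and with a pool, the number of concurrently active inside hosts is bounded by the pool size, after which new hosts are dropped until an address is released.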

Figure 21 Dynamic pooled address translation

Static one-to-one translation

Static address translation allocates one external host address for each internal address. This allocation is always the same: the host using this rule is always bound to the same external address. Figure 22 shows host 10.1.1.154 on the private side statically mapped to the external address 30.1.1.154, which allows Internet host 11.1.1.2 to initiate a session using the translated external address.

Figure 22 Static address translation

Port forwarding

With port forwarding, one externally accessible IP address forwards incoming requests to different addresses behind the NAT device based on the protocol and port used. You can route incoming Web traffic to a Web server, and you can forward FTP traffic destined to the same external IP address to a different device that provides FTP services. Figure 23 illustrates port forwarding. A host 11.1.1.2 on the Internet needs to access a Web server and an FTP server running on two separate internal machines that are hidden behind the single externally visible address 30.1.1.154. To do this, you use a port forwarding NAT rule that sends the traffic to the two different machines based on the forwarding ports.

Figure 23 Port forwarding example

Double NAT

You can use double NAT to translate both external and internal networks at the same time. You can modify both the source and destination addresses of each packet entering and leaving the VPN Router. You use two rules to achieve this: one to translate the source address and one to translate the destination address. The destination address translation must use a static rule. Figure 24 shows a host 11.1.1.2 on the Internet initiating a connection to 30.1.1.154, the translated address of the internal host. NAT translates both the source and destination addresses as the packet traverses it.
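The following is an added example, not code from the manual or the VPN Router, covering the three inbound-capable translations just described: static one-to-one (Figure 22), port forwarding (Figure 23) and double NAT (Figure 24). The public addresses are the manual's. The internal Web and FTP hosts (10.1.1.80 and 10.1.1.21), the address 192.168.100.2 that the internal host sees for 11.1.1.2 under double NAT, and the rule encoding are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticRule:          # one-to-one: every port of the host is reachable
    external: str
    internal: str


@dataclass(frozen=True)
class PortForwardRule:     # only the listed protocol/port reaches the host
    external: str
    proto: str
    port: int
    internal: str
    internal_port: int


def translate_inbound(flow: Flow, rules, source_map=None) -> Optional[Flow]:
    """Rewrite a packet arriving from the public side.

    The destination is rewritten by the first matching static or port
    forwarding rule; a packet matching no rule is dropped (None).  source_map,
    when given, is the second rule of a double NAT: a static map from the
    public source address to the address the internal host will see."""
    out = None
    for r in rules:
        if isinstance(r, PortForwardRule):
            if (flow.dst_ip, flow.proto, flow.dst_port) == (r.external, r.proto, r.port):
                out = replace(flow, dst_ip=r.internal, dst_port=r.internal_port)
                break
        elif flow.dst_ip == r.external:
            out = replace(flow, dst_ip=r.internal)
            break
    if out is None:
        return None
    if source_map and out.src_ip in source_map:
        out = replace(out, src_ip=source_map[out.src_ip])
    return out


def translate_outbound(flow: Flow, rules, source_map=None) -> Flow:
    """Reverse the mapping for the reply leaving the private side."""
    out = flow
    for r in rules:
        if isinstance(r, PortForwardRule):
            if (flow.src_ip, flow.proto, flow.src_port) == (r.internal, r.proto, r.internal_port):
                out = replace(flow, src_ip=r.external, src_port=r.port)
                break
        elif flow.src_ip == r.internal:
            out = replace(flow, src_ip=r.external)
            break
    if source_map:
        back = {v: k for k, v in source_map.items()}
        if out.dst_ip in back:
            out = replace(out, dst_ip=back[out.dst_ip])
    return out


# Figure 22: host 10.1.1.154 is always 30.1.1.154 to the Internet.
STATIC_RULES = [StaticRule("30.1.1.154", "10.1.1.154")]

# Figure 23: one public address, Web and FTP on two internal machines
# (internal addresses constructed).
FORWARD_RULES = [
    PortForwardRule("30.1.1.154", "tcp", 80, "10.1.1.80", 80),
    PortForwardRule("30.1.1.154", "tcp", 21, "10.1.1.21", 21),
]

# Figure 24: double NAT, the source rule paired with the static destination rule
# (the inside-visible address is constructed).
DOUBLE_NAT_SOURCES = {"11.1.1.2": "192.168.100.2"}
```

The difference between the two rule types is the exposure they create: a static one-to-one mapping makes every port on the internal host reachable from the Internet, while port forwarding admits only the listed protocol and port, so anything else sent to 30.1.1.154 is dropped. Pair a static mapping with firewall rules that limit the reachable services.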

Figure 24 Double NAT

IPsec-aware NAT

IPsec-aware NAT avoids the alteration of TCP/IP headers that NAT normally performs. It is used when an IPsec tunnel passes through a VPN Router that is performing NAT but does not terminate at that VPN Router. Unlike NAT traversal, this allows interoperability with IPsec implementations that do not support the UDP wrapper solution for passing IPsec traffic through NAT. IPsec-aware NAT is always on and you cannot configure it. Figure 25 shows an IPsec-aware NAT example.

Figure 25 IPsec-aware NAT example

NAT modes

Based on the handling of UDP packets, you can classify NATs in four different modes:
• Full Cone NAT
• Restricted Cone NAT
• Port Restricted Cone NAT
• Symmetric NAT

Note: Only Restricted Cone NAT and Symmetric NAT modes are supported. All visible references to Cone NAT in the system refer to Restricted Cone NAT.

Full Cone NAT

A Full Cone NAT maps all requests from the same internal IP address and port to the same external IP address and port. Any external host can send a packet to the internal host by sending a packet to the mapped external address.

Figure 26 Full Cone NAT

Figure 26 is an example of a private client behind a NAT with IP 10.0.0.1, sending and receiving on port 8000, mapped to the external IP/port 202.123.211.25:12345 on the NAT. Anyone on the public side can send packets to that external IP/port and the NAT translates them to the client's internal IP/port.

Restricted Cone NAT

A Restricted Cone NAT maps all requests from the same internal IP address and port to the same external IP address and port. Unlike a Full Cone NAT, an external client can send a packet to the internal client only if the internal client has previously sent a packet to that external IP address.

Figure 27 Restricted Cone NAT

Figure 27 shows an example of a private client sending a packet to an external client (computer A). The NAT maps 10.0.0.1:8000 to 202.123.211.25:12345, which allows the public client to send packets back to the NAT address of the private client. However, the NAT blocks all packets coming from another external client (computer B) until the private client sends a packet to that external IP address. Once that is done, both external clients can send packets destined to the NAT address, and they are translated correctly to the client's private address.

Port Restricted Cone NAT

A Port Restricted Cone NAT is similar to a Restricted Cone NAT, but the restriction includes port numbers. An external client can send a packet to the internal client only if the internal client has previously sent a packet to that external IP address and port.

Figure 28 Port Restricted Cone NAT

Figure 28 shows an example of a Port Restricted Cone NAT. If an internal client sends a packet to an external client at IP 222.111.99.1 and port 10101, the NAT only allows return packets that come from that same IP and port. If the internal client sent packets to multiple external IP address/ports, they can all respond to the client at the same mapped IP address and port, and the NAT does the reverse translation to the internal IP address.

Symmetric NAT

A Symmetric NAT maps all requests from the same internal IP address and port to a specific destination IP address to the same external IP address and port. If the same host sends a packet with the same source address and port to a different destination, a different mapping is used. Only the external host that received a packet can send a packet back to the internal host. The default NAT mode is Symmetric. To change the mode to Restricted Cone NAT, go to the Services > Firewall/NAT > Edit window.

Figure 29 Symmetric NAT

Figure 29 shows an example of a Symmetric NAT. If the internal client 10.0.0.1:8000 sends a packet to the external IP 222.111.99.1, it may be mapped to 202.123.211.25:12345, while a packet sent from the same address and port to 222.111.88.2 may be mapped to a different public IP and port (202.123.211.25:45678). The external client on computer B can only send a packet to the mapped source address of the packet it received, and the external client on computer A can only send a packet to the mapped external source IP of the packets it received.

NAT traversal

VPN client and server user tunnels use NAT traversal to pass through intermediate routers or gateways, each of which can NAT the packet. Most hotels and airports that provide Internet connectivity use NAT to connect to the Internet. NAT traversal solves the user tunnel case in which IPsec-aware NAT does not always work because other NATs sit between the source and destination PC hosts. You enable NAT traversal on the Services > IPsec window. By default, NAT traversal is disabled.

To use NAT traversal, you must also define a UDP port that all client connections use to connect to the VPN Router. This port must be a unique and unused UDP port within the private network (supported range 1025-49151). By default, no UDP port is defined. Make sure that any port you select does not conflict with any ports you are already using.

Note: You can use any unused UDP port for NAT traversal. Do not use L2TP/L2F port 1701 or General Packet Radio Service (GPRS) port 3386.

Note: To allow NAT traversal with the IPsec client, you must enable the NAT traversal setting on the Profiles > Groups > Edit IPsec window. You use the group-level NAT traversal setting to configure the NAT traversal mode at the group level. By default, NAT traversal is Not Allowed.

Selecting Auto-Detect NAT allows the client and VPN Router to UDP encapsulate ESP data whenever NAT is detected. Nortel recommends that you use the Auto-Detect NAT setting. Selecting Auto-Detect IPsec NAT also allows the client and VPN Router to UDP encapsulate ESP data, but only if the detected NAT is not IPsec aware (that is, the NAT device does not allow IPsec pass-through). Because there are a variety of NAT devices and varying IPsec pass-through implementations, not all environments function properly in Auto-Detect IPsec NAT mode. Therefore, Nortel only recommends the Auto-Detect IPsec NAT setting for environments with well-known NAT devices. In environments with unknown NAT devices, UDP encapsulation of ESP data may not occur in that mode, even if NAT is detected between the client and the VPN Router.

NAT and VoIP

When traffic traverses between private and public networks, NAT translates IP addresses and port numbers in private address ranges into public addresses. Private addresses are typically assigned to the IP endpoints in a VoIP network (IP Phones, Soft Clients) to hide their IP identity from the public network. Voice calls from and to the public network must reach endpoints in the private network, so proper routing of media to endpoints with private addresses requires network address translation.

VoIP protocols introduce a number of complexities for NAT, since they carry IP address and port information within the body of the message, where NAT does not see it. NAT cannot translate private IP addresses within the payload of application layer messages. Therefore, the voice media, which is directed to the private IP address identified in the signaling message, is not routed to that private address, resulting in a one-way speech path.

The challenges for VoIP traversal of NAT occur for the following reasons:
• NATs only look at Layer 3 addressing
• VoIP signaling protocols embed IP addresses at Layer 5
• RTP and RTCP work at Layer 5

Two of the most common solutions proposed to fix the NAT traversal issue are:
• Application Level Gateways (ALG)
• Address/port discovery

The following section focuses on the address/port discovery mechanisms for VoIP. ALGs are discussed in "NAT ALG for SIP" on page 107.

Address/Port discovery

In address/port discovery, the media end points send probe packets to a server to discover the public IP address and port to use for a specific media stream. The server echoes back to the end point its source IP address as seen after the NAT translation.

Applications use Simple Traversal of UDP through NATs (STUN), a lightweight protocol, to discover the presence and types of NATs and firewalls between the application and the public Internet. Applications also use STUN to determine the public IP addresses allocated by the NAT. Figure 30 shows how STUN works.

Figure 30 STUN

The STUN-enabled client sends an exploratory message to the external STUN server to determine the transmit and receive ports to use. The STUN server examines the incoming message and informs the client which public IP address and ports the NAT used. These are then used in the call establishment messages sent to the SIP server. Note that the STUN server does not sit in the signaling or media data flows.

For the discovered IP address and port to be valid, it is imperative that the NAT use the same IP address and port binding regardless of where the packet is going. STUN therefore requires a Cone NAT implementation. This means that Symmetric NAT does not work for peer-to-peer media with address/port discovery. Of the Cone modes, Restricted Cone NAT keeps the VPN Router more secure, because it admits inbound UDP only from addresses the internal client has already contacted.
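The following is an added example, not code from the manual or the VPN Router, that models the four NAT modes described in the preceding pages and then uses the model to show the point made about STUN: the mapping a STUN server reports is only usable if the peer sees the same mapping, which holds for the Cone modes and fails for Symmetric NAT. The addresses and ports are those of Figures 26 through 29; the sequential port hand-out, the STUN server address 203.0.113.1:3478, and the helper names are constructed for the example.

```python
from itertools import count

FULL_CONE = "full cone"
RESTRICTED_CONE = "restricted cone"
PORT_RESTRICTED_CONE = "port restricted cone"
SYMMETRIC = "symmetric"


class Nat:
    """UDP mapping and filtering behaviour of the four modes.

    Cone modes key the mapping on the inside (ip, port) only; Symmetric also
    keys it on the destination, which is what breaks address discovery."""

    def __init__(self, mode, public_ip="202.123.211.25", first_port=12345):
        self.mode = mode
        self.public_ip = public_ip
        self._ports = count(first_port)   # constructed: sequential port hand-out
        self.bindings = {}                # key -> external port
        self.owner = {}                   # external port -> inside (ip, port)
        self.contacted = set()            # (external port, peer ip, peer port)

    def outbound(self, src, dst):
        """src and dst are (ip, port).  Returns the mapped (public ip, port)."""
        key = (src, dst) if self.mode == SYMMETRIC else src
        if key not in self.bindings:
            port = next(self._ports)
            self.bindings[key] = port
            self.owner[port] = src
        port = self.bindings[key]
        self.contacted.add((port, dst[0], dst[1]))
        return self.public_ip, port

    def inbound(self, peer, dst_port):
        """Packet from peer (ip, port) to our public dst_port: the inside
        (ip, port) it is delivered to, or None when the NAT filters it."""
        if dst_port not in self.owner:
            return None
        if self.mode == FULL_CONE:
            ok = True
        elif self.mode == RESTRICTED_CONE:
            ok = any(p == dst_port and ip == peer[0] for p, ip, _ in self.contacted)
        else:   # Port Restricted Cone and Symmetric both need ip and port to match
            ok = (dst_port, peer[0], peer[1]) in self.contacted
        return self.owner[dst_port] if ok else None


def stun_mapping_is_valid(nat, client, stun_server, peer):
    """Address/port discovery: the STUN server reports the mapping it observed;
    the result is only usable if the media peer sees the same mapping."""
    reported = nat.outbound(client, stun_server)
    seen_by_peer = nat.outbound(client, peer)
    return reported == seen_by_peer
```

Run against the figures' addresses, a Symmetric NAT hands 10.0.0.1:8000 one public port for 222.111.99.1 and a different one for the next destination, so the port learned from the STUN server is never the one the SIP peer will see. Changing the VPN Router to Cone NAT fixes that, at the cost of accepting inbound UDP on a mapped port from any address the client has contacted rather than only from the exact host of each session.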

Network address port translation (NAPT)

Network address port translation (NAPT) is a dynamic NAT in which many internal IP addresses hide behind a single external IP address, distinguished only by their dynamic port assignment. A Symmetric NAT maps an internal IP address and port to a unique external IP address and port for each session initiated from a private client. With Cone NAT, this mapping changes so that each internal IP address and port is mapped to the same external IP address and port, irrespective of the destination and the session. Figure 31 shows the flow of a Restricted Cone NAT.

Figure 31 Restricted Cone NAT — NAPT

Configuring Cone NAT

You can enable or disable Cone NAT with the graphical user interface (GUI) or the Command Line Interface (CLI). To learn more about the CLI, see Nortel VPN Router Using the Command Line Interface. Enable Cone NAT only where the VPN Router must carry traffic that relies on address/port discovery, such as STUN-based VoIP; the default Symmetric mode accepts inbound UDP on a mapped port only from the exact host that session was opened to.

To configure Cone NAT:
1 Select Services > Firewall/NAT.

The Firewall/NAT window appears. (Figure 32)

Figure 32 Firewall/NAT window

2 Click Edit in the VPN Router Firewall row. The Firewall/NAT > Edit window appears.
3 Under NAT Mode, select Cone NAT. Figure 33 shows the Firewall/NAT > Edit window where you select Cone NAT.

Figure 33 Firewall/NAT Edit window

4 Click OK. The Firewall/NAT window reappears with Cone NAT applied.

Note: Changing the NAT mode clears the NAT flow cache. Clearing the NAT flow cache disrupts all active NAT sessions.

NAT usage

NAT is applied to routed traffic passing through the VPN Router's physical interfaces (interface NAT) and branch office interfaces (branch office NAT), using separate NAT policies. Each branch office has one NAT policy, and there is one global NAT policy applied to non-tunneled traffic. NAT changes apply to new sessions; you can use the flow cache clear capability to have them take effect on existing sessions as well, at the cost of disrupting those sessions.

Note: If you make any changes to a branch office parameter, you must disable and then reenable the branch office for the changes to take effect.

Branch office tunnel NAT

In branch offices, you can have two or more branches that use the same private addressing scheme. This is a common issue for branch office tunnels where the address space overlaps at each end. Nonetheless, the branch offices must still communicate with one another. Because you cannot use an Interior Gateway Protocol (IGP) to dynamically learn routes at the remote end of the tunnel to allow a client to reach a server on the other LAN, you implement NAT on both sides of the branch office connection.

Figure 34 shows a simple branch office connection with two LANs and a branch office tunnel across the Internet. A typical scenario is a client on LAN 1 that tries to access the FTP server on LAN 2. A packet generated from the client has a source address of 10.0.0.13 and a destination address of 10.0.0.14. Without NAT, the VPN Router looks at the destination address and assumes that the destination is on the same LAN as the source device, because both addresses are on the 10.0.0.0 network, and no tunnel connection is brought up.

To allow the client to access the server on the other LAN, you implement NAT on both sides of the branch office connection. In this example, VPN Router1 defines a remote accessible network of 12.0.0.0, and VPN Router2 defines a remote accessible network of 11.0.0.0. A pooled NAT rule is applied to VPN Router1, which connects the local network to the remote network through its branch office tunnel: VPN Router1 translates 10.0.0.13 (the client) to 11.0.0.13. VPN Router2 uses a static translation of 10.0.0.14 (the server) to 12.0.0.14.

With NAT implemented on both sides of the branch office connection, the client sends a packet with a source address of 10.0.0.13 and a destination address of 12.0.0.14. VPN Router1 recognizes that 12.0.0.0 is the remote LAN for the branch office connection and translates the source address of the packet to 11.0.0.13 based on its NAT table. VPN Router2 looks at the destination address of the incoming packet and translates it to 10.0.0.14, while the source address remains 11.0.0.13. As a result, the client can access the FTP server. For the return path, VPN Router2 must define 11.0.0.0 as its remote accessible network.
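The following is an added example, not code from the manual or the VPN Router, that walks a packet through the overlapping-address scenario above in both directions: the pooled source rule on VPN Router1, the static destination rule on VPN Router2, and the routing decision that decides whether the packet enters the tunnel at all. The addresses and the two remote accessible networks are the manual's; the /8 masks, the pool contents and the class layout are constructed for the example.

```python
import ipaddress


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


class BranchRouter:
    """One end of the branch office tunnel with its own NAT policy.

    pool   - pooled source rule: outside addresses handed to inside hosts
    static - static rule: inside ip -> outside ip (also used as the
             destination rule for packets arriving through the tunnel)"""

    def __init__(self, name, local_net, remote_net, pool=(), static=None):
        self.name = name
        self.local_net = local_net        # LAN behind this router
        self.remote_net = remote_net      # remote accessible network of the tunnel
        self.pooled = bool(pool)
        self.pool = list(pool)
        self.pool_table = {}              # inside ip -> pooled outside ip
        self.static = dict(static or {})
        self.static_rev = {v: k for k, v in self.static.items()}

    def route(self, dst):
        if in_net(dst, self.remote_net):
            return "tunnel"
        if in_net(dst, self.local_net):
            return "local"
        return "drop"

    def to_tunnel(self, src, dst):
        """Packet leaving the LAN: route it, and translate the source if it
        goes into the tunnel.  Returns (path, src, dst)."""
        path = self.route(dst)
        if path != "tunnel":
            return path, src, dst          # stays on the LAN or is dropped, untranslated
        if src in self.static:
            return path, self.static[src], dst
        if not self.pooled:
            return path, src, dst          # no source rule: address passes unchanged
        if src not in self.pool_table:
            if not self.pool:
                return "drop", src, dst    # pool exhausted
            self.pool_table[src] = self.pool.pop(0)
        return path, self.pool_table[src], dst

    def from_tunnel(self, dst):
        """Packet arriving through the tunnel: map the destination back to the
        inside address (static rule first, then pooled bindings)."""
        if dst in self.static_rev:
            return self.static_rev[dst]
        for inside, outside in self.pool_table.items():
            if outside == dst:
                return inside
        return None


def send(local, remote, src, dst):
    """Carry one packet from a host behind `local` to a host behind `remote`.
    Returns (outcome, source as seen at the far end, delivered destination)."""
    path, src, dst = local.to_tunnel(src, dst)
    if path != "tunnel":
        return path, src, dst
    inside = remote.from_tunnel(dst)
    if inside is None:
        return "drop", src, dst
    return "delivered", src, inside


# Figure 34: both LANs are 10.0.0.0.  Router1 treats 12.0.0.0 as remote and
# pools its hosts into 11.0.0.0; Router2 treats 11.0.0.0 as remote and
# statically publishes the FTP server as 12.0.0.14.
ROUTER1 = BranchRouter("VPN Router1", "10.0.0.0/8", "12.0.0.0/8",
                       pool=["11.0.0.13", "11.0.0.14", "11.0.0.15"])
ROUTER2 = BranchRouter("VPN Router2", "10.0.0.0/8", "11.0.0.0/8",
                       static={"10.0.0.14": "12.0.0.14"})
```

The first case in the test is the one the manual warns about: a packet addressed to the server's real address 10.0.0.14 never leaves LAN 1, because VPN Router1 routes it locally. Only a packet addressed to the published address 12.0.0.14 is translated and tunneled, and the reply works only because the server answers to the pooled address 11.0.0.13 that VPN Router2 knows to be remote.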

Figure 34 Overlapping address translation

Interface NAT

When interface NAT is applied to IP packets going out from or coming into the VPN Router through its physical interfaces, either the source or the destination IP address is translated to another IP address, depending on the NAT policy. Figure 35 shows an example of interface NAT.

Note: The difference between interface NAT and branch office NAT is when and where the NAT policy is applied.

Figure 35 Interface NAT

You configure interface NAT on the Services > Firewall/NAT window. Interface NAT rules can be one of the following types:
• Static—for static mapping, an internal address range is mapped one to one to an external range.
• Pooled—for pooled mapping, an internal address is dynamically mapped to the next available address from the external address range.
• Port—for port mapping, the range of internal addresses is hidden behind a single external address. Sessions are distinguished by dynamically assigned port numbers.
• Port Forwarding—for port forwarding mapping, external packets arriving on a specified port are routed to one of the internal systems.

Note: Interface NAT applies only to clear text traffic (non-tunneled traffic routed through the VPN Router). Branch office NAT applies only to the traffic of the specific branch office tunnel. If you disable interface NAT, it does not affect branch office NAT.

Dynamic routing protocols

You can advertise NAT routes on all interfaces. RIP and OSPF distribute NAT routes. Whenever you apply a NAT policy to an interface or a branch office tunnel, the routes to the translated IP addresses are added to the routing table. When NAT is disabled, the routes to the translated IP addresses are deleted. Destination NAT adds the original destination address and source NAT adds the translated source address.

You can enable NAT on a branch office with dynamic routing. When NAT is configured for a branch office, you do not want it to announce the route to the original IP addresses, and you can use a routing policy to block that advertisement. However, if you apply NAT to only part of a subnet, no route is advertised for that part: the VPN Router does not announce the entire subnet, and it cannot announce a partial subnet.

In Figure 36, the VPN Router has a NAT rule that converts IP addresses in the range 10.1.1.1-10.1.1.10 to 192.168.1.1-192.168.1.10.

Figure 36 NAT with dynamic routing example

By default, RIP and OSPF distribute NAT routes. You use the routing policy list to restrict the route redistribution to specific interfaces, and you can disable the redistribution for a particular protocol on the Routing > Policy > Redistribution Table window.

You can add the translated address range to the routing table as a single subnet. However, if you choose a non-subnet IP address range, you can add those addresses either as individual host entries or as a group of smaller subnets (summarization). Summarization reduces the number of NAT route entries in the RTM and thereby the number of entries redistributed. You can enable or disable the summarization option; by default it is enabled.

You must create a routing policy on the Routing > Policy window. If both NAT and dynamic routing are configured, do not enable a branch office when there is no routing policy associated with the corresponding branch office interface.

NAT uses a port mapping table to track the ports for each client's outgoing packets. The port mapping table relates the client's actual local IP address, source port, the protocol (TCP, UDP, ICMP), and translated source port number to a destination address and port. NAT can then reverse the process for returning packets and route them back to the correct clients. This applies to TCP and UDP traffic only.

Configuring NAT policy

A NAT policy consists of service properties and a security policy. Service properties define the service offered and include a service name, the protocol (TCP, UDP, ICMP), and the port number (or range) on which the service occurs. You use service objects to specify all rule fields for service policies. Security policies consist of a set of rules that specify which service is allowed or denied. Each rule consists of a combination of network objects, services, actions, and logging mechanisms. You can define custom policies when you need more complex security policies and the standard policies are not sufficient.

Note: Read-only NAT policies created prior to Version 4.80 work according to the previous translation until you apply a modified copy to the interface. If you reapply the read-only NAT policy after the copy, the read-only policy translates according to the new rules.

NAT policy sets

The VPN Router maintains one set (source and destination address pair) of active global NAT policies for all non-tunneled traffic and a configurable NAT policy set for each branch office tunnel definition. The default NAT policy for the VPN Router 1010, 1050, and 1100 port maps its private address space to the public IP address.

At system startup, NAT obtains a cached policy (if one exists) while the system is initializing. If there is no cached policy, it takes the default NAT policy, which is no NAT translation. Once the system initialization is complete, the NAT policy is retrieved from the LDAP database and becomes the active policy. When you change the policy, it is stored on the local disk as a cached policy and in the LDAP database. NAT uses the active policy for new sessions. For the existing sessions, it uses the original policy. To view active NAT policies for interfaces and branch offices, go to the Status > Statistics window.

Creating rules

Menus control actions on rules. These menus are similar to a list box. You access menus by right-clicking an option. When you click one of the items, either the operation is performed immediately (such as Copy) or an additional dialog box appears, prompting you for more information (such as Add). Each of the following menus controls a different aspect of the rule:
• Header row menus—contain only Add New Rule, which you use to add a new rule to the top of the list. The new rule appears in position one and all existing rules increment by one.
• Row menus—use this menu to add a new rule at a particular location, delete the specific rule, and perform cut, copy, or paste operations on a rule.
• Cell menus—are cell-specific and contain cell option menus and procedure menus, such as Add and Edit.
— Option menus provide a list of possible values for the cell. When you click one of the items, the selection is displayed in the cell.
— Procedure menus provide a list of operations that you can perform on the cell.

For rule columns, each rule within a NAT policy has the same attributes, which are specified by the following column headers:
• # specifies the ordering of the rules within the section. The order applies only to the section in which the rule appears and does not have meaning across the entire policy.
• Source and Destination specify the source and destination network object for the rule. To modify these attributes, right-click on a column in the cell, which brings up a procedure menu. You can add more than one source or destination address to a rule. You can create the following network objects: host, network, IP range, and group (a collection of these objects). Click Add to display the Network Object Selection dialog box. In this dialog box you define and apply a new network object. Use the New, Edit, and Delete options in this window to create, edit, and delete network objects. Italicized objects in the list are read-only. You cannot modify them. Click Edit to display the Network Object Edit window. Use this window to modify the attributes for the selected network object. Click Delete to remove the selected network object. If the object that you want to delete is the last object, the cell returns to its default value (in this case, Any).
Note: You use the NOT operand to specify which networks you do not want to use NAT.
• Service specifies which service objects are handled by the selected rule. Right-click on the cell to display the standard procedure menu (Add or Edit). You can create the following service objects: TCP, UDP, ICMP, IP protocol, and object groups (a collection of these objects). Click Add to access the Service Object Selection dialog box, where you define and apply a new service object. Use the New, Edit, and Delete options to create, edit, and delete service objects. Italicized objects in the list are read-only. You cannot modify them. Click Edit to display the Service Object Edit window. Use this window to modify the attributes for the selected service object. Click Delete to remove the selected service object from the cell. If the object you want to delete is the last object in the cell, it returns to the default value.


Click Copy, Cut, or Paste to perform those operations on the current service object.
• NAT Action specifies the action that occurs when the rule is activated. Right-clicking the cell displays an option list containing the following items: None, Static, Pooled, Port Mapping, and Port Forwarding. Click one of these items to set the cell to the selected state.
• Translated Source—specifies the source IP address of the first packet (static, pooled, port). To modify this attribute, right-click a column in the cell. You can add more than one source address to a rule. You can create the following network objects: host, network, IP range, and group (a collection of these objects).
• Translated Destination—specifies the destination IP address of the first packet of a port forwarding application session. To modify this attribute, right-click a column in the cell, which brings up a procedure menu. You can add more than one destination address to a rule.
• Status—specifies the status of the particular rule. The status can be either Enabled or Disabled.
• Remark—allows you to attach a remark to a particular rule. When you right-click Remark and choose Add or Edit remark, a dialog box appears where you can type a comment.


Creating a new policy
To configure NAT policies:
1 Select Services > Firewall/NAT.
2 Enable Interface NAT.
3 Select a NAT Policy from the list.
4 Click Manage Policies. The NAT > Select Policy window appears. Use this window to create, edit, delete, copy, or rename a NAT policy. Bold denotes the policy that is currently applied to the VPN Router and italics denotes read-only policies.



The System Default policy is always listed. This read-only policy defines the NAT behavior when no user-defined policies are applied or when the selected policy is not available.

Note: The exception to this rule is the VPN Router 1010, 1050, and 1100, where the default NAT policy is to NAT everything to the public interface IP (Interface NAT). These VPN Router systems are generally used in a small office environment where you want to NAT everything on the private side to the single global IP address assigned by the ISP.

5 Click New to create a new policy. The New Policy dialog box appears.
6 Enter the policy name and click OK. The name must begin with a letter and cannot contain the : + = ] , ; " characters. The NAT > Edit Policy: <policyname> window appears with no rules defined. In this window, you can add, delete, and modify the rules for the policy.
7 Select the rule group:
• Implied rules (view only)
• Override rules
• Interface-specific rules
• Default rules
8 Select either Source Interface Rules or Destination Interface Rules.
9 Right-click the appropriate cell to add a new rule.

10 Repeat these steps to add more rules.
11 Select Policy and click Save Policy to save your changes.
12 When the policies are saved, go to the Manage menu and click Close Manager.

Adding a policy
To add a new policy:
1 Click New. The New Policy dialog box appears and prompts you for a name for the new policy.
2 Enter the policy name. The name must begin with a letter and cannot contain the : + = ] , ; " characters.
3 Click OK to go to the Policy Edit window, which has a blank NAT policy, or click Cancel to return to the Policy Selection window.

Deleting an existing policy
You cannot delete a read-only policy or the policy that is currently applied to the VPN Router. If you select one of these policies, the Delete option is disabled. To delete an existing policy:
1 Select the policy that you want to delete and click Delete. The delete policy confirmation dialog box appears.
2 Click OK to delete the selected policy.

Copying an existing policy
To copy a NAT policy:
1 Select the policy that you want to copy.
2 Click Copy. The copy dialog box appears.
3 Enter a name for the copied policy.
4 Click OK.

The new policy appears in the list of policies in the NAT policies window. This policy contains the same rules as the policy from which it was copied.


Renaming an existing policy
You cannot rename a read-only policy or the policy that is applied to the VPN Router. If you select a read-only policy, the Rename option is disabled. To rename an existing policy:
1 Select the policy that you want to rename.
2 Click Rename. The Rename dialog box appears.
3 Enter the new name of the policy.
4 Click OK.

Sample NAT procedures
The following sections describe the steps for sample NAT procedures. For the following configuration on the VPN Router, create the NAT policy:
STATIC: 10.0.1.0 - 10.0.1.255 -> 30.0.0.0 - 30.0.0.255
Go to Routing > Access List and create an access list acc1 to permit 30.0.0.0/24 and deny 10.0.1.0/24. Create another access list acc2 to permit 10.0.0.0/16 and deny 30.0.0.0/24.

Interface NAT with RIP
This sample shows interface NAT with RIP:
1 On the VPN Router, enable Interface NAT and attach the above NAT policy to Interface NAT.
2 Select Routing > RIP and enable RIP.
3 Select Routing > Policy and verify the redistribution table for the RIP protocol to redistribute NAT routes.
4 Create a policy list of type Announce on Interface 20.0.9.100 for protocol RIP with the acc1 access list.
5 Create another policy list of type Announce on Interface 10.0.9.100 for protocol RIP with the acc2 access list.
6 Send a ping request from 10.0.1.1 to 20.0.1.1. Ping gets the reply back.

Interface NAT with OSPF
This sample shows interface NAT with OSPF:
1 On the VPN Router, enable Interface NAT and attach the above NAT policy to Interface NAT.
2 Select Routing > OSPF and enable OSPF.
3 Select Routing > Policy and verify the redistribution table for the OSPF protocol to redistribute NAT routes.
4 Create a policy list of type Announce on Interface 20.0.9.100 for protocol OSPF with the acc1 access list.
5 Create another policy list of type Announce on Interface 10.0.9.100 for protocol OSPF with the acc2 access list.
6 Send a ping request from 10.0.1.1 to 20.0.1.1. Ping gets the reply back.

Branch Office NAT with RIP
This sample shows NAT on a branch office with dynamic routing enabled.
1 On VPN Router-1, select Profiles > Branch Office and create a branch office with a local end point as 20.0.9.100 and remote end point as 20.0.9.1.
2 Enable dynamic routing for that branch office and enable RIP.
3 Enable NAT and create the above NAT policy.
4 Select Routing > RIP and enable RIP.
5 Select Routing > Policy and verify the redistribution table for the RIP protocol to redistribute NAT routes.
6 Create a policy list of type Announce on the Branch Office interface for protocol RIP with the acc1 access list.
7 Create another policy list of type Announce on Interface 10.0.9.100 for protocol RIP with the acc2 access list.
8 To configure Router-2 (VPN Router), select Profiles > Branch Office and create a branch office with a local end point as 20.0.9.1 and remote end point as 20.0.9.100.
9 Enable Dynamic Routing for that branch office and enable RIP.
10 Select Routing > RIP and enable RIP.
11 Send a ping request from 10.0.1.1 to 20.0.1.1. Ping gets the reply back.

Branch Office NAT with OSPF

This sample shows NAT on a branch office with dynamic routing enabled.
1 On VPN Router-1, select Profiles > Branch Office and create a branch office with a local end point as 20.0.9.100 and remote end point as 20.0.9.1.
2 Enable Dynamic Routing for that branch office and enable OSPF.
3 Enable NAT and create the above NAT policy.
4 Select Routing > OSPF and enable OSPF.
5 Select Routing > Policy and verify the redistribution table for the OSPF protocol to redistribute NAT routes.
6 Create a policy list of type Announce on the Branch Office interface for protocol OSPF with the acc1 access list.
7 Create another policy list of type Announce on Interface 10.0.9.100 for protocol OSPF with the acc2 access list.
8 To configure Router-2 (VPN Router), select Profiles > Branch Office and create a branch office with a local end point as 20.0.9.1 and remote end point as 20.0.9.100.
9 Enable Dynamic Routing for that branch office and enable OSPF.
10 Select Routing > OSPF and enable OSPF.
11 Send a ping request from 10.0.1.1 to 20.0.1.1. Ping gets the reply back.
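The samples above all rely on the same two mechanisms: NAT adding (and on disable, withdrawing) routes for the translated range, with summarization when the range is not a whole subnet, and a per-interface Announce policy whose access list decides which of those routes leave the router. The following Python model, added here as an illustration and not code from the Nortel manual, walks through both with the sample policy (10.0.1.0/24 translated to 30.0.0.0/24) and the acc1/acc2 access lists; the function names and the implicit-deny behaviour of the access list are assumptions for the example.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network, summarize_address_range


def nat_routes(translated_start, translated_end, summarize=True):
    """Prefixes NAT adds to the routing table for a translated range.

    With summarization on, a range that is not a whole subnet collapses into the
    fewest CIDR blocks; with it off, every address is a separate /32 host route.
    """
    start, end = IPv4Address(translated_start), IPv4Address(translated_end)
    if summarize:
        return list(summarize_address_range(start, end))
    return [IPv4Network((a, 32)) for a in range(int(start), int(end) + 1)]


class RoutingTable:
    """Minimal RTM: a NAT policy adds its routes when applied and removes them when disabled."""

    def __init__(self):
        self.routes = {}  # prefix -> name of the NAT policy that installed it

    def apply_nat(self, policy, translated_start, translated_end, summarize=True):
        for prefix in nat_routes(translated_start, translated_end, summarize):
            self.routes[prefix] = policy

    def disable_nat(self, policy):
        for prefix in [p for p, owner in self.routes.items() if owner == policy]:
            del self.routes[prefix]


def access_list(entries):
    """Ordered access list [("permit"|"deny", prefix), ...]: first match wins, no match denies."""
    parsed = [(action, ip_network(prefix)) for action, prefix in entries]

    def permits(route):
        for action, prefix in parsed:
            if route.subnet_of(prefix):
                return action == "permit"
        return False  # implicit deny (assumption for this example)

    return permits


def announce(routes, acl):
    """Announce policy for one interface: only the routes the access list permits leave it."""
    return sorted(route for route in routes if acl(route))


if __name__ == "__main__":
    rtm = RoutingTable()
    rtm.apply_nat("static-10-to-30", "30.0.0.0", "30.0.0.255")
    acc1 = access_list([("permit", "30.0.0.0/24"), ("deny", "10.0.1.0/24")])  # public side
    acc2 = access_list([("permit", "10.0.0.0/16"), ("deny", "30.0.0.0/24")])  # private side
    candidates = list(rtm.routes) + [IPv4Network("10.0.1.0/24")]
    print("announce on 20.0.9.100:", announce(candidates, acc1))
    print("announce on 10.0.9.100:", announce(candidates, acc2))
```

With acc1 attached to the public-side interface, only the translated 30.0.0.0/24 is advertised there and the original 10.0.1.0/24 stays hidden; acc2 does the reverse on the private side. Running nat_routes on a range such as 30.0.0.5 to 30.0.0.200 shows why summarization is on by default: nine CIDR blocks instead of 196 host routes to redistribute.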

Sample branch office NAT configuration

This configuration example (Figure 37) adds a NAT static rule with a single host as the source.

Figure 37 NAT configuration example

1 Using a browser with a valid JRE (1.4.2_04), log in to the VPN Router.
2 To create a NAT policy, select Services > Firewall/NAT and click Manage Policies.
3 Click New, enter the policy name, and click OK.
4 To add a NAT rule, right-click # and click Add New Rule.
5 Right-click Orig Src and click Add. The Network Object Selection window appears. You use this window to create network objects. Once created, you can apply a network object to any Address column of the rule.
6 Click New, select Host, and click OK.
7 In the Host Object Insert window, enter the host name and IP address (in this example, Sqa64 and 10.0.64.4) and click OK.
8 Click OK twice to return to the NAT Translate Action window.
9 Right-click Trans Src and click Add. Click New, select Host, and click OK.
10 In the Host Object Insert window, enter the information for the translated host (Host Name = Sqa64Trans, IP Address 30.0.64.4) and click OK. Click OK twice to return to the NAT Translate Action window.
11 Click Policy > Save policy. A popup advising you to "Please wait …" must appear to show that the policy was saved.
12 Select Profiles > Branch Office, select a working branch office tunnel, and click Configure.
13 From the NAT menu, select the policy you added and click OK.
14 From SQA64, use ping, Telnet, or another application to pass traffic over the tunnel.

Configuring NAT with the VPN Router Stateful Firewall

To use NAT on the VPN Router with the VPN Router Stateful Firewall, where the NAT address is within the same subnet as the public interface:
1 Select Profiles > NAT.
2 Enter static in the name field and click Create.
3 Leave the Translation type set to static.
a Add the internal VPN Router address (for example, 10.4.4.204) as the start and the end internal address.
b Add the external address (for example, 192.168.4.204) as the starting external address.
4 Select System > Forwarding, enable Proxy ARP for Physical Interfaces, and click OK.
5 Enable Interface NAT and select the NAT rule created in Steps 1 and 2.

Note: The VPN Router Stateful Firewall must have an Allow All policy set.

NAT ALG for SIP

Traditional NATs do not translate Layer 5 addresses. Therefore, the VoIP signaling and Real Time Transport Protocol/Real Time Transport Control Protocol (RTP/RTCP) become unreachable after NAT translation (one-way signaling and audio) due to the embedded IP address and port specified within the IP payload. Figure 38 illustrates the problem caused by NAT for Session Initiation Protocol (SIP) signaling.

Figure 38 NAT and SIP

In Figure 38:
1 User A sends an invite to User B. The NAT translates the Layer 3 address, but not the Layer 5 (SIP/Session Description Protocol [SDP]) addresses.
2 User B receives the invite and responds back to the NAT address. The signaling gets completed (for example, 200 OK).
3 User A sends RTP to User B's SDP c= / m= address:port.
4 User B tries to send RTP to User A's c= / m= address:port, but this fails since it cannot route to User A (the SDP address and port did not receive the NAT), resulting in One-Way Audio.
5 If User A hangs up (because of One-Way Audio), the BYE is sent to User B correctly.
6 If User B hangs up, the BYE does not get to User A because the header address did not receive the NAT. This leaves the state of User A for that session up until User A hangs up.
7 Two of the solutions that correct the NAT traversal issue are:
• Application level gateways (ALG)
• Address/port discovery
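What an ALG has to do for SIP follows directly from the failure above: besides the IP header, it must rewrite the Via and Contact headers, the SDP c= and o= addresses and the m= media port, and keep the bindings so the inbound 200 OK and the far end's RTP can be mapped back. The following Python sketch is an added example, not the VPN Router's ALG; the INVITE is constructed, the NAT public address 203.0.113.5 and the port pools are assumptions, and the RTP/RTCP pair is allocated as consecutive even/odd ports.

```python
import re

NAT_PUBLIC_IP = "203.0.113.5"  # assumed public address of the NAT (documentation range)

# Constructed INVITE from a phone at private address 10.1.1.20 (not captured traffic)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@10.1.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

IP_PORT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"


class SipAlg:
    """Rewrites the Layer 5 addresses (Via, Contact, SDP c=/o=/m=) that plain NAT leaves alone."""

    def __init__(self, public_ip, sig_base=12345, media_base=52000):
        self.public_ip = public_ip
        self.next_sig = sig_base        # hypothetical pool for signaling ports
        self.next_media = media_base    # hypothetical pool for RTP/RTCP, even/odd pairs
        self.bindings = {}              # (kind, private_ip, private_port) -> public_port

    def _bind(self, kind, ip, port):
        key = (kind, ip, port)
        if key not in self.bindings:
            if kind == "sig":
                self.bindings[key] = self.next_sig
                self.next_sig += 1
            else:
                self.bindings[key] = self.next_media
                self.bindings[("rtcp", ip, port + 1)] = self.next_media + 1
                self.next_media += 2
        return self.bindings[key]

    def private_for(self, public_port):
        """Reverse lookup for the inbound leg (200 OK to the Via/Contact port, RTP to the m= port)."""
        for (_kind, ip, port), public in self.bindings.items():
            if public == public_port:
                return ip, port
        return None

    def translate_outbound(self, msg, private_ip):
        """Return the message as it should leave the public side, with bindings recorded."""
        head, sep, body = msg.partition("\r\n\r\n")

        def sig_repl(m):
            port = self._bind("sig", m.group(2), int(m.group(3)))
            return f"{m.group(1)}{self.public_ip}:{port}"

        head = re.sub(r"(Via: SIP/2\.0/\w+ )" + IP_PORT, sig_repl, head)
        head = re.sub(r"(Contact: <sip:[^@>]+@)" + IP_PORT, sig_repl, head)
        if body:
            body = re.sub(r"^(c=IN IP4 )" + re.escape(private_ip), r"\g<1>" + self.public_ip, body, flags=re.M)
            body = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )" + re.escape(private_ip), r"\g<1>" + self.public_ip, body, flags=re.M)
            body = re.sub(r"^(m=\w+ )(\d+)",
                          lambda m: f"{m.group(1)}{self._bind('rtp', private_ip, int(m.group(2)))}",
                          body, flags=re.M)
            # the body changed length, so the header must be kept consistent with it
            head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body.encode())}", head)
        return head + sep + body


if __name__ == "__main__":
    alg = SipAlg(NAT_PUBLIC_IP)
    print(alg.translate_outbound(SAMPLE_INVITE, "10.1.1.20"))
    print(alg.bindings)
```

The recorded media binding (49170 to 52000, plus 49171 to 52001 for RTCP) is exactly the 5-tuple information a firewall ALG needs to open the pinhole for the call, which is the second half of what the later Firewall SIP ALG section describes.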

For more information on the address/port discovery method, see "Address/Port discovery" on page 88.

Application level gateways (ALG)

NAT ALG translates any embedded IP addresses and port numbers contained in an application's protocol messages, preventing inconsistencies within the packet. For application traffic flows that embed an IP address in the data portion (such as FTP or NetBIOS), you must have an ALG. NAT ALG supports FTP, ICMP, IPsec (ESP only), NetBIOS, Berkeley R commands, and SNMP. SNMP ALG support allows you to use SNMP traps with NAT. The data within the SNMP traps is translated. The SNMP ALG is applied to SNMP traps originating from the VPN Router only if there are NAT rules that translate traffic originating from the VPN Router. You must enable the SNMP management system to send SNMP Gets from the Admin > SNMP window.

The following section focuses on NAT ALG for SIP to support VoIP phones that use SIP as their signaling protocol. The NAT ALG provides support for SIP traffic to and from SIP phones and the SIP Server MCS 5100; it does not cover i2004 phones, because i2004 phones are UNIStim devices.

Configuring NAT ALG for SIP

You can enable or disable NAT ALG for SIP with either the GUI or the CLI. For more information about the CLI commands, see Nortel VPN Router Using the Command Line Interface. To configure NAT ALG for SIP:
1 From the Services > Firewall/NAT window, click Edit in the VPN Router Firewall row. The Firewall/NAT > Edit window appears.
2 Under NAT Application Level Gateway, click SIP.
3 Click OK.

The Firewall/NAT window reappears with the new configuration applied. Figure 39 shows the interface where you enable SIP for NAT ALG.

Figure 39 SIP enabled

Note: If Firewall is enabled in the Logging section, the user receives a log with Firewall events in it.

Firewall SIP ALG

Firewalls, by default, do not have the intelligence to identify port numbers within the payload of signaling protocols and cannot dynamically open ports for media traversal. Firewalls operate with layer 3 or layer 4 information and cannot access information in higher layer protocols, resulting in blocking of voice traffic. The development of ALGs for the VoIP signaling protocols solves this issue. The SIP ALG performs the necessary translation of the IP addresses embedded in the SIP messages and updates the SDP information. The Firewall ALG examines the SDP information, identifies the RTP port number for the call, and opens the port in the firewall during call setup. The Firewall ALG also raises a flag to tell NAT to perform an application level translation. The ALG then performs the address/port mapping and state setup to ensure that the data channels are mapped according to the information in the SDP. The ALG closes the port after call termination. This provides a mechanism to dynamically open and close ports in the firewall and increases network security by restricting the voice traffic to active sessions only.

Configuring Firewall Virtual ALG

A Firewall Virtual ALG is a syntax-independent application level gateway (ALG) for firewall traversal that works for both encrypted and nonencrypted UNIStim signaling, which is a Voice over Internet Protocol (VoIP) signaling protocol. A Firewall Virtual ALG works only with UNIStim signaling. Firewall Virtual ALG is based on a trust model that assumes that the phone authenticates itself with the call server, and that continuous detection of signaling traffic between the phone and the call server allows media to or from the phone to traverse the firewall. The entity controlling the phone in Succession 1000 Call Servers is also referred to as Terminal Proxy Server (TPS). The controlling entity does not acknowledge any requests from unauthorized devices. Continuous communication implies that the call server trusts the endpoint and that the call server would not communicate constantly with the endpoint device if the endpoint device was not authorized to send media through the firewall. With TPS, UNIStim phones on the private side can make calls to phones on the public side without explicitly opening up holes in the firewall.

To enforce a more stringent and secure protocol, the Firewall Virtual ALG waits until it receives an RTP/RTCP packet from the phone on the private side to open a pinhole in the firewall. The advantage of this late pinhole creation is that the ALG has the exact 5-tuple for which it needs to open a pinhole. The Firewall Virtual ALG creates the pinhole only for outbound traffic. The Firewall Virtual ALG creates a reverse path in response to the outbound pinhole, thus preventing any unauthorized access from the outside. The system drops all packets from the outside phone until the internal phone sending packets to the external phone creates the pinhole.
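The trust model and late pinhole creation described above can be written down as a small state machine: trust comes only from seeing the phone keep talking to a configured call server, the pinhole is keyed on the full 5-tuple of the phone's own first RTP/RTCP packet, only the exact reverse path is admitted, and because the ALG cannot read UNIStim, pinholes (and trust) fall back to a plain idle timeout. This Python model is an added example, not the VPN Router's implementation; the call server address 47.135.152.16 and the phone-side ports 5000/5200 are taken from this chapter's figures and CLI example, the external phone 198.51.100.7 and the 30 s timeout are assumptions, and the clock is injectable so the aging can be driven deterministically.

```python
import time


class FirewallVirtualAlg:
    """Pinhole model of a syntax-independent (Virtual) ALG. Hypothetical code, not Nortel's."""

    def __init__(self, call_servers, signaling_port, media_port, idle_timeout, clock=time.monotonic):
        self.call_servers = set(call_servers)   # IPs configured under Virtual ALG > Add
        self.signaling_port = signaling_port    # phone-side UNIStim port (port-signaling)
        self.media_port = media_port            # phone-side RTP port; RTCP is media_port + 1 (port-media)
        self.idle_timeout = idle_timeout        # stands in for the transport-protocol timeout
        self.clock = clock
        self.trusted = {}    # private phone ip -> last time signaling with a call server was seen
        self.pinholes = {}   # (proto, priv_ip, priv_port, ext_ip, ext_port) -> last activity

    def packet(self, proto, src_ip, src_port, dst_ip, dst_port, direction):
        """direction is 'out' (private to public) or 'in'. Returns 'forward', 'drop' or 'policy'.

        'policy' means the Virtual ALG has no opinion and the ordinary firewall rules decide.
        """
        now = self.clock()
        self._expire(now)
        if direction == "out":
            if dst_ip in self.call_servers and src_port == self.signaling_port:
                self.trusted[src_ip] = now           # continuous signaling keeps the phone trusted
                return "forward"
            if (proto == "udp" and src_ip in self.trusted
                    and src_port in (self.media_port, self.media_port + 1)):
                # late pinhole creation: the exact 5-tuple is known only now
                self.pinholes[(proto, src_ip, src_port, dst_ip, dst_port)] = now
                return "forward"
            return "policy"
        reverse = (proto, dst_ip, dst_port, src_ip, src_port)
        if reverse in self.pinholes:                   # only the reverse path of an open pinhole
            self.pinholes[reverse] = now
            return "forward"
        return "drop"                                  # outside phone before the inside phone spoke

    def _expire(self, now):
        """No UNIStim parsing means no call-end signal; idle timeout is the only closer."""
        for table in (self.trusted, self.pinholes):
            for key in [k for k, last in table.items() if now - last > self.idle_timeout]:
                del table[key]


if __name__ == "__main__":
    alg = FirewallVirtualAlg({"47.135.152.16"}, 5000, 5200, idle_timeout=30.0)
    print(alg.packet("udp", "198.51.100.7", 5200, "192.168.0.2", 5200, "in"))   # drop
    print(alg.packet("udp", "192.168.0.2", 5000, "47.135.152.16", 7000, "out"))  # forward (trust)
    print(alg.packet("udp", "192.168.0.2", 5200, "198.51.100.7", 5200, "out"))   # forward (pinhole)
    print(alg.packet("udp", "198.51.100.7", 5200, "192.168.0.2", 5200, "in"))   # forward (reverse)
```

The checks worth keeping when implementing something like this: a packet from an outside address that merely targets the phone's media port is dropped until the inside phone has spoken, a reply from a different source port does not fit the 5-tuple and is dropped, and an inside host that never signaled with a configured call server gets no media pinhole at all.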

Because the Firewall Virtual ALG cannot interpret and inspect the UNIStim protocol, the Firewall Virtual ALG closes the pinholes only after the default timeout period of the underlying transport protocol.

To enable or disable the Firewall Virtual ALG:
1 Select Services > Firewall/NAT.
2 Click Edit for the Firewall/NAT type you want to edit. The Services > Firewall/NAT > Edit window appears.
3 Click Enable or Disable. The default is disabled. Figure 40 shows the Virtual ALG disabled.

Figure 40 Enabling or disabling Firewall Virtual ALG

To configure the Firewall Virtual ALG:
1 Select Services > Firewall > Edit. The Services > Firewall > Edit window appears.
2 In the FW Application Level Gateway section, click Configure. The Virtual ALG window appears (Figure 41).

Figure 41 Virtual ALG

The port number in the Signaling Port and the Media Port dialog boxes is dependent on the configuration of the server.
3 To add a server, click Add. The Virtual ALG > Add window appears (Figure 42).
a Enter the name of the server.
b Enter the IP address.
c Select either TCP or UDP as the Protocol.
d Enter the port number.
e Click Apply.
4 To edit a call server, click Edit.
5 To delete a call server, click Delete.

Figure 42 Adding a server to the Virtual ALG

To enable the Virtual ALG with the CLI, enter the following command:
CES(config)#firewall alg virtual enable
To disable the Virtual ALG, enter the following command:
CES(config)#no firewall alg virtual enable
To configure the Virtual ALG server, enter the following command:
CES(config)#firewall alg virtual server <servername> ip <ipaddress> port <portnumber> proto <tcp/udp>
The following example shows how to configure ports:
CES(config)#firewall alg virtual port-media 5200
CES(config)#firewall alg virtual port-signaling 5000

Hairpinning

You need hairpinning when two IP phones behind the same NAT want to communicate. VPN Router NAT blocks packets coming from the private side of the NAT that are destined for the private side for which a NAT binding to a specific port already exists. This does not allow peer-to-peer communication between two endpoints behind the same NAT if they try to use their public address. Hairpinning corrects this problem by examining the destination address of a packet, evaluating the destination address NAT binding, and making a determination on the requirement for hairpinning. NAT hairpinning does payload translation on SIP and UNIStim messages.

Hairpinning with SIP

Hairpinning solves another special issue that is introduced when voice phones are on one side of a NAT boundary and the call server is on the other side. The SIP NAT ALG translates the IP addresses of the SIP phones from private space to public. When the call server is queried for the IP address of the person being called, it responds with the public IP address. It also supplies the called person with the public IP address of the caller.

248. If both IP phones are behind the same NAT. this creates problems because the media packets are sent to the NAT device. looping through the NAT device. However.1:x address.17. it always uses the public address as the Far End address for the other IP phone. Figure 43 shows hairpinning support required for VoIP Media. Figure 43 Hairpinning with SIP Hairpinning with a UNIStim call server When a UNIStim call server sends an Open Audio Stream (OAS) message to an IP phone. The media traffic between the clients needs to go to and from the public addresses. it redirects the packets to the right destination. Figure 44 shows an intra-realm call with hairpinning.1:x IP. Nortel VPN Router Configuration — Firewalls.17.Chapter 4 Configuring NAT 115 Although both clients are in the same private address space.248. which has no idea what these packets are for. each thinks the other resides in the public address space. if the NAT device supports hairpinning. and QoS . The MCS call server sees both private side phones as having a 47. telling the private side caller that the called has a 47. Filters. helping generate the voice path. NAT. and vice-versa.

Figure 44 Intra-realm call with hairpinning

In Figure 44, both i2004a and i2004b are behind the same NAT and registered into the same CS1K TPS server. UNIStim messages are encrypted and the ERouter NAT cannot translate the UNIStim message payload. Upon successful registration of both IP phones, ERouter NAT generates the following NAT table entries:

Table 3 NAT entries
Internal Address | External Address | Remote Address
192.168.0.2:5000 | 47.135.152.15:12345 | 47.135.152.16:7000
192.168.0.3:5000 | 47.135.152.15:12347 | 47.135.152.16:7000
192.168.0.2:5200 | 47.135.152.15:52000 | 47.135.152.16:10000
192.168.0.2:5201 | 47.135.152.15:52001 | 47.135.152.16:10001
192.168.0.3:5200 | 47.135.152.15:52002 | 47.135.152.16:10000
192.168.0.3:5201 | 47.135.152.15:52003 | 47.135.152.16:10001

When i2004a calls i2004b, TPS sends OAS to i2004b with the following contents:
Far End Address = 47.135.152.15:52000
Near End Port = 5200
TPS sends OAS to i2004a with the following contents:
Far End Address = 47.135.152.15:52002
Near End Port = 5200

When i2004a sends media packets to i2004b, the packet header looks like this:
Source Address = 192.168.0.2:5200, Destination = 47.135.152.15:52002

When ERouter NAT receives the media packet generated by i2004a, it first compares the destination address in the packet header against the External Address entries in its NAT table. It finds a match (47.135.152.15:52002) and translates the destination address from 47.135.152.15:52002 to 192.168.0.3:5200. The ERouter NAT further compares the source address in the packet header against the Internal Address entries in its NAT table. It finds a match (192.168.0.2:5200), translates the source address from 192.168.0.2:5200 to 47.135.152.15:52000, and forwards the translated packet to i2004b.

When i2004b sends media packets to i2004a, the packet header looks like this:
Source = 192.168.0.3:5200, Destination = 47.135.152.15:52000

Similarly, when ERouter NAT receives the media packet generated by i2004b, it first compares the destination address in the packet header against the External Address entries in its NAT table. It finds a match (47.135.152.15:52000) and translates the destination address from 47.135.152.15:52000 to 192.168.0.2:5200. The ERouter NAT further compares the source address in the packet header against the Internal Address entries in its NAT table. It finds a match (192.168.0.3:5200), translates the source address from 192.168.0.3:5200 to 47.135.152.15:52002, and forwards the translated packet to i2004a, and a direct media path is achieved.

Note: Hairpinning support is part of the solution and can coexist with the other portions of the solution. For example, with nonencrypted UNIStim messages, the hairpinning logic automatically turns off.
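The two lookups the walkthrough above performs (destination against the External Address column, then source against the Internal Address column) are the whole hairpinning decision, and they also decide the two cases the chapter contrasts with it: an ordinary outbound packet to the call server gets plain source NAT, and without hairpinning a packet aimed at one of the NAT's own public bindings is dropped. The following Python model is an added example, not the ERouter NAT code; its bindings are the rows of Table 3, addresses are kept as "ip:port" strings for readability, and the action names are hypothetical.

```python
# Constructed from Table 3 on this page: (internal, external, remote) bindings of the ERouter NAT
NAT_TABLE = [
    ("192.168.0.2:5000", "47.135.152.15:12345", "47.135.152.16:7000"),
    ("192.168.0.3:5000", "47.135.152.15:12347", "47.135.152.16:7000"),
    ("192.168.0.2:5200", "47.135.152.15:52000", "47.135.152.16:10000"),
    ("192.168.0.2:5201", "47.135.152.15:52001", "47.135.152.16:10001"),
    ("192.168.0.3:5200", "47.135.152.15:52002", "47.135.152.16:10000"),
    ("192.168.0.3:5201", "47.135.152.15:52003", "47.135.152.16:10001"),
]


class HairpinNat:
    """Per-packet decision on the private side: plain source NAT, hairpin, or drop. Hypothetical code."""

    def __init__(self, table, hairpinning=True):
        self.int_to_ext = {internal: external for internal, external, _ in table}
        self.ext_to_int = {external: internal for internal, external, _ in table}
        self.hairpinning = hairpinning

    def outbound(self, src, dst):
        """Return (translated_src, translated_dst, action) for a packet arriving from the private side."""
        if src not in self.int_to_ext:
            return src, dst, "no-binding"  # not a registered phone; ordinary NAT rules apply
        if dst in self.ext_to_int:
            # destination is one of this NAT's own public bindings: the far end is behind this NAT too
            if not self.hairpinning:
                return src, dst, "drop"    # the blocking behaviour the chapter describes
            # keep the public NAT address as source so the called phone accepts the packet
            return self.int_to_ext[src], self.ext_to_int[dst], "hairpin"
        return self.int_to_ext[src], dst, "snat"  # ordinary outbound media or signaling


def media_path(nat, a_internal, b_internal):
    """Both directions of a call between two internal endpoints,
    each addressing the other's public binding as the OAS messages instruct."""
    a_to_b = nat.outbound(a_internal, nat.int_to_ext[b_internal])
    b_to_a = nat.outbound(b_internal, nat.int_to_ext[a_internal])
    return a_to_b, b_to_a


if __name__ == "__main__":
    nat = HairpinNat(NAT_TABLE)
    for leg in media_path(nat, "192.168.0.2:5200", "192.168.0.3:5200"):
        print(leg)
```

Run with the table above, the i2004a leg comes out as source 47.135.152.15:52000 and destination 192.168.0.3:5200 and the i2004b leg as source 47.135.152.15:52002 and destination 192.168.0.2:5200, matching the walkthrough; the same packets through HairpinNat(NAT_TABLE, hairpinning=False) are dropped.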

Hairpinning with a STUN server

When NAT traversal for phones behind the NAT is based on STUN, the phones use the port discovery protocol between the phone and the STUN server to discover their public addresses and use the discovered public addresses for peer-to-peer communication. The diagram in Figure 45 describes the hairpinning solution with the STUN server. Phone A on the private side of the VPN Router initiates a call to Phone B on the private side. Phone A and Phone B discover their public addresses. When the call is established, Phone A starts to send media to Phone B and vice versa with public NAT destination addresses in the media packets. VPN Router NAT, unaware that the voice packets need NAT hairpinning, blocks the media packets. When NAT hairpinning is enabled, it examines the destination address of a packet, evaluates the destination address NAT binding, and makes a determination on the requirement for hairpinning.

Figure 45 NAT Hairpinning

Hairpinning requirements

NAT Hairpinning has two requirements:
• Because IP phones may not accept packets from arbitrary IP addresses, the source IP address must be the public IP address of the NAT.
• If the device is performing NAT on a VPN tunnel, packets sent from private devices to the assigned VPN IP are hairpinned back without entering the VPN tunnel. When the packets reach the private endpoint, the source IP address must be the assigned VPN IP address.

Enabling hairpinning

You can use the GUI or the CLI to turn the hairpinning of packets on or off. For more information about the CLI commands, see Nortel VPN Router Using the Command Line Interface. To configure hairpinning:
1 Select Services > Firewall/NAT.
2 Click Edit beside VPN Router Firewall. The Firewall/NAT > Edit window appears.
3 Click hairpinning.
4 Click OK.
Figure 39 on page 110 shows hairpinning enabled. Hairpinning statistics are shown on the Status > Statistics > NAT Stats window.

Time-outs

When a session terminates, NAT deletes the associated translations. However, if a server goes down unexpectedly, the associated translation must age out so that the available translation addresses are not exhausted. The NAT time-outs are grouped by the following protocol:
• ICMP—3 minutes
• UDP—3 minutes
• TCP—120 minutes

0. Proxy ARP Proxy ARP is needed if the translated address assigned by NAT to a private host makes it appear as if that private host is on the other host’s network.150 pings the host 20. Because the interface NAT policy statically maps 20. The other host ARPs and does not get a response unless you enable Proxy ARP for physical interfaces on the VPN Router.1.1 is broadcast to the network.0.1.1. the numbers correspond to the following actions: 1 2 3 4 5 Host 20.1.1.0.1. In Figure 46. this first packet is translated and sent to 10.1.0. The VPN Router responds to the ARP request using its own hardware address for the ARP reply.0. The ICMP echo reply is sent directly to the host 20.1.0.1.1.1.1 to 10. The ARP request for host 20.120 Chapter 4 Configuring NAT NAT statistics The following statistics counters are provided for source and destination NAT services: • • • • • • • Source Translated—number of packets with the source address translated Destination Translated—number of packets with the destination address translated Flows Translated—number of flows translated by NAT service No Action—number of flows for which no translation was done Dropped—number of packets dropped because NAT could not translate the source/destination address Pooled Address Translations failed—number of packets dropped because NAT could not map a new address from the available address pool Port Translations failed—number of packets dropped because NAT could not map a new port for translation You can view the NAT statistics on the Status > Statistics window.0. NN46110-601 .

0. NAT.1 receives the ping.1.150.Chapter 4 Configuring NAT 121 6 7 8 9 Host 10.1. Filters. The target host receives the packet.1. and the ping program reports the results. Figure 46 Proxy ARP example Nortel VPN Router Configuration — Firewalls.1 and sent to 20. The packet's source IP 10. It replies with its own ICMP echo reply and sends the packet to the VPN Router.1 is translated to 20.0.1. and QoS .0.0. processes the ICMP.


Chapter 5 Configuring firewall user authentication

You use firewall user authentication (FWUA) to ensure users log in to the VPN Router Stateful Firewall before they are granted network access. FWUA provides more granular security controls against unauthorized firewall use and is used for user-level accounting information for firewall users. FWUA extends and enforces user authentication on traffic between branch office (BO) tunnels. You can also apply it on non-tunneled traffic when the VPN Router acts as a router and firewall edge device.

FWUA uses the existing authentication services, with username and passwords supported for both internal authentication services (LDAP) or external authentication services (RADIUS or LDAP proxy). Example 1 is based on authentication by internal LDAP and Example 2 is based on authentication by an external service (RADIUS and LDAP proxy).

FWUA by SecurID extends the authentication approach of FWUA, which enforces user authentication on traffic between branch office connections in the VPN environment. This authentication method is also applied to nontunneled traffic FWUA when the VPN Router acts as a router and a firewall edge device.

FWUA with TunnelGuard extends the capabilities of FWUA by downloading the TunnelGuard applet after the user is authenticated. Depending on how it is configured, TunnelGuard verifies that, for example, the PC has the proper patches installed and is running antivirus software before granting it access to the network. For more information on FWUA with TunnelGuard, see Nortel VPN Router Configuration — Tunnel Guard.

Policies within the VPN Router can contain a User Authentication specification for any rule. Users must register an active HTTPS logon session with the User Authentication Table Manager (UATM) before they are permitted access granted by the rule. User UATM sessions are mapped to the active session table by source IP address. Users who do not have an existing logon session registered with the UATM are not granted access even if the traffic profile is explicitly permitted by the rule. Figure 47 is an example of FWUA.

Figure 47 FWUA example
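The following is an added example (not Nortel code) of the rule evaluation just described: a rule whose action is User Authentication permits matching traffic only when the packet's source IP has an active logon session in the UATM, and a permitted traffic profile without such a session is denied. The session fields, the expiry handling, the sample policy and addresses, and the treatment of the *any group are assumptions made for this illustration.

```python
"""Firewall rule evaluation with a User Authentication requirement.

Added example, not Nortel code. It models the behaviour the manual describes:
a rule carrying a User Authentication specification only permits traffic whose
source IP has an active HTTPS logon session registered with the UATM. Session
fields, the expiry rule and the '*any' group handling are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class UatmSession:
    user: str
    group: str
    expires_at: float       # assumed: session ends when the browser logon ends


@dataclass
class Rule:
    src_net: str
    dst_net: str
    action: str             # "permit" or "deny"
    auth_group: str = None  # set when the rule's Action is User Authentication


def rule_matches(rule, src, dst):
    """Traffic profile match on source and destination address only."""
    return (ip_address(src) in ip_network(rule.src_net)
            and ip_address(dst) in ip_network(rule.dst_net))


def evaluate(rules, uatm, src, dst, now):
    """Return (decision, reason) for the first matching rule.

    uatm maps source IP -> UatmSession: the lookup is keyed on source address
    only, as the active session table is on the VPN Router.
    """
    for rule in rules:
        if not rule_matches(rule, src, dst):
            continue
        if rule.action == "deny":
            return "deny", "rule denies"
        if rule.auth_group is None:
            return "permit", "no authentication required"
        session = uatm.get(src)
        if session is None or session.expires_at <= now:
            return "deny", "no active UATM session for source IP"
        if rule.auth_group != "*any" and session.group != rule.auth_group:
            return "deny", "user not in required group"
        return "permit", f"authenticated as {session.user}"
    return "deny", "no matching rule (implicit deny)"


# Constructed sample policy and UATM session table.
RULES = [
    Rule("10.1.0.0/24", "192.168.50.0/24", "permit", auth_group="/Base/Sales"),
    Rule("10.1.0.0/24", "192.168.60.0/24", "permit", auth_group="*any"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "deny"),
]
UATM = {
    "10.1.0.20": UatmSession("alice", "/Base/Sales", expires_at=3600),
    "10.1.0.21": UatmSession("bob", "/Base/Eng", expires_at=3600),
    "10.1.0.22": UatmSession("carol", "/Base/Sales", expires_at=100),  # expired
}
```

Because the lookup is by source IP, anything that shares an address with an authenticated user (a NAT device in front of several hosts, for example) shares that user's firewall access for as long as the browser session stays open; that is the reason the procedure later in this chapter has the user keep the browser window open only while access is needed.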

Secure HTTP (HTTPS) support provides a secured communication channel for administration traffic to the VPN Router system and for firewall users to provide their authentication credentials to the VPN Router Stateful Firewall. A FWUA user directs their HTTPS-enabled Web browser to a specific Uniform Resource Locator (URL) designated for the FWUA logon on the VPN Router. Both Secure Socket Layer (SSL) 2.0/3.0 and Transport Layer Security (TLS) 1.0 are supported. The following suites are supported:
• Symmetric Ciphers—RC4, DES, and Triple DES (Cipher Block Chaining or CBC)
• Public Key Cryptography and Key Agreement Protocols—RSA and Diffie-Hellman
• Authentication Codes and Hash Algorithms—MD5 and SHA-1

Also, the following combinations of ciphers, key agreement protocols, and hashing algorithms are available:
• EDH-RSA-DES-CBC3-SHA
• DES-CBC3-SHA
• RC4-SHA
• RC4-MD5
• EXP1024-RC4-SHA
• EXP1024-DES-CBC-SHA
• EXP1024-RC4-MD5
• EDH-RSA-DES-CBC-SHA
• DES-CBC-SHA
• EXP-EDH-RSA-DES-CBC-SHA
• EXP-EDH-DSS-DES-CBC-SHA
• EXP-DES-CBC-SHA

The authentication facilities for FWUA use the existing authentication services currently available on the VPN Router with the exception of RADIUS-based tokens and digital certificates. By using the existing authentication services, all user-level accounting mechanisms that are available for VPN users are also available for FWUA users.
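The following is an added example (not Nortel code) that parses the suite names listed above, which follow the OpenSSL naming convention, and rates each one so that an administrator narrowing the Ciphers selection on the SSL/TLS window can see which suites to leave enabled. The classification rules and weights are the editor's, reflecting present-day guidance (export-grade key lengths, single DES and RC4 are broken; MD5 is a weak MAC; only the EDH suites provide forward secrecy); the suite list itself is copied from the page.

```python
"""Rate the HTTPS cipher suites the FWUA logon page can offer.

Added example, not Nortel code. The suite names are the OpenSSL-style names
listed in the manual; the findings and severity weights are the editor's.
"""
import re

# Suite names exactly as listed for the VPN Router HTTPS service.
SUPPORTED_SUITES = [
    "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5",
    "EXP1024-RC4-SHA", "EXP1024-DES-CBC-SHA", "EXP1024-RC4-MD5",
    "EDH-RSA-DES-CBC-SHA", "DES-CBC-SHA", "EXP-EDH-RSA-DES-CBC-SHA",
    "EXP-EDH-DSS-DES-CBC-SHA", "EXP-DES-CBC-SHA",
]

_SUITE_RE = re.compile(
    r"^(?P<export>EXP1024-|EXP-)?"          # export-grade key-size restriction
    r"(?P<kx>EDH-RSA-|EDH-DSS-)?"           # ephemeral DH, signed by RSA or DSS
    r"(?P<cipher>RC4|DES-CBC3|DES-CBC)-"    # bulk cipher
    r"(?P<mac>SHA|MD5)$"                    # MAC digest
)


def parse_suite(name):
    """Split an OpenSSL-style suite name into its components."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    return {
        "export": m.group("export") is not None,
        "forward_secrecy": m.group("kx") is not None,   # EDH = ephemeral DH
        "cipher": m.group("cipher"),
        "mac": m.group("mac"),
    }


# (predicate on the parsed suite, description, severity weight)
FINDINGS = [
    (lambda p: p["export"], "export-grade key length", 3),
    (lambda p: p["cipher"] == "RC4", "RC4 stream cipher (broken)", 3),
    (lambda p: p["cipher"] == "DES-CBC", "single DES (56-bit key)", 3),
    (lambda p: p["mac"] == "MD5", "MD5 MAC", 2),
    (lambda p: p["cipher"] == "DES-CBC3", "3DES (64-bit block, deprecated)", 1),
    (lambda p: not p["forward_secrecy"], "RSA key transport, no forward secrecy", 1),
]


def assess(name):
    """Return the list of (finding, weight) that apply to a suite."""
    p = parse_suite(name)
    return [(desc, w) for pred, desc, w in FINDINGS if pred(p)]


def risk_score(name):
    return sum(w for _, w in assess(name))


def least_risky(suites=SUPPORTED_SUITES):
    """The suite(s) with the lowest score: what to keep if the Ciphers
    selection on the SSL/TLS window must be narrowed."""
    best = min(risk_score(s) for s in suites)
    return sorted(s for s in suites if risk_score(s) == best)
```

Every suite on the list earns at least one finding under these rules, because the list predates AES and SHA-2 suites; the scoring only orders them. Disabling a suite on the VPN Router also requires that the browsers used for the FWUA logon still share at least one enabled suite, which the prerequisites on the next page state as a requirement.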

Prerequisites for using FWUA are:
• The VPN Router Stateful Firewall must be running to configure and process FWUA sessions.
• SSL/TLS must be enabled, which also requires that the VPN Router has a valid digital certificate installed to support HTTPS communication.
• FWUA users must have an HTTPS-enabled Web browser with a compatible SSL/TLS crypto suite.

Figure 48 is an example of FWUA configuration.

Figure 48 FWUA configuration

To configure FWUA:
1 Select Services > Available. The Services > Available window appears.

2 Click Public and Private for Firewall User Authentication.
3 Select Services > SSL/TLS. The SSL window appears.
4 Enter the text for a welcome banner.
5 Click the desired Ciphers (default all) and enter an existing X.509 digital server certificate preconfigured for this VPN Router (for example, CN=ces48, O=CSE, C=US). If no available certificates appear in the list, no server certificates are defined on your VPN Router or the existing server certificate is disabled.
6 Select Services > FWUA. The Firewall UA Settings window appears. Enter the port value (default 8000) and the default max session value. Click TunnelGuard Checking Only to enable FWUA for TunnelGuard enforcement only, which removes the need for the user to log on to FWUA. If you select this option, you must provide a User ID and Password for the user. This username and password is used to anonymously log on all FWUA users. For more information on TunnelGuard, see Nortel VPN Router Configuration — TunnelGuard.
7 Select Profiles > Users > User Management > Edit User. Click an FWUA user profile in internal LDAP. You add RADIUS or LDAP proxy authentication servers to the authentication order later.
 a Enter the user name.
 b After you log in, select the Group and create a password.
8 Select Services > Firewall/NAT > Manage Policies.
Note: The firewall UI requires JRE 1.4.2_04 or later. If you do not have a sufficient JRE, you are prompted by the VPN Router to download and install JRE 1.4.2_04 directly from the VPN Router. A copy of JRE 1.4.2_04 is also available on the VPN Router server CD.
9 Create a firewall policy: click New and enter the name of the policy.
10 Select the new firewall policy (refresh the screen for the new policy to appear in the list).
11 Select the Default Rules tab, right-click on the # sign and select Add New Rule.
 a Right-click the Action cell and select User Authentication.
 b Select the group that contains the FWUA user. If you select *any for the group, it forces all users, regardless of their group association, to authenticate to the firewall.
 c Select Policy > Save Policy and Manager > Exit CSF.
 d To test the FWUA rule, try to communicate through the VPN Router. Communication attempts should fail.
Note: You must have a valid VPN Router Stateful Firewall license key installed. Also, you must reboot the VPN Router the first time you enable the VPN Router Stateful Firewall. Check VPN Router Stateful Firewall on the Firewall/NAT window to be sure it is enabled. You can disable the VPN Router tunnel filters as they are no longer needed.
12 Direct your HTTPS-enabled browser to the predefined FWUA logon URL on the VPN Router and log in to the firewall using the FWUA user profile that you created. The FWUA logon URL follows the format of https://VPNRouterhostname:port/FWUA.htm or https://VPNRouterIPaddress:port/FWUA.htm where VPNRouterhostname or VPNRouterIPaddress resolves to a VPN Router interface (not management IP). The port is the port number you specified on the Services > FWUA window.
Note: If the domain VPN Router digital server certificate is not part of a certificate domain trusted by your Web browser (you do not have a certificate issued by the same CA) or the domain listed on the VPN Router certificate does not match the DNS domain of the VPN Router, you are prompted by your Web browser with a security alert dialog box. Click Yes to trust the certificate and proceed.
After a successful authentication, the browser window must remain open during the entire time that you want to communicate through the firewall. This keeps an active FWUA session in the UATM.
13 Try to communicate through the firewall again. Communication attempts should be successful.

14 To modify the current FWUA configuration to accommodate external authentication methods, go to Services > FWUA > Add RADIUS or Add LDAP Authentication Server. The Associated Group specifies the group from which the RADIUS or LDAP Proxy Authentication users obtain their privileges, as defined on the Server > RADIUS Auth or the Server > LDAP Proxy windows. If the /Base group is configured to authenticate RADIUS or LDAP Proxy Auth users for VPN connections, it is also used to authenticate FWUA users.


Chapter 6 Configuring QoS

The VPN Router supports two internal quality of service (QoS) mechanisms as well as participates in external network signaling to enhance performance. Forwarding priority allows for prioritized traffic, and Call admission priority allows you to reserve connection resources for high-priority users. In addition, external QoS using Resource ReSerVation Protocol (RSVP) signals the public network to reserve a portion of the network's bandwidth for a specific connection.

QoS provides the option of dropping data that exceeds configured traffic conditioning assured forwarding rates. This allows for guaranteed bandwidth based on Diffserv code points that guarantees a fixed percentage of total bandwidth to each of several applications. This ensures that particular DSCP values obtain the desired amount of egress bandwidth.

Traffic conditioning by DSCP provides a method to limit traffic at ingress to the VPN Router based on Diffserv Code Point (DSCP) value. Traffic that exceeds the configured rate for a particular DSCP is dropped in ingress to the VPN Router.

Configuring classifiers

You can define an MF Classifier for an interface (interface MF). The interface MF-Classifier is applied to routing traffic going through that interface.

To configure an MF classifier:
1 Select QoS > Classifiers. The Current Multi-Field (MF) Classifiers list includes all existing MF classifiers.
2 Select from the Current Multi-Field (MF) Classifiers and click Edit to edit the rules for that MF Classifier.

The Edit/Create Rules window appears. The Rules in Classifier list shows all rules that are applied to the MF Classifier. The Available Rules list shows all existing rules. You can select rules from this list to move them into the Rules in Classifier list and apply them to the MF Classifier.
3 Select a rule from the Available Rules list on the right of the window, then click the left arrow. This adds the selected rule to the current rules list. The new rule is added after the rule currently selected in the Rules in Classifier list.
4 Click Edit to edit an existing rule. The Edit Rule window appears. The Classifier Rule for field shows the name of the rule.
5 Enter the source and destination addresses to limit the rule to acting on packets from and to these addresses. Source and destination are relative to the direction of the rule.
6 Click Modify next to the Source and Destination Address fields to edit either of these fields. The DiffServ Rules Definition Address window appears.
7 Select the appropriate protocol from the list. The default list of protocols includes:
• ICMP—Internet Control Message Protocol is a Network layer protocol. The PING utility generates ICMP packets. PING is often used to check if a system's network is available. Enabling this option makes the VPN Router respond to ICMP packets (PING) when VRRP becomes master for an IP address that it backs up.
• IP—Internet Protocol is a Network layer protocol in the TCP/IP stack that offers a connectionless internetwork service. IP packets that are encapsulated within other packets create IP over IP. Multicast IP packets (packets that have multicast destinations), carried between networks that support multicasting over intermediate networks that do not, are the most common implementation. Examples are conferences and other services offered through Multicast Backbone (MBONE).

• TCP—Transmission Control Protocol is a transport layer protocol in the TCP/IP protocol stack. This is a connection-oriented protocol that provides reliable full-duplex data transmission. Examples are Web browsers using HTTP and FTP.
• UDP—User Datagram Protocol is a transport layer protocol in the UDP/IP protocol stack. UDP is a connectionless service that exchanges datagrams without acknowledgment or delivery guarantees, and therefore requires that other protocols handle error handling and retransmissions. Examples are DNS and WINS.
8 Click Modify next to the Protocol field to edit it.
9 Click Modify to the right of the TCP/UDP Source and Destination Port fields to edit them. You can filter packets to or from the Source and Destination ports to permit or deny any packets transferred by the VPN Router. The source or destination is relative to the direction of the rule.
10 Click Modify to the right of the Current DSCP Value field to create and edit the DSCP value and mask. The DSCP value and mask assignments allow packets that are already marked to retain their settings or to be remarked based on their previous DSCP value.
11 Select the DSCP, either expedited forwarding (EF) or an assured forwarding (AF) level, that you want marked on the next meter for the data this rule applies to.

Configuring Interface shaping

Interface Shaping shapes or delays the outgoing packet flow through an interface to better match the throughput of a downstream device. It is applicable for Ethernet Interfaces only. If the configured data rates for the assured forwarding queues are based on the interface shaping rate, which is based on the downstream data rate, the queues are the appropriate size. You can configure the assured forwarding queues option to drop data exceeding the configured rate. (EF excess data is always dropped.) This data is dropped on ingress and never enqueued.

To configure Interface Shaping:
1 Select QoS > Interfaces.
2 Under Current Interface, select the Ethernet Interface that you want to configure and click Display. The current interface displays its current QoS configuration, which includes Interface Shaping.
3 Under Interface Shaping, click Configure. The Interface Shaping window appears.
4 Under Interface Shaping State, enable Interface Shaping for the selected Ethernet Interface. Default is disabled.
5 Under Interface Shaping, enter the shaping rate (in bps).
6 Click OK.

Configuring bandwidth management

You use bandwidth management to manage the VPN Router CPU and interface bandwidth resources to ensure that tunneled sessions get predictable and adequate levels of service. You use bandwidth management to configure the VPN Router resources for users, branch offices, and interface-routed traffic. Bandwidth components keep track of and control the level of bandwidth used on the physical interfaces and the tunnels. The VPN Router interface speed determines the available bandwidth.

Bandwidth management forces tunnels to conform to a set of rates. There are two rates (committed and excess) and an excess action (mark or drop). Packets are given different drop preferences, depending on whether they are below the committed rate (lowest drop preference), between the committed and excess rate (higher drop preference), or above the excess rate (highest drop preference if the excess action is Mark). When the excess action is Drop, the VPN Router drops all the packets above the excess rate. When there is congestion, the VPN Router drops packets according to their drop preference.

You can add call admission to guarantee that resources are available to support the committed bandwidth assigned to a user. This potentially denies a client access before the licensed limit of a VPN Router is reached.

To configure bandwidth management:
1 Select Admin > Install and enable the advanced routing license.
2 Select QoS > Bandwidth Mgmt to define the bandwidth rates. The maximum rate you can create is 100 Mbps. You must define this in bits per second (100 Mbps=100000000).
3 Select Profiles > Groups > Groups > Edit > Connectivity. In the User Bandwidth Policy section, define the committed and excess bandwidth rates.
4 Select QOS > Interfaces to set the over-subscription rate. The default is 10:1. Use this ratio to adjust for some users not using all of their allotted bandwidth simultaneously under normal circumstances.
5 Enable Bandwidth Management.

Configuring Differentiated Services (DiffServ)

DiffServ settings classify and mark packets to receive specified per-hop forwarding behavior on each node along their path. Sophisticated classification, marking, policing, and shaping operations are implemented at network boundaries or hosts. Network resources are allocated to traffic streams by service provisioning policies that govern how traffic is marked and conditioned upon entry to a differentiated services-capable network, and how that traffic is forwarded within that network. Any DiffServ code points (DSCPs) not recognized are forwarded as if marked for the default behavior, Best Effort (BE).

Note: You can have only DiffServ or Forwarding Priority active at any one time, not both at the same time.

DiffServ sorting is incorrect if Anti-Replay is enabled. Anti-Replay does not acknowledge DiffServ and has its own methods of discarding packets, which adversely affects the DiffServ sorting. You must disable Anti-Replay when using IPsec tunnels over LANs or WANs (the typical usage).

To configure DiffServ:
1 Select QOS > Interfaces and click Configure in the DiffServ Edge section.

2 In the Multi-Field Classifier State field, enable or disable the application of MF Classifiers on this interface.
3 In the Ingress (Inbound) field, select from the list the MF Classifier that you want to apply when packets are coming into this interface.
4 In the Egress (Outbound) field, select from the list the MF Classifier that you want to apply when packets are going out this interface.
5 In the Traffic Conditioning State field, enable or disable traffic conditioning on this interface. Traffic conditioning drops and remarks a traffic stream to shape it into compliance with a traffic metering profile. For Expedited Forwarding (EF) and Assured Forwarding 1—Assured Forwarding 4 (AF1-AF4), you can configure a Traffic Conditioning Meter (in bps).
• For EF, traffic above the rate is dropped. Traffic below the rate is forwarded.
• For AF1—AF4, any packets under the rate are marked as low drop precedence. Any packets under two times the configured rate are marked as medium drop precedence. Any packets above two times the configured rate are marked as high drop precedence. Also, the rate is an average rate, although at times traffic can burst as much as twice the configured rate.
6 Enter a value, in bps, for the Expedited Forwarding (EF) Rates field. Nonconforming traffic is dropped.
7 Enter values, in bps, for the Assured Forwarding Rate fields (AF4—AF1). For Egress (Outbound) traffic conditioning, configure the Excess Action field for each AF rate to either drop traffic exceeding the configured rate or to mark the traffic.
Note: Enter values for EF and AF1—AF4 greater than 512 bps. Traffic conditioning does not work with configured rates smaller than 512 bps or with packets smaller than 64 bytes.
8 Enter a value, in bps, for Expedited Forwarding Shaping Rate. Shaping delays the packets in a stream to conform to a defined traffic profile (the EF Shaping value). Nonconforming traffic is delayed, not dropped.
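The following is an added example (not Nortel code) that implements the marking rule shared by the bandwidth management section (committed rate, excess rate, excess action Mark or Drop) and by AF traffic conditioning above (under the rate: low drop precedence; under twice the rate: medium; above twice the rate: high, or dropped). It is a two-rate meter; the token-bucket mechanics, the bucket depths, and the constructed packet burst are assumptions, while the AFxy code points are the standard RFC 2597 values.

```python
"""Two-rate meter with drop-precedence marking.

Added example, not Nortel code. It implements the rule the manual states for
bandwidth management and AF traffic conditioning: packets within the committed
rate get low drop precedence, packets between the committed and excess rate
get medium (higher) drop precedence, and packets above the excess rate are
marked high drop precedence or dropped, depending on the excess action. For
AF conditioning the excess rate is twice the configured rate. Bucket depths
are assumptions; the AF code points are the RFC 2597 values.
"""

# RFC 2597 AF code points: AFxy where y is the drop precedence (1 low .. 3 high).
AF_DSCP = {
    "AF1": (10, 12, 14), "AF2": (18, 20, 22),
    "AF3": (26, 28, 30), "AF4": (34, 36, 38),
}


class TwoRateMeter:
    def __init__(self, committed_bps, excess_bps, excess_action="mark",
                 burst_bytes=1500):
        assert excess_bps >= committed_bps and excess_action in ("mark", "drop")
        self.cir = committed_bps / 8.0           # bytes per second
        self.pir = excess_bps / 8.0
        self.excess_action = excess_action
        self.c_burst = float(burst_bytes)        # assumed committed bucket depth
        self.p_burst = 2.0 * burst_bytes         # assumed excess bucket depth
        self.c_tokens, self.p_tokens = self.c_burst, self.p_burst
        self.last = 0.0

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.c_tokens = min(self.c_burst, self.c_tokens + self.cir * dt)
        self.p_tokens = min(self.p_burst, self.p_tokens + self.pir * dt)

    def meter(self, size, now):
        """Return 'low', 'medium' or 'high' (drop precedence), or 'drop'."""
        self._refill(now)
        if self.p_tokens < size:                 # above the excess rate
            return "high" if self.excess_action == "mark" else "drop"
        self.p_tokens -= size
        if self.c_tokens < size:                 # between committed and excess
            return "medium"
        self.c_tokens -= size
        return "low"


def condition_af(af_class, rate_bps, packets, excess_action="mark"):
    """Apply AF traffic conditioning to a list of (time_s, size_bytes) packets.

    Returns a list of (result, dscp); dscp is None for a dropped packet.
    """
    meter = TwoRateMeter(rate_bps, 2 * rate_bps, excess_action)
    low, med, high = AF_DSCP[af_class]
    to_dscp = {"low": low, "medium": med, "high": high}
    return [(r, to_dscp.get(r)) for r in
            (meter.meter(size, t) for t, size in packets)]


def demo():
    # Constructed burst: four 1000-byte packets at t=0 against a 16 kbit/s AF1
    # rate (2000 B/s committed, 4000 B/s excess, 1500/3000-byte buckets), then
    # one packet after a 1 s pause during which both buckets refill.
    pkts = [(0.0, 1000)] * 4 + [(1.0, 1000)]
    return condition_af("AF1", 16_000, pkts)
```

With the excess action set to "drop", the fourth packet of the demo burst is discarded instead of being marked AF13, which is the behaviour the Excess Action field selects for each AF rate on egress.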

Using forwarding priority

You use forwarding priority quality of service to assign each user to one of four priority classes. Each class is guaranteed different maximum forwarding times between the interfaces of the VPN Router. The technology that supports forwarding priority is called weighted fair queuing with random early detection (RED). This queuing mechanism gives each of the four user classes (from 1—high to 4—low) a different weight in the amount of service time they receive by the packet-forwarding process. Each class, however, is guaranteed some level of service so that no traffic through the VPN Router is ever completely stalled.

It is important to assign users to the four different class levels to make sure they get the proper service and performance, especially during heavily congested times. For example, high-priority traffic generated by the company CEO is protected from high-bandwidth traffic generated by lower-priority users. Or, you can assign the sales team to Priority 1 to make sure they can always place orders, especially during the quarter-end rush.

If a group profile has a forwarding priority of 1 (highest), it has the highest possible bandwidth guarantee and the lowest level of latency. Packets sent by this group are transmitted immediately even if there is heavy traffic on the VPN Router. Conversely, if a group profile has a forwarding priority of 4 (lowest), it has the least amount of bandwidth allocated and possibly the highest level of latency. Therefore, if traffic on the VPN Router is heavy, fewer packets sent by this group are transmitted when there are higher-level priority packets in the queue.

To illustrate how the Forwarding priority works, the example in Table 4 assumes heavy traffic and a queue of packets. Packets are transmitted according to the approximate rates per pass that are cited in the table.

Table 4 Bandwidth allocation per priority level
Priority 1    60% pass
Priority 2    25% pass
Priority 3    10% pass
Priority 4    5% pass

Of the total packets transmitted in a hypothetical pass, 60 percent come from the Priority 1 queue, 25 percent from the Priority 2 queue, 10 percent from the Priority 3 queue, and 5 percent from the Priority 4 queue.

QoS is only effective when all associated lines are capable of servicing the forwarding demands at the required speeds.
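The following is an added example (not Nortel code) of a weighted scheduler over the four priority queues using the per-pass shares of Table 4. It shows the two properties the text states: under sustained load each class receives its weighted share, and the lowest class is still served rather than starved. The scheduler is a smooth weighted round robin chosen for this illustration; the VPN Router's actual weighted fair queuing and its RED component are not modelled.

```python
"""Weighted scheduling across the four forwarding-priority classes.

Added example, not Nortel code. The per-pass shares (60/25/10/5 percent) are
Table 4's figures; the smooth weighted round robin below is the editor's
choice of scheduler and does not model the VPN Router's RED behaviour.
"""
from collections import deque

# Table 4: approximate share of each pass per priority class.
PASS_SHARE = {1: 60, 2: 25, 3: 10, 4: 5}


class ForwardingPriorityScheduler:
    def __init__(self, weights=PASS_SHARE):
        self.weights = dict(weights)
        self.queues = {p: deque() for p in weights}
        self.credit = {p: 0 for p in weights}

    def enqueue(self, priority, packet):
        self.queues[priority].append(packet)

    def dequeue(self):
        """Pick the next packet: smooth weighted round robin over the queues
        that currently hold packets (an empty class's share goes to the others)."""
        active = [p for p, q in self.queues.items() if q]
        if not active:
            return None
        for p in active:
            self.credit[p] += self.weights[p]
        chosen = max(active, key=lambda p: (self.credit[p], -p))
        self.credit[chosen] -= sum(self.weights[p] for p in active)
        return self.queues[chosen].popleft()


def _backlogged_scheduler(backlog_per_class):
    sched = ForwardingPriorityScheduler()
    for p in PASS_SHARE:
        for i in range(backlog_per_class):
            sched.enqueue(p, (p, i))
    return sched


def transmit_share(backlog_per_class=1000, picks=1000):
    """With every class backlogged, return the percentage of transmitted
    packets that came from each class."""
    sched = _backlogged_scheduler(backlog_per_class)
    sent = {p: 0 for p in PASS_SHARE}
    for _ in range(picks):
        sent[sched.dequeue()[0]] += 1
    return {p: 100 * n / picks for p, n in sent.items()}


def first_service_of(priority, backlog_per_class=100):
    """Number of transmissions before `priority` first gets a packet through
    with all classes backlogged: shows the lowest class is not starved."""
    sched = _backlogged_scheduler(backlog_per_class)
    for n in range(1, 4 * backlog_per_class + 1):
        if sched.dequeue()[0] == priority:
            return n
    return None
```

Because the weights sum to 100, each cycle of 100 transmissions sends exactly 60, 25, 10 and 5 packets from the four classes while all are backlogged, and a Priority 4 packet is transmitted within the first few dozen picks rather than waiting for the higher queues to drain.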

Using call admission priority

You use call admission priority quality of service to assign each user group profile to one of four priority classes (from 1—high to 4—low) for call admission. Since the VPN Router supports a maximum number of sessions, it is important to assign users to the proper call admission priority classes. The VPN Router reserves connections for each class of user, guaranteeing that a large number of low-priority users do not lock out the high-priority users. This ensures that connections are available to the appropriate users when there is heavy traffic. The VPN Router does not accept further low-priority connections when it is servicing the maximum number of low-priority sessions. Although other callers are permitted access to the VPN Router, this access is proportional to the assigned priority level for their group. Once a connection is accepted, it is never dropped, regardless of the assigned call admission priority.

Table 5 shows the connections available for each priority based on a percentage of the total capacity, assuming a hypothetical maximum of 2000 sessions.

Table 5 Call admission priority
Capacity       Priority      Available connections
0 to 50%       All           1000
51 to 75%      1, 2, 3       500
76 to 90%      1, 2          300
91 to 100%     1             200

By default, any call is admitted access for the first 50 percent of connections. The next 25 percent of calls guarantee access to only Priority 1, 2, and 3 callers. The next 15 percent of calls guarantee access to only Priority 1 and 2 callers. For the final 10 percent of calls, only Priority 1 callers are guaranteed access.

Table 6 shows the maximum number of connections available for each priority.

Table 6 Maximum connections per priority
Priority    Connections
1           2000
2           1800
3           1500
4           1000

Using RSVP

The VPN Router supports Resource ReSerVation protocol (RSVP) quality of service for the Internet. Successful external network-level quality of service requires the cooperation of all the devices on the network (between the user and either the access point to the private network or the ultimate destination host). Currently, RSVP is the best-defined technology for resource reservation. However, only a few service providers offer a service that uses RSVP.

The VPN Router signals to the other devices on the public network and describes the level of bandwidth that it needs to ensure adequate performance. This amount of bandwidth is determined by both the data rate that the user has to the Internet, and by the data rate of the link between the Internet and the VPN Router.

The two key components of RSVP are:
• PATH messages, which are constant announcements by the host system or the VPN Router that a certain amount of bandwidth must be kept available.
• RESV messages, which are responses from the client that it wants to reserve the requested bandwidth.

If the client responds to the PATH messages with RESV messages, then RSVP-ready routers attempt the resource reservation. These routers actually reserve the resources requested if they are RSVP-compliant.
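The following is an added example (not Nortel code) of the admission decision behind Tables 5 and 6: each priority class may fill the session table only up to its capacity band, so the per-class maximums in Table 6 follow directly from the bands in Table 5 for the hypothetical 2000-session maximum. The function names, the flood simulation, and the representation of the bands as fractions are the editor's.

```python
"""Call admission priority check for a VPN Router with a hypothetical
maximum of 2000 sessions.

Added example, not Nortel code. The thresholds are Table 5's capacity bands
(any caller up to 50 percent, priorities 1-3 up to 75 percent, priorities
1-2 up to 90 percent, priority 1 only above that); the per-priority maximums
they yield are Table 6's. Function names and the flood simulation are the
editor's.
"""

MAX_SESSIONS = 2000   # hypothetical maximum used by Tables 5 and 6

# Fraction of total capacity a class may fill: beyond this the class is refused.
CAPACITY_LIMIT = {1: 1.00, 2: 0.90, 3: 0.75, 4: 0.50}


def max_connections(priority, max_sessions=MAX_SESSIONS):
    """Table 6: maximum number of connections available to a priority class."""
    return round(max_sessions * CAPACITY_LIMIT[priority])


def admit(priority, active_sessions, max_sessions=MAX_SESSIONS):
    """Return True if a new call of this priority is accepted given the number
    of sessions already active. An accepted call is never dropped later, so
    priority only affects the admission decision, not established sessions."""
    if active_sessions >= max_sessions:
        return False
    return active_sessions < max_connections(priority, max_sessions)


def simulate_low_priority_flood(flood, then_priority=1):
    """Offer `flood` priority-4 calls and then one call of `then_priority`;
    returns (low_priority_calls_admitted, later_call_admitted)."""
    active = 0
    for _ in range(flood):
        if admit(4, active):
            active += 1
    return active, admit(then_priority, active)
```

The flood simulation is the property the text promises: however many Priority 4 callers arrive, they occupy at most the first 50 percent of the table, and a Priority 1 caller arriving afterwards is still admitted.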

DSCP to 802.1p mapping

802.1p is a specification for prioritizing network traffic at the data link layer. 802.1p utilizes the User Priority field of the 802.1Q header. This priority extension tags Ethernet frames with 1 of 8 different classes of service to provide service differentiation at the Ethernet layer.

Differentiated Services (DiffServ) provides Quality of Service (QoS) at the IP level by redefining the 8-bit Type of Service field of the IPv4 header as a Differentiated Services (DS) field. Differentiated Services Code Point (DSCP) uses six bits of the DS field to select the Per Hop Behavior (PHB) a packet experiences at each node. DSCP identifies the priority of service a packet receives in the network.

The 802.1p tag often does not remain with the packet as it travels from source to destination. However, the DSCP marker in an IP header does remain with the packet. Although some Ethernet switches cannot interpret the DSCP, they can interpret the 802.1p tag. By providing a consistent mapping between DSCP and 802.1p, Ethernet networks achieve the required end-to-end QoS behavior.

802.1p mapping allows the VPN Router to tag frames for prioritization over public and private physical interfaces. It supports mapping DiffServ code point (DSCP) to 802.1p marking on ingress to or egress from the VPN Router and can separately enable or disable 802.1p to DSCP mapping on ingress or egress. The DSCP to 802.1p and 802.1p to DSCP mappings are static and are set according to the Nortel standard. When a packet is transmitted, the DSCP value of the inner header is copied to the outer IP header.

In Figure 49, the layer 2 switches are DSCP-unaware and the layer 3 switch and router are DSCP-aware. If a packet traveling from the layer 2 switch to the router has the 802.1p tag as it enters the layer 3 switch, the layer 3 switch performs an 802.1p to DSCP mapping and forwards the packet to the router. When the router sends a packet back to one of the DSCP-unaware switches, the layer 3 switch performs a DSCP to 802.1p mapping and forwards the packet to the layer 2 switch.

Figure 49 Example 802.1p to DSCP mapping

When mappings are enabled and an incoming packet with 802.1p marking is received, the VPN Router uses the default 802.1p to DSCP mappings shown in Table 7.

Table 7 Default incoming 802.1p mappings
802.1p user priority    Maps to DSCP
7                       CS7
6                       EF
5                       AF41
4                       AF31
3                       AF21
2                       AF11
1                       DF
0                       DF

When mappings are enabled and an outgoing packet is sent out, the VPN Router uses the default DSCP to 802.1p mappings shown in Table 8.

Table 8 Default outgoing 802.1p mappings
DSCP                              Maps to 802.1p user priority
CS7                               7
CS6                               7
EF, CS5                           6
AF41, AF42, AF43, CS4             5
AF31, AF32, AF33, CS3             4
AF21, AF22, AF23, CS2             3
AF11, AF12, AF13, CS1             2
DF, CS0, all undefined DSCPs      0

When mappings are disabled, the 802.1p tag value is ignored and normal multi-field classifier (MFC) action is applied to all packets.

To configure DSCP to 802.1p mapping:
1 Select QoS > Interfaces.
2 From the Current Interface list, select the interface you want the mappings applied to.
3 Click Display to display the selected interface (Fast Ethernet is displayed by default).
4 In the DSCP 802.1p Mapping section, click Configure.
5 On the DSCP 802.1p Mapping window, select either Custom or Standard for the Egress (outbound) and for Ingress (inbound). See Table 7 on page 141 and Table 8 on page 142.
6 If Custom setting is selected, click configure custom mappings.
7 Configure the DSCP Class to 802.1p precedence mapping and the 802.1p precedence to DSCP mapping sections.
8 Click OK.
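The following is an added example (not Nortel code) that applies the default mappings of Tables 7 and 8 to the actual header fields: the three-bit user priority (PCP) in the 802.1Q tag control information and the six-bit DSCP in the IPv4 DS field. The two mapping tables are taken from the page; the DSCP names are resolved to their standard code points (RFC 2474 class selectors and default, RFC 2597 AF, RFC 3246 EF), and the function names and packet representation are the editor's.

```python
"""Default 802.1p <-> DSCP mappings (Tables 7 and 8) applied to header fields.

Added example, not Nortel code. The mapping tables are from the manual; DSCP
names are resolved to their standard six-bit code points so that the bits
written to the IPv4 DS field and the 802.1Q TCI can be shown. Function names
and the header representation are the editor's.
"""

# Standard DSCP code points by PHB name.
DSCP_VALUE = {"DF": 0, "CS0": 0, "CS1": 8, "CS2": 16, "CS3": 24, "CS4": 32,
              "CS5": 40, "CS6": 48, "CS7": 56, "EF": 46}
for _cls in range(1, 5):
    for _dp in range(1, 4):
        DSCP_VALUE[f"AF{_cls}{_dp}"] = 8 * _cls + 2 * _dp      # RFC 2597
DSCP_NAME = {v: k for k, v in DSCP_VALUE.items() if k != "CS0"}

# Table 7: incoming 802.1p user priority -> DSCP.
PCP_TO_DSCP = {7: "CS7", 6: "EF", 5: "AF41", 4: "AF31", 3: "AF21", 2: "AF11",
               1: "DF", 0: "DF"}

# Table 8: outgoing DSCP -> 802.1p user priority (undefined DSCPs map to 0).
DSCP_TO_PCP = {"CS7": 7, "CS6": 7, "EF": 6, "CS5": 6, "DF": 0, "CS0": 0}
for _cls, _pcp in ((4, 5), (3, 4), (2, 3), (1, 2)):
    DSCP_TO_PCP[f"CS{_cls}"] = _pcp
    for _dp in range(1, 4):
        DSCP_TO_PCP[f"AF{_cls}{_dp}"] = _pcp


def ingress_pcp_to_dscp(tci):
    """Ingress with mappings enabled: derive the DS byte from the 802.1Q TCI.

    The PCP is the top three bits of the 16-bit TCI; the DSCP occupies the top
    six bits of the DS byte (the two ECN bits are left clear here).
    """
    pcp = (tci >> 13) & 0x7
    return DSCP_VALUE[PCP_TO_DSCP[pcp]] << 2


def egress_dscp_to_pcp(ds_byte, vlan_id=0):
    """Egress with mappings enabled: build the TCI for the frame from the DS byte.
    A DSCP that is not in Table 8 gets user priority 0."""
    dscp = ds_byte >> 2
    pcp = DSCP_TO_PCP.get(DSCP_NAME.get(dscp, ""), 0)
    return (pcp << 13) | (vlan_id & 0xFFF)


def round_trip(pcp):
    """User priority after 802.1p -> DSCP on ingress and DSCP -> 802.1p on egress."""
    return egress_dscp_to_pcp(ingress_pcp_to_dscp(pcp << 13)) >> 13
```

The round trip is identity for priorities 2 through 7 but collapses 1 to 0, because Table 7 maps both to DF; that is worth knowing before relying on user priority 1 to carry a distinct class across the VPN Router.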
