Nortel VPN Router Configuration — Firewalls, Filters, NAT, and QoS
Version 7.00
Part No. NN46110-601 315896-F Rev 01
February 2007
Document status: Standard
600 Technology Park Drive, Billerica, MA 01821-4130

Copyright © 2007 Nortel Networks. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks
Nortel Networks, the Nortel Networks logo, and Nortel VPN Router are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. Cisco and Cisco Systems are trademarks of Cisco Systems, Inc. Entrust and Entrust Authority are trademarks of Entrust Technologies, Incorporated. Java and Solaris are trademarks of Sun Microsystems. Linux and Linux FreeS/WAN are trademarks of Linus Torvalds. Microsoft, Windows, Windows NT, and MS-DOS are trademarks of Microsoft Corporation. Netscape, Netscape Communicator, Netscape Navigator, and Netscape Directory Server are trademarks of Netscape Communications Corporation. SPARC is a trademark of Sparc International, Inc. All other trademarks and registered trademarks are the property of their respective owners. The asterisk after a name denotes a trademarked item.

Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software. 1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. 
Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software. 2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply. 3. Limitation of Remedies. 
IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply. 4. General a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction. c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations. d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose. e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

Contents

Preface
    Before you begin
    Text conventions
    Acronyms
    Related publications
    Hard-copy technical manuals
    How to get help
    Finding the latest updates on the Nortel Web site
    Getting help from the Nortel Web site
    Getting help over the phone from a Nortel Solutions Center
    Getting help from a specialist by using an Express Routing Code
    Getting help through a Nortel distributor or reseller

New in this release
    Feature
    Firewall Virtual ALG

Chapter 1 Overview of firewalls, filters and NAT
    VPN Router Stateful Firewall concepts
    Stateful inspection
    Interfaces
    Filter rules
    Anti-spoofing
    Attack detection rules
    Filters for access control
    Network address translation

Chapter 2 Configuring the VPN Router Stateful Firewall
    Configuring prerequisites
    Installing Java 2 software
    Using Internet Explorer
    Using Netscape
    Using Netscape 6
    Using Netscape on Solaris
    Enabling firewall options
    Rule enforcement
    Selecting logging options
    Application-specific logging
    Remote system logging
    Configuring anti-spoofing
    Configuring malicious scan detection
    Setting up policies
    Creating and editing firewall policies
    Adding a policy
    Creating policies
    Deleting an existing policy
    Renaming an existing policy
    Copying an existing policy
    Navigating rules
    Implied rules
    Override rules
    Interface-specific rules
    Default rules
    Creating rules
    Rule columns
    Row menu
    Cell menus
    Header row menu
    Creating a new policy
    Verifying the configuration
    Configuring a sample security policy
    Firewall deployment examples
    Residential firewall example
    Business firewall example

Chapter 3 Configuring filters
    Configuring Allow Management Traffic
    Adding and editing filters
    Configuring next hop traffic filters

Chapter 4 Configuring NAT
    Address translations
    Dynamic many-to-one—port translation
    Dynamic many-to-many—pooled translation
    Static one-to-one translation
    Port forwarding
    Double NAT
    IPsec-aware NAT
    NAT modes
    Full Cone NAT
    Restricted Cone NAT
    Port restricted Cone NAT
    Symmetric NAT
    NAT traversal
    NAT and VoIP
    Network address port translation (NAPT)
    Address/Port discovery
    Configuring Cone NAT
    NAT Usage
    Branch office tunnel NAT
    Interface NAT
    Dynamic routing protocols
    Configuring NAT policy
    NAT policy sets
    Creating rules
    Creating a new policy
    Adding a policy
    Deleting an existing policy
    Renaming an existing policy
    Copying an existing policy
    Sample NAT procedures
    Interface NAT with RIP
    Interface NAT with OSPF
    Branch Office NAT with RIP
    Branch Office NAT with OSPF
    Sample branch office NAT configuration
    Configuring NAT with the VPN Router Stateful Firewall
    Application level gateways (ALG)
    NAT ALG for SIP
    Configuring NAT ALG for SIP
    Firewall SIP ALG
    Configuring Firewall Virtual ALG
    Hairpinning
    Hairpinning with SIP
    Hairpinning with a UNIStim call server
    Hairpinning with a STUN server
    Hairpinning requirements
    Enabling hairpinning
    Time-outs
    NAT statistics
    Proxy ARP

Chapter 5 Configuring firewall user authentication

Chapter 6 Configuring QoS
    Configuring classifiers
    Configuring Interface shaping
    Configuring bandwidth management
    Configuring Differentiated Services (DiffServ)
    Using forwarding priority
    Using call admission priority
    Using RSVP
    DSCP to 802.1p mapping

Index

Figures
    Security Warning window
    Download Java Runtime window
    Syslog forwarding window
    Anti-Spoofing configuration window
    Scan Detection configuration window
    Select Policy window
    Implied rules
    Override rules
    Interface-specific rules (Source rules)
    Interface-specific rules (Destination rules)
    Default rules
    Network Object Selection window
    Network object edit window
    Service Object Selection window
    Example of a basic residential firewall
    Business firewall
    Adding a filter
    Editing a filter
    Nexthop filter action
    Port translation
    Dynamic pooled address translation
    Static address translation
    Port forwarding example
    Double NAT
    IPsec-aware NAT example
    Full Cone NAT
    Restricted Cone NAT
    Port Restricted Cone NAT
    Symmetric NAT
    STUN
    Restricted Cone NAT — NAPT
    Firewall/NAT window
    Firewall/NAT Edit window
    Overlapping address translation
    Interface NAT
    NAT with dynamic routing example
    NAT configuration example
    NAT and SIP
    SIP enabled
    Enabling or disabling Firewall Virtual ALG
    Virtual ALG
    Adding a server to the Virtual ALG
    Hairpinning with SIP
    Intra-realm call with hairpinning
    NAT Hairpinning
    Proxy ARP example
    FWUA example
    FWUA configuration
    Example 802.1p to DSCP mapping

Tables
    Filter rule with next hop
    NAT entries
    Servers and corresponding configuration windows
    Bandwidth allocation per priority level
    Call admission priority
    Maximum connections per priority
    Default incoming 802.1p mappings
    Default outgoing 802.1p mappings

Preface

This guide describes overview and configuration information for the Nortel VPN Router Stateful Firewall and VPN Router filters.

Before you begin

This guide is for network managers who are responsible for setting up and configuring the VPN Router. This guide assumes that you have experience with windowing systems or graphical user interfaces (GUI) and familiarity with network management.

Text conventions

This guide uses the following text conventions:

• angle brackets (< >): Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12.
• bold Courier text: Indicates command names and options and text that you need to enter. Example: Use the show health command. Example: Enter terminal paging {off | on}.
• braces ({ }): Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.
• brackets ([ ]): Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ntp [associations], you can enter either show ntp or show ntp associations. Example: If the command syntax is default rsvp [token-bucket {depth | rate}], you can enter default rsvp, default rsvp token-bucket depth, or default rsvp token-bucket rate.
• ellipsis points (. . . ): Indicate that you repeat the last element of the command as needed. Example: If the command syntax is more diskn:<directory>/...<file_name>, you enter more and the fully qualified name of the file.
• italic text: Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is ping <ip_address>, ip_address is one variable and you substitute one value for it.
• plain Courier text: Indicates system output, for example, prompts and system messages. Example: File not found.
• separator ( > ): Shows menu paths. Example: Choose Status > Health Check.
• vertical line ( | ): Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.

Acronyms

This guide uses the following acronyms:

ACK: acknowledgement
ALG: application level gateway
BCM: business communications manager
FTP: File Transfer Protocol
FWUA: firewall user authentication
H.323: ITU-T specification for multimedia over IP networks of non-guaranteed QOS
JRE: Java Runtime Environment
LAN: local area network
MCS: multimedia communications server
NAPT: network address port translation
NAT: network address translation
PAT: public address table
RTCP: RTP control protocol
RTP: Real Time Transport Protocol
SDP: Session Description Protocol
SIP: Session Initiation Protocol
STUN: simple traversal of UDP through NAT
TCP: Transmission Control Protocol
TPS: terminal proxy server
UATM: User Authentication Table Manager
UDP: User Datagram Protocol
UNIStim: unified networks IP stimulus protocol
VOIP: voice over IP
VPN: virtual private networks
WAN: wide area network

Related publications

For more information about the Nortel VPN Router, refer to the following publications:

• Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
• Nortel VPN Router Configuration—Basic Features (NN46110-500) introduces the product and provides information about initial setup and configuration.
• Nortel VPN Router Configuration—SSL VPN Services (NN46110-501) provides instructions for configuring services on the SSL VPN Module 1000, including authentication, networks, user groups, and portal links.
• Nortel VPN Router Configuration—Advanced Features (NN46110-502) provides instructions for configuring advanced LAN and WAN settings, PPP, frame relay, PPPoE, ADSL and ATM, T1CSU/DSU, dial services and demand services, DLSw, IPX, and SSL VPN.
• Nortel VPN Router Configuration—Tunneling Protocols (NN46110-503) provides configuration information for the tunneling protocols IPsec, L2TP, PPTP, and L2F.
• Nortel VPN Router Security—Servers, Authentication, and Certificates (NN46110-600) provides instructions for configuring authentication services and digital certificates.
• Nortel VPN Router Configuration—Routing (NN46110-504) provides instructions for configuring BGP, RIP, OSPF, and VRRP, as well as instructions for configuring ECMP, routing policy services, and client address redistribution (CAR).
• Nortel VPN Router Using the Command Line Interface (NN46110-507) provides syntax, descriptions, and examples for the commands that you can use from the command line interface.
• Nortel VPN Router Configuration—TunnelGuard (NN46110-307) provides information about configuring and using the TunnelGuard feature.
• Nortel VPN Router Troubleshooting (NN46110-602) provides information about system administrator tasks such as backup and recovery, file management, and upgrading software, and instructions for monitoring VPN Router status and performance. Also, provides troubleshooting information and interoperability considerations.

Hard-copy technical manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation, find the product for which you need documentation, then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Web site at www.adobe.com to download a free copy of the Adobe Reader.

How to get help

This section explains how to get help for Nortel products and services.

Finding the latest updates on the Nortel Web site

The content of this documentation was current at the time the product was released. To check for updates to the latest documentation and software for the VPN Router, click one of the following links:

• Latest software: Takes you directly to the Nortel page for VPN Router software located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=SOFTWARE&resetFilter=1&poid=12325
• Latest documentation: Nortel page for VPN Router documentation located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=DOCUMENTATION&resetFilter=1&poid=12325

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support

This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can:

• download software, documentation, and product bulletins
• search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
• sign up for automatic notification of new software and documentation for Nortel equipment
• open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support Web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center. In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following web site to obtain the phone number for your region: www.nortel.com/callus

Getting help from a specialist by using an Express Routing Code

To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

New in this release

The following section details what is new in Nortel VPN Router Security — Firewalls, Filters, NAT, and QoS for Release 7.0.

Feature

See the following section for information about feature changes:

Firewall Virtual ALG

A Virtual ALG is a syntax-independent application level gateway (ALG) for firewall traversal that works for both encrypted and nonencrypted UNIStim signaling, which is a Voice over Internet Protocol (VoIP). A Virtual ALG works only with UNIStim signaling.

Virtual ALG is based on a trust model that assumes that the phone authenticates itself with the call server, and that continuous detection of signaling traffic between the phone and the call server allows media to or from the phone to traverse the firewall. The controlling entity does not acknowledge any requests from unauthorized devices. Continuous communication implies that the call server trusts the endpoint and that the call server would not communicate constantly with the endpoint device if the endpoint device was not authorized to send media through the firewall.

For more information about Virtual ALG, see “Configuring Firewall Virtual ALG” on page 111.

Chapter 1 Overview of firewalls, filters and NAT

The VPN Router designs integrated firewall solutions to meet the needs of a variety of customers. The VPN Router provides the following firewall solutions:

• VPN Router Stateful Firewall
• VPN Router Interface Filters

With the VPN Router Stateful Firewall, the VPN Router performs a variety of secure routing functions, depending on how you set up the routing capabilities. For example, you can configure the VPN Router to securely route non-tunneled traffic from its private interface, through the firewall, and out its public interface. With this configuration, users on the VPN Router’s private network can access the Internet without requiring a separate, dedicated router.

The VPN Router Stateful Firewall provides a high level of security, the fastest runtime, and the flexibility to define the rules to fit your environment. The Stateful Firewall delivers full firewall capabilities, assuring the highest level of network security. The VPN Router Stateful Firewall achieves optimum performance as a result of advanced memory management techniques and optimized packet inspection. To do this, the Stateful Firewall examines both incoming and outgoing packets and compares them to a common security policy. Security rules do not filter packets directly; the Stateful Firewall services decide how to process the packets based on the defined security policy. All service rules are interpreted based on IP conversations (not packets) and are fully stateful.

The VPN Router interface filters provide a cost-effective level of protection. You can disable the interface filters only when the VPN Router Stateful Firewall is enabled.

Because no routing protocols (such as RIP) run on untrusted interfaces, the IP public address table (PAT) provides the routing information to route packets to the appropriate trusted interfaces. When you disable the firewall, PAT applies only to packets received on a public interface. The IP PAT limits unauthorized sources. PAT has a list of trusted sources that includes the remote client or branch office tunnel end point and the remote Radius/CMP/CRL server address (if on the public side). PAT does not limit the packets from any of those trusted sources. For packets coming from any address that is not in the trusted source list, PAT applies a rate limit (6 packets/10 seconds) based on the source address. PAT is disabled when either the VPN Router Stateful Firewall or VPN Router Interface Filter is enabled, because the latter two provide better policy-based security. The VPN Router Stateful Firewall public address table information is not related to network address translation (NAT) or network address port translation (NAPT), which is often referred to as port address translation.

VPN Router Stateful Firewall concepts

The VPN Router Stateful Firewall provides a secure access point between an internal network and an external network, such as the Internet. The firewall does the following:

• protects your network and the information on your network from unauthorized intrusion from external networks
• provides a line of defense to allow acceptable traffic, as defined by your organization, and to drop all unacceptable traffic before it enters or leaves the network
• monitors packets and sessions and, based on established rules, determines the appropriate actions to take

In addition, you can configure the firewall to log some or all significant events, such as all e-mail transactions, firewall status changes, and system failures. This includes all connections over the network. You can use the logged information to help enhance network security or track unauthorized use.
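The PAT behaviour described above, as an added illustration that is not Nortel code: trusted sources (tunnel end points, public-side RADIUS/CMP/CRL servers) are never limited, and every other source address seen on a public interface is held to 6 packets per 10 seconds. The class name, the sliding-window bookkeeping and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

PAT_LIMIT = 6        # packets allowed per window for an untrusted source
PAT_WINDOW = 10.0    # window length in seconds


class PublicAddressTable:
    """Per-source rate limiter modelled on the PAT trusted-source list.

    Hypothetical class (not the VPN Router's implementation): packets from
    a trusted source are always forwarded; any other source is allowed
    PAT_LIMIT packets in any PAT_WINDOW-second sliding window.
    """

    def __init__(self, trusted_sources):
        self.trusted = set(trusted_sources)
        # timestamps of recently accepted packets, per untrusted source
        self._recent = defaultdict(deque)

    def accept(self, src, now):
        """Return True if a packet from `src` received at time `now` is forwarded."""
        if src in self.trusted:
            return True
        window = self._recent[src]
        # drop timestamps that have aged out of the sliding window
        while window and now - window[0] >= PAT_WINDOW:
            window.popleft()
        if len(window) >= PAT_LIMIT:
            return False          # over the 6-per-10-seconds budget
        window.append(now)
        return True


def run_sample():
    """Constructed traffic: one branch office tunnel end point (trusted) and
    one unknown public host sending a packet every second."""
    pat = PublicAddressTable(trusted_sources={"203.0.113.10"})
    untrusted = [pat.accept("198.51.100.7", t) for t in range(8)]
    # at t=10 the packet accepted at t=0 has aged out, so one more fits
    recovered = pat.accept("198.51.100.7", 10.0)
    trusted = all(pat.accept("203.0.113.10", t) for t in range(30))
    return untrusted, recovered, trusted
```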

Stateful inspection

Some protocols are difficult to securely allow through a firewall using traditional filtering mechanisms. In File Transfer Protocol (FTP), for example, the control connection is typically created using a known port, but the data connection is over a random port. You need stateful inspection to allow an FTP data connection through a firewall without leaving a large number of open ports. Packets are inspected at the application layer to determine the port used by the data connection. Traffic on that port then passes through the firewall for the duration of the FTP session.

Stateful inspection of each application is unique. Stateful inspection validates and allows any nonpredicted ports that an application uses through the firewall. The following applications are inspected:

• FTP
• TFTP
• RCMD
• SQLNET
• VDOLive
• RealAudio

All unique end-to-end communication creates a conversation. For instance, an FTP session between a client and a server can consist of several streams of traffic, with both data and control packets flowing back and forth. All of this traffic is part of the same conversation.

Transport-level state inspection provides a number of ways to make Transmission Control Protocol (TCP) traffic more secure and more difficult for hackers to intercept. Stateful inspection of TCP verifies the consistency of the TCP header and prevents some well-known TCP attacks. TCP sequence numbers are randomized to prevent sequence number guessing.
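An added illustration (not the VPN Router's code) of the FTP stateful inspection described above: the control channel is inspected for the client's PORT command and the server's 227 reply, only the data port learned there is opened, only between the two parties of the conversation, and the opening is released when the session ends. Class and function names and the sample exchange are constructed.

```python
import re

# Control-channel patterns: the active-mode PORT command from the client and
# the 227 reply to PASV from the server, both carrying h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(groups):
    """Decode the six comma-separated FTP numbers into (ip, port)."""
    ip = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return ip, port


class FtpConversation:
    """State for one FTP conversation: the known control connection plus the
    data-connection pinholes learned by inspecting the control channel."""

    def __init__(self, client, server):
        self.client, self.server = client, server
        self.pinholes = set()        # (src_ip, dst_ip, dst_port) tuples
        self.closed = False

    def inspect_control(self, sender, line):
        """Feed one control-channel line; return the pinhole opened, if any."""
        if self.closed:
            return None
        if sender == "client":
            if line.strip().upper() == "QUIT":
                self.closed = True
                self.pinholes.clear()    # session over: release data ports
                return None
            m = PORT_RE.match(line)
            if m:
                ip, port = _endpoint(m.groups())
                if ip != self.client:     # never open a hole to a third host
                    return None
                hole = (self.server, ip, port)   # active mode: server dials client
                self.pinholes.add(hole)
                return hole
        else:
            m = PASV_RE.match(line)
            if m:
                ip, port = _endpoint(m.groups())
                if ip != self.server:
                    return None
                hole = (self.client, ip, port)   # passive mode: client dials server
                self.pinholes.add(hole)
                return hole
        return None

    def allow(self, src, dst, dport):
        """Firewall decision for a packet of this conversation (default deny)."""
        if self.closed:
            return False
        if src == self.client and dst == self.server and dport == 21:
            return True                  # the control connection itself
        return (src, dst, dport) in self.pinholes


def run_sample():
    """Constructed exchange: a passive transfer, a PORT aimed at a third host,
    then QUIT, with the firewall decision recorded at each step."""
    conv = FtpConversation("10.1.1.5", "192.0.2.20")
    out = {"data_before": conv.allow("10.1.1.5", "192.0.2.20", 50131)}
    conv.inspect_control("server", "227 Entering Passive Mode (192,0,2,20,195,211)")
    out["pasv_hole"] = conv.allow("10.1.1.5", "192.0.2.20", 195 * 256 + 211)
    out["bounce_hole"] = conv.inspect_control("client", "PORT 10,1,1,99,4,1")
    out["other_port"] = conv.allow("10.1.1.5", "192.0.2.20", 50124)
    conv.inspect_control("client", "QUIT")
    out["after_quit"] = conv.allow("10.1.1.5", "192.0.2.20", 195 * 256 + 211)
    return out
```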

Interfaces

The VPN Router can have many interfaces, and all VPN Routers have two or more physical interfaces. Each tunnel (end user or branch office) is a virtual interface. You can configure any physical interface as private or public on the System > LAN > Interfaces window. By default, the LAN interface (Slot 0) is private and all other interfaces are public.

The interface on which packets arrive at the VPN Router (the source interface) or the interface on which packets leave the VPN Router (the destination interface) classify the packets. You construct the rules in a policy to either use or ignore this classification. If the rule designates Any as an interface, the rule ignores this classification. If the rule designates an interface or group of interfaces, the rule uses this classification.

Use the following terms to designate an interface for the rules in a policy:

• Any—any physical interface or tunnel
• Trusted—any private physical interface or tunnel
• Untrusted—any public physical interface
• Tunnel:Any—any tunnel
• Interface name—the value of the Description field assigned to the physical interface on the System > LAN (or System > WAN) window. If the description is blank, the interface name defaults to the value of the Interface field on the same page.
• For tunnels, specify either a group name for user tunnels or the specific branch office tunnel for branch office tunnels:
— Tunnel:/base—specify the specific branch office tunnel. For example, /base/mktng/tony refers to branch office tony in group /base/mktng.
— Tunnel:user—specify a group name for user tunnels. For example, /base/engineering refers to all user tunnels in that group.

Filter rules

Filtering uses a set of rules to determine whether to allow a packet through the firewall. Typical options are to accept or drop the packet—these options provide a degree of security for a network.

The rules determine one of the following actions:

• accept the packet
• drop the packet
• reject the packet by sending a reject to the source address
• log the packet locally (you can use this action with any of the previous three actions)

Anti-spoofing

Anti-spoofing prevents a packet from forging its source IP address. Typically, anti-spoofing examines and validates the source address of each packet, preventing denial-of-service as well as nonauthorized intruders. Anti-spoofing performs the following checks:

• source address is not equal to the destination address
• source address is not equal to 0
• source address from an external network is not one of the directly connected networks

Attack detection rules

The firewall can detect common attacks launched against corporate networks. The VPN Router Stateful Firewall provides a defense against denial of service attacks with well-known prevention methods. It also drops any packets resulting from the attack. The VPN Router Stateful Firewall protects against the following types of objects:

• Jolt2 is a fragmentation attack affecting Windows PCs by sending the same fragment repetitively.
• Linux* Blind Spoof attempts to establish a spoofed connection instead of sending the final ACK with the correct sequence number and with no flag set. Linux does not try to verify whether the ACK is set. The firewall drops any packet that does not have the ACK set.
• SYN flood can disable your network services by flooding them with connection requests. This fills the SYN queue, which maintains a list of unestablished incoming connections, forcing it to not accept additional connections.
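The three anti-spoofing checks listed above, as an added illustration that is not the VPN Router's code. The interface table, the interface names and the addresses are constructed; the exemption of the ingress interface's own subnet from the third check is an assumption made here so that directly attached public neighbours are not rejected.

```python
import ipaddress

# Constructed topology (not from the manual): the router's directly connected
# networks keyed by interface name, with each interface's private/public role.
CONNECTED_NETWORKS = {
    "Slot 0 Interface 1": ("private", ipaddress.ip_network("10.1.0.0/16")),
    "Slot 1 Interface 1": ("public", ipaddress.ip_network("203.0.113.0/24")),
}


def anti_spoofing_check(src, dst, ingress):
    """Return (passed, reason) for a packet that arrived on interface `ingress`."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # check 1: source address is not equal to the destination address
    if s == d:
        return False, "source equals destination"
    # check 2: source address is not equal to 0
    if int(s) == 0:
        return False, "source address is 0"
    # check 3: a source arriving from an external (public) interface must not
    # claim an address from one of the directly connected networks; the
    # ingress interface's own subnet is exempted (assumption, see lead-in)
    role, _own_net = CONNECTED_NETWORKS[ingress]
    if role == "public":
        for name, (_, net) in CONNECTED_NETWORKS.items():
            if name != ingress and s in net:
                return False, f"source claims connected network {net}"
    return True, "ok"


def screen(packets):
    """Apply the checks to constructed (src, dst, ingress) tuples; return the
    reasons of the packets that were dropped, in order."""
    return [anti_spoofing_check(*p)[1] for p in packets if not anti_spoofing_check(*p)[0]]
```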

• UDP Bomb sends malformed UDP packets that can crash a remote system.
• Teardrop/Teardrop-2 is a fragmentation attack that sends out invalid fragmented IP packets that trigger a bug in the IP fragment reassembly code of some operating systems. This causes the remote system to either reboot or panic during processing.
• Land attack sends a TCP packet to a running service on the target host with a source address of the same host. The TCP packet is a SYN packet that establishes a new connection and is sent from the same TCP source port as the destination port. When accepted by the target host, this packet causes a loop within the operating system, essentially locking the system.
• Ping of death sends a fragmented packet larger than 65536 bytes, causing the remote system to incorrectly process this packet, which means an attacker does not need a valid account to crash the system.
• ICMP unreachable sends ICMP unreachable packets from a spoofed address to a host, causing the host to stop all legitimate TCP connections to the host that is spoofed in the ICMP packet.
• Data flood sends a large amount of data to a system that is used as a denial of service attack, which exhausts available resources and stops responses to other user requests.
• Smurf sends a large number of ICMP echo (ping) messages to an IP broadcast address with the forged source address of the intended victim. The routing device forwarding traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast, causing most network hosts to take the ICMP echo request and issue a reply to each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there are potentially hundreds of machines to reply to each packet.
• Fraggle sends a large number of UDP echo messages.
• FTP command overflow crashes FTP servers that contain buffer overflows for commands that take arguments. This applies to the user command.

Filters for access control

As you progressively put in place the components of your VPN Router configuration, access control becomes an important security mechanism. You need complete control over which users have access to particular servers and services.

You use filtering to fine-tune access to specific hosts and services. All users have custom filter profiles based on their group profiles that describe the resources they can access on the network. The filters are defined by:

• Protocol ID
• Direction
• Source and destination IP addresses
• Source and destination port
• TCP connection establishment

You create a list of rules for a filter profile to perform precisely the action that you want. These rules are tested in order until the first match is found. Therefore, the order of the rules is very important. The filtering mechanism works such that if no rule matches a packet, the packet is discarded (denied); therefore no traffic is transmitted or received unless it is specifically permitted.

Network address translation

Network address translation (NAT) enables transparent routing between address spaces. When you use NAT in an extranet, multiple private networks can connect dynamically through secure tunnels without requiring any address space reconfiguration. Increasing use of NAT comes from two major factors:

• Shortage of IP addresses—Most Internet service providers (ISPs) allocate only one address to a single customer. This address is dynamic, so a client receives a different address each time they connect to the ISP. Because users receive a single IP address, they can have only one computer connected to the Internet at a time. When NAT runs on this single computer, it is possible to share that single address between multiple local computers and connect them all at the same time. The outside world is unaware of this division and performs all communications as though only a single machine on the local network is accessible.

• Security—NAT automatically provides security without any special set-up because it allows only connections that originate on the private network. It is still possible to make some internal servers available to the outside world by statically mapping internal addresses to externally available ones, thus making services such as FTP available in a controlled way.

In the context of virtual private networks, NAT is necessary to allow multiple intranets with conflicting subnets to communicate. Because you can fix the configuration of branch office or partner networks, a VPN solution must be able to securely route between these networks without requiring all the private addresses to be unique across the entire extranet.
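The filter profile rules described under Filters for access control above (five match fields, first match wins, implicit deny when nothing matches), as an added illustration that is not the VPN Router's code. The rule class, the packet dictionary layout and the sample profile are constructed; it also shows the same two rules in both orders to make the ordering point concrete.

```python
import ipaddress

ANY = None   # wildcard for any rule field


class FilterRule:
    """One rule of a filter profile, matched on protocol, direction, source
    and destination address, source and destination port, and whether the
    packet opens a TCP connection. Hypothetical class, not Nortel code."""

    def __init__(self, action, protocol=ANY, direction=ANY, src=ANY, dst=ANY,
                 sport=ANY, dport=ANY, tcp_establish=ANY):
        self.action = action                       # "permit" or "deny"
        self.protocol = protocol                   # "tcp", "udp", "icmp" or ANY
        self.direction = direction                 # "in", "out" or ANY
        self.src = ipaddress.ip_network(src) if src else ANY
        self.dst = ipaddress.ip_network(dst) if dst else ANY
        self.sport, self.dport = sport, dport
        # True: only packets that open a TCP connection (SYN without ACK);
        # False: only packets of an already established connection; ANY: both
        self.tcp_establish = tcp_establish

    def matches(self, pkt):
        if self.protocol is not ANY and pkt["protocol"] != self.protocol:
            return False
        if self.direction is not ANY and pkt["direction"] != self.direction:
            return False
        if self.src is not ANY and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not ANY and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.sport is not ANY and pkt.get("sport") != self.sport:
            return False
        if self.dport is not ANY and pkt.get("dport") != self.dport:
            return False
        if self.tcp_establish is not ANY:
            flags = pkt.get("flags", set())
            opening = pkt["protocol"] == "tcp" and "SYN" in flags and "ACK" not in flags
            if opening != self.tcp_establish:
                return False
        return True


def filter_packet(rules, pkt):
    """First-match evaluation: (action, rule index), or ("deny", None) when
    no rule matches, which is the implicit discard described in the text."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def demo():
    """Constructed profile: permit outbound web connection setup from a subnet,
    deny one host; evaluated in both orders, plus two non-matching packets."""
    permit_web = FilterRule("permit", protocol="tcp", direction="out",
                            src="10.1.1.0/24", dport=80, tcp_establish=True)
    deny_host = FilterRule("deny", src="10.1.1.5/32")
    syn_to_web = {"protocol": "tcp", "direction": "out", "src": "10.1.1.5",
                  "dst": "192.0.2.80", "sport": 40000, "dport": 80, "flags": {"SYN"}}
    return {
        "permit_first": filter_packet([permit_web, deny_host], syn_to_web),
        "deny_first": filter_packet([deny_host, permit_web], syn_to_web),
        "no_match": filter_packet([permit_web], dict(syn_to_web, dport=22)),
        "reply_segment": filter_packet([permit_web], dict(syn_to_web, flags={"SYN", "ACK"})),
    }
```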


Chapter 2 Configuring the VPN Router Stateful Firewall
To use the firewall on the VPN Router, you must install a license key and enable the firewall service. Without the firewall enabled, the VPN Router forwards the following traffic patterns:

• private physical interface to private physical interface
• private physical interface to user or branch office tunnel
• tunnel to tunnel (user or branch office)

When the firewall is enabled, the VPN Router additionally routes traffic from public to private interfaces.

Note: Shut off all traffic to the VPN Router before you activate the firewall on the Services > Firewall/NAT window. Do this during off hours to prevent inconvenience to the users. You must create rules for tunnel traffic before traffic on existing tunnels is allowed.

The VPN Router Stateful Firewall uses the principle that any traffic not specifically allowed is disallowed. The rule set of the active policy applies to all traffic, including tunneled and non-tunneled traffic. Therefore, when you first enable the VPN Router Stateful Firewall, all traffic is disallowed until you configure rules specifically allowing certain types of traffic.


Configuring prerequisites
Before you set up your VPN Router Stateful Firewall, be sure you have the following information:

• The management IP address of your VPN Router. This address is found on the VPN Router’s System > Identity window.
• The firewall license key. Go to the Admin > Install Keys window and type the key that you obtained from Nortel in the box to the right of VPN Router Stateful Firewall and click Install. It is only necessary to install a key once on each VPN Router. Click Delete to remove the key.
• The name of the firewall, which is the name used by the Domain Name Service (DNS) server to identify the management address of the VPN Router. This name is entered in the DNS Host Name field of the VPN Router System > Identity window.
• The names and IP addresses of your VPN Router’s interfaces. These are found on the Status > Statistics: Interfaces window.

The following system requirements are necessary to access the VPN Router Stateful Firewall Manager:

• Supported operating systems and platforms include Solaris* (OS 2.8 and 2.9) on an x86 or SPARC* platform and Microsoft Windows 2000, or Windows XP.
• Required software includes Java* 2 Plug-in Version 1.4.2_04, available in the Java 2 Runtime Environment Version 1.4.2_04. The J2RE is available for automatic download on a Windows platform for all VPN Routers except the 1010, 1050 and 1100 (refer to the Java 2 Runtime Environment Installation). J2RE installation files for Windows and Solaris are also available on the Nortel CD in the tools/java directory.
• Supported browsers include Internet Explorer 6 and higher and Netscape 7.x, 8.0.x and 8.1.x. Netscape 6 comes with a version of the Java 2 Plug-in that is not supported. If you wish to use Netscape 6, refer to the Netscape section of the Java 2 Runtime Environment Installation.


Installing Java 2 software

To access the VPN Router Stateful Firewall Manager, you must install Java 2 Runtime Environment on the computer that administers the VPN Router. There are two separate procedures to install the Java 2 software, depending on whether you use Internet Explorer or Netscape Navigator to access the VPN Router.

Using Internet Explorer

To install the Java 2 software on Windows 9x, Windows 2000, or Windows NT from Internet Explorer:

1 Connect to the management IP address of the VPN Router and log in.
2 Select Services > Firewall/NAT.
3 Click Manage Policies. A window appears and tries to load the VPN Router Stateful Firewall Manager.
4 When the Security Warning window appears, click Yes to install the Java 2 Runtime Environment (Figure 1).

Figure 1 Security Warning window

The installation program downloads the software from the VPN Router. (This is not available for the 1010, 1050, and 1100 hardware platforms.) It can take several minutes to load, depending on the speed of your connection to the VPN Router.

5 When the installation program displays the Software Licensing Agreement, click Yes to accept the agreement.
6 When the installation program asks for an installation location, accept the default location or choose another installation location.
7 Click Next to finish the installation.
8 When the installation is complete, close all open Web browsers.
9 Reboot the computer for the changes to take effect.

Using Netscape

To install the Java 2 software on Windows 9x, Windows 2000, or Windows NT from Netscape Navigator:

1 Connect to the management IP address of the VPN Router and log in.
2 Select Services > Firewall.
3 Click Manage Policies. A window appears and tries to load the VPN Router Stateful Firewall Manager. The Plug-in Not Loaded box appears. (If this box does not appear, click the white or gray box that appears on the browser window.)
4 Click Get the Plug-in to download the Java 2 Runtime Environment. The Java Plugin Download window appears (Figure 2).

Figure 2 Download Java Runtime window

5 Click the Download now link next to the Windows version of the Java Runtime Environment.
6 When the browser prompts you for a location to save the file, choose a download location and click OK to continue. (This can take several minutes to load, depending on the speed of your connection to the VPN Router.)
7 When the download finishes, go to the download location and double-click the icon for the Java Runtime Environment.
8 When the installation program displays the Software Licensing Agreement, click Yes to accept the agreement.
9 When the installation program asks for an installation location, accept the default location or choose an alternate installation location.
10 Click Next to finish the installation.
11 When the installation is complete, close all open Web browsers.
12 Reboot the computer for the changes to take effect.

Using Netscape 6

Netscape 6 currently includes a version of Java 2 Plug-in that is not supported (Version 1.4.2_04). To successfully load the VPN Router Stateful Firewall Manager, you must use Version 1.4.2_04. The following steps change the default plug-in to Version 1.4.2_04.

1 Install the Java 2 Runtime Environment as described in the previous Netscape section and be sure to restart the computer.
2 Load the Java Plug-in Properties from Start > Settings > Control Panel > Java Plug-in.
3 Click the Advanced tab.
4 Choose JRE V 1.4.2_04 from the list.
5 Click Apply.
6 Close the window.
7 Close all open instances of Netscape.
8 Restart Netscape. The correct plug-in is available.

Using Netscape on Solaris

The Java 2 Runtime Environment for Solaris is available on the Nortel CD. The installation files and instructions are available for x86 and SPARC platforms.

To install the Java 2 software on Solaris (OS 2.8 and 2.9) from Netscape Navigator:

1 Ensure that a version of Netscape is installed on the computer.
2 Close all instances of Netscape if any are open.
3 Go to the tools/java/solaris directory on the Nortel CD.
4 Choose the subdirectory for the installed platform, either intel for x86 or sparc for SPARC.
5 Copy the binary (.bin) and the README files to the computer.
6 Follow the platform-specific installation instructions contained in the README file.
7 Set the NPX_PLUGIN_PATH environment variable to the directory containing the javaplugin.so file. For example, if the J2RE was installed in the /usr/j2re1.4.2_04 directory on a SPARC, the command to set the NPX_PLUGIN_PATH from the C shell is:
setenv NPX_PLUGIN_PATH "/usr/j2re1.4.2_04/plugin/sparc"
8 Start Netscape and then close it.
9 Start Netscape again; the plug-in is now available.

Enabling firewall options

You can select only one firewall choice at any one time. The choices are:

• VPN Router Firewall—enables the VPN Router Stateful Firewall feature. When you enable the VPN Router Firewall, you can run any combination of the following:
— VPN Router Stateful Firewall
— VPN Router Interface Filter
— Interface NAT
— Anti-spoofing
— Malicious Scan Detection
• No Firewall—disables all firewall features on the VPN Router. In this configuration, the VPN Router performs VPN routing only.

After you enable firewall support, you must configure the specified firewall.

To enable the VPN Router firewall:

1 Select Services > Firewall/NAT.
2 Select VPN Router Firewall.
3 Click OK.
4 Confirm your selection.
5 At the prompt, reboot the VPN Router. You must restart the VPN Router before the firewall becomes active.

To enable no Firewall:

1 Select Services > Firewall/NAT.

2 Select No Firewall.
3 Click OK. This disables all firewall features on the VPN Router. In this configuration, the VPN Router performs VPN routing only.

The configuration procedures assume that you configured the VPN Router (except for the firewall component) and that you obtained the required firewall license. You do not need a license for the VPN Router Interface Filter.

To enable the VPN Router Stateful Firewall:

1 Select System > LAN.
2 For each interface, click Configure.
3 Enter a label in the Description field. This name identifies interfaces in the security policy rules. The description is case sensitive and you cannot abbreviate it when specifying the interface in the rules. If you do not specify a description, the default name for the interface is Slot n Interface 1 (n=1 to 6), which represents the physical port interface. You assign an IP address to the LAN. Slot n Interface n represents an optional LAN card in expansion Slot n using Interface n. The available slot numbers are hardware platform specific. For example, you can make Internet the description for Slot 1 Interface 1 and ServiceNet the description for Slot 2 Interface 1.
4 Select Services > Firewall/NAT.
5 Enable VPN Router Stateful Firewall.
6 Click OK and, on the confirmation page, click OK to indicate the reboot.
7 On the system shutdown window, click OK.
8 After the VPN Router reboots, return to Services > Firewall/NAT.
9 Click Manage policies to load the VPN Router Stateful Firewall Manager applet. The first time you do this on any workstation, you must load the Java applet. The message Retrieving policies appears.
10 Select the System Default policy and click View to review this policy, which is read-only. The implied rules are included with every new policy.
11 You can toggle the browser windows between the VPN Router Stateful Firewall Manager applet and the Services > Firewall/NAT window. If you use

your browser to change other settings on the VPN Router while running the VPN Router Stateful Firewall Manager applet, the current VPN Router Stateful Firewall Manager applet does not reflect these changes. Click the Firewall icon in the VPN Router Stateful Firewall Manager applet to refresh the list of policies and other VPN Router settings. Any changes made in the VPN Router Stateful Firewall Manager applet are not evident in the Services > Firewall/NAT window until you save the policy.
12 Click Manager > Exit to exit the VPN Router Stateful Firewall Manager.
13 After you exit the VPN Router Stateful Firewall Manager applet, click Refresh on the Services > Firewall/NAT window.

Note: You cannot import or export new policies. However, there are no restrictions on creating new policies. The new policies you create are not automatically applied to the firewall. Only one policy at a time is in effect on the firewall.

Rule enforcement

ICMP is allowed or disallowed on public and private interfaces. To enable ICMP, you must have a complete three-way handshake prior to the application of data.

Selecting logging options

The following options control the amount of firewall event information recorded in the event log. This information is not saved in the system log.

• All—includes traffic, policy manager, firewall, and NAT
• Traffic—logs when flows and conversations are created or removed
• Policy manager—logs firewall processes and when rules and policies are created
• Firewall—logs how the firewall handles packets within a flow

• NAT—logs NAT-related events
• Debug—creates special log messages intended for use only by Nortel customer support personnel

You edit these options on the VPN Router Firewall > Edit window. You can also set a maximum connection number, which reserves memory for a maximum number of connections. Under the Maximum Connection Number section, enter a number in the indicated range. The range displayed varies depending on the model and amount of memory for your VPN Router. Each IPsec tunnel requires two connections. Nortel recommends that you set the number near the middle of the range displayed unless you have specific requirements to consider. Determining the optimum memory allocation makes it easier to configure your system for firewall traffic. You must reboot the VPN Router if you change the maximum connection number.

Application-specific logging

Firewall-specific logging includes application-specific logging, denial of service attack logging, and the ability to send firewall-specific events to a remote syslog server. The application-specific logs for HyperText Transfer Protocol (HTTP) and FTP contain a unique connection identifier so that events are traced to the start and end of a TCP session. You can configure the firewall rules to enable logging in either brief or detail format for rules with FTP and HTTP service.

Remote system logging

The VPN Router can forward firewall-specific events to a remote syslog server. You can select whether to send all events or only firewall-specific events to the remote syslog server. When you disable the syslog server parameter, the VPN Router sends a message to the syslog that the server is disabled.

To configure remote syslog:

1 Select Services > Firewall/NAT > VPN Router Firewall > Edit.

2 Enable Logging beside each feature you want to configure for the VPN Router Stateful Firewall. The options are:
  • All
  • Traffic
  • Policy Manager
  • Firewall
  • NAT
  • Debug
3 Identify which type of log you require by setting the Implied Rule Log level to one of the following:
  • None
  • Brief
  • Detail
  • Trap
4 Configure a remote syslog server from the Services > Syslog window. (Figure 3)

Figure 3 Syslog forwarding window

5 Insert a Hostname or IP address.
6 Select All for Filter Level.
7 Select Security for the Entity.
8 Select Firewall for the Subentity.
9 Select KERN for the Tagged Facility.
10 Select 514 (default) for the UDP port.

11 Click Enabled.
12 Click OK.
13 Start syslog on the remote syslog system.
14 To verify that firewall-specific events appear on the remote syslog system, send traffic through the VPN Router that generates firewall events.

Configuring anti-spoofing

To configure anti-spoofing:

1 Select Firewall/NAT.
2 Select Anti-spoofing.
3 Click Edit. The Anti-Spoofing window appears. (Figure 4)

Figure 4 Anti-Spoofing configuration window

4 Select the public interface on which you want to enable anti-spoofing.
5 Click OK.

Configuring malicious scan detection

Scan detection detects port scanning attempts through the VPN Router that are aimed at private resources.

To configure scan detection:

1 Select Services > Firewall/NAT.
2 Select Malicious Scan Detection.
3 Click Edit. The Scan Detection window appears. (Figure 5)

Figure 5 Scan Detection configuration window

4 In the Detection Interval box, specify the interval (1 through 60) over which the number of port scans or host scans are inspected. If the number of scans exceeds the configured threshold during this interval, the security log logs the scan.
5 In the Port Scan Threshold box, enter the number of one-to-many connections (between 1 and 10000) needed to trigger an event. This is the number of ports on one host on the private side to which an attacking machine must send scan packets during the inspection interval to trigger an event in the security log.
6 In the Network Scan Threshold box, specify the number of host-to-host connections (between 1 and 10000) on the private side to which an attacking machine must send scan packets during the inspection interval to trigger an event in the security log.
7 Click OK.
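The following Python example is added here to illustrate the three scan detection settings in the procedure above. It is not Nortel code and does not run on the VPN Router; it models the Detection Interval, Port Scan Threshold and Network Scan Threshold over a constructed list of connection attempts (addresses from the documentation ranges), so you can see which traffic pattern produces a port-scan event, which produces a network-scan event, and why a scan spread across two intervals produces none. How the VPN Router itself windows the interval is not stated on the page; the fixed, non-overlapping windows and the "reaching the threshold triggers" comparison are assumptions of this model.

```python
"""Added example, not Nortel's code: a model of the Malicious Scan Detection
settings (Detection Interval, Port Scan Threshold, Network Scan Threshold)
run over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: float      # seconds since start of the sample (constructed data)
    src: str      # public-side address that opened the connection
    dst: str      # private-side host
    dport: int    # destination port


def detect_scans(flows, interval, port_threshold, net_threshold):
    """Return scan events as (kind, src, dst, count, window_start).

    interval        Detection Interval in seconds (1 through 60 on the VPN Router)
    port_threshold  distinct ports on one private host hit by one source (1-10000)
    net_threshold   distinct private hosts hit by one source (1-10000)
    Assumption of this model: the interval is cut into fixed windows
    [k*interval, (k+1)*interval) and reaching the threshold inside one
    window triggers an event (the page says both "exceeds" and "needed to
    trigger"; >= is used here).
    """
    ports = defaultdict(set)   # (window, src, dst) -> distinct destination ports
    hosts = defaultdict(set)   # (window, src)      -> distinct private hosts
    for f in flows:
        w = int(f.t // interval)
        ports[(w, f.src, f.dst)].add(f.dport)
        hosts[(w, f.src)].add(f.dst)
    events = []
    for (w, src, dst), seen in sorted(ports.items()):
        if len(seen) >= port_threshold:
            events.append(("port-scan", src, dst, len(seen), w * interval))
    for (w, src), seen in sorted(hosts.items()):
        if len(seen) >= net_threshold:
            events.append(("network-scan", src, None, len(seen), w * interval))
    return events


# Constructed sample traffic (documentation address ranges)
SAMPLE_FLOWS = (
    # vertical scan: one source hits six ports on one private host within a few seconds
    [Flow(1 + i, "203.0.113.5", "10.3.3.10", p) for i, p in enumerate((21, 22, 23, 25, 80, 110))]
    # horizontal scan: one source hits port 445 on six different private hosts
    + [Flow(2 + i, "203.0.113.9", f"10.3.3.{h}", 445) for i, h in enumerate(range(1, 7))]
    # slow scan: three ports in one 10 s window, three more in the next
    + [Flow(t, "203.0.113.77", "10.3.3.20", p)
       for t, p in ((2, 21), (3, 22), (4, 23), (12, 25), (13, 80), (14, 110))]
    # ordinary browsing: two ports on one host
    + [Flow(5, "198.51.100.7", "10.3.3.10", 80), Flow(6, "198.51.100.7", "10.3.3.10", 443)]
)

if __name__ == "__main__":
    # Detection Interval 10, Port Scan Threshold 5, Network Scan Threshold 5
    for event in detect_scans(SAMPLE_FLOWS, 10, 5, 5):
        print(event)
```

With an interval of 10 seconds and both thresholds at 5, only the vertical and horizontal scans produce events; the slow scanner stays below the threshold in each window. Raising the interval to 20 seconds puts all six of its probes into one window and it is logged as well, which is the trade-off the Detection Interval setting controls.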

Setting up policies

Firewall service consists of two primary components:

• service properties
• security policy

Service properties define the offered service and include a service name, the protocol (TCP, UDP, ICMP), and the port number (or range) on which the service occurs. You use service objects to specify all rule fields for service policies.

Security policies consist of a set of rules that specify what service is allowed or denied. A rule defines whether communication is accepted or rejected (or logged) based on its source, destination, and service. A set of rules defines a specific security policy. Each rule consists of a combination of network objects, services, actions, and logging mechanisms.

The VPN Router Stateful Firewall uses the principle that whatever traffic is not specifically allowed is disallowed. Therefore, when you first enable the VPN Router Stateful Firewall, all traffic is disallowed until you configure rules specifically allowing certain types of traffic. You must create rules for tunnel traffic before traffic on existing tunnel definitions is allowed. The rule set of the active policy applies to all traffic, including tunneled and nontunneled traffic.

The firewall policies use standard actions, which represent the most commonly used policies. You can define custom policies when you need more complex security policies and the standard policies are not sufficient. By customizing your policies, you can further refine the control over what traffic you allow on your internal networks.

Creating and editing firewall policies

You implement access control parameters through the graphical user interface (GUI) or the command line interface (CLI). You can use either interface to configure the following:

• Network objects
• Service objects
• Rules

See Nortel VPN Router Using the Command Line Interface (NN46110-507) for a list of CLI commands.

Creating policies

You use the Services > Firewall/NAT > VPN Router Stateful Firewall > Manage Policies window to create, edit, copy, delete, or rename a firewall policy. The System Default policy is always listed. This read-only policy defines the firewall behavior when no user-defined policies are applied or when the selected policy is not available.

Adding a policy

To add a new policy:

1 Select Services > Firewall/NAT.
2 Click Manage Policies beside VPN Router Stateful Firewall. The Select Policy window appears. The current policy is bold and read-only policies are italic. (Figure 6)

Figure 6 Select Policy window

3 Click New. The New Policy window appears and prompts you for a name for the new policy.
4 Enter the policy name. The name must begin with a letter and cannot contain the : + = ] . " characters.
5 Click OK to go to the Policy Edit window, which has a blank firewall policy, or click Cancel to return to the policy selection window.

Deleting an existing policy

You cannot delete a read-only policy or the policy that is currently applied to the VPN Router. If you select one of these policies, the Delete option is disabled.

To delete an existing policy:

1 Select the policy that you want to delete and click Delete. The Delete policy confirmation box appears.
2 Click OK to delete the selected policy.

Copying an existing policy

To copy a firewall policy:

1 Select the policy that you want to copy.

2 Click Copy. The Copy window appears.
3 Enter a name for the copied policy. This policy contains the same rules as the policy from which it was copied.
4 Click OK. The new policy appears in the list of policies in the firewall policies window.

Renaming an existing policy

You cannot rename a read-only policy or the policy that is applied to the VPN Router. If you select a read-only policy, the Rename option is disabled.

To rename an existing firewall policy:

1 Select the policy that you want to rename.
2 Click Rename. The Rename window appears.
3 Enter the new name of the policy.
4 Click OK.

Navigating rules

You use the Firewall Policy > Edit window to add, delete, and modify the rules within a policy. This window is divided into the following rule groups:

• Implied rules
• Override rules
• Interface-specific rules
• Default rules

Note: When you create a firewall rule, under Interface Specific Rules, it lists Slot 7 Interface 1, which is the serial port. The serial port listing does not appear on versions of the VPN Router prior to Version 4.80.

Implied rules

The firewall processes implied rules first. Implied rules regulate traffic that originated from or terminated at the VPN Router. (Figure 7) You cannot modify these rules—they are for display purposes only. These rules permit tunnel termination and access to the management interface. They are derived from the Services > Available window and other configuration windows (such as RIP, OSPF, and VRRP). The system statically generates and defines some rules, which are read-only. You can control any routed traffic that is not directed to the VPN Router with Override rules, Interface-specific or Default rules.

Figure 7 Implied rules

Static pre-implied rules

The first rule in the implied rules section is the only statically generated rule. It always exists in the implied rules section regardless of the configuration. This rule allows the listed services to leave the VPN Router on any of the private interfaces as long as the services originated from the VPN Router. Table 1 shows the server type and its corresponding configuration windows.

Table 1 Servers and corresponding configuration windows

Servers               | Configuration Window              | Description
DHCP, DHCP-CLIENT     | Servers > DHCP Relay              |
DNS                   | System > Identity                 |
Remote-RPC            |                                   | UDP port 17185
Nbdatagram, nbsession | Services > Available              | Remote Netbios
Pptp                  | Services > Available              |
IPSEC                 | Services > Available              |
L2TP & L2F            | Services > Available              |
FWUA                  | Services > Available              |
Radius                | Services > Available              |
HTTP, HTTPS           | Services > Available              |
SNMP                  | Services > Available              |
FTP                   | Services > Available              |
TELNET                | Services > Available              |
CRL                   | Services > Available              |
CMP                   | Services > Available              |
LDAP                  | Servers > LDAP                    |
UDP Wrapper           | Services > IPSEC (Ipsec Settings) | Enable/Disable NAT Traversal UDP, configured port
NTP                   | System > DATE&TIME                | Network Time Protocol
VRRP                  | Routing > VRRP                    |
RIP                   | Routing > RIP                     |
OSPF                  | Routing > OSPF                    |

Table 1 Servers and corresponding configuration windows (continued)

Servers     | Configuration Window   | Description
SSH Server  | Services > SSH Server  |
BGP         | Services > BGP         | PR or BGP key must be installed.

Dynamic implied rules

All of the available services on the Services > Available window generate dynamic implied rules. These rules do not specify a specific interface in the source or destination interface column. Implied rules for ports that are not well known have a service name that consists of the protocol and the port number. For example, a tcp10 rule is generated from port numbers associated with external LDAP and RADIUS servers and configurable FWUA ports.

Override rules

Override rules are the first set of modifiable rules in the policy. (Figure 8) The purpose of these rules is to quickly override the rest of the rules described later in the policy, possibly for a short period, while debugging a problem. You can only select from the interface groupings (Any, Trusted, Untrusted, Tunnel:Any, User Tunnel:Any, Branch Tunnel:Any, SSL-VPN).

Figure 8 Override rules

Interface-specific rules

Interface-specific rules apply only to packets that enter or leave the VPN Router through one specific interface (physical or tunnel). Physical interface names correspond to the names configured on either the System > LAN or System > WAN window. Tunnels that are also interfaces correspond either to a group name for user tunnels or the specific branch office tunnel name. Interface-specific rules have two rule types: source and destination. (Figure 9) and (Figure 10) Source rules define the selected interface as the source. Destination rules define the selected interface as the destination. The interface-specific rule section displays only one interface at a time. To view all of the interface-specific rules, select All Interfaces.

Figure 9 Interface-specific rules (Source rules)

Figure 10 Interface-specific rules (Destination rules)

Default rules

Default rules (Figure 11) apply to all traffic, but are not restricted to a specific interface. These rules specify interface groupings for the source or destination (Any, Trusted, Untrusted, Tunnel:Any, User Tunnel:Any, Branch Tunnel:Any).

Figure 11 Default rules

Creating rules

Menus control actions on rules. You access menus by right-clicking an option. Each menu controls a different aspect of the rule.

Header row menu

Right-clicking on any header cell brings up the Header row menu. This menu contains one item, Add New Rule. You use this menu item to add a new rule to the top of the list. The new rule appears in position one and all existing rules increment by one.

Row menu

Right-clicking on the number next to an existing rule activates the row menu. You use this menu to add a new rule at a particular location, delete the specific rule, and perform cut/copy/paste operations on a rule.

Cell menus

Cell menus are cell specific and accessed by right-clicking on an individual cell. There are two types of cell menus: option menus and procedure menus. Option menus provide a list of possible values for the cell. The cell displays the selection when you click on one of the items. Procedure menus provide a list of operations that you can perform on the cell, such as Add and Edit. When you click on one of the items, either the operation is performed immediately (such as Copy) or an additional window appears, prompting you for more information (such as Add).

Rule columns

Each rule within a firewall policy has the same attributes, which are specified by the column headers. The following sections describe the columns within a firewall rule:

#

This column specifies the ordering of the rules within the section. The order applies only to the section in which the rule appears and does not have meaning across the entire policy. If you log a rule, the log information includes this number (#).

Src interface and Dst interface

These columns specify the source and destination interfaces for the rule. Right-clicking on the cell displays an option menu containing possible interfaces. What appears in this option menu depends on which section of the Firewall policy the particular column appears in. For the Override and Default rules, the interfaces may only be interface groupings. These groupings are:

• Any—any physical interface or tunnel
• Trusted—any private physical interface or tunnel
• Untrusted—any public physical interface
• Tunnel:Any—any tunnel, excluding any physical interfaces
• User Tunnel:Any—any user tunnel
• Branch Tunnel:Any—any branch tunnel
• SSL-VPN—any SSL-VPN tunnel

For interface-specific rules, you can specify the interfaces as either groupings or individual interfaces. Clicking on the user tunnel or branch office menu items displays the tunnel selection window. You use this window to select a specific tunnel (branch office or user tunnel).

Source and Destination

These columns specify the source and destination network object for the rule. You can add more than one source or destination address to a rule. You can modify these attributes by right-clicking on a column in the cell, which then brings up a procedure menu.

Click Add to display the Network Object Selection window. (Figure 12) Use this window to define and apply a new network object. You can create the following network objects: host, network, IP range, and group (a collection of these objects).

Figure 12 Network Object Selection window

Italicized objects in the list are read-only—you cannot modify them. You use the New, Edit, and Delete options in this window to create, edit and delete network objects.

Note: You use the NOT operand to specify which networks you do not want included.

Click Edit to display the Network Object Edit window. (Figure 13) You use this window to modify the attributes for the selected network object.

Figure 13 Network object edit window

Click Delete to remove the selected network object. If the object that you want to delete is the last object, it returns to the default value. Click Copy, Cut, or Paste to perform those operations on the current network object.

Service

This column specifies the service objects handled by the selected rule. You can add more than one service to a rule. Right-clicking on the cell displays the standard procedure menu (Add or Edit). Click Add to access the Service Object Selection window (Figure 14), where you define and apply a new service object. You can create the following service objects: TCP, UDP, ICMP, IP protocol, and object groups (a collection of these objects).

Figure 14 Service Object Selection window

Italicized objects in the list are read-only—you cannot modify them. You use the New, Edit, and Delete options in this window to create, edit, and delete service objects. Click Edit to display the Service Object Edit window. You use this window to modify the attributes for the selected service object. Click Delete to remove the selected service object from the cell. If the object you want to delete is the last object in the cell, the cell returns to its default value. Click Copy, Cut, or Paste to perform those operations on the current service object.

Action

The Action column specifies the action that occurs when you activate a rule. Right-clicking on the cell displays an option list containing four items: Accept, Drop, Reject, and User Authentication. Clicking one of these items sets the cell to the selected state.

Log

Use the Log column to specify the logging level for this rule. Right-clicking on this cell brings up an option list containing the following logging levels: None, Brief, Detail, and Trap.

Status

The Status column specifies the status of the particular rule, either Enabled or Disabled.

Remark

Use the Remark column to attach a remark to a particular rule. Right-click Remark and select Add or Edit remark, then type a comment in the dialog box that appears.

Creating a new policy

To configure the firewall policies:

1 Select Services > Firewall/NAT. The Firewall/NAT window appears.
2 In the Configuration section, enable the VPN Router Firewall.
3 Click Manage Policies. The Firewall > Select Policy window appears.
4 Click New to create a new policy. The New Policy window appears.
5 Enter the policy name and click OK. The name must begin with a letter and cannot contain the : + = ] . " characters. The Firewall > Edit Policy: <policyname> window appears with no rules defined. In this window, you can add, delete, and modify the rules for the policy.
6 You can select the rule group as follows:
  • Implied rules (view only)
  • Override rules
  • Interface-specific rules
  • Default rules

7 Select the Interface Specific Rules tab.
8 Select an interface and a subinterface from the lists.
9 Select either Source Interface Rules or Destination Interface Rules.
10 Right-click the appropriate cell to add a new rule.
11 Repeat these steps to add more rules.
12 Select Policy and click Save Policy to save your changes.
13 When the policies are saved, go to the Manage menu and click Close Manager.

Verifying the configuration

When you complete the configuration tasks for the firewall, you can check the VPN Router's routing patterns. To verify that the firewall functions properly, you can use a procedure similar to the following:

1 Make sure the firewall is using a security policy that allows the type of traffic you use for the test (or you can use an Accept All policy for the testing).
2 Verify private-to-public traffic. Perform an FTP operation from a host on the private side of the VPN Router to a host on the public side.
3 Verify public-to-private traffic. Perform an FTP operation from a host on the public side of the VPN Router to a host on the private side.
4 Verify tunnel-to-internal network traffic. Connect a remote VPN Client system to the VPN Router. From the client, access a Web page on the internal network.
5 Verify tunnel-to-Internet traffic. Connect a remote VPN Router system to the local VPN Router. From the client, access a Web page on the Internet.

Successful completion of these steps indicates that the VPN Router firewall is functioning and that the VPN Router routing patterns are available.

Configuring a sample security policy

In this configuration example, the following setup exists:

• Public IP address 192.168.3.22 (Internet Access)
• Private IP address 10.3.3.102 (VPN Router default is LAN)
• FTP server IP address 192.168.3.20 on the public network
• Security policy allows users to download files to the FTP server, with no other access to the Internet permitted

To configure the VPN Router Stateful Firewall to implement a security policy:

1 Select Services > Firewall/NAT.
2 Click Manage Policies for VPN Router Stateful Firewall.
3 On the Firewall > Select Policy window, click New.
4 Enter AllowFTPAccess as the policy name and click OK.
5 On the Firewall > Edit Policy window, click the Interface Specific Rules tab.
6 In the Interface Specific Rules tab, right-click # in the header, and select Add New Rule. Make no changes to the interface or subinterface lists and leave Source Interface Rules selected.
7 In the Interface Specific Rules tab, click the DST Interface value (*any), right-click to display the selection menu, and select SSL-VPN.
8 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Destination value (*any), right-click to display the selection menu, and select Add.
9
   a In the Network Object Selection window, click New.
   b In the Network Object Type Selection window, select Host as the type of object to create, and click OK.
   c In the Network Object Insert window, enter the Host name (externalFTPserver) and the IP address (192.168.3.20), and click OK.

   d In the Network Object Selection window, click OK to add the externalFTPserver network object into the Destination field.
10 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Service value (*any), right-click to display the Service Object Selection box, scroll down to and click FTP, and click OK.
11 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Action value (drop), right-click to display the Action menu, and click Accept to enter it into the Action field.
12 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Log value (blank = none), right-click to display the Log menu, and click the required log value to enter it into the Log field. In this example, the log value is brief.
13 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Status value (checked means enabled), right-click to display the Status menu, and click the required status value to enter it into the Status field. (Within a policy, you can independently disable each rule in the Override, Interface-Specific, and Default groups.)
14 On the Firewall > Edit Policy (Interface Specific Rules) window, click the Manager menu at the top left of the window and click Exit CSF/NAT. In the Save Changes to this policy box, click Yes.
15 On the Services > Firewall/NAT window, check VPN Router Stateful Firewall, select AllowFTPAccess from the policy box, and click OK. (You can apply only a single policy to the VPN Router.)
16 Click Firewall. You are prompted to reboot the VPN Router to activate the new firewall configuration.

Firewall deployment examples

You can customize security policies and apply them to individual subscribers, or you can create them as templates and apply them to many subscribers. Some questions to consider when establishing firewall rules include:

• What are the IP addresses for all of your servers (FTP, Web, DNS, mail) accessible through this firewall?

• If you are setting up NAT, what IP addresses can you list that are otherwise not visible?
• What applications, other than HTTP, FTP and network protocols, run across your firewall?

Residential firewall example

A residential firewall (Figure 15) is generally a simple firewall designed to allow user-initiated traffic while blocking any incoming traffic or port scans. The choices for service indicate which protocols to accept or reject on the network. Typically, these include HTTP, FTP, SMTP, mail protocols, and other typical network traffic, such as some forms of ICMP.

Figure 15 Example of a basic residential firewall (figure labels: User, Public Internet)

Use the Override Rules tab on the Firewall > Edit Policy window to configure your residential firewall with a single override rule that allows all trusted traffic. Trusted traffic is traffic that comes from either a trusted physical interface or a tunnel. Alternatively, you can use the Interface Specific Rules tab on the Firewall > Edit Policy window to configure a single interface specific rule that allows traffic sourced from the physical interface LAN (slot 1/0).

Business firewall example

A business firewall (Figure 16) requires a more complex rule configuration. A business user must have access to internal resources, such as mail servers and Web servers.

Figure 16 Business firewall

When configuring a business firewall, you must set override rules to do the following:

• require branch office users to authenticate themselves prior to accessing internal resources
• allow user tunnel traffic to go anywhere
• allow non-tunneled FTP and HTTP to gain access to the DMZ

You set the override rules in the Override Rules tab on the Firewall > Edit Policy window. You must also set an interface specific rule to allow all traffic that enters from the private (LAN) to go anywhere. You set the interface specific rule in the Interface Specific tab in the Firewall > Edit Policy window.
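The following Python example is added here to show how the rule sections described earlier (override, interface-specific, default, with implied rules processed first) combine with the "not specifically allowed is disallowed" principle to produce the residential and business policies above. It is not Nortel code and is not the VPN Router's implementation. The interface names (LAN, Internet, DMZ-Net), the tunnel names (sales-group, hq-office), the DMZ network 192.0.2.0/24, the service objects and the packets are constructed. The evaluation order, first-match-wins within the ordered sections, and the drop for unmatched traffic are this model's reading of the text. Implied rules are left out because they govern traffic to and from the VPN Router itself.

```python
"""Added example, not Nortel's code: a model of VPN Router Stateful Firewall
policy evaluation using the residential and business policies in the text."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed interface inventory: name -> kind (private/public physical, user/branch/sslvpn tunnel)
INTERFACES = {"LAN": "private", "Internet": "public", "DMZ-Net": "private",
              "sales-group": "user", "hq-office": "branch"}

# Interface groupings as the Src/Dst interface column defines them
GROUPINGS = {
    "Any": lambda k: True,
    "Trusted": lambda k: k != "public",          # private physical interface or any tunnel
    "Untrusted": lambda k: k == "public",
    "Tunnel:Any": lambda k: k in ("user", "branch", "sslvpn"),
    "User Tunnel:Any": lambda k: k == "user",
    "Branch Tunnel:Any": lambda k: k == "branch",
    "SSL-VPN": lambda k: k == "sslvpn",
}

SERVICE_OBJECTS = {"FTP": ("tcp", 21), "HTTP": ("tcp", 80), "SSH": ("tcp", 22)}  # constructed


@dataclass
class Rule:
    src_if: str                 # grouping or individual interface name (case sensitive)
    dst_if: str
    src: str = "any"            # network object: "any" or a CIDR
    dst: str = "any"
    services: tuple = ("any",)  # service object names
    action: str = "Accept"      # Accept, Drop, Reject, User Authentication
    log: str = "None"           # None, Brief, Detail, Trap
    enabled: bool = True        # Status column
    remark: str = ""


@dataclass
class Packet:
    src_if: str
    dst_if: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def iface_matches(spec, iface):
    if spec in GROUPINGS:
        return GROUPINGS[spec](INTERFACES[iface])
    return spec == iface            # individual interface, exact name


def rule_matches(r, p):
    svc_ok = "any" in r.services or any(
        SERVICE_OBJECTS[s] == (p.proto, p.dport) for s in r.services)
    return (r.enabled and iface_matches(r.src_if, p.src_if) and iface_matches(r.dst_if, p.dst_if)
            and (r.src == "any" or ip_address(p.src_ip) in ip_network(r.src))
            and (r.dst == "any" or ip_address(p.dst_ip) in ip_network(r.dst))
            and svc_ok)


@dataclass
class Policy:
    override: list = field(default_factory=list)
    source_rules: dict = field(default_factory=dict)   # interface name -> source rules
    dest_rules: dict = field(default_factory=dict)     # interface name -> destination rules
    default: list = field(default_factory=list)

    def evaluate(self, p):
        """Return (action, 'section #n') for the first matching enabled rule,
        or Drop when nothing matches (assumption: default deny)."""
        sections = (("override", self.override),
                    ("source", self.source_rules.get(p.src_if, [])),
                    ("destination", self.dest_rules.get(p.dst_if, [])),
                    ("default", self.default))
        for name, rules in sections:
            for n, r in enumerate(rules, 1):   # n is the rule's # within its section
                if rule_matches(r, p):
                    return r.action, f"{name} #{n}"
        return "Drop", "no matching rule (default deny)"


# Residential firewall: a single override rule that allows all trusted traffic
RESIDENTIAL = Policy(override=[Rule("Trusted", "Any", remark="user-initiated traffic")])

# Business firewall: the three override rules plus the LAN interface-specific rule
BUSINESS = Policy(
    override=[
        Rule("Branch Tunnel:Any", "Any", action="User Authentication",
             remark="branch office users authenticate before reaching internal resources"),
        Rule("User Tunnel:Any", "Any", remark="user tunnel traffic goes anywhere"),
        Rule("Untrusted", "Any", dst="192.0.2.0/24", services=("FTP", "HTTP"), log="Brief",
             remark="non-tunneled FTP and HTTP to the DMZ (192.0.2.0/24 is constructed)"),
    ],
    source_rules={"LAN": [Rule("LAN", "Any", remark="everything entering from the private LAN")]},
)

if __name__ == "__main__":
    inbound_ssh = Packet("Internet", "LAN", "203.0.113.5", "10.3.3.50", "tcp", 22)
    print(RESIDENTIAL.evaluate(inbound_ssh), BUSINESS.evaluate(inbound_ssh))
```

Both policies drop an unsolicited connection from the Internet to a LAN host, not because any rule says so but because nothing allows it. Clearing the Status flag on the user tunnel override rule has the same effect on user tunnel traffic, which is what the per-rule Enabled/Disabled column is for.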


Chapter 3 Configuring filters

There are two types of filters: tunnel filters and interface filters. You use tunnel filters for user groups and you use interface filters for LAN and WAN interfaces. A filter usually consists of one or more inbound rules (for traffic coming into the network) and one or more outbound rules (for traffic leaving the network). Filter names are a convenient way to manage a set of rules.

When you change a tunnel filter, it does not affect any existing tunnels. However, you must reestablish the existing tunnels before any changes take effect.

To view the available filters, go to Profiles > Filters. The Current VPN Router Tunnel Filters and Current VPN Router Interface Filters show the currently available filters.

Adding and editing filters

To add a filter:
1 Select Profiles > Filters. The Profile > Filters window appears.
2 Click Create.
3 Enter a new filter name in the Create dialog box. The Tunnel Filters > Edit window appears (Figure 17).

Figure 17 Adding a filter

4 To add a rule to the Rules in Set list, select a rule from the Available Rules list, then click the right arrow. The Available Rules box lists all of the available rules you can add to the filter. They appear in the format of Name: Rule String.
5 To remove or delete a rule from the Rules in Set list, select the rule, then click the left arrow.
6 To move the rule up one place in the Rules in Set list, select the rule, then click the up arrow.
7 To move the rule down one place in the Rules in Set list, select the rule, then click the down arrow.

To edit a filter:
1 From the Profiles > Filters > Edit window, click Manage Rules. The Tunnel Filters > Edit > Manage Rules window appears.
2 Click Edit. The Tunnel Filters > Rules > Edit window appears (Figure 18).

Figure 18 Editing a filter

3 Select the Filter Action, either Permit, Deny, or Nexthop.
4 Select the Direction, either inbound or outbound.
5 Select an Address.
6 Select a Protocol. The choices are icmp, ip, tcp, or udp.
7 For the Source Port, select options from both lists.
8 For the Destination Port, select options from both lists.
9 For the TCP Connection, select either Established or Don't Care.
10 Click OK.

Configuring Allow Management Traffic

You use the Allow Management Traffic options to restrict management access to the VPN Router through tunnels. Each filter set has an explicit list of management services. By specifying the management services allowed through a tunnel, you can control which groups of users perform different management tasks while tunneled into the VPN Router.

The VPN Router's default filter is Permit All, and the settings for this filter are to allow HTTP, SNMP, FTP, Telnet, and PING. However, if you create a new filter, all management traffic settings are disabled by default. The management services apply to user and branch office connections.

The management protocols consist of two groups: Local Services and Remote Servers. The Local Services selections refer to services that reside on the VPN Router. When enabled, network traffic for these services is allowed through tunnels. These options do not affect HTTP, SNMP, FTP, Telnet, or PING protocol traffic that passes through the VPN Router outside a tunnel. The Local Services options are:
• HTTP—enable or disable access to the Web server on the VPN Router
• SNMP—enable or disable SNMP gets to the VPN Router
• FTP—enable or disable FTP puts or gets to the VPN Router
• Telnet—enable or disable Telnet access to the VPN Router
• PING—enable or disable PING access to the VPN Router
• RADIUS—enable or disable access to the VPN Router's RADIUS authentication service

The Remote Servers selections refer to services that reside on other systems that the VPN Router uses. The Remote Servers options restrict traffic to external services that the VPN Router needs. By specifying these services, you can restrict which VPN Router tunnels can send protocol traffic for the external services it requires. The Remote Servers options are:
• FTP—enable or disable FTP access from the VPN Router to external FTP servers on the other end of a tunnel. The FTP back-up and FTP upgrades facilities are examples of external services that this option controls.
• DNS—enable or disable remote users from using the Domain Name Server (DNS) service for the VPN Router.
• DHCP—enable or disable access to dynamic host configuration protocol (DHCP) servers from the VPN Router.
• RADIUS—enable or disable the VPN Router's ability to access a remote RADIUS server.

Use Copy Filter to copy an existing filter from one filter set to the other. For example, if you already have a filter for tunnels, you can copy it for use by your VPN Router's interfaces.

Note: If you plan to use a filter for both tunnels and interfaces, it must appear in both windows on the Filters window.

If you copy a tunnel filter for use by a VPN Router Stateful Firewall, you may need to set up additional steps because the traffic that uses the VPN Router Stateful Firewall traverses two VPN Router interfaces. For example, it can enter through a public interface and exit through a private interface. However, tunnel traffic only enters and exits through a single physical interface.

To copy a filter:
1 Click the existing filter in one Current Filters window.
2 Click Up or Down to move the filter to the other Current Filters window. The Copy Filters window appears, asking you to confirm that you want to copy the filter.

Configuring next hop traffic filters

Customers use next hop traffic filters to control the next hop selection and route traffic within their domain. Each IP interface can have inbound and/or outbound filters that cause an action on a packet if the packet matches the filter criteria. If a packet matches filter criteria, the filter accepts the packet and uses the next hop for forwarding. When a filter rule with next hop (Table 2) configured matches an incoming packet, the configured next hop performs a forwarding lookup and the packet is forwarded using that routing table instance. If the lookup fails, then traditional destination-based routing occurs using the routing table.

Next hop traffic filters are only applicable for inbound filters per interface (physical or virtual) per protocol. You can optionally enter the source and destination address fields.

Table 2 Filter rule with next hop

Source address   Destination address   Service   Action    Next hop address   Comment
10 network       47 network            IP        Nexthop   192.140.140.216    Filtered traffic is forwarded to 192.140.140.216

When you apply a next hop filter on an interface, all incoming IP traffic coming to that interface from the 10 network and going to the 47 network is forwarded to the next hop address. This assumes that there is a reachable route to the next hop address. If the next hop is not reachable, then the VPN Router uses the destination address in the IP header (as in normal routing) to forward the packet. For tunnels, make sure the next hop address is beyond the remote end point of the tunnel and along the path to the actual destination.

To configure next hop traffic filters:
1 Select Profiles > Filters.
2 Click Manage Rules.
3 Select the rule that you want to change and click Edit.
4 Select Nexthop for the filter action, as shown in Figure 19.

Figure 19 Nexthop filter action

5 Click OK.
6 To enable private to tunnel forwarding, select System > Forwarding. The Forwarding window appears.
7 Enable Apply packet filter on private to tunnel traffic in the Next Hop Forwarding section.
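The rule fields of the Tunnel Filters > Rules > Edit window (action, direction, address, protocol, ports, TCP connection state) and the next hop fallback described above, modelled in Python as an added example; this is not the VPN Router's own code. The /8 masks for the 10 and 47 networks, the routing table, the interface names and the sample packets are constructed for illustration; the next hop address is the one from Table 2.

```python
"""Added example (not the Nortel VPN Router's code): a model of filter rules
with Permit, Deny and Nexthop actions, and of the next hop fallback rule from
Chapter 3. Rule masks, routing table and sample packets are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "inbound" or "outbound" on the interface
    protocol: str           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    tcp_established: bool = False   # segment belongs to an existing TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                      # "Permit", "Deny" or "Nexthop"
    direction: str                   # "inbound" or "outbound"
    src_net: str = "0.0.0.0/0"       # address with mask; the default matches any
    dst_net: str = "0.0.0.0/0"
    protocol: str = "ip"             # "ip" matches icmp, tcp and udp
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)
    tcp_connection: str = "Don't Care"   # or "Established"
    next_hop: Optional[str] = None       # only used by action "Nexthop"

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if not (self.src_ports[0] <= pkt.src_port <= self.src_ports[1]):
            return False
        if not (self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]):
            return False
        # "Established" admits only TCP segments of an existing connection
        if self.tcp_connection == "Established":
            return pkt.protocol == "tcp" and pkt.tcp_established
        return True


# Constructed routing table: prefix -> (interface, gateway). Normal forwarding
# is a longest-prefix match on the packet's destination address.
ROUTES: Dict[str, Tuple[str, str]] = {
    "0.0.0.0/0": ("wan0", "203.0.113.1"),            # default route (constructed)
    "192.140.140.0/24": ("lan1", "192.140.140.216"),  # the next hop is on-link here
}


def route_lookup(dst: str, routes=ROUTES) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; None when no route exists."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def apply_filter(rules: List[Rule], pkt: Packet, routes=ROUTES) -> str:
    """First matching rule wins, in the order of the Rules in Set list.
    Returns a short description of what happens to the packet."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "Deny":
            return "deny"
        if rule.action == "Permit":
            hop = route_lookup(pkt.dst, routes)
            return f"permit via {hop[0]}" if hop else "permit, no route"
        # Nexthop: forward toward the configured next hop if it is reachable,
        # otherwise fall back to normal destination-based routing.
        if rule.action == "Nexthop" and rule.next_hop:
            if route_lookup(rule.next_hop, routes):
                return f"next hop {rule.next_hop}"
            hop = route_lookup(pkt.dst, routes)
            return f"fallback via {hop[0]}" if hop else "fallback, no route"
    return "deny"   # nothing permitted the packet


# Inbound rule set for the Table 2 scenario (the /8 masks are an assumption)
RULES = [
    Rule("Deny", "inbound", protocol="tcp", dst_ports=(23, 23)),   # block Telnet
    Rule("Nexthop", "inbound", "10.0.0.0/8", "47.0.0.0/8", "ip",
         next_hop="192.140.140.216"),
    Rule("Permit", "inbound", protocol="tcp", tcp_connection="Established"),
]
```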


Chapter 4 Configuring NAT

Network Address Translation (NAT) uses one or more globally unique IP addresses to give ports on a private network access to the Internet, allowing many devices on an internal network to share a few IP addresses. A network can use one set of network addresses internally and a different set when dealing with external networks. When a packet is routed, NAT replaces the internal corporate address with a global address. NAT can also modify the source and destination port numbers.

NAT allows multiple intranets with conflicting subnets to communicate. For virtual private networks, the configuration of branch office or partner networks may be fixed and must be able to securely route between these networks without requiring unique private addresses across the entire extranet. The internal considerations of the network determine the allocation of internal network addresses. Global addresses must remain unique to distinguish between different hosts.

Address translations

You can set up address translation permanently (static) or allocate it dynamically. Static translation allocates one external host address for each internal address, and each internal address is converted to a different global IP address. Dynamic address translation occurs when a session starts. NAT contains a pool of continually reused global addresses. No guaranteed one-to-one mapping takes place. As soon as the application session is over, the global address returns to the pool so that subsequent connections can use the global address. An example of dynamic translation is port mapping, which uses the TCP/UDP source port and source address to allow multiple sessions from many hosts using a single public NAT address.

NAT supports the following address translations:
• Dynamic many-to-one
• Dynamic many-to-many
• Static one-to-one
• Port forwarding
• IPsec-aware NAT
• Double NAT

Dynamic many-to-one—port translation

With network address port translation (NAPT), many internal IP addresses hide behind a single external address. This is especially useful if you need to use several IP addresses and have only one address available from your ISP. Dynamically-assigned ports distinguish one IP address from another. In addition, source ports are dynamically translated to unique translated ports. NAT attempts to assign a port from the corresponding port list. The original port is assigned if it is available. If not, NAT tries to assign a port from the largest port number that is smaller than the original port. If all smaller ports are unavailable, NAT assigns a port greater than the one requested. If all ports are unavailable, the VPN Router drops the packet. Dynamic many-to-one translation is used only for traffic initiated from an internal host.

Figure 20 shows the private network 10.1.0.0 hidden behind the public address 30.1.0.154. All requests originating from the private network (10.1.0.0) have their source IP addresses replaced with the public IP address 30.1.0.154; only the public IP address is visible from the public network.
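The port selection order just described, together with the port mapping table that lets return traffic reach the right private host, modelled in Python as an added example; this is not the VPN Router's code. The public address is the one from Figure 20; the translated-port pool, the private hosts and the session flow are constructed.

```python
"""Added example (not the Nortel VPN Router's code): a model of the NAPT
source-port selection order described above, plus the port mapping table
that reverses the translation for returning packets. The public address is
the one from Figure 20; the port pool and sample hosts are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class Napt:
    public_ip: str = "30.1.0.154"
    pool: range = range(1024, 65536)      # assumed range of translated ports
    in_use: Set[int] = field(default_factory=set)
    # port mapping table: (private ip, private port) -> translated port
    bindings: Dict[Endpoint, int] = field(default_factory=dict)
    reverse: Dict[int, Endpoint] = field(default_factory=dict)

    def choose_port(self, requested: int) -> Optional[int]:
        """Order of preference given in the manual:
        1. the original port, if it is in the pool and free;
        2. otherwise the largest free port smaller than the original;
        3. otherwise a free port greater than the original;
        4. otherwise None, and the caller drops the packet."""
        if requested in self.pool and requested not in self.in_use:
            return requested
        for p in range(min(requested, self.pool.stop) - 1, self.pool.start - 1, -1):
            if p not in self.in_use:
                return p
        for p in range(max(requested + 1, self.pool.start), self.pool.stop):
            if p not in self.in_use:
                return p
        return None

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate the source of a packet leaving the private network.
        An existing session keeps its port; a new one gets a port from
        choose_port(). None means the packet is dropped."""
        if src in self.bindings:
            return (self.public_ip, self.bindings[src])
        port = self.choose_port(src[1])
        if port is None:
            return None
        self.in_use.add(port)
        self.bindings[src] = port
        self.reverse[port] = src
        return (self.public_ip, port)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Reverse the translation for a returning packet addressed to the
        public address. Unknown ports are not forwarded: many-to-one NAT
        serves only sessions initiated from the inside."""
        if dst[0] != self.public_ip:
            return None
        return self.reverse.get(dst[1])

    def session_over(self, src: Endpoint) -> None:
        """Release the translated port when the session ends so that
        subsequent connections can reuse it."""
        port = self.bindings.pop(src, None)
        if port is not None:
            self.in_use.discard(port)
            self.reverse.pop(port, None)
```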

Figure 20 Port translation

Dynamic many-to-many—pooled translation

In dynamic many-to-many NAT, only the address (not the port) is translated. Usually, the number of externally visible IP addresses is less than the number hidden behind the VPN Router. Each time a host on the private network makes a request, the VPN Router chooses an unused external IP address, and then performs the translation. Dynamic many-to-many is used only for traffic initiated from an internal host.

The following example (Figure 21) illustrates many-to-many dynamic translation. The user configures a pooled NAT rule converting the internal address range 10.1.0.154-10.1.0.164 to 30.1.0.154-30.1.0.164. Traffic is initiated from 10.1.0.154 and 10.1.0.156 destined to a machine (11.1.1.2) on the public Internet. Both addresses are translated to unique public addresses dynamically.

Figure 21 Dynamic pooled address translation

Static one-to-one translation

Static address translation allocates one external host address for each internal address. This allocation is always the same. The host using this rule is always bound to the same external address. Figure 22 shows host 10.1.0.154 on the private side statically mapped to an external address 30.1.0.154, which allows Internet host 11.1.1.2 to initiate a session using the translated external address.

Figure 22 Static address translation

Port forwarding

With Port Forwarding, one externally accessible IP address forwards incoming requests to different addresses behind the NAT device based on the protocol used. You can route incoming Web traffic to a Web server, and you can forward FTP traffic destined to the same external IP address to a different device that provides FTP services.

Figure 23 illustrates Port Forwarding. A host 11.1.1.2 on the Internet needs to access a Web server and an FTP server running on two separate internal machines that are hidden behind the single externally visible address 30.1.0.154. To do this, you use a port forwarding NAT rule that sends the traffic to the two different machines based on the forwarding ports.

Figure 23 Port forwarding example

Double NAT

You can use double NAT to translate both external and internal networks at the same time. You can modify both the source and destination addresses for each packet entering and leaving the VPN Router. You use rules to achieve this, one to translate the source address and one to translate the destination address. The destination address translation must use a static rule. Figure 24 shows a host 11.1.1.2 on the Internet initiating a connection to 30.1.0.154, the translated address of the internal host. NAT translates both the source and destination addresses as the packet traverses NAT.

Figure 24 Double NAT

IPsec-aware NAT

IPsec-aware NAT protects against the alteration of TCP/IP headers that NAT usually performs. IPsec-aware NAT is used when an IPsec tunnel passes through a VPN Router performing NAT translation, but does not terminate at the VPN Router. Unlike NAT traversal, IPsec-aware NAT is always on and you cannot configure it. This allows inter-operability with IPsec implementations that do not support the UDP wrapper solution to perform NAT on IPsec traffic. Figure 25 shows an IPsec-aware NAT example.

Figure 25 IPsec-aware NAT example

NAT modes

Based on the handling of UDP packets, you can classify NATs in four different modes:
• Full Cone NAT
• Restricted Cone NAT
• Port Restricted Cone NAT
• Symmetric NAT

Note: Only Restricted Cone NAT and Symmetric NAT modes are supported. All visible references to Cone NAT in the system refer to Restricted Cone NAT.

Full Cone NAT

A Full Cone NAT maps all requests from the same internal IP address and port to the same external IP address and port. Any external host can send a packet to the internal host by sending a packet to the mapped external address.

Figure 26 Full Cone NAT

Figure 26 is an example of a private client behind a NAT with IP 10.0.0.1 sending and receiving on port 8000, mapped to the external IP/port on the NAT of 202.123.211.25:12345. Anyone on the public side can send packets to that external IP/port, and the NAT correctly translates those packets to the client's internal IP/port.

Restricted Cone NAT

A Restricted Cone NAT maps all requests from the same internal IP address and port to the same external IP address and port. Unlike a Full Cone NAT, an external client can send a packet to the internal client only if the internal client has previously sent a packet to the IP address.

Figure 27 Restricted Cone NAT

Figure 27 shows an example of a private client sending a packet to an external client (computer A). The NAT maps 10.0.0.1:8000 to 202.123.211.25:12345, which allows the public client to send back packets to the NAT address of the private client. However, the NAT blocks all packets coming from another external client (computer B) until the private client sends a packet to that external IP address. Once that is done, both external clients can send packets destined to the NAT address and they are translated correctly to the client's private address.

Port restricted Cone NAT

A Port Restricted Cone NAT is similar to a Restricted Cone NAT, but the restriction includes port numbers. An external client can send a packet to the internal client only if the internal client has previously sent a packet to the IP address and port.

Figure 28 Port Restricted Cone NAT

Figure 28 shows an example of a Port Restricted Cone NAT. If an internal client sends a packet to an external client at IP 222.111.99.1 and port 10101, the NAT only allows packets that come from the same IP and port. If the internal client sent packets to multiple external IP address/ports, they can all respond to the client at the same mapped IP address and port and the NAT does the reverse translation to the internal IP address.

Symmetric NAT

A Symmetric NAT maps all requests from the same internal IP address and port, to a specific destination IP address, to the same external IP address and port. If the same host sends a packet with the same source address and port to a different destination, a different mapping is used. Only the external host that receives a packet can send a packet back to the internal host.

The default NAT mode is Symmetric. To change the mode to restricted Cone NAT, go to the Services > Firewall > NAT > Edit window.

Figure 29 Symmetric NAT

Figure 29 shows an example of a Symmetric NAT. If the internal client 10.0.0.1:8000 sends a packet to the external IP 222.111.99.1, it may be mapped to 202.123.211.25:12345, while a packet sent from the same address and port to 222.111.88.1 may be mapped to a different public IP and port (202.123.211.25:45678). The external client on computer B can only send a packet to the mapped source address of the packet it received, and the external client on computer A can only send a packet to the mapped external source IP of its received packets.

NAT traversal

The VPN client or server user tunnels use NAT traversal to pass through intermediate routers or gateways, each of which can NAT the packet. Most hotels and airports that provide Internet connectivity use NAT to connect to the Internet. NAT traversal solves the user tunnel case where the IPsec-aware NAT does not always work because other NATs are between the source and destination PC hosts. You enable NAT traversal on the Services > IPsec window. By default, NAT traversal is disabled.
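The inbound filtering rule of each of the four NAT modes described above (Full Cone, Restricted Cone, Port Restricted Cone, Symmetric), modelled in Python as an added example; this is not the VPN Router's code. The client, mapped address and computer A are the manual's addresses; computer B's address and the order in which mapped ports are handed out are constructed.

```python
"""Added example (not the Nortel VPN Router's code): a model of which inbound
UDP packets each NAT mode passes, using the manual's addresses
(10.0.0.1:8000, 202.123.211.25:12345, 222.111.99.1:10101). The second
external host and the port allocation order are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
MODES = ("full", "restricted", "port_restricted", "symmetric")


@dataclass
class Nat:
    mode: str
    public_ip: str = "202.123.211.25"
    next_port: int = 12345
    # mapping key -> mapped external port. Cone NATs key on the internal
    # endpoint only; a Symmetric NAT keys on (internal endpoint, destination).
    mappings: Dict[tuple, int] = field(default_factory=dict)
    internal: Dict[int, Endpoint] = field(default_factory=dict)
    # external endpoints the internal host has sent to through each port
    peers: Dict[int, Set[Endpoint]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.mode not in MODES:
            raise ValueError(f"unknown NAT mode {self.mode!r}")

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Map an outgoing packet; returns the external (ip, port) used."""
        key = (src, dst) if self.mode == "symmetric" else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.internal[self.next_port] = src
            self.peers[self.next_port] = set()
            self.next_port += 1
        port = self.mappings[key]
        self.peers[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, ext: Endpoint, mapped: Endpoint) -> Optional[Endpoint]:
        """Return the internal endpoint a packet from ext to mapped reaches,
        or None when this mode's rule blocks it."""
        if mapped[0] != self.public_ip or mapped[1] not in self.internal:
            return None
        seen = self.peers[mapped[1]]
        if self.mode == "full":
            allowed = True                       # anyone may send to the mapping
        elif self.mode == "restricted":
            allowed = any(peer[0] == ext[0] for peer in seen)   # IP only
        else:
            # port_restricted: IP and port must match a prior destination;
            # symmetric: the mapping exists for exactly one destination
            allowed = ext in seen
        return self.internal[mapped[1]] if allowed else None


def demo(mode: str) -> dict:
    """Client 10.0.0.1:8000 talks to computer A; computer B (constructed) has
    not been contacted yet. Returns what each probe packet reaches."""
    nat = Nat(mode)
    client = ("10.0.0.1", 8000)
    a = ("222.111.99.1", 10101)
    b = ("222.111.88.1", 20202)           # constructed second external host
    mapped_a = nat.outbound(client, a)
    return {
        "mapped_for_a": mapped_a,
        "from_a": nat.inbound(a, mapped_a),
        "from_a_other_port": nat.inbound((a[0], 33333), mapped_a),
        "from_b": nat.inbound(b, mapped_a),
        # for a Symmetric NAT, talking to B creates a second mapping
        "mapped_for_b": nat.outbound(client, b),
    }
```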

To use NAT traversal, you must also define a UDP port that all client connections use to connect to the VPN Router. This port must be a unique and unused UDP port within the private network (supported range 1025 - 49151). By default, no UDP port is defined.

Note: You can use any unused UDP port for NAT traversal. Do not use L2TP/L2F port 1701 or General Packet Radio Service (GPRS) port 3386. Make sure that any port you select does not conflict with any ports you are already using.

Note: To allow NAT traversal with the IPsec client, you must enable the NAT traversal setting on the Profiles > Groups > Edit IPsec window. By default, NAT traversal is Not Allowed.

You use the group-level NAT traversal setting to configure the NAT traversal mode at the group level. Selecting Auto-Detect NAT allows the client and VPN Router to UDP encapsulate ESP data whenever NAT is detected. Selecting Auto-Detect IPsec NAT also allows the client and VPN Router to UDP encapsulate ESP data, but only if the NAT detected is non-IPsec aware (when the NAT box does not allow for IPsec pass-through). Therefore, even if NAT is detected between the client and the VPN Router, UDP encapsulation of ESP data does not occur when that NAT is IPsec aware.

Because there are a variety of NAT devices and varying IPsec pass-through implementations, not all environments function properly using the Auto-Detect IPsec NAT mode. Nortel only recommends the Auto-Detect IPsec NAT setting for environments with well-known NAT devices. In environments with unknown NAT devices, Nortel recommends that you use the Auto-Detect NAT setting.

NAT and VoIP

When traffic traverses between private and public networks, NAT translates IP addresses and port numbers in private address ranges into public addresses. Private addresses are typically assigned to the IP endpoints in a VoIP network (IP Phones, Soft Clients) to hide the IP identity from the public network. Voice calls from and to the public network must reach endpoints in the private network and, as a result, proper routing of media to endpoints with private addresses requires network address translation.

VoIP protocols introduce a number of complexities for NAT, since they carry IP address and port information within the body of the message that is not accessible to NAT. NAT cannot conduct translation on private IP addresses within the payload of application layer messages. Therefore, the voice media, which gets directed to the private IP address identified in the signaling message, is not routed to the private address, resulting in a one way speech path.

The challenges for VoIP traversal in NAT occur for the following reasons:
• NATs only look at Layer 3 addressing
• VoIP signaling protocols embed IP addresses at Layer 5
• RTP and RTCP work at Layer 5

Two of the most common solutions that have been proposed to fix the NAT traversal issue are:
• Application Level Gateways (ALG)
• Address/port discovery

The following section focuses on the address/port discovery mechanisms for VoIP. ALGs are discussed in "NAT ALG for SIP" on page 107.

Address/Port discovery

In address/port discovery, the media end points send probe packets to a server to discover the public IP address and port to use for a specific media stream. The server echoes back to the end point its source IP address as seen after the NAT translation.

Applications use Simple Traversal of UDP through NATs (STUN), a lightweight protocol, to discover the presence and types of NATs and firewalls between the application and the public Internet. Applications also use STUN to determine the public IP addresses allocated by the NAT. Figure 30 shows how STUN works.

Figure 30 STUN

STUN inspects exploratory STUN messages that arrive at the STUN server to identify the public-side NAT details. The STUN-enabled client sends an exploratory message to the external STUN server to determine the transmit and receive ports to use. The STUN server examines the incoming message and informs the client which public IP address and ports the NAT used. These are then used in the call establishment messages sent to the SIP server. Note that the STUN server does not sit in the signaling or media data flows.

For the discovered IP address and port to be valid, it is imperative that NAT use the same IP address and port binding, regardless of where the packet is going. This means that Symmetric NAT does not work for peer-to-peer media with address/port discovery. STUN requires any Cone NAT implementation. Restricted Cone NAT makes the VPN Router more secure.

Network address port translation (NAPT)

Network address port translation (NAPT) is a dynamic NAT where many internal IP addresses hide behind a single external IP address, distinguished only by their dynamic port assignment. The Symmetric NAT maps an IP address and port to a unique IP address and port for each session initiated from a private client. With Cone NAT, this mapping changes so that each internal IP address and port is map
ped to the same external IP address and port, irrespective of the destination and the session. Figure 31 shows the flow of a Restricted Cone NAT.

Figure 31 Restricted Cone NAT — NAPT

Configuring Cone NAT

You can enable or disable Cone NAT with the graphical user interface (GUI) or the Command Line Interface (CLI). To learn more about the CLI, see Nortel VPN Router Using the Command Line Interface.

To configure Cone NAT:
1 Select Services > Firewall/NAT. The Firewall/NAT window appears (Figure 32).

Figure 32 Firewall/NAT window

2 Click Edit in the VPN Router Firewall row. The Firewall/NAT > Edit window appears. Figure 33 shows the Firewall/NAT > Edit window where you select Cone NAT.
3 Under NAT Mode, select Cone NAT.

Figure 33 Firewall/NAT Edit window

4 Click OK. The Firewall/NAT window reappears with Cone NAT applied.

Note: Changing the NAT mode clears the NAT flow cache. Clearing the NAT flow cache results in a disruption of all active NAT sessions. You can use the flow cache clear capability to have NAT changes take effect on existing sessions.

NAT Usage

NAT is applied to routed traffic passing through its physical interfaces (interface NAT) and branch office interfaces (branch office NAT) using separate NAT policies. Each branch office has one NAT policy, and there is one global NAT policy applied to non-tunneled traffic.

Note: If you make any changes to a branch office parameter, you must disable and then reenable the branch office for the changes to take effect.

Branch office tunnel NAT

In branch offices, you can have two or more branches that use the same private addressing scheme. Nonetheless, the branch offices must still communicate with one another. To allow a client to access a server on the other LAN, you can implement NAT on both sides of the branch office connection.

Figure 34 shows a simple branch office connection with two LANs, and a branch office tunnel across the internet. A typical scenario can include a client on LAN 1 who tries to access the FTP server on LAN 2, and who sends a packet with a source address of 10.0.0.13 and a destination address of 10.0.0.14. Without NAT, the VPN Router looks at the destination address and assumes that the destination is on the same LAN as the source device because the addresses are both on the 10.0.0.0 network, and no tunnel connection is brought up. This is a common issue for branch office tunnels where the address space overlaps for each end. Because you cannot use an Interior Gateway Protocol (IGP) to dynamically learn routes at the remote end of the tunnel to allow the client to access the server on the other LAN, you implement NAT on both sides of the branch office connection.

In this example, VPN Router1 uses a translation of 10.0.0.13 (client) to 11.0.0.1, and VPN Router2 uses a static translation of 10.0.0.14 (server) to 12.0.0.1. VPN Router1 defines a remote accessible network of 12.0.0.0, and VPN Router2 defines a remote accessible network of 11.0.0.0. A pooled NAT rule is applied to VPN Router1, which connects the local network to the remote network through its branch office tunnel. VPN Router2 must define 11.0.0.0 as the remote accessible network.

A packet generated from the client has a source address of 10.0.0.13 and a destination address of 12.0.0.1. VPN Router1 recognizes that 12.0.0.0 is the remote LAN for the branch office connection. VPN Router1 translates the source address of the packet to 11.0.0.1 based on the NAT table. VPN Router2 looks at the destination address of the incoming packet and translates it to 10.0.0.14, but the source address remains 11.0.0.1. As a result, with NAT implemented on both sides of the branch office connection, the client can access the FTP server.
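The walk of the client's packet and the server's reply through the two NAT policies of Figure 34, modelled in Python as an added example; this is not the VPN Router's code. The addresses and the pooled/static rules are the ones in the text; the rule classes, the pool size and the first-octet test for the remote accessible network (the text gives class A networks without masks) are constructed simplifications.

```python
"""Added example (not the Nortel VPN Router's code): a walk of the packet in
Figure 34 through the NAT policies at both ends of the branch office tunnel.
Addresses are the manual's; the rule classes and pool size are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, str]   # (source ip, destination ip)


@dataclass
class BranchOfficeNat:
    """One end of the branch office tunnel: its NAT policy plus the
    remote accessible network that decides what goes into the tunnel."""
    name: str
    remote_network: str                                    # e.g. "12.0.0.0"
    static: Dict[str, str] = field(default_factory=dict)   # private -> public
    pool: List[str] = field(default_factory=list)          # free public addresses
    pooled: Dict[str, str] = field(default_factory=dict)   # private -> public assigned

    @staticmethod
    def _same_class_a(ip: str, network: str) -> bool:
        # simplification: the text uses class A networks, so compare the first octet
        return ip.split(".")[0] == network.split(".")[0]

    def _translate_source(self, src: str) -> str:
        if src in self.static:
            return self.static[src]
        if src in self.pooled:                      # existing pooled binding
            return self.pooled[src]
        if self.pool:                               # next available address
            self.pooled[src] = self.pool.pop(0)
            return self.pooled[src]
        return src                                  # no rule applies: unchanged

    def to_tunnel(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the local LAN. Returns the packet as sent into the
        tunnel, or None if the destination looks local and no tunnel is used."""
        src, dst = pkt
        if not self._same_class_a(dst, self.remote_network):
            return None
        return (self._translate_source(src), dst)

    def from_tunnel(self, pkt: Packet) -> Packet:
        """Packet arriving from the tunnel: reverse the destination translation
        (static or pooled); the source address is left as it arrived."""
        src, dst = pkt
        for private, public in list(self.static.items()) + list(self.pooled.items()):
            if public == dst:
                return (src, private)
        return pkt


def walk() -> dict:
    """The Figure 34 scenario: client 10.0.0.13 on LAN 1, FTP server 10.0.0.14 on LAN 2."""
    r1 = BranchOfficeNat("VPN Router1", remote_network="12.0.0.0",
                         pool=["11.0.0.1", "11.0.0.2"])       # pooled rule
    r2 = BranchOfficeNat("VPN Router2", remote_network="11.0.0.0",
                         static={"10.0.0.14": "12.0.0.1"})    # static rule
    no_nat = r1.to_tunnel(("10.0.0.13", "10.0.0.14"))   # overlapping addresses
    out = r1.to_tunnel(("10.0.0.13", "12.0.0.1"))        # client -> server
    at_server = r2.from_tunnel(out)
    reply = r2.to_tunnel((at_server[1], at_server[0]))   # server -> client
    at_client = r1.from_tunnel(reply)
    return {"no_nat": no_nat, "out": out, "at_server": at_server,
            "reply": reply, "at_client": at_client}
```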

Figure 34 Overlapping address translation

Interface NAT

When Interface NAT is applied to IP packets going out from or coming into the VPN Router through its physical interfaces, either the source or destination IP address is translated to another IP address, depending upon the NAT policy. Figure 35 shows an example of interface NAT.

Note: The difference between interface and branch office NAT is when and where the NAT policy is applied.

Figure 35 Interface NAT

NAT is applied to interface NAT using the Services > Firewall/NAT window. If you disable interface NAT, it does not impact branch office NAT. Branch office NAT only applies to specific branch office tunnel traffic.

Note: Interface NAT applies only to clear text traffic (non-tunneled, routed through the VPN Router).

Interface NAT rules can be one of the following types:
• Static—for static mapping, an internal address range is mapped one to one to an external range.
• Pooled—for pooled mapping, an internal address is dynamically mapped to the next available address from the external address range.
• Port—for port mapping, the range of internal addresses is hidden behind a single external address. These external addresses are distinguished by using dynamically assigned port numbers.
• Port Forwarding—for port forwarding mapping, external packets are routed on a specified port to one of the internal systems.

Dynamic routing protocols

You can advertise NAT routes on all interfaces. Whenever you apply a NAT policy to interface or branch office tunnels, the routes to the translated IP addresses are added to the routing table. Destination NAT adds the original destination address and source NAT adds the translated source address. When NAT is disabled, the routes to the translated IP addresses are deleted. You can enable NAT on a branch office with dynamic routing.

In Figure 36, the VPN Router has a NAT rule to convert IP addresses in the range of 10.1.1.1 - 10.1.1.10 to 192.168.1.1 - 192.168.1.10.

Figure 36 NAT with dynamic routing example

By default, RIP and OSPF protocols distribute NAT routes. However, you can disable the redistribution for a particular protocol on the Routing > Policy > Redistribution Table window. You use the routing policy list to restrict the route redistribution to only specific interfaces. When NAT is configured for a branch office, you do not want it to announce the route to the original IP addresses. You can have a routing policy to block the route advertisement to the original IP addresses. Therefore, if you apply NAT to part of a subnet, there is no route advertisement to the entire subnet, but the router cannot announce a part of a subnet.

You can add the translated address range to the routing table as a single subnet. However, if you choose a non-subnet IP address range, you can add those addresses as individual host entries or as a group of smaller subnets (summarization). You can either enable or disable the summarization option. By default it is enabled. Summarization reduces the number of NAT route entries in the RTM and thereby the number of entries redistributed.

If both NAT and dynamic routing are configured, do not enable a branch office when there is no routing policy associated with the corresponding branch office interface. You must create a routing policy on the Routing > Policy window.

NAT uses a port mapping table to track the ports for each client’s outgoing packets. The port mapping table relates the client’s actual local IP address, source port, and translated source port number to a destination address and port. NAT can then reverse the process for returning packets and route them back to the correct clients. This applies to TCP and UDP traffic only.

Configuring NAT policy
A NAT policy consists of service properties and a security policy. Service properties define the service offered and include a service name, the protocol (TCP, UDP, ICMP), and the port number (or range) on which the service occurs. You use service objects to specify all rule fields for service policies.

Note: Read-only NAT policies created prior to Version 4.80 work according to the previous translation until you apply a modified copy to the interface. If you reapply the read-only NAT policy after the copy, then the read-only policy translates according to the new rules.

Security policies consist of a set of rules that specify what service is allowed or denied. Each rule consists of a combination of network objects, services, actions, and logging mechanisms. You can define custom policies when you need more complex security policies and the standard policies are not sufficient.
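The port mapping table described above, as an added Python model (example code written for this page, not Nortel VPN Router code). The public address, client addresses and the deliberately tiny port range are constructed; the idle time-outs are the per-protocol values listed under Time-outs later in this chapter, and the failure counter mirrors the Port Translations failed statistic. The reverse lookup keys on the remote endpoint as well as the translated port, as the Internal/External/Remote columns of the NAT table do, so a reply from a different host is not forwarded to the client.

```python
from dataclasses import dataclass

# Idle time-outs in seconds, taken from the Time-outs section of this chapter.
TIMEOUTS = {"tcp": 120 * 60, "udp": 3 * 60, "icmp": 3 * 60}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class Binding:
    client: Endpoint        # actual local address and source port
    translated_port: int    # source port as seen on the public side
    dest: Endpoint          # destination address and port of the flow
    proto: str
    last_seen: float


class PortMappingTable:
    """Port-mapping (PAT) table: one public address shared by many clients."""

    def __init__(self, public_ip, port_range=(50000, 50003)):
        self.public_ip = public_ip
        self.free_ports = list(range(port_range[0], port_range[1] + 1))
        self.outbound = {}   # (proto, client, dest) -> Binding
        self.inbound = {}    # (proto, translated_port, dest) -> Binding
        self.port_translations_failed = 0   # the "Port Translations failed" counter

    def translate_outbound(self, proto, client, dest, now):
        """Translate a packet leaving the private side; None means NAT dropped it."""
        key = (proto, client, dest)
        binding = self.outbound.get(key)
        if binding is None:
            if not self.free_ports:
                self.port_translations_failed += 1
                return None
            port = self.free_ports.pop(0)
            binding = Binding(client, port, dest, proto, now)
            self.outbound[key] = binding
            self.inbound[(proto, port, dest)] = binding
        binding.last_seen = now
        return Endpoint(self.public_ip, binding.translated_port), dest

    def translate_inbound(self, proto, src, dst_port, now):
        """Reverse the mapping for a returning packet sent to public_ip:dst_port."""
        binding = self.inbound.get((proto, dst_port, src))
        if binding is None:
            return None          # no binding: unsolicited traffic is not forwarded
        binding.last_seen = now
        return binding.client

    def expire(self, now):
        """Age out idle bindings so the port pool is not exhausted; returns how many."""
        stale = [b for b in self.outbound.values()
                 if now - b.last_seen > TIMEOUTS[b.proto]]
        for b in stale:
            del self.outbound[(b.proto, b.client, b.dest)]
            del self.inbound[(b.proto, b.translated_port, b.dest)]
            self.free_ports.append(b.translated_port)
        return len(stale)
```

Running a flow through the table shows why the time-outs matter: once the two ports are taken, a third client's UDP flow is dropped and counted, and only after the TCP bindings age out (120 minutes idle) does the pool free up again.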

NAT policy sets
The VPN Router maintains one set (source and destination address pair) of active global NAT policies for all non-tunneled traffic and a configurable NAT policy set for each branch office tunnel definition. To view active NAT policies for interfaces and branch offices, go to the Status > Statistics window. When you change the policy, it is stored on the local disk as a cached policy and in the LDAP database. At system startup, NAT obtains a cached policy (if one exists) while the system is initializing. If there is no cached policy, it takes the default NAT policy, which is no NAT translation. Once the system initialization is complete, the NAT policy is retrieved from the LDAP database and becomes the active policy. NAT uses the active policy for new sessions. For the existing sessions, it uses the original policy.

The default NAT policy for the VPN Router 1010, 1050, and 1100 port maps its private address space to the public IP address.

Creating rules
Menus control actions on rules. You access menus by right-clicking an option. These menus are similar to a list box. When you click one of the items, either the operation is performed immediately (such as Copy) or an additional dialog box appears, prompting you for more information (such as Add). Each of the following menus controls a different aspect of the rule:
• Header row menus—contain only Add New Rule, which you use to add a new rule to the top of the list. The new rule appears in position one and all existing rules increment by one.
• Row menus—use this menu to add a new rule at a particular location, delete the specific rule, and perform cut, copy, or paste operations on a rule.
• Cell menus—are cell-specific and contain cell option menus and procedure menus.
— Option menus provide a list of possible values for the cell. When you click one of the items, the selection is displayed in the cell.
— Procedure menus provide a list of operations that you can perform on the cell, such as Add and Edit.

For rule columns, each rule within a NAT policy has the same attributes, which are specified by the following column headers:
• # specifies the ordering of the rules within the section. The order applies only to the section in which the rule appears and does not have meaning across the entire policy. Right-click on the cell to display the standard procedure menu (Add or Edit).
• Source and Destination specify the source and destination network object for the rule. To modify these attributes, right-click on a column in the cell, which brings up a procedure menu. You can add more than one source or destination address to a rule. Click Add to display the Network Object Selection dialog box. In this dialog box you define and apply a new network object. You can create the following network objects: host, network, IP range, and group (a collection of these objects). Italicized objects in the list are read-only. You cannot modify them. Use the New, Edit, and Delete options to create, edit, and delete network objects. Click Edit to display the Network Object Edit window. Use this window to modify the attributes for the selected network object. Click Delete to remove the selected network object. If the object that you want to delete is the last object, the cell returns to its default value (in this case, Any).
Note: You use the NOT operand to specify which networks you do not want to use NAT.
• Service specifies which service objects are handled by the selected rule. Click Add to access the Service Object Selection dialog box, where you define and apply a new service object. You can create the following service objects: TCP, UDP, ICMP, IP protocol, and object groups (a collection of these objects). Italicized objects in the list are read-only. You cannot modify them. Use the New, Edit, and Delete options in this window to create, edit, and delete service objects. Click Edit to display the Service Object Edit window. Use this window to modify the attributes for the selected service object. Click Delete to remove the selected service object from the cell. If the object you want to delete is the last object in the cell, it returns to the default value.


Click Copy, Cut, or Paste to perform those operations on the current service object.
• NAT Action specifies the action that occurs when the rule is activated. Right-clicking the cell displays an option list containing the following items: None, Static, Pooled, Port Mapping, and Port Forwarding. Click one of these items to set the cell to the selected state.
• Translated Source—specifies the source IP address of the first packet (static, pooled, port). To modify this attribute, right-click a column in the cell. You can add more than one source address to a rule. You can create the following network objects: host, network, IP range, and group (a collection of these objects).
• Translated Destination—specifies the destination IP address of the first packet of a port forwarding application session. To modify this attribute, right-click a column in the cell, which brings up a procedure menu. You can add more than one destination address to a rule.
• Status—specifies the status of the particular rule. The status can be either Enabled or Disabled.
• Remark—allows you to attach a remark to a particular rule. When you right-click Remark and choose Add or Edit remark, a dialog box appears where you can type a comment.

Creating a new policy
To configure NAT policies:
1 Select Services > Firewall/NAT.
2 Enable Interface NAT.
3 Select a NAT Policy from the list.
4 Click Manage Policies. The NAT > Select Policy window appears. Use this window to create, edit, delete, copy, or rename a NAT policy. Bold denotes the policy that is currently applied to the VPN Router and italics denotes read-only policies.


The System Default policy is always listed. This read-only policy defines the NAT behavior when no user-defined policies are applied or when the selected policy is not available.
Note: The exception to this rule is the VPN Router 1010, 1050, and 1100, where the default NAT policy is to NAT everything to the public interface IP (Interface NAT). These VPN Router systems are generally used in a small office environment where you want to NAT everything on the private side to the single global IP address assigned by the ISP.
5 Click New to create a new policy. The New Policy dialog box appears.
6 Enter the policy name and click OK. The name must begin with a letter and cannot contain the : + = ] , ; " characters. The NAT > Edit Policy: <policyname> window appears with no rules defined. In this window, you can add, delete, and modify the rules for the policy.
7 Select the rule group as follows:
• Implied rules (view only)
• Override rules
• Interface-specific rules
• Default rules
8 Select either Source Interface Rules or Destination Interface Rules.
9 Right-click the appropriate cell to add a new rule.

10 Repeat these steps to add more rules.
11 Select Policy and click Save Policy to save your changes.
12 When the policies are saved, go to the Manage menu and click Close Manager.

Adding a policy
To add a new policy:
1 Click New. The New Policy dialog box appears and prompts you for a name for the new policy.
2 Enter the policy name. The name must begin with a letter and cannot contain the : + = ] , ; " characters.
3 Click OK to go to the Policy Edit window, which has a blank NAT policy, or click Cancel to return to the Policy Selection window.

Deleting an existing policy
You cannot delete a read-only policy or the policy that is currently applied to the VPN Router. If you select one of these policies, the Delete option is disabled. To delete an existing policy:
1 Select the policy that you want to delete and click Delete. The delete policy confirmation dialog box appears.
2 Click OK to delete the selected policy.

Copying an existing policy
To copy a NAT policy:
1 Select the policy that you want to copy.
2 Click Copy. The copy dialog box appears.
3 Enter a name for the copied policy.
4 Click OK.

The new policy appears in the list of policies in the NAT policies window. This policy contains the same rules as the policy from which it was copied.


Renaming an existing policy
You cannot rename a read-only policy or the policy that is applied to the VPN Router. If you select a read-only policy, the Rename option is disabled. To rename an existing policy:
1 Select the policy that you want to rename.
2 Click Rename. The Rename dialog box appears.
3 Enter the new name of the policy.
4 Click OK.

Sample NAT procedures
The following sections describe the steps for sample NAT procedures. For the following configuration on the VPN Router, create the NAT policy:
STATIC: 10.0.1.0 - 10.0.1.255 -> 30.0.0.0 - 30.0.0.255
Go to Routing > Access List and create an access list acc1 to permit 30.0.0.0/24 and deny 10.0.1.0/24. Create another access list acc2 to permit 10.0.0.0/16 and deny 30.0.0.0/24.
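What the static rule above injects into the routing table, and what acc1 and acc2 let each interface announce, as an added Python walk-through (example code written for this page, not Nortel software; the access-list matching and the non-subnet sample range 10.0.1.10 to 10.0.1.80 are constructed to show the summarization option described earlier in this chapter). The public-side policy list ends up announcing only 30.0.0.0/24 and the private-side list only the original 10.0.1.0/24 route, which is the separation the procedure is after.

```python
import ipaddress


def nat_routes(first, last, summarize=True):
    """Routes NAT adds for a translated address range.

    With summarization on, a non-subnet range becomes the smallest set of
    covering prefixes; with it off, every address becomes a host entry.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if summarize:
        return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    return [f"{ipaddress.ip_address(i)}/32" for i in range(int(lo), int(hi) + 1)]


def build_access_list(entries):
    """entries: (action, prefix) pairs evaluated in order; implicit deny at the end."""
    return [(action, ipaddress.ip_network(prefix)) for action, prefix in entries]


def announce(routes, access_list):
    """Routes an Announce policy list with this access list lets through.

    A route matches the first entry whose prefix contains it; an unmatched
    route is dropped (the implicit deny).
    """
    allowed = []
    for route in routes:
        net = ipaddress.ip_network(route)
        for action, prefix in access_list:
            if net.subnet_of(prefix):
                if action == "permit":
                    allowed.append(route)
                break
    return allowed


# The sample access lists from the procedure above.
ACC1 = build_access_list([("permit", "30.0.0.0/24"), ("deny", "10.0.1.0/24")])
ACC2 = build_access_list([("permit", "10.0.0.0/16"), ("deny", "30.0.0.0/24")])


def sample_announcements():
    """Translated range 30.0.0.0-30.0.0.255 plus the original 10.0.1.0/24 route."""
    routes = nat_routes("30.0.0.0", "30.0.0.255") + ["10.0.1.0/24"]
    return announce(routes, ACC1), announce(routes, ACC2)
```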

Interface NAT with RIP
This sample shows interface NAT with RIP:
1 On the VPN Router, enable Interface NAT and attach the above NAT policy to Interface NAT.
2 Select Routing > RIP and enable RIP.
3 Select Routing > Policy and verify the redistribution table for the RIP protocol to redistribute NAT routes.


4 Create a policy list of type Announce on Interface 20.0.9.100 for protocol RIP with the acc1 access list.
5 Create another policy list of type Announce on Interface 10.0.9.100 for protocol RIP with the acc2 access list.
6 Send a ping request from 10.0.1.1 to 20.0.1.1. Ping gets the reply back.

Interface NAT with OSPF
This sample shows interface NAT with OSPF:
1 On the VPN Router, enable Interface NAT and attach the above NAT policy to Interface NAT.
2 Select Routing > OSPF and enable OSPF.
3 Select Routing > Policy and verify the redistribution table for the OSPF protocol to redistribute NAT routes.
4 Create a policy list of type Announce on Interface 20.0.9.100 for protocol OSPF with an acc1 access list.
5 Create another policy list of type Announce on Interface 10.0.9.100 for protocol OSPF with an acc2 access list.
6 Send a ping request from 10.0.1.1 to 20.0.1.1. Ping gets the reply back.

Branch Office NAT with RIP
This sample shows NAT on a branch office with dynamic routing enabled.
1 On the VPN Router, select Profiles > Branch Office and create a branch office with a local end point as 20.0.9.100 and remote end point as 20.0.9.1.
2 Enable dynamic routing for that branch office and enable RIP.
3 Enable NAT and create the above NAT policy.
4 Select Routing > RIP and enable RIP.
5 Select Routing > Policy and verify the redistribution table for the RIP protocol to redistribute NAT routes.
6 Create a policy list of type Announce on the Branch Office interface for protocol RIP with an acc1 access list.


7 Create another policy list of type Announce on Interface 10.0.9.100 for protocol RIP with an acc2 access list.
8 To configure Router-2 (VPN Router), select Profiles > Branch Office and create a branch office with a local end point as 20.0.9.1 and remote end point as 20.0.9.100.
9 Enable Dynamic Routing for that branch office and enable RIP.
10 Select Routing > RIP and enable RIP.
11 Send a ping request from 10.0.1.1 to 20.0.1.1. Ping gets the reply back.

Branch Office NAT with OSPF
This sample shows NAT on a branch office with dynamic routing enabled.
1 On VPN Router-1, select Profiles > Branch Office and create a branch office with a local end point as 20.0.9.100 and remote end point as 20.0.9.1.
2 Enable Dynamic Routing for that branch office and enable OSPF.
3 Enable NAT and create the above NAT policy.
4 Select Routing > OSPF and enable OSPF.
5 Select Routing > Policy and verify the redistribution table for the OSPF protocol to redistribute NAT routes.
6 Create a policy list of type Announce on the Branch Office interface for protocol OSPF with an acc1 access list.
7 Create another policy list of type Announce on Interface 10.0.9.100 for protocol OSPF with an acc2 access list.
8 To configure Router-2 (VPN Router), select Profiles > Branch Office and create a branch office with a local end point as 20.0.9.1 and remote end point as 20.0.9.100.
9 Enable Dynamic Routing for that branch office and enable OSPF.
10 Select Routing > OSPF and enable OSPF.
11 Send a ping request from 10.0.1.1 to 20.0.1.1. Ping gets the reply back.

Sample branch office NAT configuration
This configuration example (Figure 37) adds a NAT static rule with a single host as the source. You use this window to create network objects. Once created, you can apply a network object to any Address column of the rule.
Figure 37 NAT configuration example
1 Using a browser with a valid JRE (1.4.2_04), log in to the VPN Router.
2 Select Services > Firewall/NAT and click Manage Policies.
3 Click New, enter the policy name, and click OK.
4 Right-click # and click Add New Rule.
5 Right-click Orig Src, select Host, and click OK. The Network Object Selection window appears.
6 Click New.
7 In the Host Object Insert window, enter the host name and IP address for the original host (Sqa64). Click OK twice to return to the NAT Translate Action window.
8 Right-click Trans Src, select Host, and click OK.
9 Click New.
10 In the Host Object Insert window, enter information for the translated host: Host Name = Sqa64Trans, IP Address 30.64.…. Click OK twice to return to the NAT Translate Action window.
11 Click Policy > Save policy. A popup advising you to “Please wait …” must appear to show that the policy was saved.
12 Select Profiles > Branch Office, select a working branch office tunnel, and click Configure.
13 From the NAT menu, select the policy you added and click OK.

14 From SQA64, use ping, Telnet, or another application to pass traffic over the tunnel.

Configuring NAT with the VPN Router Stateful Firewall
To use NAT on the VPN Router with the VPN Router Stateful Firewall, where the NAT address is within the same subnet as the public interface:
Note: The VPN Router Stateful Firewall must have an Allow All policy set.
1 Select Profiles > NAT.
2 To create a NAT policy, enter static in the name field and click create.
3 To add a NAT rule, click Add.
a Leave the Translation type set to static.
b Add the internal VPN Router address (for example, 10.4.4.204) as the start and the end internal address.
c Add the external address (for example, 192.168.4.204) as the starting external address.
4 Select System > Forwarding and enable Proxy ARP for Physical Interfaces and click OK.
5 Enable Interface NAT and select the NAT rule created in Steps 1 and 2.

NAT ALG for SIP
Traditional NATs do not translate Layer 5 addresses. Therefore, the VoIP signaling and Real Time Transport Protocol/Real Time Transport Control Protocol (RTP/RTCP) become unreachable after NAT translation (one-way signaling and audio) due to the embedded IP address and port specified within the IP payload. Figure 38 illustrates the problem caused by NAT for Session Initiation Protocol (SIP) signaling.

Figure 38 NAT and SIP
In Figure 38:
1 User A sends an invite to User B. The NAT translates the Layer 3 address, but not the Layer 5 (SIP/Session Description Protocol [SDP]) addresses.
2 User B receives the invite and responds back to the NAT address. The signaling gets completed (for example, 200 OK).
3 User A sends RTP to User B’s SDP c= / m= address: port.
4 User B tries to send RTP to User A’s c= / m= address: port, but this fails since it cannot route to User A (the SDP address and port did not receive the NAT), resulting in One-Way Audio.
5 If User A hangs up (because of One-Way Audio), the BYE is sent to User B correctly.
6 If User B hangs up, the BYE does not get to User A because the header address did not receive the NAT.
7 This leaves the state of User A for that session up until User A hangs up.
Two of the solutions that correct the NAT traversal issue are:
• Application level gateways (ALG)
• Address/port discovery
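The Layer 5 addresses that plain NAT leaves untouched in steps 1 and 4 above, and what an ALG has to rewrite to avoid them, as an added Python illustration (example code written for this page, not Nortel ALG code). The INVITE, the private address 10.0.0.5, the NAT public address 203.0.113.1 and the sequential port allocation are all constructed stand-ins. Before the rewrite the c= line and the Via/Contact headers still carry 10.0.0.5, which is exactly why User B's RTP and BYE cannot reach User A; after it they carry the NAT's public address and ports, and the RTP/RTCP ports the firewall must open are recorded as pinholes.

```python
import re

PRIVATE_IP = "10.0.0.5"      # User A's private address (constructed)
PUBLIC_IP = "203.0.113.1"    # NAT public address (constructed)

# Constructed INVITE with SDP; Content-Length matches the body exactly.
INVITE = (
    "INVITE sip:b@203.0.113.50 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:a@example.com>;tag=1\r\n"
    "To: <sip:b@203.0.113.50>\r\n"
    "Contact: <sip:a@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 73\r\n"
    "\r\n"
    "v=0\r\n"
    "o=a 1 1 IN IP4 10.0.0.5\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 5200 RTP/AVP 0\r\n"
)


class SipAlg:
    """Translates the SIP header and SDP addresses that Layer 3 NAT leaves alone."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}     # (private_ip, private_port) -> public port
        self.pinholes = set()  # (proto, public_ip, port) the firewall opens for media

    def bind(self, ip, port):
        # Stand-in for the NAT port map: one public port per private ip:port.
        key = (ip, int(port))
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return self.bindings[key]

    def rewrite(self, message, private_ip):
        head, sep, body = message.partition("\r\n\r\n")
        ip = re.escape(private_ip)

        def signalling(m):
            return f"{m.group(1)}{self.public_ip}:{self.bind(private_ip, m.group(2))}"

        # Via and Contact carry the signalling address; responses and BYE follow them.
        head = re.sub(rf"(Via: SIP/2\.0/UDP ){ip}:(\d+)", signalling, head)
        head = re.sub(rf"(sip:[^@>]*@){ip}:(\d+)", signalling, head)

        def media(m):
            # m= carries the RTP port; RTCP conventionally uses RTP port + 1.
            rtp = self.bind(private_ip, m.group(3))
            rtcp = self.bind(private_ip, int(m.group(3)) + 1)
            self.pinholes.update({("udp", self.public_ip, rtp),
                                  ("udp", self.public_ip, rtcp)})
            return f"{m.group(1)}{rtp}"

        # o= and c= both carry the media IP address.
        body = body.replace(f"IN IP4 {private_ip}", f"IN IP4 {self.public_ip}")
        body = re.sub(r"^(m=(\w+) )(\d+)", media, body, flags=re.MULTILINE)

        # The body grew, so Content-Length must be recomputed or the far end misparses.
        head = re.sub(r"(Content-Length: )\d+",
                      lambda m: f"{m.group(1)}{len(body.encode())}", head)
        return head + sep + body


def translate_invite():
    """Run the constructed INVITE through the ALG; returns (alg, rewritten message)."""
    alg = SipAlg(PUBLIC_IP)
    return alg, alg.rewrite(INVITE, PRIVATE_IP)
```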

For more information on the address/port discovery method, see “Address/Port discovery” on page 88.

Application level gateways (ALG)
NAT ALG translates any embedded IP addresses and port numbers contained in an application’s protocol messages, preventing inconsistencies within the packet. For application traffic flows that embed an IP address in the data portion (such as FTP or NetBIOS), you must have an ALG. NAT ALG supports FTP, NetBIOS, ICMP, IPsec (ESP only), Berkeley R commands, and SNMP. SNMP ALG support allows you to use SNMP traps with NAT. The data within the SNMP traps is translated. The SNMP ALG is applied to SNMP traps originating from the VPN Router only if there are NAT rules that translate traffic originating from the VPN Router. You must enable the SNMP management system to send SNMP Gets from the Admin > SNMP window.

The following section focuses on NAT ALG for SIP to support VoIP phones that use SIP as their signaling protocol. The NAT ALG provides support for SIP traffic to and from SIP phones and the SIP server (MCS 5100), because i2004 phones are UNIStim devices.

Configuring NAT ALG for SIP
You can enable or disable NAT ALG for SIP with either the GUI or the CLI. For more information about the CLI commands, see Nortel VPN Router Using the Command Line Interface. To configure NAT ALG for SIP:
1 From the Services > Firewall/NAT window, click Edit in the VPN Router Firewall row. The Firewall/NAT > Edit window appears.
2 Under NAT Application Level Gateway, click SIP.
3 Click OK.

The Firewall/NAT window reappears with the new configuration applied. Figure 39 shows the interface where you enable SIP for NAT ALG.
Figure 39 SIP enabled
Note: If Firewall is enabled in the Logging section, by default, the user receives a log with Firewall events in it.

Firewall SIP ALG
Firewalls, by default, operate with layer 3 or layer 4 information and cannot access information in higher layer protocols. They do not have the intelligence to identify port numbers within the payload of signaling protocols and cannot dynamically open ports for media traversal, resulting in blocking of voice traffic. The development of ALGs for the VoIP signaling protocols solves this issue. The SIP ALG performs the necessary translation of the IP addresses embedded in the SIP messages and updates the SDP information. The Firewall ALG examines the SDP information, identifies the RTP port number for the call, and opens the port in the firewall during call setup. The ALG then performs the address/port mapping and state setup to ensure that the data channels are mapped according to the information in the SDP. The Firewall ALG also raises a flag to tell NAT to perform an application level translation. The ALG closes the port after call termination. This provides a mechanism to dynamically open and close ports in the firewall and increases network security by restricting the voice traffic to active sessions only.

Configuring Firewall Virtual ALG
A Firewall Virtual ALG is a syntax-independent application level gateway (ALG) for firewall traversal that works for both encrypted and nonencrypted UNIStim signaling, which is a Voice over Internet Protocol (VoIP) protocol. A Firewall Virtual ALG works only with UNIStim signaling. The entity controlling the phone in Succession 1000 Call Servers is also referred to as Terminal Proxy Server (TPS). With TPS, UNIStim phones on the private side can make calls to phones on the public side without explicitly opening up holes in the firewall.

Firewall Virtual ALG is based on a trust model that assumes that the phone authenticates itself with the call server, and that continuous detection of signaling traffic between the phone and the call server allows media to or from the phone to traverse the firewall. Continuous communication implies that the call server trusts the endpoint and that the call server would not communicate constantly with the endpoint device if the endpoint device was not authorized to send media through the firewall. The controlling entity does not acknowledge any requests from unauthorized devices.

To enforce a more stringent and secure protocol, the Firewall Virtual ALG waits until it receives an RTP/RTCP packet from the phone on the private side to open a pinhole in the firewall. The advantage of this late pinhole creation is that the ALG has the exact 5-tuple for which it needs to open a pinhole. The Firewall Virtual ALG creates the pinhole only for outbound traffic, and creates a reverse path in response to the outbound pinhole. The system drops all packets from the outside phone until the internal phone sending packets to the external phone creates the pinhole, thus preventing any unauthorized access from the outside.

Because the Firewall Virtual ALG cannot interpret and inspect the UNIStim protocol, it closes the pinholes only after the default timeout period of the underlying transport protocol.

To enable or disable the Firewall Virtual ALG:
1 Select Services > Firewall/NAT.
2 Click Edit for the Firewall/NAT type you want to edit. The Services > Firewall/NAT > Edit window appears.
3 Click Enable or Disable. The default is disabled. Figure 40 shows the Virtual ALG disabled.
Figure 40 Enabling or disabling Firewall Virtual ALG

To configure the Firewall Virtual ALG:
1 Select Services > Firewall > Edit. The Services > Firewall > Edit window appears.
2 In the FW Application Level Gateway section, click Configure. The Virtual ALG window appears (Figure 41).

Figure 41 Virtual ALG
The port number in the Signaling Port and the Media Port dialog boxes is dependent on the configuration of the server.
3 To add a server, click Add. The Virtual ALG > Add window appears (Figure 42).
Figure 42 Adding a server to the Virtual ALG
a Enter the name of the server.
b Enter the IP address.
c Enter the port number.
d Select either TCP or UDP as the Protocol.
e Click Apply.
4 To edit a call server, click Edit.
5 To delete a call server, click Delete.

To enable the Virtual ALG with the CLI, enter the following command:
CES(config)#firewall alg virtual enable
To disable the Virtual ALG, enter the following command:
CES(config)#no firewall alg virtual enable
To configure the Virtual ALG Server, enter the following command:
CES(config)#$firewall alg virtual server <servername> ip <ipaddress> port <portnumber> proto <tcp/udp>
The following example shows how to configure ports:
CES(config)#firewall alg virtual port-media 5200
CES(config)#firewall alg virtual port-signaling 5000

Hairpinning
You need hairpinning when two IP phones behind the same NAT want to communicate. The SIP NAT ALG translates the IP addresses of the SIP phones from private space to public. When the call server is queried for the IP address of the person being called, it responds with the public IP address. It also supplies the called person with the public IP address of the caller. VPN Router NAT blocks packets coming from the private side of the NAT that are destined for the private side for which a NAT binding to a specific port already exists. This does not allow peer-to-peer communication between two endpoints behind the same NAT if they try to use their public address. Hairpinning corrects this problem by examining the destination address of a packet, evaluating the destination address NAT binding, and making a determination on the requirement for hairpinning. NAT hairpinning does payload translation on SIP and UNIStim messages.

Hairpinning with SIP
Hairpinning solves another special issue that is introduced when voice phones are on one side of a NAT boundary and the call server is on the other side.

Although both clients are in the same private address space, each thinks the other resides in the public address space. The media traffic between the clients needs to go to and from the public addresses, looping through the NAT device, which has no idea what these packets are for. If both IP phones are behind the same NAT, this creates problems because the media packets are sent to the NAT device. However, if the NAT device supports hairpinning, it redirects the packets to the right destination, helping generate the voice path. Figure 43 shows the hairpinning support required for VoIP media.
Figure 43 Hairpinning with SIP

Hairpinning with a UNIStim call server
When a UNIStim call server sends an Open Audio Stream (OAS) message to an IP phone, it always uses the public address as the Far End address for the other IP phone. The MCS call server sees both private side phones as having a 47.248.17.1:x IP, telling the private side caller that the called party has a 47.248.17.1:x address, and vice-versa. Figure 44 shows an intra-realm call with hairpinning.

135.152. TPS sends OAS to i2004b with the following contents: Far End Address = 47.135.15:52003 47.0.135.3:5201 47.152. both i2004a and i2004b are behind the same NAT and registered into the same CS1K TPS server.152.152.16:10001 When i2004a calls i2004b.15:52000 47.135.3:5200 192.135.2:5201 192.16:7000 47.152.0.135.0.16:7000 47.152.2:5200 192. UNIStim messages are encrypted and the ERouter NAT cannot translate UNIStim messages payload.16:10001 47.15:52000 Near End Port = 5200 TPS sends OAS to i2004a with the following contents: Far End Address = 47.152.2:5000 192.152.152.16:10000 47.0.152.135.152.135. ERouter NAT generates the following NAT table entries: Table 3 NAT entries Internal Address External Address Remote Address 192.15:52002 NN46110-601 .0.135.15:52001 47.135.135.16:10000 47.116 Chapter 4 Configuring NAT Figure 44 Intra-realm call with hairpinning In Figure 44.15:52002 47.3:5000 192.15:12345 47.15:12347 47.152.168.135.135.152.168.168.168.0.152.135. Upon successful registration of both IP phones.168.168.

Near End Port = 5200

When i2004a sends media packets to i2004b, the packet header looks like this:
Source Address = 192.168.0.2:5200, Destination = 47.135.152.15:52002
When ERouter NAT receives the media packet generated by i2004a, it first compares the destination address in the packet header against the External Address entries in its NAT table. It finds a match (47.135.152.15:52002) and translates the destination address from 47.135.152.15:52002 to 192.168.0.3:5200. The ERouter NAT further compares the source address in the packet header against the Internal Address entries in its NAT table. It finds a match (192.168.0.2:5200), translates the source address from 192.168.0.2:5200 to 47.135.152.15:52000, and forwards the translated packet to i2004b.

Similarly, when i2004b sends media packets to i2004a, the packet header looks like this:
Source = 192.168.0.3:5200, Destination = 47.135.152.15:52000
When ERouter NAT receives the media packet generated by i2004b, it first compares the destination address in the packet header against the External Address entries in its NAT table. It finds a match (47.135.152.15:52000) and translates the destination address from 47.135.152.15:52000 to 192.168.0.2:5200. The ERouter NAT further compares the source address in the packet header against the Internal Address entries in its NAT table. It finds a match (192.168.0.3:5200), translates the source address from 192.168.0.3:5200 to 47.135.152.15:52002, and forwards the translated packet to i2004a.

Note: Hairpinning support is part of the solution, and can coexist with the other portions of the solution. For example, with nonencrypted UNIStim messages, the hairpinning logic automatically turns off, and a direct media path is achieved.
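The two lookups just described, run over the Table 3 entries, as an added Python model (example code written for this page, not ERouter or VPN Router code; the packet format and the drop counter are constructed). The same function also shows the two neighbouring cases: a hairpinned packet is dropped when hairpinning is off, which is the NAT behaviour the Hairpinning section describes, while ordinary inbound and outbound packets get only the one translation they need.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # "ip:port"
    dst: str   # "ip:port"


# Table 3 entries: (Internal Address, External Address, Remote Address).
NAT_TABLE = [
    ("192.168.0.2:5000", "47.135.152.15:12345", "47.135.152.16:10000"),
    ("192.168.0.3:5000", "47.135.152.15:12347", "47.135.152.16:10000"),
    ("192.168.0.2:5200", "47.135.152.15:52000", "47.135.152.16:7000"),
    ("192.168.0.2:5201", "47.135.152.15:52001", "47.135.152.16:7000"),
    ("192.168.0.3:5200", "47.135.152.15:52002", "47.135.152.16:10001"),
    ("192.168.0.3:5201", "47.135.152.15:52003", "47.135.152.16:10001"),
]


class HairpinNat:
    """NAT that compares a packet's addresses against its External and Internal entries."""

    def __init__(self, entries, hairpinning=True):
        self.by_external = {external: internal for internal, external, _ in entries}
        self.by_internal = {internal: external for internal, external, _ in entries}
        self.hairpinning = hairpinning
        self.dropped = 0   # private-to-private packets refused without hairpinning

    def forward(self, pkt):
        """Return the packet as forwarded, or None if NAT drops it."""
        internal_dst = self.by_external.get(pkt.dst)   # destination matches an External entry?
        external_src = self.by_internal.get(pkt.src)   # source matches an Internal entry?

        if internal_dst and external_src:
            # A private phone addressing another private phone's public binding.
            if not self.hairpinning:
                self.dropped += 1
                return None
            # Hairpin: private destination, and the public address as source so the
            # receiving phone sees the Far End address its OAS message named.
            return Packet(external_src, internal_dst)
        if internal_dst:
            return Packet(pkt.src, internal_dst)      # inbound from the public side
        if external_src:
            return Packet(external_src, pkt.dst)      # outbound to a public peer
        return pkt                                    # no binding: no translation


def media_exchange(hairpinning=True):
    """Both media packets from the text, translated in each direction."""
    nat = HairpinNat(NAT_TABLE, hairpinning)
    a_to_b = nat.forward(Packet("192.168.0.2:5200", "47.135.152.15:52002"))
    b_to_a = nat.forward(Packet("192.168.0.3:5200", "47.135.152.15:52000"))
    return a_to_b, b_to_a, nat.dropped
```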

Hairpinning with a STUN server
When NAT traversal for phones behind the NAT is based on STUN, the phones use the port discovery protocol between the phone and the STUN server to discover their public addresses and use the discovered public addresses for peer-to-peer communication. The diagram in Figure 45 describes the hairpinning solution with the STUN server. Phone A on the private side of the VPN Router initiates a call to Phone B on the private side. Phone A and Phone B discover their public addresses. When the call is established, Phone A starts to send media to Phone B and vice versa with public NAT destination addresses in the media packets. VPN Router NAT, unaware that the voice packets need NAT hairpinning, blocks the media packets. When NAT hairpinning is enabled, it examines the destination address of a packet, evaluates the destination address NAT binding, and makes a determination on the requirement for hairpinning.
Figure 45 NAT Hairpinning

Hairpinning requirements
NAT Hairpinning has two requirements:
• Because IP phones may not accept packets from arbitrary IP addresses, the source IP address must be the public IP address of the NAT.

• If the device is performing NAT on a VPN tunnel, the source IP address must be the assigned VPN IP address when the packets reach the private endpoint. Packets sent from private devices to the assigned VPN IP are hairpinned back without entering the VPN tunnel.

Enabling hairpinning
You can use the GUI or the CLI to turn the hairpinning of packets on or off. For more information about the CLI commands, see Nortel VPN Router Using the Command Line Interface. Figure 39 on page 110 shows hairpinning enabled. Hairpinning statistics are shown on the Status -> Statistics -> NAT Stats window. To configure hairpinning:
1 Select Services > Firewall/NAT.
2 Click Edit beside VPN Router Firewall. The Firewall/NAT > Edit window appears.
3 Click hairpinning.
4 Click OK.

Time-outs
When a session terminates, NAT deletes the associated translations. However, if a server goes down unexpectedly, the associated translation must age out so that the available translation addresses are not exhausted. The NAT time-outs are grouped by protocol as follows:
• ICMP—3 minutes
• UDP—3 minutes
• TCP—120 minutes

NAT statistics
The following statistics counters are provided for source and destination NAT services:
• Source Translated—number of packets with the source address translated
• Destination Translated—number of packets with the destination address translated
• Flows Translated—number of flows translated by the NAT service
• No Action—number of flows for which no translation was done
• Dropped—number of packets dropped because NAT could not translate the source/destination address
• Pooled Address Translations failed—number of packets dropped because NAT could not map a new address from the available address pool
• Port Translations failed—number of packets dropped because NAT could not map a new port for translation
You can view the NAT statistics on the Status > Statistics window.

Proxy ARP
Proxy ARP is needed if the translated address assigned by NAT to a private host makes it appear as if that private host is on the other host’s network. The other host ARPs and does not get a response unless you enable Proxy ARP for physical interfaces on the VPN Router. In Figure 46, the numbers correspond to the following actions:
1 Host 20.1.1.150 pings the host 20.1.1.1.
2 The ARP request for host 20.1.1.1 is broadcast to the network.
3 The VPN Router responds to the ARP request using its own hardware address for the ARP reply.
4 Because the interface NAT policy statically maps 20.1.1.1 to 10.0.0.1, this first packet is translated and sent to 10.0.0.1.
5 The ICMP echo reply is sent directly to the host 20.1.1.150.

1 receives the ping. Figure 46 Proxy ARP example Nortel VPN Router Configuration — Firewalls. Filters. The target host receives the packet. The packet's source IP 10.1. NAT. processes the ICMP.150. It replies with its own ICMP echo reply and sends the packet to the VPN Router.1 is translated to 20.0.0. and QoS .Chapter 4 Configuring NAT 121 6 7 8 9 Host 10. and the ping program reports the results.1.1.1 and sent to 20.1.0.0.
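As an added example (not Nortel's code), the following pooled source-NAT table ages idle translations with the per-protocol time-outs stated above (ICMP and UDP 3 minutes, TCP 120 minutes) and keeps four of the NAT statistics counters listed above; the two-address pool and the flows in demo() are constructed.

```python
"""Added example (not Nortel's code): a minimal pooled source-NAT table that
ages idle translations with the per-protocol time-outs stated on the page
(ICMP and UDP 3 minutes, TCP 120 minutes) and keeps four of the NAT
statistics counters the page lists. Pool addresses and flows are constructed."""
from dataclasses import dataclass, field

TIMEOUT_SEC = {"icmp": 3 * 60, "udp": 3 * 60, "tcp": 120 * 60}


@dataclass
class Translation:
    public_ip: str
    last_seen: float


@dataclass
class PooledNat:
    pool: list                                   # free public addresses
    table: dict = field(default_factory=dict)    # (proto, private_ip) -> Translation
    stats: dict = field(default_factory=lambda: {
        "Source Translated": 0, "Flows Translated": 0,
        "Dropped": 0, "Pooled Address Translations failed": 0})

    def translate(self, proto, private_ip, now):
        """Return the public source address for this packet, or None if dropped."""
        self.expire(now)
        key = (proto, private_ip)
        entry = self.table.get(key)
        if entry is None:
            if not self.pool:
                # no free pooled address: the packet is dropped and both counters move
                self.stats["Pooled Address Translations failed"] += 1
                self.stats["Dropped"] += 1
                return None
            entry = Translation(self.pool.pop(0), now)
            self.table[key] = entry
            self.stats["Flows Translated"] += 1
        entry.last_seen = now                    # activity restarts the idle timer
        self.stats["Source Translated"] += 1
        return entry.public_ip

    def expire(self, now):
        """Age out idle translations so a dead peer cannot exhaust the pool."""
        for key, entry in list(self.table.items()):
            if now - entry.last_seen > TIMEOUT_SEC[key[0]]:
                del self.table[key]
                self.pool.append(entry.public_ip)

    def session_closed(self, proto, private_ip):
        """Normal termination: the translation is deleted at once, no ageing."""
        entry = self.table.pop((proto, private_ip), None)
        if entry is not None:
            self.pool.append(entry.public_ip)


def demo():
    """Two-address pool: the third flow is dropped until the idle UDP entry ages out."""
    nat = PooledNat(pool=["20.0.0.1", "20.0.0.2"])
    nat.translate("udp", "10.1.1.1", now=0)
    nat.translate("tcp", "10.1.1.2", now=0)
    dropped = nat.translate("udp", "10.1.1.3", now=10)     # pool exhausted -> None
    # at t=240 s the UDP entry has idled past 3 minutes and frees 20.0.0.1;
    # the TCP entry (120-minute time-out) is kept
    reused = nat.translate("udp", "10.1.1.3", now=240)
    return dropped, reused, dict(nat.stats), sorted(nat.table)
```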


Chapter 5 Configuring firewall user authentication

You use firewall user authentication (FWUA) to ensure users log in to the VPN Router Stateful Firewall before they are granted network access. FWUA extends and enforces user authentication on traffic between branch office (BO) tunnels. You can also apply it on non-tunneled traffic when the VPN Router acts as a router and firewall edge device. FWUA uses the existing authentication services, with username and passwords supported for both internal authentication services (LDAP) or external authentication services (RADIUS or LDAP proxy). FWUA provides more granular security controls against unauthorized firewall use and is used for user-level accounting information for firewall users.

FWUA with TunnelGuard extends the capabilities of FWUA by downloading the TunnelGuard applet after the user is authenticated. TunnelGuard verifies that, for example, the PC has the proper patches installed and is running antivirus software before granting it access to the network. For more information on FWUA with TunnelGuard, see Nortel VPN Router Configuration — Tunnel Guard.

FWUA by SecurID extends the authentication approach of FWUA, which enforces user authentication on traffic between branch office connections in the VPN environment. This authentication method is also applied to nontunneled traffic when the VPN Router acts as a router and a firewall edge device.

Depending on how it is configured, FWUA authenticates against an internal or an external service: Example 1 is based on authentication by internal LDAP and Example 2 is based on authentication by an external service (RADIUS and LDAP proxy).

Policies within the VPN Router can contain a User Authentication specification for any rule. Users must register an active HTTPS logon session with the User Authentication Table Manager (UATM) before they are permitted access granted by the rule. Users who do not have an existing logon session registered with the UATM are not granted access even if the traffic profile is explicitly permitted by the rule. User UATM sessions are mapped to the active session table by source IP address.

Figure 47 is an example of FWUA.

Figure 47 FWUA example
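As an added example (not Nortel's code), this shows how a rule whose action is User Authentication is evaluated against the UATM: sessions are looked up by source IP address as described above, and a matching rule permits nothing without a live session in the required group. The Rule layout, the idle limit, the group names and the addresses are constructed assumptions.

```python
"""Added example (not Nortel's code): how a firewall rule whose action is
User Authentication is evaluated against the User Authentication Table
Manager (UATM). Sessions are looked up by source IP address, as the page
states; the Rule layout, idle limit, groups and addresses are constructed."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    group: str
    last_activity: float


@dataclass
class Rule:
    dst_port: int
    group: str      # "*any": every user must authenticate; otherwise one group
    action: str = "User Authentication"


class UATM:
    """Active HTTPS logon sessions, keyed by the source IP they came from."""
    def __init__(self, idle_limit_sec):
        self.idle_limit = idle_limit_sec
        self.sessions = {}

    def logon(self, src_ip, user, group, now):
        self.sessions[src_ip] = Session(user, group, now)

    def logoff(self, src_ip):
        self.sessions.pop(src_ip, None)

    def lookup(self, src_ip, now):
        """Return the live session for src_ip, dropping it if the logon went idle
        (the browser window that keeps the session open was closed)."""
        s = self.sessions.get(src_ip)
        if s is None:
            return None
        if now - s.last_activity > self.idle_limit:
            del self.sessions[src_ip]
            return None
        s.last_activity = now
        return s


def evaluate(rules, uatm, src_ip, dst_port, now):
    """First matching rule wins. Traffic a User Authentication rule permits is
    only passed when src_ip holds a live UATM session in the required group."""
    for rule in rules:
        if rule.dst_port != dst_port:
            continue
        if rule.action == "Permit":
            return "permit", "rule permits without authentication"
        session = uatm.lookup(src_ip, now)
        if session is None:
            return "deny", "rule matched, but no active FWUA session for source IP"
        if rule.group != "*any" and session.group != rule.group:
            return "deny", f"{session.user} is in {session.group}, rule needs {rule.group}"
        return "permit", f"authenticated as {session.user} ({session.group})"
    return "deny", "no matching rule"


def demo():
    """Two rules: port 443 needs a /Base/sales user, port 22 needs any logged-on user."""
    rules = [Rule(443, "/Base/sales"), Rule(22, "*any")]
    uatm = UATM(idle_limit_sec=600)
    results = {}
    results["before_logon"] = evaluate(rules, uatm, "10.1.1.50", 443, now=0)[0]
    uatm.logon("10.1.1.50", "alice", "/Base/sales", now=0)
    uatm.logon("10.1.1.51", "bob", "/Base/eng", now=0)
    results["alice_443"] = evaluate(rules, uatm, "10.1.1.50", 443, now=30)[0]
    results["bob_443"] = evaluate(rules, uatm, "10.1.1.51", 443, now=30)[0]
    results["bob_22"] = evaluate(rules, uatm, "10.1.1.51", 22, now=30)[0]
    results["unmatched_80"] = evaluate(rules, uatm, "10.1.1.50", 80, now=30)[0]
    results["alice_idle"] = evaluate(rules, uatm, "10.1.1.50", 443, now=2000)[0]
    return results
```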

Secure HTTP (HTTPS) support provides a secured communication channel for administration traffic to the VPN Router system and for firewall users to provide their authentication credentials to the VPN Router Stateful Firewall. Both Secure Socket Layer (SSL) 2.0/3.0 and Transport Layer Security (TLS) 1.0 are supported. The following suites are supported:

• Symmetric Ciphers—RC4, DES, and Triple DES (Cipher Block Chaining or CBC)
• Public Key Cryptography and Key Agreement Protocols—RSA and Diffie-Hellman
• Authentication Codes and Hash Algorithms—MD5 and SHA-1

Also, the following combinations of ciphers, key agreement protocols, and hashing algorithms are available:

• EDH-RSA-DES-CBC3-SHA
• DES-CBC3-SHA
• RC4-SHA
• RC4-MD5
• EXP1024-RC4-SHA
• EXP1024-DES-CBC-SHA
• EXP1024-RC4-MD5
• EDH-RSA-DES-CBC-SHA
• DES-CBC-SHA
• EXP-EDH-RSA-DES-CBC-SHA
• EXP-EDH-DSS-DES-CBC-SHA
• EXP-DES-CBC-SHA

The authentication facilities for FWUA use the existing authentication services currently available on the VPN Router with the exception of RADIUS-based tokens and digital certificates. By using the existing authentication services, all user-level accounting mechanisms that are available for VPN users are also available for FWUA users. A FWUA user directs their HTTPS-enabled Web browser to a specific Uniform Resource Locator (URL) designated for the FWUA logon on the VPN Router.

Prerequisites for using FWUA are:

• The VPN Router Stateful Firewall must be running to configure and process FWUA sessions.
• SSL/TLS must be enabled, which also requires that the VPN Router has a valid digital certificate installed to support HTTPS communication.
• FWUA users must have an HTTPS-enabled Web browser with a compatible SSL/TLS crypto suite.

Figure 48 is an example of FWUA configuration.

Figure 48 FWUA configuration

To configure FWUA:

1 Select Services > Available. The Services > Available window appears.

2 Click Public and Private for Firewall User Authentication.
3 Select Services > SSL/TLS. The SSL window appears.
4 Enter the text for a welcome banner.
5 Click the desired Ciphers (default all) and enter an existing X.509 digital server certificate preconfigured for this VPN Router (for example, CN=ces48, O=CSE, C=US). If no available certificates appear in the list, no server certificates are defined on your VPN Router or the existing server certificate is disabled.
6 Select Services > FWUA. The Firewall UA Settings window appears. Enter the user name, the port value (default 8000), and the default max session value. You add RADIUS or LDAP proxy authentication servers to the authentication order later. Click TunnelGuard Checking Only to enable FWUA for TunnelGuard enforcement only. If you select this option, you must provide a User ID and Password for the user. This username and password is used to anonymously log on all FWUA users, which removes the need for the user to log on to FWUA. For more information on TunnelGuard, see Nortel VPN Router Configuration — TunnelGuard.

Note: The firewall UI requires JRE 1.4.2_04 or later. If you do not have a sufficient JRE, you are prompted by the VPN Router to download and install JRE 1.4.2_04 directly from the VPN Router. A copy of JRE 1.4.2_04 is also available on the VPN Router server CD.

7 Select Profiles > Users > User Management > Edit User.
8 Click an FWUA user profile in internal LDAP, select the Group, and create a password.
9 Select Services > Firewall/NAT > Manage Policies.
10 After you log in, click New and enter the name of the policy.
11 Create a firewall policy.
a Select the Default Rules tab.
b Right-click on the # sign and select Add New Rule.

c Right-click the Action cell and select User Authentication.
d Select the group that contains the FWUA user. If you select *any for the group, it forces all users, regardless of their group association, to authenticate to the firewall.
e Select Policy > Save Policy and Manager > Exit CSF.
f Select the new firewall policy (refresh the screen for the new policy to appear in the list), and click OK.

To test the FWUA rule, try to communicate through the VPN Router. Communication attempts should fail.

Note: You must have a valid VPN Router Stateful Firewall license key installed. Check VPN Router Stateful Firewall on the Firewall/NAT window to be sure it is enabled. Also, you must reboot the VPN Router the first time you enable the VPN Router Stateful Firewall. You can disable the VPN Router tunnel filters as they are no longer needed.

12 Direct your HTTPS-enabled browser to the predefined FWUA logon URL on the VPN Router and log in to the firewall using the FWUA user profile that you created. The FWUA logon URL follows the format https://VPNRouterhostname:port/FWUA.htm or https://VPNRouterIPaddress:port/FWUA.htm, where VPNRouterhostname or VPNRouterIPaddress resolves to a VPN Router interface (not the management IP). The port is the port number you specified on the Services > FWUA window.

Note: If the VPN Router digital server certificate is not part of a certificate domain trusted by your Web browser (you do not have a certificate issued by the same CA) or the domain listed on the VPN Router certificate does not match the DNS domain of the VPN Router, you are prompted by your Web browser with a security alert dialog box. Click Yes to trust the certificate and proceed.

After a successful authentication, the browser window must remain open during the entire time that you want to communicate through the firewall. This keeps an active FWUA session in the UATM.

13 Try to communicate through the firewall again. Communication attempts should be successful.

14 To modify the current FWUA configuration to accommodate external authentication methods, go to Services > FWUA > Add RADIUS or Add LDAP Authentication Server. The Associated Group specifies the group from which the RADIUS or LDAP Proxy Authentication users obtain their privileges, as defined on the Server > RADIUS Auth or the Server > LDAP Proxy windows. If the /Base group is configured to authenticate RADIUS or LDAP Proxy Auth users for VPN connections, it is also used to authenticate FWUA users.


Chapter 6 Configuring QoS

The VPN Router supports two internal quality of service (QoS) mechanisms as well as participates in external network signaling to enhance performance. Forwarding priority allows for prioritized traffic, and Call admission priority allows you to reserve connection resources for high-priority users. In addition, external QoS using Resource ReSerVation Protocol (RSVP) signals the public network to reserve a portion of the network's bandwidth for a specific connection.

Traffic conditioning by DSCP provides a method to limit traffic at ingress to the VPN Router based on Diffserv Code Point (DSCP) value. Traffic that exceeds the configured rate for a particular DSCP is dropped in ingress to the VPN Router. This ensures that particular DSCP values obtain the desired amount of egress bandwidth. This allows for guaranteed bandwidth based on Diffserv code points that guarantees a fixed percentage of total bandwidth to each of several applications. QoS provides the option of dropping data that exceeds configured traffic conditioning assured forwarding rates.

Configuring classifiers

You can define an MF Classifier for an interface (interface MF). The interface MF-Classifier is applied to routing traffic going through that interface.

To configure an MF classifier:

1 Select QoS > Classifiers. The Current Multi-Field (MF) Classifiers list includes all existing MF classifiers.
2 Select from the Current Multi-Field (MF) Classifiers and click Edit to edit the rules for that MF Classifier.

The Edit Rule window appears. The Classifier Rule for field shows the name of the rule. The Rules in Classifier list shows all rules that are applied to the MF Classifier. The Available Rules list shows all existing rules. You can select rules from this list to move them into the Rules in Classifier list and apply them to the MF Classifier.

3 Select a rule from the Available Rules list on the right of the window, then click the left arrow. This adds the selected rule to the current rules list. The new rule is added after the rule currently selected in the Rules in Classifier list.
4 Click Edit to edit an existing rule. The Edit/Create Rules window appears.
5 Enter the source and destination addresses to limit the rule to acting on packets from and to these addresses. Source and destination are relative to the direction of the rule.
6 Click Modify next to the Source and Destination Address fields to edit either of these fields. The DiffServ Rules Definition Address window appears.
7 Select the appropriate protocol from the list. The default list of protocols includes:

• ICMP—Internet Control Message Protocol is a Network layer protocol. The PING utility generates ICMP packets. PING is often used to check if a system's network is available. Enabling this option makes the VPN Router respond to ICMP packets (PING) when VRRP becomes master for an IP address that it backs up.
• IP—Internet Protocol is a Network layer protocol in the TCP/IP stack that offers a connectionless internetwork service. IP packets that are encapsulated within other packets create IP over IP. Multicast IP packets (packets that have multicast destinations), carried between networks that support multicasting over intermediate networks that do not, are the most common implementation. Examples are conferences and other services offered through Multicast Backbone (MBONE).

• TCP—Transmission Control Protocol is a transport layer protocol in the TCP/IP protocol stack. This is a connection-oriented protocol that provides reliable full-duplex data transmission. Examples are Web browsers using HTTP and FTP.
• UDP—User Datagram Protocol is a transport layer protocol in the UDP/IP protocol stack. UDP is a connectionless service that exchanges datagrams without acknowledgment or delivery guarantees, and therefore requires that other protocols handle error handling and retransmissions. Examples are DNS and WINS.

8 Click Modify next to the Protocol field to edit it.
9 Click Modify to the right of the TCP/UDP Source and Destination Port fields to edit them. You can filter packets to or from the Source and Destination ports to permit or deny any packets transferred by the VPN Router. The source or destination is relative to the direction of the rule.
10 Click Modify to the right of the Current DSCP Value field to create and edit the DSCP value and mask. The DSCP value and mask assignments allow packets that are already marked to retain their settings or to be remarked based on their previous DSCP value.
11 Select the DSCP, either expedited forwarding (EF) or an assured forwarding (AF) level, that you want marked on the next meter for the data that this rule applies to.

Configuring Interface shaping

Interface Shaping shapes or delays the outgoing packet flow through an interface to better match the throughput of a downstream device. It is applicable for Ethernet Interfaces only. You can configure the assured forwarding queues option to drop data exceeding the configured rate. (EF excess data is always dropped.) This data is dropped on ingress and never enqueued. If the configured data rates for the assured forwarding queues are based on the interface shaping rate, which is based on the downstream data rate, the queues are the appropriate size.

To configure Interface Shaping:

1 Select QoS > Interfaces.
2 Under Current Interface, select the Ethernet Interface that you want to configure and click Display. The current interface displays its current QoS configuration, which includes Interface Shaping.
3 Under Interface Shaping, click Configure. The Interface Shaping window appears.
4 Under Interface Shaping State, enable Interface Shaping for the selected Ethernet Interface. Default is disabled.
5 Under Interface Shaping, enter the shaping rate (in bps).
6 Click OK.

Configuring bandwidth management

You use bandwidth management to manage the VPN Router CPU and interface bandwidth resources to ensure that tunneled sessions get predictable and adequate levels of service. Bandwidth components keep track of and control the level of bandwidth used on the physical interfaces and the tunnels. The VPN Router interface speed determines the available bandwidth. You use bandwidth management to configure the VPN Router resources for users, branch offices, and interface-routed traffic.

Bandwidth management forces tunnels to conform to a set of rates. There are two rates (committed and excess) and an excess action (mark or drop). When the excess action is Drop, the VPN Router drops all the packets above the excess rate. Packets are given different drop preferences, depending on whether they are below the committed rate (lowest drop preference), between the committed and excess rate (higher drop preference), or above the excess rate (highest drop preference if the excess action is Mark). When there is congestion, the VPN Router drops packets according to their drop preference.

You can add call admission to guarantee that resources are available to support the committed bandwidth assigned to a user. This potentially denies a client access before the licensed limit of a VPN Router is reached.

To configure bandwidth management:

1 Select Admin > Install and enable the advanced routing license.
2 Select QoS > Bandwidth Mgmt to define the bandwidth rates. You must define this in bits per second (100 Mbps=100000000). The maximum rate you can create is 100 Mbps.
3 Select QOS > Interfaces to set the over-subscription rate. The default is 10:1. Use this ratio to adjust for some users not using all of their allotted bandwidth simultaneously under normal circumstances.
4 Select Profiles > Groups > Groups > Edit > Connectivity.
5 In the User Bandwidth Policy section, enable Bandwidth Management and define the committed and excess bandwidth rates.

Configuring Differentiated Services (DiffServ)

DiffServ settings classify and mark packets to receive specified per-hop forwarding behavior on each node along their path. Sophisticated classification, marking, policing, and shaping operations are implemented at network boundaries or hosts. Network resources are allocated to traffic streams by service provisioning policies that govern how traffic is marked and conditioned upon entry to a differentiated services-capable network, and how that traffic is forwarded within that network. Any DiffServ code points (DSCPs) not recognized are forwarded as if marked for the default behavior, Best Effort (BE).

Note: You can have only DiffServ or Forwarding Priority active at any one time, not both at the same time. DiffServ sorting is incorrect if Anti-Replay is enabled. Anti-Replay does not acknowledge DiffServ and has its own methods of discarding packets, which adversely affects the DiffServ sorting. You must disable Anti-Replay when using IPsec tunnels over LANs or WANs (the typical usage).

To configure DiffServ:

1 Select QOS > Interfaces and click Configure in the DiffServ Edge section.

2 In the Multi-Field Classifier State field, enable or disable the application of MF Classifiers on this interface.
3 In the Ingress (Inbound) field, select from the list the MF Classifier that you want to apply when packets are coming into this interface.
4 In the Egress (Outbound) field, select from the list the MF Classifier that you want to apply when packets are going out this interface.
5 In the Traffic Conditioning State field, enable or disable traffic conditioning on this interface. Traffic conditioning drops and remarks a traffic stream to shape it into compliance with a traffic metering profile. For Expedited Forwarding (EF) and Assured Forwarding 1—Assured Forwarding 4 (AF1-AF4), you can configure a Traffic Conditioning Meter (in bps).

• For EF, traffic above the rate is dropped. Traffic below the rate is forwarded.
• For AF1—AF4, the rate is an average rate, although at times traffic can burst as much as twice the configured rate. Any packets under the rate are marked as low drop precedence. Any packets under two times the configured rate are marked as medium drop precedence. Any packets above two times the configured rate are marked as high drop precedence.

Note: Enter values for EF and AF1—AF4 greater than 512 bps. Traffic conditioning does not work with configured rates smaller than 512 bps or with packets smaller than 64 bytes.

6 Enter a value, in bps, for the Expedited Forwarding (EF) Rates field. Nonconforming traffic is dropped.
7 Enter values, in bps, for the Assured Forwarding Rate fields (AF4—AF1). Also, configure the Excess Action field for each AF rate to either drop traffic exceeding the configured rate or to mark the traffic.
8 For Egress (Outbound) traffic conditioning, enter a value, in bps, for Expedited Forwarding Shaping Rate. Shaping delays the packets in a stream to conform to a defined traffic profile (the EF Shaping value). Nonconforming traffic is delayed, not dropped.
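As an added example (not Nortel's code), the meter below applies the EF and AF1-AF4 conditioning rules from steps 5 to 7 above, including the Excess Action choice and the 512 bps and 64 byte limits. Measuring the average rate over fixed one-second windows is an assumption of this illustration, as are the rates and packets used in demo().

```python
"""Added example (not Nortel's code): an ingress traffic-conditioning meter
that applies the EF and AF1-AF4 rules from the DiffServ steps, including the
Excess Action choice and the 512 bps / 64 byte limits. One-second measuring
windows, the rates and the packets in demo() are constructed assumptions."""
from collections import defaultdict

MIN_RATE_BPS = 512        # conditioning does not work below this rate ...
MIN_PACKET_BYTES = 64     # ... or with packets smaller than this


class ConditioningMeter:
    def __init__(self, rates_bps, excess_action):
        """rates_bps: {"EF": bps, "AF1": bps, ...}
        excess_action: {"AF1": "Mark" or "Drop", ...} (EF excess is always dropped)"""
        for cls, bps in rates_bps.items():
            if bps < MIN_RATE_BPS:
                raise ValueError(f"{cls}: {bps} bps is below the {MIN_RATE_BPS} bps minimum")
        self.rates = rates_bps
        self.excess = excess_action
        self.window_bits = defaultdict(int)   # (class, whole second) -> bits seen

    def meter(self, cls, size_bytes, ts):
        """Return "forward", "drop", or the drop precedence to mark: "low",
        "medium" or "high"."""
        if size_bytes < MIN_PACKET_BYTES:
            return "forward"                  # below the conditioning minimum: not metered
        key = (cls, int(ts))
        self.window_bits[key] += size_bytes * 8
        rate = self.window_bits[key]          # bits in a one-second window == bps
        limit = self.rates[cls]
        if cls == "EF":
            return "drop" if rate > limit else "forward"
        if rate <= limit:
            return "low"                      # under the configured rate
        if self.excess.get(cls, "Drop") == "Drop":
            return "drop"                     # Excess Action Drop: everything over the rate
        return "medium" if rate <= 2 * limit else "high"   # Mark: burst up to 2x, then high


def demo():
    """Five 500-byte packets in one second per class at 8000 bps: the third packet
    crosses the rate, the fifth crosses twice the rate."""
    meter = ConditioningMeter({"EF": 8000, "AF1": 8000, "AF2": 8000},
                              {"AF1": "Mark", "AF2": "Drop"})
    out = {cls: [] for cls in ("EF", "AF1", "AF2")}
    for i in range(5):
        ts = 0.1 * (i + 1)
        for cls in out:
            out[cls].append(meter.meter(cls, 500, ts))
    out["EF_next_second"] = meter.meter("EF", 500, 1.1)   # new window, conforming again
    out["tiny"] = meter.meter("AF2", 40, 0.9)             # 40-byte packet is not metered
    return out
```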

Using forwarding priority

You use forwarding priority quality of service to assign each user to one of four priority classes. Each class is guaranteed different maximum forwarding times between the interfaces of the VPN Router. Each class, however, is guaranteed some level of service so that no traffic through the VPN Router is ever completely stalled.

If a group profile has a forwarding priority of 1 (highest), it has the highest possible bandwidth guarantee and the lowest level of latency. Packets sent by this group are transmitted immediately even if there is heavy traffic on the VPN Router. Conversely, if a group profile has a forwarding priority of 4 (lowest), it has the least amount of bandwidth allocated and possibly the highest level of latency. Therefore, if traffic on the VPN Router is heavy, fewer packets sent by this group are transmitted when there are higher-level priority packets in the queue.

It is important to assign users to the four different class levels to make sure they get the proper service and performance, especially during heavily congested times. For example, you can assign the sales team to Priority 1 to make sure they can always place orders, especially during the quarter-end rush. Or, high-priority traffic generated by the company CEO is protected from high-bandwidth traffic generated by lower-priority users.

The technology that supports forwarding priority is called weighted fair queuing with random early detection (RED). This queuing mechanism gives each of the four user classes (from 1—high to 4—low) a different weight in the amount of service time they receive by the packet-forwarding process. QoS is only effective when all associated lines are capable of servicing the forwarding demands at the required speeds.

To illustrate how the Forwarding priority works, the example in Table 4 assumes heavy traffic and a queue of packets. Packets are transmitted according to the approximate rates per pass that are cited in the table.

Table 4 Bandwidth allocation per priority level

Priority 1   60% pass
Priority 2   25% pass
Priority 3   10% pass
Priority 4    5% pass

Of the total packets transmitted in a hypothetical pass, 60 percent come from the Priority 1 queue, 25 percent from the Priority 2 queue, 10 percent from the Priority 3 queue, and 5 percent from the Priority 4 queue.
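As an added example (not Nortel's code), one transmission pass of the weighted queuing described above, using the per-pass shares of Table 4. The queue contents, the pass size, and the rule that slots a queue cannot fill are handed down to the next lower priority are constructed assumptions.

```python
"""Added example (not Nortel's code): one transmission pass of the weighted
queuing the page describes, using the per-pass shares from Table 4. Queue
contents, the pass size, and the hand-down of unused slots are assumptions."""
from collections import deque

SHARE_PER_PASS = {1: 0.60, 2: 0.25, 3: 0.10, 4: 0.05}   # Table 4


def transmit_pass(queues, pass_size):
    """queues: {priority: deque of packet ids}, serviced highest priority first.
    Returns (packets sent this pass in order, packets taken per priority)."""
    sent, per_priority, carry = [], {}, 0
    for prio in sorted(SHARE_PER_PASS):
        slots = round(SHARE_PER_PASS[prio] * pass_size) + carry
        queue = queues[prio]
        take = min(slots, len(queue))
        sent.extend(queue.popleft() for _ in range(take))
        per_priority[prio] = take
        carry = slots - take          # assumption: unused slots go to the next queue
    return sent, per_priority


def make_queues(sizes):
    """Constructed backlog: packet ids like 'p3-07' for priority 3, packet 7."""
    return {p: deque(f"p{p}-{i:02d}" for i in range(n)) for p, n in sizes.items()}


def demo():
    """Heavy congestion (every queue backlogged) reproduces the 60/25/10/5 split;
    a light priority-2 queue lets its spare slots flow down, but even then the
    lowest priority is still served and never stalls."""
    heavy = transmit_pass(make_queues({1: 100, 2: 100, 3: 100, 4: 100}), 100)[1]
    light = transmit_pass(make_queues({1: 30, 2: 2, 3: 10, 4: 10}), 20)[1]
    return heavy, light
```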

Using call admission priority

You use call admission priority quality of service to assign each user group profile to one of four priority classes (from 1—high to 4—low) for call admission. Since the VPN Router supports a maximum number of sessions, it is important to assign users to the proper call admission priority classes. This ensures that connections are available to the appropriate users when there is heavy traffic. The VPN Router reserves connections for each class of user, guaranteeing that a large number of low-priority users do not lock out the high-priority users. The VPN Router does not accept further low-priority connections when it is servicing the maximum number of low-priority sessions. Although other callers are permitted access to the VPN Router, this access is proportional to the assigned priority level for their group. Once a connection is accepted, it is never dropped, regardless of the assigned call admission priority.

Table 5 shows the connections available for each priority based on a percentage of the total capacity, assuming a hypothetical maximum of 2000 sessions. By default, any call is admitted access for the first 50 percent of connections. The next 25 percent of calls guarantee access to only Priority 1, 2, and 3 callers. The next 15 percent of calls guarantee access to only Priority 1 and 2 callers. For the final 10 percent of calls, only Priority 1 callers are guaranteed access.

Table 5 Call admission priority

Capacity     Priority   Available connections
0 to 50%     All        1000
51 to 75%    1, 2, 3    500
76 to 90%    1, 2       300
91 to 100%   1          200

Table 6 shows the maximum number of connections available for each priority.

Table 6 Maximum connections per priority

Priority   Connections
1          2000
2          1800
3          1500
4          1000

Using RSVP

The VPN Router supports Resource ReSerVation protocol (RSVP) quality of service for the Internet. RSVP is the best-defined technology for resource reservation. However, currently only a few service providers offer a service that uses RSVP. Successful external network-level quality of service requires the cooperation of all the devices on the network (between the user and either the access point to the private network or the ultimate destination host). The VPN Router signals to the other devices on the public network and describes the level of bandwidth that it needs to ensure adequate performance. This amount of bandwidth is determined by both the data rate that the user has to the Internet, and by the data rate of the link between the Internet and the VPN Router.

The two key components of RSVP are:

• PATH messages, which are constant announcements by the host system or the VPN Router that a certain amount of bandwidth must be kept available.
• RESV messages, which are responses from the client that it wants to reserve the requested bandwidth.

If the client responds to the PATH messages with RESV messages, then RSVP-ready routers attempt the resource reservation. These routers actually reserve the resources requested if they are RSVP-compliant.
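As an added example (not Nortel's code), call admission derived from the capacity bands of Table 5 and checked against the per-priority maxima of Table 6, for the same hypothetical maximum of 2000 sessions the tables use.

```python
"""Added example (not Nortel's code): call admission derived from the capacity
bands of Table 5 and checked against the per-priority maxima of Table 6, for
the hypothetical maximum of 2000 sessions the page uses."""
MAX_SESSIONS = 2000
# Table 5: (upper end of the band as a percentage of capacity,
#           lowest priority number that may still be admitted in that band)
CAPACITY_BANDS = [(50, 4), (75, 3), (90, 2), (100, 1)]


def max_connections(priority, max_sessions=MAX_SESSIONS):
    """Highest session count at which a call of this priority is still admitted.
    With 2000 sessions this yields Table 6: 2000, 1800, 1500, 1000 for 1..4."""
    if not 1 <= priority <= 4:
        raise ValueError("priority must be 1 (high) to 4 (low)")
    limit_pct = 0
    for pct, lowest_admitted in CAPACITY_BANDS:
        if priority <= lowest_admitted:
            limit_pct = pct            # bands are ascending, so the last hit is the cap
    return limit_pct * max_sessions // 100


def admit(priority, active_sessions, max_sessions=MAX_SESSIONS):
    """True if a new call of this priority is accepted. Once accepted, a session
    is never dropped, so the reservation is enforced only at admission time."""
    return active_sessions < max_connections(priority, max_sessions)


def available_by_band(max_sessions=MAX_SESSIONS):
    """Rows of Table 5: (capacity band, priorities admitted, connections in band)."""
    rows, lower = [], 0
    for pct, lowest_admitted in CAPACITY_BANDS:
        label = f"{lower + 1 if lower else 0} to {pct}%"
        rows.append((label, list(range(1, lowest_admitted + 1)),
                     (pct - lower) * max_sessions // 100))
        lower = pct
    return rows
```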

DSCP to 802.1p mapping

802.1p is a specification for prioritizing network traffic at the data link layer. 802.1p utilizes the User Priority field of the 802.1Q header. This priority extension tags Ethernet frames with 1 of 8 different classes of service to provide service differentiation at the Ethernet layer. Differentiated Services (DiffServ) provides Quality of Service (QoS) at the IP level by redefining the 8 bit Type of Service field of the IPv4 header as a Differentiated Services (DS) field. Differentiated Services Code Point (DSCP) uses six bits of the DS field to select the Per Hop Behavior (PHB) a packet experiences at each node. DSCP identifies the priority of service a packet receives in the network.

The 802.1p tag often does not remain with the packet as it travels from source to destination. However, the DSCP marker in an IP header does remain with the packet. When a packet is transmitted, the DSCP value of the inner header is copied to the outer IP header. Although some Ethernet switches cannot interpret the DSCP, they can interpret the 802.1p tag. By providing a consistent mapping between DSCP and 802.1p, Ethernet networks achieve the required end-to-end QoS behavior.

Support for DSCP to 802.1p mapping allows the VPN Router to tag frames for prioritization over public and private physical interfaces. It supports mapping DiffServ code point (DSCP) to 802.1p marking on ingress to or egress from the VPN Router and can separately enable or disable 802.1p to DSCP mapping on ingress or egress. The 802.1p to DSCP markings are static and are set according to the Nortel standard.

In Figure 49, the layer 2 switches are DSCP-unaware and the layer 3 switch and router are DSCP-aware. If a packet traveling from the layer 2 switch to the router has the 802.1p tag as it enters the layer 3 switch, the layer 3 switch performs an 802.1p to DSCP mapping and forwards the packet to the router. When the router sends a packet back to one of the DSCP-unaware switches, the layer 3 switch performs a DSCP to 802.1p mapping and forwards the packet to the layer 2 switch.

Figure 49 Example 802.1p to DSCP mapping

When mappings are enabled and an incoming packet with 802.1p marking is received, the VPN Router uses the default 802.1p to DSCP mappings shown in Table 7.

Table 7 Default incoming 802.1p mappings

802.1p user priority   Maps to DSCP
7                      CS7
6                      EF
5                      AF41
4                      AF31
3                      AF21
2                      AF11
1                      DF
0                      DF

When mappings are enabled and an outgoing packet is sent out, the VPN Router uses the default DSCP to 802.1p mappings shown in Table 8.

Table 8 Default outgoing 802.1p mappings

DSCP                           Maps to 802.1p user priority
CS7                            7
CS6                            7
EF, CS5                        6
AF41, AF42, AF43, CS4          5
AF31, AF32, AF33, CS3          4
AF21, AF22, AF23, CS2          3
AF11, AF12, AF13, CS1          2
DF, CS0, All undefined DSCPs   0

When mappings are disabled, the 802.1p tag value is ignored and normal multi-field classifier (MFC) action is applied to all packets.

To configure DSCP to 802.1p mapping:

1 Select QoS > Interfaces.
2 From the Current Interface list, select the interface you want the mappings applied to.
3 Click Display to display the selected interface (Fast Ethernet is displayed by default).
4 In the DSCP 802.1p Mapping section, click Configure.
5 On the Dscp 802.1p Mapping window, select either Custom or Standard for the Egress (outbound) and for Ingress (inbound).
6 If the Custom setting is selected, click configure custom mappings.
7 Configure the DSCP Class to 802.1p precedence mapping and the 802.1p precedence to DSCP mapping sections. See Table 7 on page 141 and Table 8 on page 142.
8 Click OK.
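As an added example (not Nortel's code), the default mappings of Tables 7 and 8 applied to the actual header fields, the six-bit DSCP in the IPv4 DS byte and the three-bit user priority in the 802.1Q TCI; it also shows that the incoming and outgoing tables are not inverses of each other (CS6 leaves as priority 7 and re-enters as CS7). The numeric DSCP values follow RFC 2474, 2597 and 3246, and the sample header fields in demo() are constructed.

```python
"""Added example (not Nortel's code): Tables 7 and 8 applied to the real header
fields (DSCP in the IPv4 DS byte, user priority in the 802.1Q TCI), and a check
that the two tables are not inverses. Sample header values are constructed."""


def dscp_value(name):
    """Numeric DSCP for the class names used in the tables (RFC 2474/2597/3246)."""
    if name == "DF":
        return 0
    if name == "EF":
        return 46
    if name.startswith("CS"):
        return int(name[2]) * 8                      # class selector: precedence bits only
    if name.startswith("AF"):
        return int(name[2]) * 8 + int(name[3]) * 2   # AFxy: class x, drop precedence y
    raise ValueError(f"unknown DSCP name {name!r}")


# Table 7: incoming 802.1p user priority -> DSCP
INCOMING = {7: "CS7", 6: "EF", 5: "AF41", 4: "AF31", 3: "AF21", 2: "AF11", 1: "DF", 0: "DF"}

# Table 8: outgoing DSCP -> 802.1p user priority; anything undefined maps to 0
OUTGOING = {"CS7": 7, "CS6": 7, "EF": 6, "CS5": 6, "DF": 0, "CS0": 0}
for af_class, prio in ((4, 5), (3, 4), (2, 3), (1, 2)):
    OUTGOING[f"CS{af_class}"] = prio
    for drop in (1, 2, 3):
        OUTGOING[f"AF{af_class}{drop}"] = prio

NAME_BY_DSCP = {dscp_value(n): n for n in OUTGOING}


def ingress_ds_byte(tci):
    """802.1Q TCI (16 bits): PCP is the top three bits. Returns the DS byte the
    IP header is rewritten with; the DSCP sits in the upper six bits, ECN below."""
    pcp = (tci >> 13) & 0x7
    return dscp_value(INCOMING[pcp]) << 2


def egress_pcp(ds_byte):
    """DS byte of an outgoing IPv4 packet -> 802.1p user priority for the frame."""
    return OUTGOING.get(NAME_BY_DSCP.get(ds_byte >> 2), 0)


def round_trip(name):
    """DSCP name -> outgoing priority -> DSCP assigned on re-entry through Table 7."""
    return INCOMING[egress_pcp(dscp_value(name) << 2)]


def demo():
    return {
        "tci_0x6000": ingress_ds_byte(0x6000),   # PCP 3 -> AF21 (18) -> DS byte 72
        "ef_out": egress_pcp(46 << 2),           # EF -> 6
        "cs6_out": egress_pcp(48 << 2),          # CS6 -> 7
        "undefined_44": egress_pcp(44 << 2),     # not in Table 8 -> 0
        "round_trips": {n: round_trip(n) for n in ("EF", "CS6", "AF42", "AF11", "DF")},
    }
```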


