
Chapter 16: Using Internet Connections


This chapter uses an example to demonstrate how to configure the PortMaster to establish a continuous connection to an Internet service provider (ISP), shown in Figure 16-1. This connection creates a gateway from your office to the Internet using a dial-out connection through one of the serial ports on your PortMaster. Internet connections can also be set for on-demand operation.

The following topics are discussed:

  Continuous Internet Connection

Overview of Continuous Internet Connections

You can configure two types of continuous connections:

  - A continuous dial-up connection starts as soon as the PortMaster boots and is redialed whenever the telephone connection is dropped. If you use a continuous dial-out link from the S1 serial port, one location table entry is needed for the ISP.

  - The network hardwired configuration is typically used if you are using a leased analog or digital line or an asynchronous-to-synchronous converter. If you use a network hardwired port, no entries are needed in the location table.

This example provides configuration information for both types of continuous connections.

For this example, IPX packets are not transmitted to or from the ISP.

You can also connect to an ISP with a dial-on-demand configuration, as described in Chapter 15, "Using Office-to-Office Connections." However, dial-on-demand ISP connections do not allow Internet users access to your site when the dial-up connection is not established.

Configuration Steps for an Internet Connection

The example described in this chapter connects a PortMaster router located in an office (office1) with an ISP (isp1) using Frame Relay on a synchronous interface.

To install your PortMaster, follow the instructions in your hardware installation guide. If you need additional help, refer to the troubleshooting chapter of the installation guide. The example in this chapter shows variables in italics. Change these values to reflect your network.

Once you have assigned an IP address to the PortMaster, continue with the following steps:

  1. Configure the following settings for the PortMaster in Office 1:

    a. Global settings (page 16-4)

    b. Ethernet interface settings (page 16-5)

    c. Serial port settings (page 16-5 or page 16-6)

    d. Dial-out location (page 16-7)

  2. Test the configuration (page 16-8 or page 16-10).

  3. Set network filtering (page 16-10).

Alternatively, you can configure a PortMaster with an ISDN port for an Internet connection. See "Using ISDN for Internet Connections" on page 16-12.

Configuring Global Settings

 

Configure the global settings to the values shown in Table 16-1.

Table 16-1. Global Settings Values

Setting              Command
-------------------  -----------------------
Default IP gateway   set gateway 192.168.5.6

For more information about global settings, see Chapter 3, "Configuring Global Settings."

After configuring the global settings, save the configuration using the following command:

 
Command> save all

Configuring Port Settings

You must configure settings for your Ethernet port and settings for either a dial-out or hardwired connection on your asynchronous port.

Ethernet Interface Settings

Set the Ethernet parameters to the values shown in Table 16-2.

Table 16-2. Ethernet Port Parameter Values

Setting              Command
-------------------  --------------------------------
IP address           set ether0 address 192.168.200.1
Netmask              set ether0 netmask 255.255.255.0
Broadcast address    set ether0 broadcast high

After configuring the Ethernet interface, reset it and save the configuration using the following commands:

Command> reset ether0

Command> save all

For more information on Ethernet interface parameters, refer to Chapter 4, "Configuring the Ethernet Interface."

Serial Port Settings for Dial-Out

For continuous dial-out on a serial port, configure the port with the values shown in Table 16-3.

Table 16-3. Serial Port Values for Continuous Dial-Out

Setting                Command
---------------------  ----------------------
Port type              set s1 network dialout
Protocol               set s1 protocol ppp
Speed 1                set s1 speed 1 115200
Speed 2                set s1 speed 2 115200
Speed 3                set s1 speed 3 115200
Modem control          set s1 cd on
Hardware flow control  set s1 rts/cts on
Software flow control  set s1 xon/xoff off
Dial group             set s1 group 1

Leave all other settings at their default values. After configuring the serial port, reset the port and save the configuration using the following commands:

Command> reset s1

Command> save all

For more information about asynchronous ports and configuring modems, refer to Chapter 5, "Configuring an Asynchronous Port."

Serial Port Settings for a Hardwired Connection

To establish a hardwired connection on a serial port, configure the port with the values shown in Table 16-4.

Table 16-4. Serial Port Values for a Hardwired Port

Setting                Command
---------------------  ----------------------------
Port type              set s1 network hardwired
Protocol               set s1 protocol ppp
MTU                    set s1 mtu 1500
Speed 1                set s1 speed 1 115200
Modem control          set s1 cd on
Hardware flow control  set s1 rts/cts on
Software flow control  set s1 xon/xoff off
IP destination         set s1 destination 192.168.5.6
Netmask                set s1 netmask 255.255.255.0
RIP routing            set s1 rip off
Compression            set s1 compression on

Leave all other settings at their default values. After configuring the serial port, reset the port and save the configuration using the following commands:

Command> reset s1

Command> save all

For more information about asynchronous ports, refer to Chapter 5, "Configuring an Asynchronous Port."

Configuring a Dial-Out Location

If you are using a continuous dial-out link, a location entry on the PortMaster must be created for the location identified as isp1. This entry allows the PortMaster to establish a connection with the ISP as soon as it is booted. The new location isp1 should be configured with the values shown in Table 16-5, or as instructed by your ISP.

Table 16-5. Location Table Values

Setting            Command
-----------------  ---------------------------------------
Location name      add location isp1
Type               set location isp1 manual
                   (Change to continuous after testing the configuration.)
Protocol           set location isp1 protocol ppp
IP destination     set location isp1 destination 192.168.5.6
Netmask            set location isp1 netmask 255.255.255.0
RIP routing        set location isp1 rip broadcast
MTU                set location isp1 mtu 1500
Compression        set location isp1 compression on
Input filter       set location isp1 ifilter internet.in
Output filter      set location isp1 ofilter internet.out
Idle timer         set location isp1 idle 0
High-water mark    set location isp1 high_water 0
Dial group         set location isp1 group 1
Telephone number   set location isp1 telephone 5551212
Username           set location isp1 username office
                   (This value is provided by your ISP.)
Password           set location isp1 password passwd
                   (This value is provided by your ISP.)
Maximum ports      set location isp1 maxports 1

Note: Configuring the maximum ports setting to a value higher than 0 causes the PortMaster to dial out to a continuous location, or become available for dial-out to an on-demand location. By configuring the maximum ports setting last, you ensure that the PortMaster will not attempt to make a connection with a location until you have configured all the settings for that location.

You can also authenticate using CHAP if it is supported by the ISP.

After configuring the location table settings, save the configuration using the following command:

Command> save all

For more information about configuring locations, see Chapter 8, "Configuring Dial-Out Connections."

Testing the Continuous Dial-Out Setup

The configuration should be tested before the location isp1 is set for continuous dialing. To test the configuration, follow these steps:

  1. Enter the following commands to connect from your office to location isp1:

    Command> set console

    Command> set debug 0x51 -x

    Command> dial isp1

  2. Monitor the dial-and-connect sequence between the two locations.

  3. If everything connects as expected, reset the port, turn off debugging, and change the location type to continuous:

    Command> reset s1

    Command> set debug off

    Command> set location isp1 continuous

  4. If you notice a problem, do the following:

    a. Reset the port.

    b. Check your configuration.

    c. Dial the ISP again.

    d. Repeat this procedure until the connection is made correctly.

    Contact your ISP if you are unable to connect as expected. The ISP might be able to provide additional information.

  5. When you have configured the PortMaster correctly, reset the port and save the configuration:

    Command> reset s1

    Command> save all

Testing the Network Hardwired Setup

To test a network hardwired connection, follow these steps:

  1. Reset the newly configured serial port:

    Command> reset s1

    The network hardwired connection should be established within a few seconds.

  2. Verify that the port status is ESTABLISHED by using the following command:

    Command> show s1

  3. If there is a problem, check your configuration.

    Contact your ISP if you are unable to connect as expected.

  4. When you have configured the PortMaster correctly, reset the port and save the configuration:

    Command> reset s1

    Command> save all

Providing Network Filtering

Your connection to the Internet can be vulnerable to attack from other Internet users. Therefore, Lucent Remote Access recommends that you add an input filter to the location isp1 for the continuous dial-out connection. For a hardwired connection, you should attach an input filter to the hardwired port.

Note: This section describes an example filter that might not protect your network from all forms of attack. For more information about filters, refer to "Additional References" in the preface and Chapter 9, "Configuring Filters." Refer to the ChoiceNet Administrator's Guide and the RADIUS Administrator's Guide for more information on network security.

The filter named internet.in contains the following rules:

deny 192.168.200.0/24 0.0.0.0/0 log

permit tcp estab

permit 0.0.0.0/0 mail.edu.com/32 tcp dst eq 25

permit 0.0.0.0/0 ftp.edu.com/32 tcp dst eq 21

permit 0.0.0.0/0 www.edu.com/32 tcp dst eq 80

permit tcp src eq 20 dst gt 1023

permit udp dst eq 53

permit tcp dst eq 53

permit icmp

If you have not configured a name server for the PortMaster, use IP addresses instead of hostnames when creating filters. Table 16-6 describes the filter.

Table 16-6. Description of Internet Filter

Rule  Description
----  -----------
1     Denies any incoming packets claiming to be from your own network (192.168.200.0). This rule blocks IP spoofing attacks and logs the spoofing attempt.
2     Permits already established TCP connections.
3     Permits SMTP connections to the mail server mail.edu.com.
4     Permits FTP connections to the host ftp.edu.com.
5     Permits WWW HTTP connections to the Web server www.edu.com.
6     Permits an FTP data channel back to outgoing FTP requests.
7     Permits the Domain Name Service (DNS).
8     Permits DNS zone transfers. (You might want to restrict this rule to allow only connections to your name servers.)
9     Permits ICMP packets.

If your domain name server is outside your local network, refer to "Input and Output Filters for FTP Packets" on page 9-11.
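
The following Python model of the internet.in filter is an added example, not part of the original documentation or of ComOS. It parses the nine rules as written above and reports which rule decides a given inbound packet, so you can check a rule set against traffic you expect to allow or block before attaching it. Assumptions: rules are evaluated in order with the first match deciding, a packet matching no rule is denied, estab matches TCP packets with the ACK flag set, and the addresses substituted for the three hostnames are constructed.

```python
import ipaddress

# Constructed addresses standing in for the page's hostnames (assumption).
HOSTS = {"mail.edu.com": "192.168.200.25", "ftp.edu.com": "192.168.200.21",
         "www.edu.com": "192.168.200.80"}
INTERNET_IN = """deny 192.168.200.0/24 0.0.0.0/0 log
permit tcp estab
permit 0.0.0.0/0 mail.edu.com/32 tcp dst eq 25
permit 0.0.0.0/0 ftp.edu.com/32 tcp dst eq 21
permit 0.0.0.0/0 www.edu.com/32 tcp dst eq 80
permit tcp src eq 20 dst gt 1023
permit udp dst eq 53
permit tcp dst eq 53
permit icmp""".splitlines()
# Constructed packets: spoofed inside source, then an unsolicited Telnet attempt.
SAMPLES = [dict(src="192.168.200.7", dst="192.168.200.25", proto="tcp", srcport=4000, dstport=25),
           dict(src="198.51.100.9", dst="192.168.200.50", proto="tcp", srcport=4001, dstport=23)]

def parse_rule(line):
    t = line.split()
    rule = {"action": t.pop(0), "ports": []}
    if "/" in t[0]:                    # optional "source/bits destination/bits" pair
        for side in ("src", "dst"):
            host, _, bits = t.pop(0).partition("/")
            rule[side] = ipaddress.ip_network(f"{HOSTS.get(host, host)}/{bits}")
    while t:
        tok = t.pop(0)
        if tok in ("src", "dst"):      # port test such as "dst gt 1023"
            rule["ports"].append((tok, t.pop(0), int(t.pop(0))))
        elif tok in ("tcp", "udp", "icmp"):
            rule["proto"] = tok
        else:                          # flag: "estab" or "log"
            rule[tok] = True
    return rule

def matches(rule, pkt):
    return (all(ipaddress.ip_address(pkt[s]) in rule[s] for s in ("src", "dst") if s in rule)
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and bool(pkt.get("ack") or not rule.get("estab"))  # assumption: estab = ACK set
            and all(pkt.get(s + "port") is not None and
                    (pkt[s + "port"] == n if op == "eq" else pkt[s + "port"] > n)
                    for s, op, n in rule["ports"]))

def evaluate(pkt):
    for number, rule in enumerate(map(parse_rule, INTERNET_IN), 1):
        if matches(rule, pkt):         # first matching rule decides
            return rule["action"], number
    return "deny", 0                   # assumption: unmatched packets are dropped

print([evaluate(p) for p in SAMPLES])
```

A result of rule 0 means no rule matched. Rule 6 tests only the source port and destination port range, so any inbound TCP packet that fits them is decided by that rule regardless of destination host.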

Using ISDN for Internet Connections

Using the ISDN port on a PortMaster is very similar to using the serial port, except that you must do the following:




spider@livingston.com
Copyright © 1998, Livingston Enterprises, Inc. All rights reserved.