Asus Router RX3141 User Manual
RX3141 User’s Manual Chapter 9. Configuring Firewall/NAT Settings 61

3. Make the desired changes to any settings.
4. Click on the button to save the changes. The new settings for this Self-Access rule will then be displayed in the Existing Self-Access ACL table located at the bottom half of the Self-Access ACL configuration page.

9.6.3 Delete a Self-Access Rule

To delete a Self-Access rule, open the Self-Access Rule configuration page by double clicking the Router Setup → Self Access ACL menu and then click on the icon of the rule to be deleted.

9.6.4 View Configured Self-Access Rules

To see the existing Self-Access Rules, just open the Self-Access ACL configuration page by double clicking the Router Setup → Self-Access ACL menu.

Figure 9.10. Existing Self-Access ACL Rules

9.7 Firewall Log (Router Setup → Log)

You may open the firewall log page by double clicking the Router Setup → Log menu to see the logged events for any security breaches. Figure 9.11 shows a sample firewall log. You may click on the button at the bottom of the Log page to see the updated log messages.
Figure 9.11. Sample Firewall Log

9.7.1 Log Format

Two types of log are supported by the RX3141: the system security log and the firewall access control log. They are designated by the keywords sys and fw respectively. The log format is best explained by examples.

System Security Log Example:

    Jan 1 00:01:22 2000 klogd: sys: TCP XMAS/NULL packet from 192.168.1.100.

Explanation:
- Jan 1 00:01:22 2000: the time of the attack.
- klogd: sys: the attack was detected by the system security module.
- TCP XMAS/NULL: the type of attack detected.
- 192.168.1.100: the source of the attack.

Firewall Access Control Log Example:

    Jan 1 00:03:11 2000 klogd: fw: OUTBOUND rule=1 allow icmp from 192.168.1.100 to 211.1.1.1 type=8 code=0 id=512

Explanation:
- Jan 1 00:03:11 2000: the time of the access.
- klogd: fw: the log entry is related to firewall access control.
- OUTBOUND: the direction of the traffic.
- rule=1: the rule that matched the IP information of the traffic.
- allow: the action taken by the firewall.
- icmp: the protocol type of the traffic.
- 192.168.1.100: the source of the traffic.
- 211.1.1.1: the destination of the traffic.
- type=8: the ICMP message type.
- code=0: the ICMP message code.
- id=512: the ICMP message ID.
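As an added example that is not part of the manual, the following Python parser handles the two log formats described above and tallies, per source address, how many system security events and how many inbound denies the router logged. The sample lines are constructed to match the documented format; the addresses and rule numbers in them are made up, not taken from a real device.

```python
import re
from collections import Counter

# Constructed sample lines in the two RX3141 formats (sys and fw) described above.
SAMPLE_LOG = """\
Jan 1 00:01:22 2000 klogd: sys: TCP XMAS/NULL packet from 192.168.1.100.
Jan 1 00:03:11 2000 klogd: fw: OUTBOUND rule=1 allow icmp from 192.168.1.100 to 211.1.1.1 type=8 code=0 id=512
Jan 1 00:04:02 2000 klogd: fw: INBOUND rule=2 deny icmp from 203.0.113.7 to 192.168.1.10 type=8 code=0 id=513
Jan 1 00:04:05 2000 klogd: fw: INBOUND rule=2 deny icmp from 203.0.113.7 to 192.168.1.10 type=8 code=0 id=514
Jan 1 00:09:30 2000 klogd: sys: TCP XMAS/NULL packet from 203.0.113.7.
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})"
IP = r"\d+(?:\.\d+){3}"
SYS_RE = re.compile(TS + r" klogd: sys: (?P<attack>.+?) packet from (?P<src>" + IP + r")\.?$")
FW_RE = re.compile(TS + r" klogd: fw: (?P<direction>[A-Z]+) rule=(?P<rule>\d+) "
                   r"(?P<action>allow|deny) (?P<proto>\w+) from (?P<src>" + IP + r") "
                   r"to (?P<dst>" + IP + r")(?P<extra>(?: \w+=\S+)*)$")

def parse_line(line):
    """Return a dict for one log line, or None if it matches neither format."""
    m = SYS_RE.match(line)
    if m:
        return {"kind": "sys", "ts": m["ts"], "attack": m["attack"], "src": m["src"]}
    m = FW_RE.match(line)
    if m:
        rec = {"kind": "fw", "ts": m["ts"], "direction": m["direction"],
               "rule": int(m["rule"]), "action": m["action"], "proto": m["proto"],
               "src": m["src"], "dst": m["dst"]}
        # Protocol-specific trailer, e.g. "type=8 code=0 id=512" for ICMP.
        for kv in m["extra"].split():
            key, val = kv.split("=", 1)
            rec[key] = int(val) if val.isdigit() else val
        return rec
    return None

def summarize(text):
    """Count system-security events and inbound denies per source address."""
    attacks, denies = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "sys":
            attacks[rec["src"]] += 1
        elif rec["direction"] == "INBOUND" and rec["action"] == "deny":
            denies[rec["src"]] += 1
    return attacks, denies
```

Feeding the saved log page text to summarize() gives a quick per-source view of which external hosts are being denied repeatedly or are triggering the system security detector.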
10 Virtual Server and Special Application

This chapter describes the configuration procedures for:
- Virtual Server
- Special Application

NAT is the technology used to support the above applications.

10.1 NAT Overview

Network Address Translation (NAT) allows a single device, such as the RX3141, to act as an agent between the Internet (public network) and a local (private) network. This means that a single NAT IP address can represent an entire group of computers to any entity outside the network. NAT is a mechanism for conserving registered IP addresses in large networks and for simplifying IP address management. Because the IP addresses are translated, NAT also conceals the true internal network addresses from prying eyes and provides a certain degree of security to the local network.

10.1.1 NAPT (Network Address and Port Translation) or PAT (Port Address Translation)

Also called IP Masquerading, this feature maps many internal hosts to one globally valid Internet address. The mapping contains a pool of network ports to be used for translation. Every packet is translated with the globally valid Internet address, and the port number is translated to an unused port from the pool of network ports. Figure 10.1 shows all the hosts on the local network gaining access to the Internet by mapping to only one globally valid IP address and different port numbers from a free pool of network ports.

Figure 10.1. NAPT – Map Any Internal PCs to a Single Global IP Address
Figure 10.2. Reverse NAPT – Relay Incoming Packets to the Internal Host Based on the Protocol, Port Number or IP Address

10.1.2 Reverse NAPT / Virtual Server

Reverse NAPT is also called inbound mapping, port mapping, or virtual server. Any packet coming to the RX3141 can be relayed to an internal host based on the protocol, port number and/or IP address specified in the ACL rule. This is useful when multiple services are hosted on different internal hosts. Figure 10.2 shows a web server (TCP/80) hosted on PC A, a telnet server (TCP/23) on PC B, a DNS server (UDP/53) on PC C and an FTP server (TCP/21) on PC D. The inbound traffic for each of these four services is directed to the host providing that service.

10.2 Configure Virtual Server

Virtual server allows you to configure up to ten public servers, such as Web, E-mail and FTP servers, to be accessible to external users on the Internet. Each service is provided by a dedicated server configured with a fixed IP address. Although the internal server addresses are not directly accessible to external users, the router identifies the requested service by its service port number and redirects the request to the appropriate internal server.

Note: The RX3141 supports only one server of any particular type at a time.

10.2.1 Virtual Server Configuration Parameters

Table 10.1 describes the configuration parameters available for virtual server configuration.
Table 10.1. Virtual Server Configuration Parameters

Setting              Description
Enable               Select an application from the list of pre-configured applications. The corresponding protocol and the redirect port range will be automatically selected. Select “Manual Setting” if you want to configure the settings yourself. To activate the policy, make sure the check box is checked. For a list of pre-configured applications, please refer to Table 10.2.
Protocol             Select the protocol type from a drop-down list. Available settings are All, TCP, UDP, TCP/UDP, and ESP.
Redirect Port Range  Enter the desired port numbers.
To IP Address        Enter the server IP address.

Table 10.2. Port Numbers for Popular Applications

Application               Service   Port Numbers
AOE II (Server)                     2300-2400
AUTH                                113
Baldurs Gate II                     2300-2400
Battle Isle                         3004-3004
Counter Strike                      27005-27015
Cu See Me                           7648-7648, 56800, 24032
Diablo II                           4000-4000
DNS                       UDP       53-53
FTP                       TCP       21-21
FTP                       TCP       20(ALG)-21
GOPHER                    TCP       70-70
HTTP                      TCP       80-80
HTTP8080                  TCP       8080-8080
HTTPS                     TCP       443-443
I-phone 5.0               TCP/UDP   22555-22555
ISAKMP                    UDP       500-500
mIrc                                6601-700
MSN Messenger                       1863 ALG
Need for Speed 5                    9400-9400
Netmeeting Audio          TCP       1731-1731
Netmeeting Call           TCP       1720-1720
Netmeeting Conference     UDP       49500-49700
Netmeeting File Transfer  TCP       1503-1503
Table 10.2. Port Numbers for Popular Applications (continued)

Application               Service   Port Numbers
Netmeeting or VOIP                  1503-1503, 1720 (ALG)
NEWS                      TCP       119-119
PC Anywhere                         TCP: 5631
PC Anywhere                         TCP: 5631, UDP: 5632
POP3                      TCP       110-110
Powwow Chat                         13223-13223
Red Alert II                        1234-1237
SMTP                      TCP       25-25
Sudden Strike                       2300-2400
TELNET                    TCP       23-23
Win VNC                   UDP       5800-5900

10.2.2 Virtual Server Example

The following describes the procedure to set up an FTP server:

1. Open the Virtual Server configuration page, as shown in Figure 10.3, by double clicking the Advanced → Virtual Server menu.
2. Select FTP from the Enable drop-down list and check the check box to activate this policy. Note that the protocol and the redirect port range are automatically selected.
3. Enter the IP address of the FTP server. Note that this IP address is a private IP address.
4. Click the button to save the settings.

Figure 10.3. Virtual Server Example
5. For security reasons, the RX3141 denies all access requests from external users unless a proper inbound ACL rule is set up for each virtual server to allow external users to access the internal servers configured in the Virtual Server configuration page. For example, if you want to allow anyone in the external network to access the FTP server, define an inbound ACL rule as configured in Figure 10.4. Note that the destination IP address is the IP address entered in “To IP Address” and the destination port is the port numbers entered in “Redirect Port Range” in the Virtual Server configuration page. If you want to restrict access to the FTP server to particular IP addresses, change the source IP setting in the inbound ACL rule. For example, if the source IP in the inbound ACL rule is configured as 198.175.2.10, the RX3141 will deny all external access to the FTP server except from this particular IP address. For detailed information about configuring an inbound ACL rule, please refer to section 9.4 Configuring Inbound ACL Rules.

Figure 10.4. Virtual Server Example – Inbound ACL Rule

Configure Special Application

Some applications use multiple TCP/UDP ports to transmit data. Due to the NAT operation, these applications cannot work through the router. The Special Application setting allows some of these applications to work properly.

Note: Only one PC can use one particular special application at any time.

10.2.3 Special Application Configuration Parameters

Table 10.3 describes the configuration parameters available for Special Application configuration.

Table 10.3. Special Application Configuration Parameters

Setting   Description
Enable    Select an application from the list of pre-configured applications. The corresponding protocol and the redirect port range will be automatically selected. Select “Manual Setting” if you want to configure the settings yourself. To activate the policy, make sure the check box is checked.
          Same as “Redirect Port Range”
          Same as “To IP Address”
Table 10.3. Special Application Configuration Parameters (continued)

Setting                        Description
Application Name               The name identifying the application.
Outgoing (Trigger) Port Range  The port range this application uses when it sends outbound packets. The outgoing port numbers act as the trigger. When the router detects outgoing packets with these port numbers, it will allow the corresponding inbound packets with the incoming port numbers specified in the Incoming Port Range field to pass through the router. For a list of port numbers used by some popular applications, please refer to Table 10.4.
Incoming Port Range            The port range that the corresponding inbound packets use. For a list of port numbers used by some popular applications, please refer to Table 10.4.

Table 10.4. Port Numbers for Popular Applications

Application      Outgoing Port Number   Incoming Port Range
Battle.net       6112                   6112
DialPad          7175                   51200, 51201, 51210
ICU II           2019                   2000-2038, 2050-2051, 2069, 2085, 3010-3030
MSN Gaming Zone  47624                  2300-2400, 28800-29000
PC to Phone      12053                  12120, 12122, 24150-24220
Quick Time 4     554                    6970-6999
wowcall          8000                   4000-4020

10.2.4 Special Application Example

Figure 10.5. Special Application Configuration Page
The following describes the procedure to set up a special application for Quick Time.

1. Open the Special Application configuration page, as shown in Figure 10.5, by double clicking the Advanced → Special Application menu.
2. Select Quick Time from the Enable drop-down list and check the check box to activate this policy. Note that the application name and the outgoing and incoming port ranges are automatically selected.
3. Click the button to save the settings.
4. The RX3141 has a default outbound ACL rule that forwards all outbound traffic to the external networks. This default outbound ACL rule allows anyone to use the applications defined in the Special Application configuration page. If this is what you want, skip this step. However, for security or other reasons, you may want to restrict the use of these applications to a particular group of users. In that case, configure an outbound ACL rule to control outbound access as illustrated in Figure 10.6. This example restricts access to hosts in the IP address range 192.168.1.110 to 192.168.1.115. Note that you must remove the default firewall outbound ACL rule for the access restriction to work, because the default outbound ACL rule allows anyone to use any application set up in the Special Application configuration page. To delete the default outbound ACL rule, just click the icon in front of the default ACL rule in the Outbound ACL Rule table located in the Outbound ACL Rule configuration page (as shown in Figure 10.7). For details on configuring an outbound ACL rule, please refer to section 9.5 Configuring Outbound ACL Rules.

Figure 10.6. Special Application Example – Outbound ACL Rule

Figure 10.7. Outbound ACL Rule Table (Default Outbound ACL Rule)
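As an added example that is not part of the manual, the following Python model ties together the virtual server procedure (step 5 above: a virtual server entry is reachable only through a matching inbound ACL rule, here restricted to 198.175.2.10) and the special application procedure (an outbound trigger port arms an incoming port range for one PC, with the outbound ACL limiting trigger hosts to 192.168.1.110 through 192.168.1.115). The FTP server address 192.168.1.10, the order of the two inbound lookups, relaying triggered traffic to the host that sent the trigger, and the first host keeping the trigger until it is released are assumptions for this model, not behaviour stated in the manual.

```python
from ipaddress import ip_address

# Constructed values, not from the manual except where noted.
LAN_FTP = "192.168.1.10"                      # private address entered in "To IP Address"
VIRTUAL_SERVERS = {("tcp", 21): LAN_FTP}      # FTP entry from the Virtual Server page (Table 10.2)
INBOUND_ACL = [                               # inbound ACL rule as in Figure 10.4, source 198.175.2.10
    {"src": ("198.175.2.10", "198.175.2.10"), "dst": LAN_FTP, "port": 21, "action": "allow"},
]
SPECIAL_APPS = {"Quick Time 4": {"trigger": (554, 554), "incoming": [(6970, 6999)]}}  # Table 10.4
TRIGGER_HOSTS = ("192.168.1.110", "192.168.1.115")  # outbound ACL range from the 10.2.4 example

def in_range(ip, rng):
    """True if ip lies within the inclusive (low, high) address range."""
    return ip_address(rng[0]) <= ip_address(ip) <= ip_address(rng[1])

class Rx3141Nat:
    def __init__(self):
        self.triggered = {}   # app name -> LAN host that currently holds the trigger

    def outbound(self, src, dport):
        """A LAN host sends to dport: arm any special application whose trigger port matches."""
        if not in_range(src, TRIGGER_HOSTS):
            return "denied by outbound ACL"
        for name, app in SPECIAL_APPS.items():
            lo, hi = app["trigger"]
            if lo <= dport <= hi:
                holder = self.triggered.get(name)
                if holder and holder != src:
                    return f"{name} busy ({holder})"   # one PC per application (assumed: first keeps it)
                self.triggered[name] = src
                return f"{name} armed for {src}"
        return "forwarded"

    def inbound(self, src, proto, dport):
        """A WAN packet arrives: return the LAN host it is relayed to, or None if dropped."""
        # 1. Dynamic port trigger: relayed to the host that sent the trigger packet (assumed).
        for name, host in self.triggered.items():
            if any(lo <= dport <= hi for lo, hi in SPECIAL_APPS[name]["incoming"]):
                return host
        # 2. Virtual server: static mapping, honoured only if an inbound ACL rule allows it.
        target = VIRTUAL_SERVERS.get((proto, dport))
        if target is None:
            return None
        for rule in INBOUND_ACL:
            if in_range(src, rule["src"]) and rule["dst"] == target and rule["port"] == dport:
                return target if rule["action"] == "allow" else None
        return None   # default deny: the virtual server entry alone does not grant access
```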
11 System Management

This chapter describes the following administrative tasks that you can perform using the Configuration Manager:
- Modify password and system-wide settings
- View system information
- Modify system date and time
- Reset system configuration
- Reboot system
- Update firmware
- Backup/restore system configuration

11.1 Login Password and System-Wide Settings

The first time you log into the Configuration Manager, you use the default username and password (admin and admin).

Note: This username and password are used only for logging into the Configuration Manager; they are not the same as the login password that you use to connect to your ISP.

Figure 11.1. System Administration Configuration Page