LASYSTEMS - Brusselsesteenweg 208 - 1730 Asse - Belgium
Phone: +32-2-4531312 - Fax: +32-2-4531763 E-mail: info@lasystems.be

Asus RX3041 (RX3041)

RX3041 Broadband Router with 4-Port Switch

Price details:

Price excl. VAT: 23.42 Eco fees: 0.00 VAT 21 %: 4.92
PDF generated on: 8 June, 2011

Product details:

Product code: RX3041 EAN: Manufacturer: Asus

28.34

* VAT included
Product is discontinued. You can not order it anymore.
ASUS RX3041 is an ideal-designed broadband router for sharing network at home or in SOHO. It possesses featurerich firewall and management function. With intelligent setup wizard, users are able to quickly configure it and connect to computer to share Internet, files, games, or communication. In addition, ASUS specific and friendly user interface allows users to benefit from advanced security function. Benefits and Advantages: -3-easy-step setup wizard -User friendly Web GUI Interface -Support NAT, NAPT, DHCP Server/Client, and DNS proxy -Multi DMZ host support -Support PPTP and IPSec pass through -Advanced security management functions -Multi-placement Options Main specifications:

Data transmission

Maximum data transfer rate: Supported data transfer rates: 0 Gbit/s 10/100 Mbps Wireless N NAT, NAPT, DNS Y Y N Y PPTP, IPSec Y T

Networking

Connectivity technology: Supports ISDN connection:

Protocols

Supported network protocols: DHCP client: DHCP server:

ADSL features

ADSL connection:

Wireless LAN features

Wireless LAN (WLAN) connection:

Security

Security algorithms supported:

Illumination/Alarms

Power LED: Connectivity LEDs:
*PLEASE NOTE: Every effort has been made to ensure the accuracy of all information contained herein. Lasystems makes no warranty expressed or implied with respect to accuracy of the information, including price, editorials or specifications. Lasystems or its suppliers shall not be liable for incidental, consequential or special damages arising from, or as a result of, any electronic transmission or the accuracy of the information contained herin, even if Lasystems has been advised of the possibility of such damages. Product and manufacturer names are used only for the purpose of identification.

Figure 9.26 IP Pool Configuration.... 76 Figure 9.27. Network Diagram for IP Pool Configuration... 77 Figure 9.28. IP Pool Example Add Two IP Pools MISgroup1 and MISgroup2.. 77 Figure 9.29. IP Pool Example Deny QUAKE-II Connection for MISgroup1... 78 Figure 9.30. NAT Pool configuration.... 79 Figure 9.31. Network Diagram for NAT Pool Example... 80 Figure 9.32. NAT Pool Example Create a Static NAT Pool... 80 Figure 9.33. NAT Pool Example Associate a NAT Pool to an ACL Rule.. 81 Figure 9.34. Time Range Configuration.... 82 Figure 9.35. Time Range Example Create a Time Range... 83 Figure 9.36. Time Range Example Deny FTP Access for MISgroup1 During OfficeHours.. 83 Figure 9.37. Firewall Statistics.... 84 Figure 10.1. User Group Configuration..... 86 Figure 10.2. User Group and Users Configuration Example... 88 Figure 10.3. Group ACL Configuration Example... 89 Figure 10.4. Group ACL List.... 89 Figure 10.5. Login Console..... 90 Figure 10.6. Login Status Screen.... 90 Figure 10.7. Network Diagram for Inbound Remote Access... 91 Figure 10.8. User and User Group Configuration Example... 92 Figure 10.9. Group ACL Configuration Example... 92 Figure 11.1. System Services Configuration.... 93 Figure 11.2. Password Configuration.... 94 Figure 11.3. Management Station Configuration.... 95 Figure 11.4. Management Station Summary... 96 Figure 11.5. System Identiy Configuration.... 96 Figure 11.6. Date and Time Configuration Page... 98 Figure 11.7. SNMP Configuration.... 99 Figure 11.8. Existing SNMP Configuration.... 99 Figure 11.9. Default Setting Configuration... 99 Figure 11.10. Counter Timer for Default Setting Configuration... 100 Figure 11.11. Backup System Configuration.... 100 Figure 11.12. Restore System Configuration.... 101 Figure 11.13. Windows File Browser.... 101 Figure 11.14. Firmware Upgrade Page.... 102 Figure 11.15. Counter Down Counter for Firmware Update... 102 Figure 11.16. Router Reset Page.... 102
Figure 11.17. Counter Down Counter for Router Reset... 102 Figure 11.18. Logout Page..... 103 Figure 11.19. Confirmation for Closing Browser (IE).... 103 Figure D.1. Using the ping Utility.... 119 Figure D.2. Using the nslookup Utility..... 120

List of Tables

Table 2.1. Front Panel Label and LEDs....3 Table 2.2. Rear Panel Labels and LEDs.....4 Table 2.3. DoS Attacks.....6 Table 3.1. LED Indicators.... 10 Table 3.2. Default Settings Summary.... 20 Table 4.1. Description of Commonly Used Buttons and Icons... 23 Table 5.1. LAN IP Configuration Parameters... 25 Table 5.2. DHCP Server Configuration Parameters.... 27 Table 5.3. DHCP Address Assignment Parameters.... 28 Table 5.4. Fixed DHCP Lease Configuration Parameters... 29 Table 6.1. WAN PPPoE Configuration Parameters... 33 Table 6.2. WAN Dynamic IP Configuration Parameters... 36 Table 6.3. WAN Static IP Configuration Parameters... 37 Table 7.1. Dynamic Routing (RIP) Configuration Parameters.... 41 Table 7.2. Static Route Configuration Parameters.... 43 Table 8.1. DDNS Configuration Parameters.... 46 Table 9.1. ACL Rule Configuration Parameters.... 55 Table 9.2. URL Filter Configuration Parameters... 61 Table 9.3. Self Access Configuration Parameters.... 63 Table 9.4. Service List configuration parameters.... 64 Table 9.5. DoS Protection Configuration Parameters... 66 Table 9.6. Application Filter Configuration Parameters... 69 Table 9.7. IP Pool Configuration Parameters... 75 Table 9.8. NAT Pool Configuration Parameters.... 78 Table 9.9. Time Range Configuration Parameters.... 81 Table 10.1. User Group Configuration Parameters.... 85 Table 10.2. Group ACL Specific Configuration Parameters... 88 Table 11.1. Management Station Configuration Parameters... 95 Table 11.2. Date/Time Configuration Parameters... 97

Enter Subnet Mask for the WAN. This information should be provided by your ISP. Typically, it is 255.255.255.0. Enter gateway address provided by your ISP in the space provided. Enter at lease the primary DNS IP address provided by your ISP. Secondary DNS IP address is optional. Enter it in the space provided if you have such information from your ISP. Click to save the static IP settings
You have now completed customizing basic configuration settings. Read the following section to determine if you have access to the Internet.

Testing Your Setup

At this point, the RX3041H should enable any computer on your LAN to use the RX3041Hs ADSL or cable modem connection to access the Internet. To test the Internet connection, open your web browser, and type the URL of any external website (such as http://www.asus.com). The LED labeled WAN should be blinking rapidly and may appear solid as the device connects to the site. You should also be able to browse the web site through your web browser. If the LEDs do not illuminate as expected or the web page does not display, see Appendix D for troubleshooting suggestions.

Default Router Settings

In addition to handling the DSL connection to your ISP, the router provides a variety of services to your network. The device is pre-configured with default settings for use with a typical home or small office network. Table 3.2 lists some of the most important default settings; these and other features are described fully in the subsequent chapters. For a complete list of default settings, please refer to the section B.2 Default Settings. If you are familiar with network configuration settings, review the settings in Table 3.2 to verify that they meet the needs of your network. Follow the instructions to change them if necessary. If you are unfamiliar with these settings, try using the device without modification. Before modifying any settings, review Chapter 4 for general information about accessing and using the Configuration Manager. Table 3.2. Default Settings Summary Option DHCP (Dynamic Host Configuration Protocol) Default Setting DHCP server enabled with the following pool of addresses: 192.168.1.10 through 192.168.1.200 Explanation/Instructions The router maintains a pool of private IP addresses for dynamic assignment to your LAN computers. To use this service, you must have set up your computers to accept IP information dynamically, as described in Part 2 of the Quick Start Guide. See section 5.2 for an explanation of the DHCP service. This is the IP address of the LAN port on the RX3041H. The LAN port connects the device to your Ethernet network. Typically, you will not need to change this address. See section 5.1 LAN IP Address for instructions.

LAN Port IP Address

Static IP address: 192.168.1.1 subnet mask: 255.255.255.0
Chapter 4. Getting Started with the Configuration Manager
Getting Started with the Configuration Manager[CT9]
Your router includes a preinstalled program called the Configuration Manager, which allows you to customize the device settings to meet the needs of your network. You access the Configuration Manager through a web browser from any PC that has access to the router via network connections. This chapter describes the general guidelines for using the Configuration Manager.
Log into the Configuration Manager
To access the Configuration Manager, you need the following: A computer that has access to the router via network connections as described in the Quick Start Guide chapter. A web browser on your computer. Configuration Manager is compatible with Microsoft Internet Explorer 5.5, Netscape 7.0.2 or newer. Although you may log into the Configuration Manager from any computer that can reach your router via the LAN or WAN connections, the instructions provided here assumes that your computer is connected to the LAN port of your router. 1. From a LAN computer, open your web browser, type the following in the web address (or location) box, and press <Enter>: http://192.168.1.1 This is the predefined IP address for the LAN port of your router. A login screen displays, as shown in Figure 4.1.
Figure 4.1. Configuration Manager Login Screen 2. Enter your user name and password, and then click The first time you log into the program, use these defaults:
Default User Name: Default Password: admin admin

button.

You can change the password at any time (see section 11.2.1 Change the Login Password on page 93).
The Setup Wizard page, as shown in Figure 3.3, displays each time you log into the Configuration Manager.

Functional Layout

Typical Configuration Manager page consists of two separate frames. The left frame, as shown in Figure 4.2, contains all the menus available for device configuration. Menus are indicated by file icons, , and related or , menus are grouped into categories, such as LAN, WAN and etc., and indicated by folder icons, depending on whether the group of menus are expanded or not. You can click on any of these to display a specific configuration page.
Setup Menu Frame Configuration Frame
Figure 4.2. Typical Configuration Manager Page A separate page displays in the right-hand-side frame for each menu. For example, the configuration page displayed in Figure 4.2 is intended for DHCP configuration.

You can change the default to reflect the true IP address that you want to use with your network. The RX3041H itself can function as a DHCP server for your LAN computers, as described in section 5.2.2, but not for its own LAN port.
LAN IP Configuration Parameters
Table 5.1. LAN IP Configuration Parameters
Table 5.1describes the configuration parameters available for LAN IP configuration.

Setting IP Address

Description The LAN IP address of the RX3041H. This IP is used by your computers to identify the RX3041Hs LAN port. Note that the public IP address assigned to you by your ISP is not your LAN IP address. The public IP address identifies the WAN port on the RX3041H to the Internet. The LAN subnet mask identifies which parts of the LAN IP Address refer to your network as a whole and which parts refer specifically to nodes on the network. Your device is preconfigured with a default subnet mask of 255.255.255.0.

Subnet Mask

Configuring the LAN IP Address

IP menu.

Follow these steps to change the default LAN IP address. 1. Open the LAN configuration page by clicking the LAN
2. Enter a LAN IP address and subnet mask for the RX3041H in the IP Address and Subnet Mask fields as shown in Figure 5.1.
Figure 5.1. LAN IP Address Configuration 3. Click. button to save the LAN IP address.
If you change the LAN IP address, the connection will be terminated. 4. Reconfigure your PCs, if necessary, so that their IP addresses place them in the same subnet as the new IP address of the LAN port. See the Quick Start Guide chapter, Part 2 Configuring Your Computers, for instructions. 5. Log into Configuration Manager by typing the new IP address in your Web browsers address/location box.

5.2.1.1

DHCP (Dynamic Host Configuration Protocol)

What is DHCP?

DHCP is a protocol that enables network administrators to centrally manage the assignment and distribution of IP information to computers on a network. When you enable DHCP on a network, you allow a device such as the RX3041H to assign temporary IP addresses to your computers whenever they connect to your network. The assigning device is called a DHCP server, and the receiving device is a DHCP client. If you followed the Quick Start Guide instructions, you either configured each LAN PC with an IP address, or you specified that it will receive IP information dynamically (automatically). If you chose to have the information assigned dynamically, then you configured your PCs as DHCP clients that will accept IP addresses assigned from a DCHP server such as the RX3041H.

8.4.1.3

Delete a Host Table Entry
icon of the entry to be deleted or follow the instruction below:
To delete a host table entry, click on the
1. Open the DDNS configuration page by clicking on the DDNS menu. 2. Click on the icon of the host table entry to be deleted in the host table or select the host table entry from the host table drop-down list. 3. Click on the button to delete the entry. Note that the entry deleted will be removed from the host table located at the bottom half of the DDNS configuration page.

8.4.1.4

View the Host Table
To see existing host table, just open the DDNS configuration page by clicking on the DDNS menu.
Chapter 9. Configuring Firewall/NAT Settings
Configuring Firewall/NAT Settings
The RX3041H provides built-in firewall/NAT functions, enabling you to protect the system against denial of service (DoS) attacks and other types of malicious accesses to your LAN while providing Internet access sharing at the same time. You can also specify how to monitor attempted attacks, and who should be automatically notified. This chapter describes how to create/modify/delete ACL (Access Control List) rules to control the data passing through your network. You will use firewall configuration pages to: Create, modify, delete and view inbound/outbound ACL rules. Create, modify and delete pre-defined services, IP pools, NAT pools, application filters and time ranges to be used in inbound/outbound ACL configurations. View firewall statistics. Note: When you define an ACL rule, you instruct the RX3041H to examine each data packet it receives to determine whether it meets criteria set forth in the rule. The criteria can include the network or internet protocol it is carrying, the direction in which it is traveling (for example, from the LAN to the Internet or vice versa), the IP address of the sending computer, the destination IP address, and other characteristics of the packet data. If the packet matches the criteria established in a rule, the packet can either be accepted (forwarded towards its destination), or denied (discarded), depending on the action specified in the rule.

Firewall Overview

The stateful packet inspection engine in the RX3041H maintains a state table that is used to keep track of connection states of all the packets passing through the firewall. The firewall will open a hole to allow the packet to pass through if the state of the packet that belongs to an already established connection matches the state maintained by the stateful packet inspection engine. Otherwise, the packet will be dropped. This hole will be closed when the connection session terminates. No configuration is required for stateful packet inspection; it is enabled by default when the firewall is enabled. Please refer to section 11.1 Configure System Services to enable or disable firewall service on the RX3041H.

IP Pool

Destination IP This option allows you to set the destination network to which this rule should apply. Use the dropdown list to select one of the following options: Any This option allows you to apply this rule to all the computers in the destination network such as those on the LAN for inbound ACL rules and those on the Internet for outbound ACL rules. Select any of these options and enter details as described in the Source IP section above.
IP Address, Subnet, Range and IP Pool
Source Port This option allows you to set the source port to which this rule should apply. Use the drop-down list to select one of the following options: Any Single Port Number Range Select this option if you want this rule to apply to all applications with an arbitrary source port number. This option allows you to apply this rule to an application with a specific source port number. Enter the source port number Select this option if you want this rule to apply to applications with this port range. The following fields become available for entry when this option is selected. Begin End Enter the starting port number of the range Enter the ending port number of the range
Destination Port This option allows you to set the destination port to which this rule should apply. Use the drop-down list to select one of the following options: Any Single, Range Select this option if you want this rule to apply to all applications with an arbitrary destination port number. Select any of these and enter details as described in the Source Port section above.

Field Service

Description This option allows you to select any of the pre-configured services (selectable from the drop-down list) instead of the destination port. The following are examples of services: BATTLE-NET, PC-ANYWHERE, FINGER, DIABLO-II, L2TP, H323GK, CUSEEME, MSN-ZONE, ILS, ICQ_2002, ICQ_2000, MSN, AOL, RPC, RTSP7070, RTSP554, QUAKE, N2P, PPTP, MSG2, MSG1, IRC, IKE, H323, IMAP4, HTTPS, DNS, SNMP, NNTP, POP3, SMTP, HTTP, FTP, TELNET. Note: service is a combination of protocol and port number. They appear here after you add them in the Firewall Service configuration page.
Protocol This option allows you to select protocol type from a drop-down list. Available settings are All, TCP, UDP, ICMP, AH and ESP. Note that if you select service for the destination port, this option will not be available. NAT This option allows you to select the type of NAT for the traffic. None IP Address Select this option if you dont intend to use NAT in this ACL rule. For inbound ACL rules: select this option to specify the IP address of the computer (usually a server in your LAN) that you want the incoming traffic to be directed. Note this option is called reverse NAPT or virtual server. For outbound ACL rules: Select this option to specify the IP address that you want the outbound traffic to use. Note this option is called NAPT or overload. NAT Pool Select this option to associate a pre-configured NAT pool to the rule. For inbound ACL rules, only reverse static NAT and reverse NAPT pool can be used. For outbound ACL rules, only static, dynamic and overload NAT pool can be used. This option is available for outbound ACL rules only. Select this option to use the WAN interface IP address for the outbound traffic. Note that WAN IP must be configured prior to selecting this option. Three options are available: eth0, pppoe0 and pppoe1. Select eth0 if your WAN interface type is static or dynamic; pppoe0 if WAN interface is PPPoE0, and pppoe1 if WAN interface is PPPoE1.

Interface (Outbound ACL only)
Time Ranges Select a pre-configured time range during which the rule is active. Select Always to make the rule active at all times. Application Filtering This option allows you to select pre-configured FTP, HTTP, RPC and/or SMTP application filters from the drop-down list. Log Click on the Enable or Disable radio button to enable or disable logging for this ACL rule.
Configuring Inbound ACL Rules
Inbound ACL rules are used to control (allow or deny) access to the local network.

Add an Inbound ACL Rule

To add an inbound ACL rule, follow the instructions below: 1. Open the Inbound ACL Rule Configuration Page by clicking on the Firewall Inbound ACL menu. 2. Select Add New from the ID drop-down list. 3. Set desired action (Allow or Deny) from the Action drop-down list. 4. Make changes to any or all of the following fields: Source/Destination IP, Source/Destination Port, Protocol, NAT, Time Ranges, Application Filtering, and Log. Please see Table 9.1 for explanation of these fields. Figure 9.7 illustrates how to create an ACL rule to allow inbound FTP service for any host on the Internet to access to FTP server in the local network w/ IP address 192.168.1.123.
Figure 9.7. Inbound ACL configuration Example 5. Assign a priority for this rule by selecting a number from the Move to drop-down list. Note that the number indicates the priority of the rule with 1 being the highest. Higher priority rules will be examined prior to the lower priority rules by the firewall. 6. Click on the button to create the new ACL rule. You may verify the new ACL rule in the inbound access control list table displayed at the bottom half of the Inbound ACL configuration page as shown in Figure 9.8.
Figure 9.8. Inbound ACL List
Modify an Inbound ACL Rule

Inbound ACL

To modify an inbound ACL rule, follow the instructions below: 1. Open the Inbound ACL Rule Configuration Page by clicking on the Firewall menu.
2. Click on the icon of the rule to be modified in the inbound ACL table or select the rule number from the ID drop-down list. 3. Make desired changes to any or all of the following fields: action, source/destination IP, source/destination port, protocol, port mapping, time ranges, application filtering, and log. Please see Table 9.1 for explanation of these fields. 4. Click on the button to modify this ACL rule. The new settings for this ACL rule will then be displayed in the inbound access control list table at the bottom half of the Inbound ACL configuration page.
Delete an Inbound ACL Rule
in front of the rule to be deleted or follow the instructions below: Inbound ACL
To delete an inbound ACL rule, click on the
1. Open the Inbound ACL Rule Configuration Page by clicking on the Firewall menu.
icon of the rule to be deleted in the inbound ACL table or select the rule number 2. Click on the from the ID drop-down list. 3. Click on the button to delete this ACL rule. Note that the ACL rule deleted will be removed from the ACL rule table located at the bottom half of the same configuration page.

Display Existing Inbound ACL Rules
To see existing inbound ACL rules, just open the Inbound ACL Rule configuration page by clicking on the Firewall Inbound ACL menu.
Configuring Outbound ACL Rules
Outbound ACL rules allow you to control (allow or deny) Internet or external network access for computers on your LAN.

Add an Outbound ACL Rule

To add an outbound ACL rule, follow the instructions below: 1. Open the Outbound ACL Rule configuration page by clicking on the Firewall Outbound ACL menu. 2. Select Add New from the ID drop-down list. 3. Set desired action (Allow or Deny) from the Action drop-down list. 4. Make changes to any or all of the following fields: source/destination IP, source/destination port, protocol, NAT, time ranges, application filtering, and log. Please see Table 9.1 for explanation of these fields. Figure 9.9 illustrates how to create a rule to deny outbound HTTP traffic for a host w/ IP address 192.168.1.15.
Figure 9.9. Outbound ACL Configuration Example 5. Assign a priority for this rule by selecting a number from the Move to drop-down list. Note that the number indicates the priority of the rule with 1 being the highest. Higher priority rules will be examined prior to the lower priority rules by the firewall. 6. Click on the button to create the new ACL rule. The new ACL rule will then be displayed in the outbound access control list table at the bottom half of the Outbound ACL configuration page.
Figure 9.10. Outbound ACL List
Modify an Outbound ACL Rule

Outbound ACL

To modify an outbound ACL rule, follow the instructions below: 1. Open the Outbound ACL Rule configuration page by clicking on the Firewall menu.
icon of the rule to be modified in the outbound ACL table or select the rule 2. Click on the number from the ID drop-down list. 3. Make desired changes to any or all of the following fields: action, source/destination IP, source/destination port, protocol, NAT, time ranges, application filtering, and log. Please see Table 9.1 for explanation of these fields. 4. Click on the button to modify this ACL rule. The new settings for this ACL rule will then be displayed in the outbound access control list table at the bottom half of the Outbound ACL configuration page.

Table 9.3 describes the configuration parameters available in the Self Access configuration page.

Field Protocol Port

Description Select protocol from drop down list - TCP/ UDP/ICMP Enter the Port Number.
Direction Select the direction from which the traffic will be allowed. From LAN From WAN Select Enable or Disable to allow or deny traffic from the LAN (internal network) to the RX3041H. Select Enable or Disable to allow or deny traffic from WAN (external network) to the RX3041H.

9.7.1.2

Add a Self Access Rule
To add a Self Access rule, follow the instructions below: 1. Open the Self Access Rule configuration page by clicking on the Firewall Advanced Self Access menu. 2. Select Add New from the Self Access rule drop-down list. 3. Select a protocol from the Protocol drop-down list. If you select TCP or UDP protocol, you will need to enter port number as well.
Figure 9.13. Self Access Rule Configuration Example 4. Click on the button to create the new Self Access rule. The new rule will then be displayed in the Self Access Rule list table at the bottom half of the Self Access Rule configuration page.

Example

Figure 9.13 displays the screen with entries to: Add a new Self Access rule to: Allow TCP port 80 traffic (i.e. HTTP traffic) from the LAN and deny the HTTP traffic from the WAN port (i.e. from the external network) to the RX3041H.

9.7.1.3

Modify a Self Access Rule

Advanced Self

To modify a Self Access rule, follow the instructions below: 1. Open the Self Access Rule configuration page by clicking on the Firewall Access menu.
icon of the Self Access rule to be modified in the Self Access rule table or select 2. Click on the the Self Access rule from the Self Access rule drop-down list. 3. You may then disable or enable the traffic from LAN or WAN or both. Note that port number cannot be changed if TCP or UCP protocol is selected. To modify the port number, you must first delete the existing Self Access rule and add a new rule instead. 4. Click on the button to save the changes. The new settings for this Self Access rule will then be displayed in the Self Access rule table located at the bottom half of the Self Access Rule configuration page.

9.7.1.4

Delete a Self Access Rule
icon of the rule to be deleted or follow the instruction below: Advanced Self
To delete a Self Access rule, click on the
1. Open the Self Access Rule configuration page by clicking on the Firewall Access menu.
icon of the Self Access rule to be deleted in the Self Access rule table or select 2. Click on the the Self Access rule from the Self Access rule drop-down list. 3. Click on the button to delete the rule. Note that the rule deleted will be removed from the Self Access rule table located at the bottom half of the same configuration page.

Winnuke

MIME Flood

FTP Bounce

Description PORT command in the FTP protocol. An attacker can establish a connection between the FTP server machine and an arbitrary port on another system. This connection may be used to bypass access controls that would otherwise apply.

IP Unaligned Time Stamp

Check or un-check this option to enable or disable protection against unaligned IP time stamp attack. Certain operating systems will crash if they receive a frame with the IP timestamp option that isn't aligned on a 32-bit boundary. Check or un-check this option to enable or disable protection against TCP sequence number prediction attacks. For TCP packets, sequence number is used to guard against accidental receipt of unintended data and malicious use by the attackers if the ISN (Initial Sequence Number) is generated randomly. Forged packets w/ valid sequence numbers can be used to gain trust from the receiving host. Attackers can then gain access to the compromised system. Note that this attack affects only the TCP packets originated or terminated at the RX3041H. Check or un-check this option to enable or disable protection against TCP out of range sequence number attacks. An attacker can send a TCP packet to cause an intrusion detection system (IDS) to become unsynchronized with the data in a connection. Subsequent frames sent in that connection may then be ignored by the IDS. This may indicate an unsuccessful attempt to hijack a TCP session. Check or un-check this option to enable or disable protection against ICMP error message attacks. ICMP messages can be used to flood your network w/ undesired traffic. By default, this option is enabled. Enter the maximum number of fragments the Firewall should allow for every IP packet. This option is required if your connection to the ISP is through PPPoE. This data is used during transmission or reception of IP fragments. When large sized packets are sent via the RX3041H, the packets are chopped into fragments as large as MTU (Maximum Transmission Unit). By default, this number is set to 45. If MTU of the interface is 1500 (default for Ethernet), then there can be a maximum of 45 fragments per IP packet. If the MTU is less, then there can be more number of fragments and this number should be increased. Enter the Minimum size of IP fragments to be allowed through Firewall. This limit will not be enforced on the last fragment of the packet. If the Internet traffic is such that it generates many small sized fragments, this value can be decreased. This can be found if there are lots of packet loss, degradation in speed and if the following log message is generated very often:fragment of size less than configured minimum fragment size detected.

Time Zone SNTP Server Update Interval
11.4.2 Maintain Date and Time
Date and time can be maintained by the router itself by entering correct date and time in the Date and Time fields respectively. Note that you must manually set the date and time again each time the RX3041H reboots. It is recommended that you use external time servers to help maintain the date and time for your router. Follow the instructions below to configure SNTP servers to maintain date and time for your router:
1. Open the Date/Time configuration page by clicking the System Management Date/Time menu. 2. Select a time zone setting from the "Time Zone" drop down list for your region. 3. Enter up to 5 SNTP server IP addresses accessible for your region. 4. Enter the time update interval in the "Update Interval" field. The default update interval is 60 minutes.
Figure 11.6. Date and Time Configuration Page 5. Click on button to save the settings.
11.4.3 View the System Date and Time
To view the system date and time, open the Date/Time configuration page by clicking the System Management Date/Time menu.

11.5 SNMP Setup

SNMP (Simple Network Management Protocol) as its name suggests is used for network management. You may use the SNMP configuration page to enable or disable the SNMP support.
11.5.1 SNMP Configuration Parameters
Table 11.3 describes the configuration parameters available for SNMP setup. Table 11.3. Fixed DHCP Lease Configuration Parameters Field SNMP Description Click on the Enable or Disable radio button to enable or disable the SNMP support. Community string is a clear text string that is used as password between the SNMP management station and the RX3041H. This Read Only community name is used by the SNMP management station to read the settings in the RX3041H. Community string is a clear text string that is used as password between the SNMP management station and the RX3041H. This Read and Write community name is used by the SNMP management station to read and configure the settings in the RX3041H. Trap message is sent by the RX3041H to tell the SNMP management station that something has happened on the RX3041H. This field is used to enter the IP address of the SNMP management station that is supposed to receive trap messages from the RX3041H.

RO Community Name

RW Community Name

Trap Address

11.5.2 Configuring SNMP

Figure 11.17. Count Down Counter for Router Reset
11.9 Logout Configuration Manager
To logout of Configuration Manager, open the Logout page by clicking the Logout menu and then click on the button in the Logout page. If you are using IE, a window similar to the one shown in Figure 11.19 will pop up for logout confirmation before closing your browser window.
Figure 11.18. Logout Page
Figure 11.19. Confirmation for Closing Browser (IE).
Appendix A. ALG Configuration

ALG Configuration

Table A.1. Supported ALG
Table A.1 lists all the supported ALGs (Application Layer Gateway).
ALG/Application Name PC Anywhere RTSP-554
Protocol and Port UDP/22 TCP/554 UDP/53 TCP/80
Predefined Service Name PC-ANYWHERE RTSP554 DNS HTTP RTSP7070 DNS HTTP N2P HTTP HTTPS DNS CUSEEME HTTP DNS H323 DNS H323 ILS DNS H323 H323GK DNS SIP H323 DNS FTP DNS
Tested Software Version pcAnywhere 9.0.0 RealPlayer 8 Plus QuickTime Version 6

RTSP-7070

TCP/7070 UDP/53 TCP/80
RealPlayer 8 Plus QuickTime Version 6

Net2Phone

UDP/6801 TCP/80 TCP/443 UDP/53
Net2Phone CommCenter Release 1.5.0

CUSeeMe

TCP/7648 TCP/80 UDP/53
CUSeeMe Version 5.0.0.043

Netmeeting

TCP/1720 UDP/53

Netmeeting with ILS

TCP/1720 TCP/389 UDP/53
Windows Netmeeting Version 3.01 Opengk Version 1.2.0

Netmeeting with GK

TCP/1720 UDP/1719 UDP/53

SIP Intel Video Phone

UDP/5060 TCP/1720 UDP/53
SIP User Agent 2.0 Intel Video Phone Version 5.0 WFTPD version 2.03 Redhat Linux 7.3

TCP/21 UDP/53

Security ALGs
ALG/Application Name L2TP
Protocol and Port UDP/1701 UDP/53
Predefined Service Name L2TP DNS PPTP DNS IKE
Tested Software Version Windows 2000 Server built-in Windows 2000 Server built-in Windows 2000 Server built-in

TCP/1723 UDP/53

IPSec (Only Tunnel Mode with ESP)

UDP/500 ESP UDP/53

Chats AOL Chat TCP/ 5190 TCP/80 UDP/53 ICQ Chat TCP /5191 NB: Application should TCP/80 be configured to use TCP/5191 UDP/53 IRC TCP/ 6667 TCP/80 UDP/53 MSIM TCP/1863 TCP/80 UDP/53 Games Flight Simulator 2002 (Gaming Zone) TCP/47624 TCP/28801 TCP/443 TCP/80 UDP/53 Quake II (Gaming Zone) UDP/ 27910 TCP/28801 TCP/443 TCP/80 UDP/53 Age Of Empires (Gaming Zone) TCP/47624 TCP/28801 MSG1 MSN-ZONE HTTPS HTTP DNS QUAKE MSN-ZONE HTTPS HTTP DNS MSG1 MSN-ZONE Age of Empires, Gold Edition Quake II Flight Simulator 2002, Professional Edition AOL HTTP DNS ICQ_2000 HTTP DNS IRC HTTP DNS MSN HTTP DNS MSN Messenger Service Version 3.6.0039 MIRC v6.02 ICQ 2000b AOL Instant Messenger Version 5.0.2938

ALG/Application Name

Protocol and Port TCP/443 TCP/80 UDP/53
Predefined Service Name HTTPS HTTP DNS DIABLO-II BATTLE-NET-TCP, BATTLE-NET-UDP DNS Diablo II

Problem

Troubleshooting Suggestion public IP address (usually this public IP address is the WAN IP address). Your PCs IP address must be within the IP range specified in the NAT rules. The default firewall outbound ACL rule includes a NAT rule for all hosts on the LAN.
Configuration Manager Program Forget your Configuration Manager user ID or password. If you have not changed the password from the default, try using admin as the user ID and admin for the password. Otherwise, you can reset the device to the default configuration by following the instructions provided in section 11.6.1.2 Reset to Factory Settings Using Reset Button. WARNING: Resetting to the factory settings removes any custom settings. Use the ping utility, discussed in the following section, to check whether your PC can communicate with the router (by default, the LAN IP address of your router is 192.168.1.1). If it cannot, check the Ethernet cabling. Verify that you are using Internet Explorer v5.5, Netscape 7.0.2 or later. Support for Javascript must be enabled in your browser. Support for Java may also be required. Verify that the PCs IP address is assigned as being on the same subnet as the IP address assigned to the LAN port of the router. Changes to Configuration Manager are not being retained. Be sure to click on button to save changes.
Cannot access the Configuration Manager from your browser.
Diagnosing Problem using IP Utilities
Ping is a command you can use to check whether your PC can recognize other computers on your network and the Internet. A ping command sends a message to the computer you specify. If the computer receives the message, it sends messages in reply. To use it, you must know the IP address of the computer with which you are trying to communicate. On Windows-based computers, you can execute a ping command from the Start menu. Click the Start button, and then click Run. In the Open text box, type a statement such as the following: ping 192.168.1.1 Click site, if known. You can substitute any private IP address on your LAN or a public IP address for an Internet
If the target computer receives the message, a Command Prompt window displays like that shown in Figure D.1.
Figure D.1. Using the ping Utility If the target computer cannot be located, you will receive the message Request timed out. Using the ping command, you can test whether the path to the RX3041H is working (using the preconfigured default LAN IP address 192.168.1.1) or another address you assigned. You can also test whether access to the Internet is working by typing an external address, such as that for www.yahoo.com (216.115.108.243). If you do not know the IP address of a particular Internet location, you can use the nslookup command, as explained in the following section. From most other IP-enabled operating systems, you can execute the same command at a command prompt or through a system administration utility.