EAGLE Management Manual: Industrial ETHERNET Firewall/VPN-System

IP-ADDRESS
Aufkleber MAC-Adresse
LS/DA
P
1
1
2
V.24
2 V.24
+24V (P1)
2
1
0V
FAULT
0V
FAULT
STATUS
EAGLE
+24V (P2)
g
IP-ADDRESS
IP-ADDRESS
Aufkleber
MAC-Adresse
x
h
LS/DA
PP
1
2
0 1
R
V.24
V.24
RM
V.24
1 2 RING
4
3
2
LS
LS
LS
LS
DA
DA
DA
DA
+24V (P1) +24V (P1)
2
1
0V 0V
RM
FAULT FAULT
0V 0V
FAULT
STATUS
RS2-4R
EAGLE
+24V (P2) +24V (P2)
g
IP-ADDRESS
x
LS/DA
P
1
1
EAGLE Management Manual
V.24
2 V.24
+24V (P1)
2
1
0V
FAULT
Industrial ETHERNET Firewall/VPN-System
0V
FAULT
STATUS
EAGLE
+24V (P2) k
g
IP-ADDRESS
x
LS/DA
P
1
1
2
V.24
2 V.24
+24V (P1)
2
1
0V
FAULT
0V
FAULT
STATUS
EAGLE
+24V (P2)
k
g
IP-ADDRESS
LS/DA
P
1
1
2
V.24
2 V.24
+24V (P1)
2
1
0V
FAULT
0V
FAULT
STATUS
EAGLE
+24V (P2)
g
IP-ADDRESS
IP-ADDRESS
Aufkleber
MAC-Adresse
x
h
LS/DA
PP
1
2
0 1
R
V.24
V.24
RM
V.24
1 2 RING
4
3
2
LS
LS
LS
LS
DA
DA
DA
DA
+24V (P1) +24V (P1)
2
1
0V 0V
RM
FAULT FAULT
0V 0V
FAULT
STATUS
RS2-4R
EAGLE
+24V (P2) +24V (P2)
g
IP-ADDRESS
x
LS/DA
P
1
1
EAGLE Management Manual
V.24
2 V.24
+24V (P1)
2
1
0V
FAULT
Industrial ETHERNET Firewall/VPN-System
0V
FAULT
STATUS
EAGLE
+24V (P2) k
g
IP-ADDRESS
x
LS/DA
P
1
1
2
V.24
2 V.24
+24V (P1)
2
1
0V
FAULT
0V
FAULT
STATUS
EAGLE
+24V (P2)
k
g
The naming of copyrighted trademarks in this manual, even when not specially indicated, should
not be taken to mean that these names may be considered as free in the sense of the trademark
and tradename protection law and hence that they may be freely used by anyone.
© 2004 Hirschmann Electronics GmbH & Co. KG
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction,
translation, conversion into any electronic medium or machine scannable form is not permitted,
either in whole or in part. An exception is the preparation of a backup copy of the software for
your own use.
The performance features described here are binding only if they have been expressly guaran-
teed in the contract. This publication has been created by Hirschmann Electronics GmbH & Co.
KG according to the best of our knowledge. Hirschmann reserves the right to change the con-
tents of this manual without prior notice. Hirschmann can give no guarantee in respect of the
correctness or accuracy of the details in this publication.
Hirschmann can accept no responsibility for damages, resulting from the use of the network
components or the associated operating software. In addition, we refer to the conditions of use
specified in the license contract.
Printed in Germany
Hirschmann Electronics GmbH & Co. KG

Automation and Network Solutions
Stuttgarter Straße 45-51
72654 Neckartenzlingen
Tel. +49 1805 141538 039 500-001-02-1004
Hirschmann worldwide:
U Germany
D-72654 Neckartenzlingen
Tel. ++49-7127-14-1480
Fax ++49-7127-14-1502
email: ans-hi-line@nt.hirschmann.de
Internet: www.hirschmann.de
U Switzerland
Hirschmann Electronics GmbH & Co. KG, Neckartenzlingen
Niederlassung Uster
Seestr. 16
CH-8610 Uster
Tel. ++41-44905-8282
Fax ++41-44905-8289
email: ans_ch@hirschmann.ch
U France
Hirschmann Electronics S.A.S.
2, rue des Charpentiers
F-95330 Domont
Tel. ++33-1-39350100
Fax ++33-1-39350102
email: ans@hirschmann.fr
EAGLE
Release 1.02 10/04 5
U Great Britain
Hirschmann Electronics Ltd.
4303 Waterside Centre
Solihull Parkway
Birmingham Business Park
Birmingham
West Midlands B37 7YN
Tel. ++44-121 329 5000
Fax ++44-121 329 5001
email: enquiry@hirschmann.co.uk
U Netherlands
Hirschmann Electronics B.V.
Pampuslaan 170
NL-1382 JS Weesp
Tel. ++31-294-462591
Fax ++31-294-462554
email: ans@hirschmann.nl
U Spain
Hirschmann Electronics S.A.
Calle Traspaderne, 29
Barrio del Aeropuerto
Edificio Barajas I, 2a Planta
E-28042 Madrid
Tel. ++34-1-7461730
Fax ++34-1-7461735
email: hes@hirschmann.es
U Hungary
Hirschmann Electronics Kft.
Rokolya u. 1-13
H-1131 Budapest
Tel. ++36-1-3494199
Fax ++36-1-3298453
email: hirschmann.budapest@axelero.hu
EAGLE
6 Release 1.02 10/04
U USA
Hirschmann Electronics Inc.
20440 Century Boulevard, Suite 150
Germantown, MD 20874
Tel. ++1-240-686 2300
Fax ++1-240-686 3589
email: ans@hirschmann-usa.com
U Singapore
Hirschmann Electronics Pte. Ltd.
2 International Business Park #11-02/03 Tower One
The Strategy Singapore 609930
Tel: ++65 6316 7797
Fax:++65 6316 7977
email: hirschmann.svi@pacific.net.sg
U China
Hirschmann Electronics Pte Ltd Shanghai Office
Room 828, Summit Centre,
1088 West Yan An Road
Shanghai 200052
P.R. China
Tel: ++86-21 6207 6637
Fax: ++86-21 6207 6837
Mobile: ++86-1370 185 7382
E-Mail: hirschmann@sh163.net
For all other countries please dial Tel. +49-7127-14-16 20

Contact address see Hirschmann Germany.
EAGLE
Release 1.02 10/04 7
EAGLE
8 Release 1.02 10/04
Hirschmann Competence
In the longterm, product excellence alone is not an absolute guarantee of a

successful project implementation. Comprehensive service makes a differ-
ence worldwide. In the current scenario of global competition, the Hir-
schmann Competence Center stands head and shoulders above the
competition with its comprehensive spectrum of innovative services:
D Consulting incorporates comprehensive technical advice, from system
evaluation through network planning to project planning.
D Training offers you an introduction to the technological fundamentals,
product briefing and user training with certification.
D Support ranges from commissioning through the standby service to main-
tenance concepts.
With the Competence Center, you firmly rule out any compromise: the client-
specific package leaves you free to choose the service components that you
will use.
Internet:
http://www.hicomcenter.com
EAGLE
Release 1.02 10/04 9
EAGLE
10 Release 1.02 10/04
Safety instructions
Safety instructions
U Supply voltage
The devices are designed for operation with a safety extra-low voltage.
They may only be connected to the supply voltage connections and to
the signal contact with PELV circuits or alternatively SELV circuits with
the voltage restrictions in accordance with IEC/EN 60950.
The supply voltage is electrically isolated from the housing.
V Never start operation with damaged components!
V Relevant for North America:
The subject unit is to be suppplied by a Class 2 power source
complying with the requirements of the National Electrical Code, table
11(b). If power is redundant supplied (two individual power sources)
the power sources together should comply with the requirements of
the National Electrical Code, table 11 (b).
V Relevant for North America:
Use 60/75°C or 75°C copper(CU)wire only.
V Relevant für Nordamerika:
Power, input and output (I/O) wiring must be in accordance with
Class I, Division 2 wiring methods [Article 501-4(b) of the National
Electrical Code, NFPA 70] and in accordance with the authority having
jurisdiction.
U Shielding ground
The shielding ground of the connectable twisted pair lines is connected
to the front panel as a conductor.
V Beware of possible short circuits when connecting a cable section with
conductive shielding braiding.
EAGLE
Release 1.02 10/04 11
Safety instructions
U Housing
Only technicians authorized by Hirschmann are permitted to open the
housing.
The device is grounded via the separated ground screw. It is located on
the bottom of the front panel.
V Make sure that the electrical installation meets local or nationally
applicable safety regulations.
V The ventilation slits must not be covered to ensure free air circulation.
V The distance to the ventilation slots of the housing has to be a
minimum of 10 cm.
V Never insert pointed objects (thin screwdrivers, wires, etc.) into the
inside of the subrack! Failure to observe this point may result in injuries
caused by electric shocks.
V The housing has to be mounted in upright position.
V If installed in a living area or office environment, the device must be
operated exclusively in switch cabinets with fire protection
characteristics according to EN 60950.
U Environment
The device may only be operated in the listed maximum surrounding air
temperature range at the listed relative air humidity range (non-
condensing).
V The installation location is to be selected so as to ensure compliance
with the climatic limits listed in the Technical Data.
V To be used in a Pollution Degree 2 environment only.
U Qualification requirements for personnel

Qualified personnel as understood in this manual and the warning signs,
are persons who are familiar with the setup, assembly, startup, and
operation of this product and are appropriately qualified for their job. This
includes, for example, those persons who have been:
D trained or directed or authorized to switch on and off, to ground and to
label power circuits and devices or systems in accordance with current
safety engineering standards;
D trained or directed in the care and use of appropriate safety equipment
in accordance with the current standards of safety engineering;
D trained in providing first aid.
EAGLE
12 Release 1.02 10/04
Safety instructions
U General Safety Instructions

This device is electrically operated. Adhere strictly to the safety
requirements relating to voltages applied to the device as described in
the operating instructions!
Failure to observe the information given in the warnings could result in

serious injury and/or major damage.
V Only personnel that have received appropriate training should operate
this device or work in its immediate vicinity. The personnel must be
fully familiar with all of the warnings and maintenance measures in
these operating instructions.
V Correct transport, storage, and assembly as well as careful operation
and maintenance are essential in ensuring safe and reliable operation
of this device.
V These products are only to be used in the manner indicated in this
version of the manual.
V Any work that may have to be performed on the electrical installation
should be performed by fully qualified technicians only.
Warning!
LED- or LASER components according to IEC 60825-1 (2001):
CLASS 1 LASER PRODUCT.
LIGHT EMITTING DIODE - CLASS 1 LED PRODUCT.
U National and international safety regulations

V Make sure that the electrical installation meets local or nationally
applicable safety regulations.
EAGLE
Release 1.02 10/04 13
Safety instructions
U Note on the CE marking

The devices comply with the regulations contained in the following
European directives:
89/336/EEC
Directive of the council for standardizing the regulations of member
states on electromagnetic compatibility (changed by RL 91/263/EEC, 92/
31/EEC and 93/68/EEC).
In accordance with the above-named EU directives, the EU conformity
declaration will be at the disposal of the relevant authorities at the
following address:

D-72654 Neckartenzlingen
Germany
Phone ++49 7127 14 1480
The product can be used in living areas (living area, place of business,
small business) and in industrial areas.
D Interference immunity: EN 61000-6-2:2001
D Emitted interference: EN 55022:1998 + A1 2000 Class A
Warning!
This is a class A device. This device can cause interference in living
areas, and in this case the operator may be required to take appropriate
measures.
The assembly guidelines provided in these instructions must be strictly
adhered to in order to observe the EMC value limits.
EAGLE
14 Release 1.02 10/04
Safety instructions
U FCC note:
Appropriate testing has established that this device fulfills the
requirements of a class A digital device in line with part 15 of the FCC
regulations.
These requirements are designed to provide sufficient protection against
interference where the device is being used in a business environment.
The device creates and uses high frequencies and can radiate same,
and if it is not installed and used in accordance with this operating
manual, it can cause radio transmission interference. The use of this
device in a living area can also cause interference, and in this case the
user is obliged to cover the costs of removing the interference.
U Recycling note:
After usage, this product must be disposed of properly as electronic
waste in accordance with the current disposal regulations of your county
/ state / country.
EAGLE
Release 1.02 10/04 15
Safety instructions
EAGLE
16 Release 1.02 10/04
Content
Content
Hirschmann worldwide: 5
Hirschmann Competence 9
Safety instructions 11
1 Introduction 25
1.1 Requirement and solution 27
1.2 Product features 29
1.3 Device models 31
2 Typical
application scenarios 33
EAGLE
Release 1.02 10/04 17
Content
3 Hardware 39
3.1 Display 41
3.1.1 Device status 41
3.1.2 Port status 43
3.1.3 Function state 43
3.2 Recovery button 45
4 Installation and
startup procedure 47
4.1 Device installation 49

4.1.1 6-pin terminal block 49
4.1.2 Assembly 50
4.1.3 Interfaces 52
4.1.4 Disassembly 54
4.2 Startup operation 57
4.3 Basic settings 59

4.3.1 System configuration via HiDiscovery 59
4.3.2 System configuration via Web-based management 62
4.3.3 System configuration via V.24 64
EAGLE
18 Release 1.02 10/04
Content
5 Configuration 65
5.1 Setting up a local configuration connection 67

5.1.1 Web-based administrator interface 67
5.1.2 After a successful connection setup 69
5.2 Remote configuration 71

5.2.1 Remote configuration via LAN 71
5.2.2 Remote configuration via modem 72
6 Web-based management 77
6.1 Overview 79
6.2 System menu 81

6.2.1 System:Configurations-Profiles 81
6.2.2 System:Reboot 84
6.2.3 System:Logs - Display 85
6.2.4 System:HiDiscovery 86
6.2.5 System:Signal contact 88
6.3 Ports menu 91

6.3.1 Ports:Configuration Table 91
6.4 Redundancy 93
6.4.1 Redundancy:Layer 2 Redundancy 93
EAGLE
Release 1.02 10/04 19
Content
6.5 Network menu 95

6.5.1 Network:Base 95
6.5.2 Network:Transparent mode 100
6.5.3 Network:Router 102
6.5.4 Network:PPPoE 104
6.5.5 Network:PPTP 105
6.5.6 Network:Status 107
6.6 Configuring the firewall 109

6.6.1 Firewall:Incoming 110
6.6.2 Firewall:Outgoing 112
6.6.3 Firewall:Port Forwarding 114
6.6.4 Firewall:NAT 116
6.6.5 Firewall:Extended Settings 119
6.6.6 Firewall:Logs - Display 120
6.7 Setting up a VPN connection 121

6.7.1 VPN:Connections 122
6.7.2 VPN:Machine Certificate 135
6.7.3 VPN:L2TP 138
6.7.4 VPN Configuration, IPsec Status - Display 139
6.7.5 VPN:L2TP Status - Display 140
6.7.6 VPN:VPN Logs - Display 140
6.8 Services menu 141

6.8.1 Services:DNS 141
6.8.2 Services:DynDNS Monitoring 144
6.8.3 Services:DynDNS registration 145
6.8.4 Services:DHCP 147
6.8.5 Services:NTP 149
6.8.6 Services:Remote Logging 152
6.8.7 Services:SNMP Traps 154
EAGLE
20 Release 1.02 10/04
Content
6.9 Access menu 157

6.9.1 Access:passwords 157
6.9.2 Access:Language 159
6.9.3 Access:HTTPS 160
6.9.4 Access:SSH 163
6.9.5 Access:SNMP 166
6.9.6 Access:Serial line 169
6.10 Features menu 173

6.10.1 Features:Install Update 173
6.10.2 Features:Update Server 175
6.10.3 Features:Software information - Display 176
6.10.4 Features:Hardware information 177
6.11 Support menu 179

6.11.1 Support:Snapshot 179
6.11.2 Support:Status - Display 180
6.12 CIDR (Classless InterDomain Routing) 183
6.13 Example of a network 185
EAGLE
Release 1.02 10/04 21
Content
7 The Recovery button 187
7.1 Performing a restart 189
7.2 Executing the recovery procedure 191

7.2.1 Aim 191
7.2.2 Action 191
7.3 Flashing the firmware 193

7.3.1 Requirements for flashing the firmware 195
7.3.2 Installing the DHCP and tftp server under Windows 196
7.3.3 Installing DHCP and TFTP servers under Linux 198
8 HiConfig 199
EAGLE
22 Release 1.02 10/04
Content
A Appendix 207
FAQ 209
Based specifications and standards 211
SNMP traps 213
Certifications 215
Technical data 217
Literature references 221
Reader's comments 223
Copyright of integrated software 225
B Glossar 227
C Stichwortverzeichnis 235
EAGLE
Release 1.02 10/04 23
Content
EAGLE
24 Release 1.02 10/04
Introduction
1 Introduction
Today, Ethernet is the most widely used type of communications technology.

It has become the de facto standard in an office environment. Ethernet
technology is also gaining significance in the field of industrial automation.
In addition to the advantages of using a standardized form of communication,
Ethernet allows for a seamless infrastructure that extends from the office all
the way to the machine or sensor. Consequently, not only are process and
production data available on the field level, but they also integrate
seamlessly with interdepartmental data acquisition systems.
Despite these advantages there are new issues that must be solved to be
able to operate the installations securely and reliably. A top-priority issue is
that of security which is determined by the factors: authentication,
authorization, confidentiality, availability and data integrity.
EAGLE
Release 1.02 10/04 25
Introduction
EAGLE
26 Release 1.02 10/04
Introduction 1.1 Requirement and solution
1.1 Requirement and solution
Increasing standardization and networking in the field of automation will lead

to increased vulnerability of these networks. The threat emanates from
dangers which office users have been exposed to for quite some time and
which they have been attempting to ward off with popular security solutions
-- with mixed success.
The greatest danger is not only from hackers and is often not intentional.
Fusing the office and production network makes for easy prey when it comes
to the risks posed by worms. Furthermore, machine and production cells are
often unprotected against intrusions (for example, faulty addressing or faulty
program code) from the production network.
Today this no longer has to be the case:
The industrial firewall and virtual private network (VPN) system EAGLE
monitors with an "eagle's eye" the security of networks across company
borders.
Migration is performed in existing networks for secure and insecure ports via
twisted pair and F/O connections. Furthermore, a V.24 port is available for
configuration and for connecting a modem.
The scaleable security function featuring a

D Pure firewall or a
D Firewall and VPN function
provides customized protection.
In router mode, subnetworks can be separated from the main network.

A particularly user-friendly feature is the implementation of security
mechanisms in industrial networks through transparent modes in
combination with filter rules of the stateful inspection firewall that manage
data communication in a controlled manner. Yet another advantage of the
transparent modes in which the system functions as a bridge is that no further
IP configuration or changes to IP parameters are required to integrate the
EAGLE into the network.
The integrated DHCP server makes it easy and safe to set up service ports
for employees in the field.
By providing a login procedure (internal and external), it is possible to
analyze and thus optimize the data traffic.
Using redundant ring coupling and Dual Homing, the system supports the
Hirschmann redundancy procedure.
EAGLE
Release 1.02 10/04 27
Introduction 1.1 Requirement and solution
RS2-…
x EAGLE
1 2
P FAULT
LS/DA STATUS
1 2 V.24
R
IP-ADDRESS
1
g
MICE
FAULT
+24V (P1)
+24V (P2)
0V
0V
V.24
RS2-…
RS2-…
MICE
Fig. 1: A typical application scenario (for further application scenarios,

see Page 33)
EAGLE
28 Release 1.02 10/04
Introduction 1.2 Product features
1.2 Product features
The state-of-the-art security system secures the authentication, fuse

protection, and confidentiality of the communication in production networks:
In combination with the EAGLE, firewalls, VPNs and scaleable security
functions provide the highest possible level of protection for industrial
networks and prevent inadvertent and uncontrolled data manipulation.
The EAGLE can be integrated into existing networks thanks to its single-
client or multi-client transparent mode without having to reconfigure
IP addresses. It also allows you to separate subnetworks from the main
network in router mode.
D Scalability of the security function:
- pure firewall
- firewall with VPN function
D Support for Hirschmann redundancy scenarios:
- redundant ring coupling
- Dual Homing
D Creation of subnetworks:
- router mode
D Easy integration into existing networks without changing IP addresses:
- single-client transparent mode
- multi-client transparent mode
D Easy starting operation:
- HiDiscovery support
- support for the AutoConfiguration adapter
D Remote access to the network:
- dial-in access via V.24
D Extensive diagnostics:
- Web-based management
- status LEDs
- signal contact
- logging in to the SysLog server
- integration with HiVision
D Migration to existing networks:
Twisted pair and F/O links for
- secure port
- insecure port
EAGLE
Release 1.02 10/04 29
Introduction 1.2 Product features
D Design suitable for industrial use:

- redundant 24 V power supply
- can be mounted to a top-hat rail
- IP 20 without fan
EAGLE
30 Release 1.02 10/04
Introduction 1.3 Device models
1.3 Device models
The EAGLE is available in 16 different models:

D 8 models with a firewall function and VPN function.
D 8 models with a firewall function,
devices with (FW) in their type description,
EAGLE (FW) Medium/Medium

Insecure port
Secure port
(FW): Firewall
Device name
EAGLE Medium/Medium
Insecure port
Secure port
Firewall with VPN function
Device name
Fig. 2: Device identifier:
EAGLE
Release 1.02 10/04 31
Introduction 1.3 Device models
Device type TP ports F/O port F/O port F/O port

10/100 multimode singlemode singlemode
100 MBit/s 1300 nm, 1550 nm,
100 MBit/s 100 MBit/s
EAGLE TX/TX 2
EAGLE TX/MM SC 1 1
EAGLE TX/SM SC 1 1
EAGLE TX/LH SC 1 1
EAGLE MM SC/TX 1 1
EAGLE MM SC/MM SC 2
EAGLE MM SC/SM SC 1 1
EAGLE MM SC/LH SC 1 1
EAGLE (FW) TX/TX 2
EAGLE (FW) TX/MM SC 1 1
EAGLE (FW) TX/SM SC 1 1
EAGLE (FW) TX/LH SC 1 1
EAGLE (FW) MM SC/TX 1 1
EAGLE (FW) MM SC/MM SC 2
EAGLE (FW) MM SC/SM SC 1 1
EAGLE (FW) MM SC/LH SC 1 1
Table 1: Device models
EAGLE
32 Release 1.02 10/04
Typical application scenarios
2 Typical application scenarios
The most common applications used in industry require the operation of the
EAGLE in one of the following modes:
D Single-client transparent mode,
D Multi-client transparent mode and
D Router mode.
U Remote access via a VPN tunnel

A dedicated VPN client software program must be running on the single
computer. Windows 2000/XP contains the VPN client software.
Network mode of the EAGLE: Single-client transparent or router
D In the single-client transparent mode, no changes to the existing TCP/
IP configuration is required on the locally connected computer.
D In router mode, the EAGLE must be defined as the standard gateway
on the locally connected client computer.
MACH 3002
x EAGLE
unsecure LS/DA
P
1
1
2
2 V.24
R
FAULT
STATUS
network
k
IP-ADDRESS
VPN g
Industrial Backbone
FAULT
+24V (P1)
+24V (P2)
0V
0V
V.24
MACH 3002
Fig. 3: Example of remote access via a VPN tunnel
EAGLE
Release 1.02 10/04 33
U Secure cell separation

Network mode of the EAGLE: Multi-client transparent mode.
D Use in existing networks without changing existing IP configurations.
D Create firewall rules for
– controlled access between backbone and cells or also
– between the cells.
Network mode of the EAGLE: Router mode

on the client computer connected to the secure port.
EAGLE
34 Release 1.02 10/04
MICE MICE
Cell/ Subnet 3 Cell/Subnet 2
RS2-… RS2-… RS2-… RS2-…
MICE
MICE
x EAGLE
x EAGLE
P
1 2
FAULT
LS/DA STATUS
1 2 V.24
1 2
P FAULT R
LS/DA STATUS
k
1 2 V.24
R
IP-ADDRESS
k 1
IP-ADDRESS
2
g
FAULT
+24V (P1)
+24V (P2)
0V
0V
FAULT
+24V (P1)
+24V (P2)
V.24
0V
0V
V.24
MICE
Industrial Backbone /
RS2-… Subnet 1 RS2-…
MACH 3002
Fig. 4: Example of secure cell separation
EAGLE
Release 1.02 10/04 35
U Secure service port

Network mode of the EAGLE: SCT, MCT or router mode.
D Configuration of the EAGLE as the DHCP server: on the insecure port,
enter the MAC-IP allocation (see Fig. 63).
D Definition of firewall rules for the IP address entered in the DHCP
server.
RS2-…
x EAGLE
1 2
P FAULT
LS/DA STATUS
1 2 V.24
R
k
IP-ADDRESS
g
MICE
FAULT
+24V (P1)
+24V (P2)
0V
0V
V.24
RS2-…
RS2-…
MICE
Fig. 5: Example of a secure service port
EAGLE
36 Release 1.02 10/04
U Secure connection of networks

Network mode of the EAGLE: Router
D If you use a DSL modem, make the PPPoE settings
(see “Network:PPPoE” on page 104).
MACH 3002
MACH 3002
Industrial Backbone Industrial Backbone

x EAGLE
x EAGLE
LS/DA
P
1
1
2
2 V.24
R
FAULT
STATUS
unsecure LS/DA
P
1
1
2
2 V.24
R
FAULT
STATUS
network
k k
IP-ADDRESS
IP-ADDRESS
1 1
2 2
g g
FAULT
FAULT
+24V (P1)
+24V (P2)
+24V (P1)
+24V (P2)
0V
0V
0V
0V
V.24 V.24
Fig. 6: Example of a secure connection of networks
EAGLE
Release 1.02 10/04 37
EAGLE
38 Release 1.02 10/04
Hardware
3 Hardware
6pin terminal block

x EAGLE
x
h
RS2-4R
EAGLE
x EAGLE
x EAGLE
(screw locking
mechanism)
P
1 2
FAULT PP
1 2
FAULT P
1 2
FAULT P
1 2
FAULT
LED display
LS/DA STATUS LS/DA 0 1 RM
STATUS LS/DA STATUS LS/DA STATUS elements
RM
1 2 V.24 V.24
1 2 RING 1 2 V.24 1 2 V.24 Recovery button
FAULT
R R
V.24 R R
+24V (P1)
+24V (P2)
Port 1 and 2
k k k k
IP-ADDRESS
0V
0V
TX (RJ45 connector, autonegotiaton

IP-ADDRESS
IP-ADDRESS
IP-ADDRESS
IP-ADDRESS
+ autopolarity + autocrossing)
1 DA 1 or FX (SC connector; multimode,
1 singlemode, longhaul)
1 1
LS
2
DA
2
2
2
2 Port 1
(trusted)
k Port 2
(untrusted)
g
MAC-Adresse
MM
MM
g g g g
SM
SM
LS
TX
TX
LH
LH
MAC-Adresse
DA
EAGLE TX/TX x x
Aufkleber
3
EAGLE TX/MM SC x x
Aufkleber
LS
EAGLE TX/SM SC x x
FAULT
FAULT
FAULT
FAULT
DA
+24V (P1)
+24V (P2)
+24V (P1)
+24V (P2)
+24V (P1)
+24V (P2)
+24V (P1)
+24V (P2)
4
EAGLE TX/LH SC x x
0V
0V
0V
0V
0V
0V
0V
0V
EAGLE MM SC/TX x x
LS
EAGLE MM SC/MM SC x x
V.24 V.24 V.24 V.24
EAGLE MM SC/SM SC x x
EAGLE MM SC/LH SC x x
V.24 interface EAGLE FW TX/TX x x

MAC address field external EAGLE FW TX/MM SC x x
IP address field management EAGLE FW TX/SM SC x x
and modem EAGLE FW TX/LH SC x x
EAGLE FW MM SC/TX x x
EAGLE FW MM SC/MM SC x x
EAGLE FW MM SC/SM SC x x
EAGLE FW MM SC/LH SC x x
Fig. 7: Front view
EAGLE
Release 1.02 10/04 39
Hardware
EAGLE
40 Release 1.02 10/04
Hardware 3.1 Display
3.1 Display
x EAGLE
1 2
P FAULT
LS/DA STATUS
1 2 V.24
R
Fig. 8: Display
3.1.1 Device status

These LEDs provide information about statuses which affect the function of
the entire EAGLE.
U P1 - Power 1 (Green LED)
Display Meaning
lit Supply voltage 1 is present.
not lit Supply voltage 1 is less than 9.6 V.
EAGLE
Release 1.02 10/04 41
U P2 - Power 2 (Green LED)
Display Meaning
lit Supply voltage 2 is present.
not lit Supply voltage 2 is less than 9.6 V.
U FAULT - Failure (Red LED)
Display Meaning
lit The indicator contact is open, i.e. it indicates an error.
not lit The indicator contact is closed, i.e. it does not indicate an error.
If the “Operational supervision” on page 88 is active for the signal con-

tact, then the error display is independant of the signal contact position.
U STATUS - Device status (Yellow/green LED)
Display Meaning
flashes green Initialization of the device.
lit green Device is operational.
U AutoConfiguration Adapter ACA

The “STATUS” and “V.24” LEDs display memory operations of the
ACA 11.
Display Meaning
flashing alternatively: Error in memory operation.
LEDs flash simultaneously; twice a second Loading the configuration from the ACA.
LEDs flash simultaneously; once a second Saving the configuration to the ACA.
EAGLE
42 Release 1.02 10/04
3.1.2 Port status

These LEDs display port-related information.
U LS/DA 1, 2 and V.24 - Data, Link status (green/yellow LED)
Display Meaning
not lit No valid link.
lit green Valid link.
flashes yellow Receiving data.
running light Initialization phase after a reset.
3.1.3 Function state

These displays go together with the Recovery button (refer to “The Recovery
button” on page 187).
EAGLE
Release 1.02 10/04 43
EAGLE
44 Release 1.02 10/04
Hardware 3.2 Recovery button
3.2 Recovery button
The Recovery button is used to set the device into the following states:
D Restart (refer to “Performing a restart” on page 189),
D Recovery procedure (refer to “Executing the recovery procedure” on page
191),
D Flashing the firmware (refer to “Flashing the firmware” on page 193)
EAGLE
Release 1.02 10/04 45
Hardware 3.2 Recovery button
EAGLE
46 Release 1.02 10/04
Installation and startup procedure
4 Installation and
startup procedure
The EAGLE industrial firewall/VPN system has been developed for practical
applications in a harsh industrial environment. Accordingly, the installation
process has been kept simple. The few configuration settings required for
operation are described in this chapter.
Note: For security reasons, change the root and the administrator passwords
when you initially change the configuration.
EAGLE
Release 1.02 10/04 47
Installation and startup procedure
RS2-… Before
MICE
RS2-…
RS2-…
MICE
After RS2-…
x EAGLE
1 2
P FAULT
LS/DA STATUS
1 2 V.24
R
k
IP-ADDRESS
g
MICE
FAULT
+24V (P1)
+24V (P2)
0V
0V
V.24
RS2-…
RS2-…
MICE
Fig. 9: Connecting the EAGLE
EAGLE
48 Release 1.02 10/04
Installation and startup procedure 4.1 Device installation
4.1 Device installation
4.1.1 6-pin terminal block

The supply voltage and the signal contact are connected via a 6-pin terminal
block with snap lock.
Warning!
The devices are designed for operation with safety extra-low voltage.
Thus, they may only be connected to the supply voltage connections and to
the signal contact with PELV circuits or alternatively SELV circuits with the
voltage restrictions in accordance with IEC/EN 60950.
U Supply voltage
The supply voltage can be connected redundantly. Both inputs are
uncoupled. There is no distributed load. With redundant supply, the
transformer supplies the device alone with the higher output voltage.
The supply voltage is electrically isolated from the housing.
U Signal contact
The signal contact monitors proper functioning of the device,
thus enabling remote diagnostics.
A break in contact is reported via the potential-free signal contact
(relay contact, closed circuit):
D The failure of at least one of the two supply voltages (supply voltage 1
or 2 < 9,6 V).
D A continuous malfunction in the device (internal 3.3 VDC voltage).
D The defective link status of at least one port. With the device the
indication of link status can be masked by the management for each
port. Link status is not monitored in the delivery condition.
D Error during self-test.
EAGLE
Release 1.02 10/04 49
+24 V (P1) 0V 0V +24 V (P2)
Fault
Fig. 10: Pin assignment of the 6-pin terminal block
V Pull the terminal block off the device and connect the power supply and
signal lines.
4.1.2 Assembly
On delivery, the device is ready for operation.
V Attach the upper snap-in guide of the device into the top-hat rail and press
it down against the top-hat rail until it snaps into place.
EAGLE
50 Release 1.02 10/04
Fig. 11: Assembly
Note: The front panel of the housing is grounded via a ground connection.
Note: The housing must not be opened.
Note: The shielding ground of the industrial connectable twisted pair lines is
connected to the front panel as a conductor.
EAGLE
Release 1.02 10/04 51
4.1.3 Interfaces
U 10/100 Mbit/s connection

10/100 Mbit/s ports (8-pin R45 socket) enable the connection of terminal
devices or independent network segments in compliance with the
IEEE 802.3 100BASE-TX / 10BASE-T standards. These ports support:
D auto-negotiation
D autocrossing (when autonegotiation is switched off)
D autopolarity
D 100 Mbit/s half duplex mode
D 100 Mbit/s full duplex mode
D 10 Mbit/s half duplex mode
D 10 Mbit/s full duplex mode
State on delivery: Autonegotiation activated. Alternative to the Web-
based interface (see “Ports:Configuration Table” on page 91), the
HiConfig interface (see “HiConfig” on page 199) allows you to change
this setting. While you have access to the Web-based interface of the
EAGLE via the secure and insecure port, you can also reach the
HiConfig interface via the V.24 port.
The socket housings are electrically connected to the front panel.
n.c. Pin 8
n.c. Pin 7
TD- Pin 6
n.c. Pin 5
n.c. Pin 4
TD+ Pin 3
RD- Pin 2
RD+ Pin 1
Fig. 12: Pin assignment of a TP/TX interface in MDI-X mode, RJ45 socket
U 100 Mbit/s F/O connection

100 MBit/s F/O ports (DSC sockets) enable the connection of terminal
devices or independent network segments in compliance with the
IEEE 802.3 100BASE-FX standard. These ports support:
D full and half duplex mode.
State on delivery: full duplex. This configuration is required to form
redundant structures.
EAGLE
52 Release 1.02 10/04
Note: Make sure, that you conncet LH ports only to LH ports, SM ports
only to SM ports and MM ports only to MM ports.
U V.24 interface (external management)

A serial interface is provided on the RJ11 socket (V.24 interface) for the
local connection of
D an external management station (VT100 terminal or PC with
appropriate terminal emulation).
D a modem (via PPP).
D an ACA 11 AutoConfiguration Adapter.
VT-100 terminal settings in state on delivery:

- Speed: 9,600 baud
- Data: 8 bit
- Stopbit: 1 bit
- Handshake: off
- Parity: none
The socket housing is electrically connected to the lower covering of the

device.
The signal lines are electrically isolated from the supply voltage (60 V
insulation voltage) and the front panel.
RJ11 DB9
Pin 5
Pin 6 Pin 8
Pin 1
Pin 1
CTS 1
n.c. 2 2
TX 3 3
GND 4
RX 5 5
RTS 6
Fig. 13: Pin assignment of the terminal cable
EAGLE
Release 1.02 10/04 53
RJ11 DB9
Pin 1
Pin 6 Pin 7
Pin 1
Pin 5
1
CTS 1 2
n.c. 2 3
TX 3 4
GND 4 5
RX 5 6
RTS 6 7
8
9
Fig. 14: Pin assignment of the modem cable
V Install the signal lines and, if necessary, the terminal/modem cable.

V Attach the ground cable to the ground screw.
4.1.4 Disassembly
V In order to remove the device from the top-hat rail, move the screwdriver
horizontally under the chassis in the locking gate, pull this down — without
tilting the screwdriver — and fold the device up.
EAGLE
54 Release 1.02 10/04
Fig. 15: Disassembly
EAGLE
Release 1.02 10/04 55
EAGLE
56 Release 1.02 10/04
Installation and startup procedure 4.2 Startup operation
4.2 Startup operation
When the supply voltage is connected via the terminal, start up the device.
EAGLE
Release 1.02 10/04 57
Installation and startup procedure 4.2 Startup operation
EAGLE
58 Release 1.02 10/04
Installation and startup procedure 4.3 Basic settings
4.3 Basic settings
On delivery the device is set to multi-client transparent mode (MCT mode)

and can be reached over the default IP address 1.1.1.1 from the secure
network.
In MCT mode, no network settings (for example for subnetworks) are
required for operation.
The firewall has been preconfigured so that all IP traffic from the secure
network is possible; however, traffic from the insecure network to the secure
one is not possible.
Thus already in the delivery state, external intrusions on the secure network
are not possible.
The EAGLE provides 3 options for configuring the management IP address

in transparent mode:
D Entry by HiDiscovery protocol,
D Entry via the Web-based management,
D Entry via the V.24 port.
4.3.1 System configuration via HiDiscovery

The HiDiscovery protocol enables you to assign IP parameters to the device
via the secure network.
You can easily configure additional parameters with the “Web-based
management” on page 77.
Install the HiDiscovery software on your PC. The software is on the CD

supplied with the device.
V To install it, you start the installation program on the CD.
EAGLE
Release 1.02 10/04 59
Note: The installation of HiDiscovery involves installing the WinPcap

Version 3.0 software package.
If an earlier version of WinPcap is already installed on the PC, then you must
first uninstall it. A newer version remains intact when you install HiDiscovery.
However, this can not be guaranteed for all future versions of WinPcap.
In the event that the installation of HiDiscovery has overwritten a newer
version of WinPcap, then you uninstall WinPcap 3.0 and then re-install the
new version.
V Start the HiDiscovery program.
Fig. 16: HiDiscovery
When HiDiscovery is started, it automatically searches the network for those

devices which support the HiDiscovery protocol.
HiDiscovery uses the first PC network card found. If your computer has
several network cards, you can select these in HiDiscovery on the toolbar.
HiDiscovery enables you to identify the devices displayed.

V Select a device line.
V Click on the symbol with the two green dots in the tool bar to set the LEDs
for the selected device flashing. To switch off the flashing, click on the
symbol again.
EAGLE
60 Release 1.02 10/04
By double-clicking a line, you open a window in which you can enter the
device name and the IP parameter.
Fig. 17: HiDiscovery - assigning IP parameters
Note: For security reasons, switch off the HiDiscovery function for the device
in the Web-based management, after you have assigned the IP parameters
to the device.
EAGLE
Release 1.02 10/04 61
4.3.2 System configuration via

Web-based management
U With a configured network interface of the management

station
In order for the EAGLE in transparent mode (SCT/MCT) to be accessed
via the address https://1.1.1.1/, it must of course first be connected to a
configured network interface. This is the case, if you insert it into an
existing network connection (see Fig. 9).
In this case the Web browser can access the EAGLE configuration
interface at the address https://1.1.1.1/ - see “Setting up a local
configuration connection” on page 67. Continue from this point onwards
in this case.
U Without a configured network interface of the

managementstation
If the computer's network interface has not yet been configured ...
If the system, which will be used to configure the device, was not
previously connected to a network, e.g. because the computer is new,
its network interface will generally not be configured yet. This means that
the system has not yet "been informed" that network traffic should be
handled by this interface.
In this case, you must initialize the standard gateway by assigning it a
dummy value. To accomplish this, proceed as follows:
Initializing the standard gateway

V Determine the currently valid standard gateway address.
If you are using Windows XP, click on
Start:Control Panel:Network Connections.
Right click on the icon of the LAN adapter and then click on
Properties in the pop-up menu. In the dialog Internet
Protocol Properties on the General tab, select Internet
Protocol (TCP/IP) under "This connection uses the following
items" and then click on the Properties button to open the following
dialog:
EAGLE
62 Release 1.02 10/04
Check for the

IP address of the
standard gateway
or set it.
Fig. 18: Standard gateway IP address
If no IP address has been entered for the standard gateway in this dialog
box, e.g. because Obtain an IP address automatically has been
activated, enter an IP addresses manually. To do so, first activate Use
the following IP address and then enter, as an example, the following
addresses:
IP address:192.168.1.2
Subnet mask:255.255.255.0
Standard gateway:192.168.1.1
Note: Do not - under any circumstances - set the configuration computer

to an address like 1.1.1.2!
V On the DOS level (Start:Programs:Accessories:Command

Prompt), enter:
arp -s <IP of the standard gateway> aa-aa-aa-aa-aa-aa
EAGLE
Release 1.02 10/04 63
Example:
You have determined that the address of the standard gateway is:
192.168.1.1
Then the command should be:
arp -s 192.168.1.1 aa-aa-aa-aa-aa-aa
V To proceed with the configuration, first establish the necessary

connection (see “Setting up a local configuration connection” on page 67).
After setting the configuration, restore the original setting for the standard
gateway address. To do so, either restart the configuration computer or
enter the following command at the DOS level [in the Command Prompt
window]:
arp -d
4.3.3 System configuration via V.24

Connect your PC with the EAGLE as described in “Making a connection to
HiConfig over a V.24 port.” on page 201.
For entering IP parameters see “IP parameter configuration in transparent
mode” on page 205.
EAGLE
64 Release 1.02 10/04
Configuration
5 Configuration
Requirements
D When you make the initial configuration, there must be a valid connection
at both network ports (secure and insecure). If this not be possible, enter
a standard gateway on the configuration computer (see the example on
page 63).
D For local configuration:
The computer with which you make the configuration must be either
– directly connected to the device,
– or it must be connected to it via the local network.
D For remote configuration on the insecure port:
The EAGLE must be configured in such a way that it allows remote
configuration.
D The EAGLE must be switched on, i.e. must be connected to a power
supply unit so that it is supplied with current.
D The EAGLE must be connected, i.e. the required connections must
function properly.
EAGLE
Release 1.02 10/04 65
Configuration
EAGLE
66 Release 1.02 10/04
Configuration 5.1 Setting up a local configuration connection
5.1 Setting up a local

configuration connection
5.1.1 Web-based administrator interface

The EAGLE is configured with the Web browser that runs on the
configuration computer (for example MS Internet-Explorer starting with
version 5.0 or Netscape Communicator staring with version 4.0)
Note: The Web browser must support SSL (i.e. https).
Depending on the network mode (operating mode) in which the EAGLE is in,
it can be reached at the one of the following addresses according to the
factory setting:
Mode Address
Transparent https://1.1.1.1/
Router or PPPoE https://192.168.1.1/
Table 2: Address line of the browsers
Proceed as follows:
V Start a Web browser.

(For example, MS Internet Explorer Version 5.0 or later or Netscape
Communicator Version 4.0 or later; the Web browser must support SSL
(i.e. https).)
EAGLE
Release 1.02 10/04 67
V Make certain that the browser does not automatically setup a connection
when it starts, because otherwise the connection startup to the EAGLE
could be impaired.
In MS Internet Explorer, you can prevent this with the following setting:
In the Extras menu, select Internet Options... and click on
the Connections tab. Make certain that "Never dial a connection" is
selected under Dial-up and Virtual Private Network settings.
V Enter the complete address of the EAGLE into the browser's address
field.
Afterwards:
The EAGLE's Administrator Web page will be displayed. The security
notice shown on the next page will displayed.
Note: If the Administrator Web page is not displayed...

If - even after repeated attempts - the browser still reports that the page
cannot be displayed, try the following:
D Check if both ports have a network connection.
D Check whether the standard gateway has been initialized on the
connected configuration system. See “System configuration via Web-
based management” on page 62.
D Try disabling any existing firewall.
D Make certain that the browser does not use a proxy server.
In MS Internet Explorer (Version 6.0), you can prevent this with the
following setting: In the Extras menu, select Internet Options...
and click on the Connections tab. Under LAN Settings click on the
Properties... button and, in the Local Area Network (LAN)
Settings dialog, check to make certain that Use a proxy server for
your LAN (under Proxy server) is not activated.
D If any other LAN connection is active on the system, deactivate it until the
configuration has been completed.
Under the Windows Start menu:Settings:Control
Panel:Network Connections or Network and Dial-up
Connections, right click on the associated icon and select Disable in
the pop-up menu.
EAGLE
68 Release 1.02 10/04
5.1.2 After a successful connection setup
After the connection has been successfully setup, the following security
notice will be displayed (MS Internet Explorer):
Since administrative tasks can

only be performed when a secure
(encrypted) access has been
established to the device, a signed
(by the device) certificate will be
returned.
Fig. 19: Security notice dialog
V Acknowledge the associated security notice by clicking on Yes.

Afterwards:
Once you have entered the correct user name (Login) and password,
the Administrator Web page of the EAGLE will be displayed.
Name Entry
Login admin
Passwort private
Table 3: Factory settings for login name and password
Note: These entries are case-sensitive!
EAGLE
Release 1.02 10/04 69
Fig. 20: Administrator website start screen
To configure the device, proceed as follows:
V Call up the desired dialog - see “Web-based management” on page 77.
V Make the desired settings on the associated page
V Once you have confirmed the changes by clicking on OK, the new settings
will be activated on the device.
You may receive a message from the system (confirmation).
If the changes are not shown when you open the page again, because the
browser has loaded the page from a cache, reload the page to refresh the
display. To do so, click on the appropriate icon in the browser toolbar.
Note: Depending on how you configure the EAGLE, you may also need to
modify the network interface settings of the locally connected system or
network accordingly.
EAGLE
70 Release 1.02 10/04
Configuration 5.2 Remote configuration
5.2 Remote configuration
Prerequisites:
The EAGLE must be configured via the unsecure port. For reasons of
security, remote configuration is disabled by default.
For information on how to enable remote configuration, see “Access:HTTPS”
on page 160.
5.2.1 Remote configuration via LAN

To configure the EAGLE from a remote computer, first establish a connection
between it and the local EAGLE.
Proceed as follows:
V Start a Web browser (e.g. MS Internet Explorer Version 5.0 or later or

Netscape Communicator Version 4.0 or later; the Web browser must
support SSL (i.e. https) on the remote system.
V As the URL, enter: the IP address under which the remote site can be
reached via the Internet or WAN, plus the port number.
Example:
If this EAGLE can be found in the Internet at the address 192.144.112.5 and
the Port Number 443 has been set as the port for remote access, you must
enter the following address in the Web browser's address field on the remote
system: 192.144.112.5
(If a different Port Number is used, this must be appended to the IP address,
e.g.: 192.144.112.5:442)
Note: For reasons of security, we recommend that you change the default
Root and Administrator passwords during the first configuration - see
“Access:passwords” on page 157.
EAGLE
Release 1.02 10/04 71
5.2.2 Remote configuration via modem

The V.24 port allows you to,
D perform remote maintenance in transparent mode EAGLE
D perform remote maintenance on the EAGLE in router mode and on the
secure network behind it
via a modem (e.g. INSYS modem 56K small).
Access to the secure network is subject to the firewall rules in this dialog.
U Local installation:
V Connect your modem on the one end to the telephone network and
on the other end to the V.24 port of the EAGLE via the mode cable
(see “Accessories” on page 220).
U Remote installation:
V Connect your PC to the telephone network via the built-in or external
modem.
RS2-…
x EAGLE
INSYS
1 2
P FAULT
LS/DA STATUS
1 2 V.24
R
k
IP-ADDRESS
Telephone line
1
g
MICE
FAULT
+24V (P1)
+24V (P2)
0V
0V
V.24
Modem
RS2-…
unsecure
network
RS2-…
MICE
Fig. 21: Example of a modem connection
EAGLE
72 Release 1.02 10/04
Example of establishing a modem connection under Windows 2000:

V Choose:
Start:Settings:Network and Dial-Up Connections:Make
New Connection
and continue with the Network Connection Wizard (see the following
two figures). Enter the phone number at which you can reach the
modem.
Fig. 22: Network connection type, phone number
Select "Properties" to
check the settings for
the connection (see the
following two figures).
Fig. 23: Establishing a connection
EAGLE
Release 1.02 10/04 73
Fig. 24: General connection properties
Fig. 25: Connection properties: Options, security and network
EAGLE
74 Release 1.02 10/04
After a connection has been set up, the connection symbol will appear in
the task bar tray at the bottom right.
V Left-click the connection symbol and select Status.
V In the status window click the register card "Details".
This register card contains the
IP address of the EAGLE (= server IP address).
V Enter htpps:// followed by this IP address in the address bar of your
browser to establish the connection to the EAGLE's Web-based
administrator user interface.
Requirement: Configuration of the serial interface (see the following
figure).
Fig. 26: Configuring the serial interface
EAGLE
Release 1.02 10/04 75
EAGLE
76 Release 1.02 10/04
6 Web-based management
The EAGLE supports both SNMP management and Web-based

management and can thus offer
D extensive diagnostic and configuration functions for fast startup and
D extensive network and device information.
The EAGLE supports the TCP/IP protocol family.
The user-friendly Web-based interface gives you the option of managing the
MICE from any location in the network via a standard browser such as the
Netscape Navigator/Communicator or the Microsoft Internet Explorer.
The Web-based interface allows you to graphically configure the EAGLE.
EAGLE
Release 1.02 10/04 77
EAGLE
78 Release 1.02 10/04
Web-based management 6.1 Overview
6.1 Overview
The Overview dialog shows you a graphic display of the EAGLE and the
system data:
D Name: any name you wish to assign to the EAGLE for easier
identification.
D Location: Location of this EAGLE.
D Power supply 1/2: Status of the power supply units.
D Uptime: Time that has elapsed since the EAGLE was last restarted.
D Temperature, displays the temperature inside the EAGLE. Enter the
lower and upper temperatures as alarm thresholds.
Fig. 27: System data
EAGLE
Release 1.02 10/04 79
Web-based management 6.1 Overview
EAGLE
80 Release 1.02 10/04
Web-based management 6.2 System menu
6.2 System menu
6.2.1 System:Configurations-Profiles
You can save the configuration settings as a configuration profile under any
name in the EAGLE. You can create and save multiple configuration profiles.
You can then select and activate the configuration profile appropriate at the
time, if you use the EAGLE in different operating environments.
Furthermore, you can also save configuration profiles as files on the
configuration system. Naturally, these configuration files can then be read
back into the EAGLE and activated.
Furthermore, you can restore the EAGLE to the factory settings at any time.
Note: Passwords and user names are not saved in the configuration profiles.
Note: With Save Current Configuration to ACA 11 you save the

current configuration on the ACA 11, if it is connected. Enter the valid root
password.
Fig. 28: Configuration profiles
EAGLE
Release 1.02 10/04 81
U Saving the current configuration in the EAGLE as a profile

V In the Name for the new profile: field, enter the desired name.
V Click on the Save Current Configuration to Profile button.
Stored
configuration
profile
Fig. 29: Example of a stored configuration profile
U Display / Activate / Delete a configuration profile stored in

the EAGLE
Requirement: At least one configuration profile has been created and is
stored in the EAGLE (see above).
D Display the configuration profile:
Click the name of the configuration profile.
D Activate the configuration profile:
Click the Restore button next to the right of the respective
configuration profile.
D Delete the configuration profile:
Click the Delete button to the right of the respective configuration
profile.
EAGLE
82 Release 1.02 10/04
U Factory default settings - displaying / activating

The default setting is stored in the EAGLEas configuration profile under
the name Factory Default.
D Displays: Click the name Factory Default.
D Activate: Click the Restore button next to the name Factory
Default.
It is not possible to delete the configuration profile Factory
Default.
U Saving a configuration profile as a file on a hard disk

V Click on the Download button at the right of the name of the
configuration profile.
V Enter the filename and folder (where the configuration profile should
be saved) in the displayed dialog. You can give the file any name
desired.
U Uploading a configuration profile from a hard disk to the

EAGLE
Prerequisite: Naturally, you must stored (as described above) at least
one configuration profile as a file on the hard disk of the configuration
system.
V In the Name for the new profile field, enter the name that should
be assigned to configuration profile uploaded from the disk.
V Click on Choose and then select the file.
V Click on the Upload Configuration to Profile button.
Afterwards: The uploaded configuration will now be displayed in the
list of configuration profiles.
V If you want to activate the uploaded configuration profile, click on the
Restore button next to the name.
Note: If the restore procedure involves changing from the transparent

mode to another network mode, the EAGLE will be restarted. If the
ACA 11 is connected, the EAGLE will obtain the configuration data
from the ACA 11.
EAGLE
Release 1.02 10/04 83
6.2.2 System:Reboot
At the end of restart, the text appears “Restarted.”
A reboot can be initiated by switching the device off and then back again or
by pressing the Recovery button (see “Performing a restart” on page 189).
Fig. 30: Reboot
EAGLE
84 Release 1.02 10/04
6.2.3 System:Logs - Display

Displays all recorded log entries (overall system log). For a selection of
specific log entries, see the respective dialogs (see for example “VPN:VPN
Logs - Display” on page 140).
The format of the log corresponds to that common under Linux
Special analysis programs are available which can be used to present the
information from the log in a more readable format.
You can send the logged entries to an external server (see “Services:Remote
Logging” on page 152).
Fig. 31: Logs
EAGLE
Release 1.02 10/04 85
6.2.4 System:HiDiscovery
The HiDiscovery protocol allows you to assign the EAGLE an IP address
based on its MAC address. Activate the HiDiscovery protocol if you want
to assign an IP address to the EAGLE from your PC with the enclosed
HiDiscovery software (setting on delivery: active).
Note: For security reasons, the EAGLE HiDiscovery function supports only
the secure port
Fig. 32: HiDiscovery
U Local HiDiscovery Support

(SCT/MCT, internal/trusted port only)
D Enabled, local IP address assignment via HiDiscovery possible.
D Read-Only, HiDiscovery can read local parameters.
D Disabled, no HiDiscovery access to local parameters possible.
EAGLE
86 Release 1.02 10/04
U HiDiscovery Frame Forwarding

(SCT/MCT, bidirectional)
D No, the EAGLE blocks HiDiscovery data packets.
D Yes, the EAGLE forwards HiDiscovery data packets from Hirschmann
devices.
MACH 3002
x EAGLE
1 2
P FAULT
LS/DA STATUS
1 2 V.24
R
MICE k
IP-ADDRESS
g
Industrial Backbone
FAULT
+24V (P1)
+24V (P2)
0V
0V
V.24
MACH 3002
Subnet 1
RS2-… RS2-…
MICE
Network Management F
Fig. 33: Example of HiDiscovery frame forwarding
EAGLE
Release 1.02 10/04 87
6.2.5 System:Signal contact

The signal contact is for
D manual setting the signal contact.
D monitoring proper functioning of the EAGLE and enables remote
diagnostics.
U Signal contact
Setting the function of the signal contact:
D Operational supervision
D Manual setting
U Operational supervision
A break in contact is reported via the zero-potential signal contact
(relay contact, closed circuit):
D the failure of at least one of the two supply voltages (power supply
voltage 1 or 2 < 9,6 V).
Note: With a non-redundant supply of the supply voltage, the EAGLE will
report a supply power failure. You can prevent this by
– feeding the supply voltage over both inputs or
– by selecting “Ignore redundant power supply”.
D the defective link status of at least one port. The link status message
can be masked for
– Ignore: no link monitor
– Supervise only internal port (trusted)
– Supervise only external port (untrusted)
– Supervise both ports
Link status is not monitored in the delivery condition.
U Manual settings
This mode gives you the option of remote switching the signal contact.
V Select Open (Alarm) to open the contact.
V Select Closed to close the contact.
EAGLE
88 Release 1.02 10/04
Application options:
D Simulation of an error during SPS error monitoring.
D Remote control of a device via SNMP, such as switching on a camera.
Fig. 34: Signal contact
EAGLE
Release 1.02 10/04 89
EAGLE
90 Release 1.02 10/04
Web-based management 6.3 Ports menu
6.3 Ports menu
6.3.1 Ports:Configuration Table

This table allows you to configure every port of the EAGLE.
Fig. 35: Port configuration
U Automatic Configuration
In the “Automatic Configuration” (Autonegotiation) column, you can
activate the automatic selection of a port's operating mode by marking
the appropriate field. After the au-tonegotiation has been switched on,
it takes a few seconds for the oper-ating mode to be set.
EAGLE
Release 1.02 10/04 91
Web-based management 6.3 Ports menu
U Manual Configuration
In the “Manual Configuration” column, you set the operating mode for
this port. The choice of operating modes depends on the media module.
The possible operating modes are:
D 10 Mbit/s half duplex (HDX),
D 10 Mbit/s full duplex (FDX),
D 100 Mbit/s HDX and
D 100 Mbit/s FDX.
Note: The active automatic configuration has priority over the manual
configuration.
EAGLE
92 Release 1.02 10/04
Web-based management 6.4 Redundancy
6.4 Redundancy
6.4.1 Redundancy:Layer 2 Redundancy

This dialog offers you the option of including the EAGLE in the path of the
Redundant Ring /Network Coupling or Dual Homing (requirement for Dual
Homing: redundancy check is deactivated in the MACH 3000).
V For this application select the operating mode

Multi-client transparent mode.
Fig. 36: Layer 2 Redundancy
U Activate Ring/Network Coupling/Dual Homing

If you include the EAGLE in the path of the redundant Ring/Network
Coupling or Dual Homing, select Yes.
Default setting: No.
EAGLE
Release 1.02 10/04 93
Web-based management 6.4 Redundancy
U Redundancy port
Select the port that leads directly to the coupling switch (see Fig. 37).
MICE
Stand-by switch Cell 1

RS2-…
RS2-…
MICE Coupling switch
x EAGLE x EAGLE
1 2
P FAULT
1 2
P FAULT STATUS
LS/DA
LS/DA STATUS
1 2 V.24
1 2 V.24 R
R
k k
IP-ADDRESS
IP-ADDRESS
1
1
2
2
g Aufkleber MAC-Adresse
g
FAULT
FAULT
+24V (P1)
+24V (P2)
Redundancy port
+24V (P1)
+24V (P2)
0V
0V
0V
0V
V.24
V.24
MACH 3002
MACH 3002
Industrial Backbone
MACH 3002
Fig. 37: Example of Layer 2 redundancy in multi-client transparent mode
EAGLE
94 Release 1.02 10/04
Web-based management 6.5 Network menu
6.5 Network menu
6.5.1 Network:Base
The EAGLE must naturally be set to the Network Mode (= operating mode)
that matches its connection to the local computer or network (see “Typical
application scenarios” on page 33).
Fig. 38: Network:Base
Variable IP address
in transparent mode 1.1.1.1
in router mode 192.168.1.1
in PPPoE mode 192.168.1.1
Local netmask 255.255.255.0
Table 4: The EAGLEs preset local IP address
EAGLE
Release 1.02 10/04 95
Note: When the Network Mode has been changed, the device will reboot
automatically.
Note: If you change the address of the EAGLE (e.g. by changing the Network
Mode from Stealth to Router), the device will be immediately, after a restart,
only accessible at the new address. See “System configuration via Web-
based management” on page 62.
Note: If you set the Network Mode to Router, PPPoE or PPTP and then
change the internal IP address and/or the local netmask, make very certain
that you enter the correct values. Otherwise, the EAGLE will no longer be
accessible.
U Network mode
D Transparent mode
The Transparent mode is used to connect an individual (single client,
SCT) or several devices (multi-client, MCT) to secure port (state on
delivery: Multi-client transparent mode).
Integrate the EAGLE into the existing network. The IP parameters of
the existing network do not need to be reconfigured (see Fig. 9).
The EAGLE analyzes the flowing network traffic and configures its
network connection automatically and operates transparently, i. e.
without the client having to be reconfigured.
Here you can enter the local IP parameters of the EAGLE. These
parameters allow you access to the management of the EAGLE.
The firewall security function is available in the SCT and MCT mode.
The VPN security function is available in SCT.
Note: If transparent is selected as the network mode, no entries need

to be made under Internal IPs and additional internal routers. Existing
entries under these points are ignored.
EAGLE
96 Release 1.02 10/04
D Router mode
If the EAGLE is not in transparent mode, it functions as a normal
router and consequently has an external and internal IP address.
The security functions firewall and VPN are available.
Note: If the EAGLE is operated in router mode, a locally connected client

computer of the EAGLE must be defined as the standard gateway, i.e. the
address of the standard gateway must be set to the internal IP address of
the EAGLE (see “IP configuration for the Windows clients” on page 149.)
Note: If the EAGLE is operated in Router mode and is used to establish

the connection to the Internet, you should activate NAT to allow access
to the Internet from the local network (see “Firewall:NAT” on page 116).
If NAT is not activated, the device will only allow VPN connections.
D PPPoE mode
The PPPoE mode corresponds to router mode with DHCP – with one
difference: To connect to an external network (Internet, WAN) the
PPPoE protocol is used – as in Germany – which is used by many
DSL modems (for DSL Internet access). The external IP address,
at which the EAGLE can be reached from a remote terminal, is
determined dynamically by the provider.
Address of the device (for configuration purposes):
IP address: 192.168.1.1
Local network mask: 255.255.255.0
Note: If the EAGLE is operated in PPPoE mode, a locally connected

client computer of the EAGLE must be defined as the standard gateway,
i.e. the address of the standard gateway must be set to the internal IP
address of the EAGLE (see “IP configuration for the Windows clients” on
page 149.)
Note: If the EAGLE is in PPPoE mode, NAT must be activated to enable

access to the Internet (see “Firewall:NAT” on page 116). If NAT is not
activated, the device will only allow VPN connections.
D PPTP Mode
This mode is similar to PPPoE mode. In Austria, for example,
PPTP is used instead of the PPPoE protocol for DSL connections.
PPTP is the protocol, which was originally used by Microsoft for
VPN connections.
EAGLE
Release 1.02 10/04 97
Note: If the EAGLE is operated in PPTP mode, you must set it as the
standard gateway in the locally connected client computers. In other
words, the address entered for the standard gateway must be the internal
IP address of the EAGLE (see “IP configuration for the Windows clients”
on page 149).
Note: If the EAGLE is in PPTP mode, NAT must be activated to enable

access to the Internet (see “Firewall:NAT” on page 116). If NAT is not
activated, the device will only allow VPN connections.
U Internal IPs
Router / PPPoE / PPTP mode
Internal IPs is the IP address, under which the EAGLE can be

accessed from the locally connected LAN.
Default setting:
IP address: 192.168.1.1
Lokal Netmask: 255.255.255.0
You can also specify other addresses, under which the EAGLE can be
accessed by devices on the locally connected network. This can be
useful, for example, if the locally connected network is divided into
subnetworks. In this case, multiple units on different subnetworks can
access the EAGLE under different addresses
V If you wish to define another internal IP, click on New.
V If you wish to delete an internal IP, click on Delete.
The first IP address in the list cannot be deleted.
EAGLE
98 Release 1.02 10/04
U Additional Internal Routes

Router / PPPoE / PPTP mode
If the locally connected network includes subnetworks, you can define

additional routes.
Also see “Example of a network” on page 185.
V If you wish to define another route to a subnetwork, click on New.
Enter:
– the IP address of the subnetwork (network), plus
– the IP address of the gateway through which the subnetwork is
connected.
You can define any number of internal routes.
V If you wish to delete an internal route, click on Delete.
Note: If additional internal routers are defined, these have no effect in

transparent mode.
EAGLE
Release 1.02 10/04 99
6.5.2 Network:Transparent mode

Requirement: The EAGLE has been set to the network mode transparent.
Fig. 39: Network:Transparent mode
U Single client automatic

A single device to be protected is connected to the EAGLE.
To to be able to support VPN, the EAGLE analyzes the network traffic
that passes through it, configures its network connection automatically,
and operates transparently. Enter the IP parameters for local
management under “Local IP configuration”.
EAGLE
100 Release 1.02 10/04
U Single client static:

A device to be protected is connected to the EAGLE.
V Enter the IP parameters for local management (see above).
If the EAGLE is unable to analyze the network traffic that passes through
it, for example, because the locally connected computer is only receiving
data, the transparent configuration must be set to single-client
transparent mode, static , to support VPN.
In this case, make the following settings for the points in question:
D IP Address of the connected client
D Client's MAC address. This is the physical address of the local
computer's network adapter to which the EAGLE is connected.
The MAC address can be determined in the following manner:
On the DOS level (Start:Programs:Accessories:Command
Prompt), enter the following command:
ipconfig /all
U Multiple-Client:
Several devices to be protected are connected to the EAGLE
(default settings). The EAGLE does not support VPN in MCT mode.
Enter the IP parameters under “IP local configuration”.
EAGLE
Release 1.02 10/04 101
6.5.3 Network:Router
Requirement: The EAGLE has been set to the network mode Router.
Fig. 40: Network:Router
U External interface
Obtain external configuration via DHCP: Yes / No.
V If the EAGLE obtains the configuration data per DHCP (Dynamic Host
Configuration Protocol) from the DHCP server, set Yes. No other
information is necessary.
V If the EAGLE does not obtain the data via DHCP (Dynamic Host
Configuration Protocol) from the DHCP server, set No.
The EAGLE must then operate in the network mode Router
(see “Router mode” on page 97). You must then make provide
further information:
EAGLE
102 Release 1.02 10/04
U External networks (connected to the insecure port)

External IPs (untrusted port)
At these external IP addresses, the EAGLE can be reached by devices
of the external network (connected to the Ethernet socket of the EAGLE).
They form the interface to other parts of the LAN or to the Internet. If the
gateway to the Internet is here, the IP address are then determined by
the Internet service provider (ISP).
V If you wish to provide an additional external IP, click “New”.
V If you wish to delete one of the external IPs, click “Delete”.
Additional External Routes

In addition to the default route (see below) you can define other
external routes.
V If you wish to provide an additional external route, click “New”.
V If you wish to delete one of the additional external routes, click
“Delete”.
See also “Example of a network” on page 185.
U Default Route
Default Route via IP
Is determined by the Internet service provider (ISP), when the EAGLE
sets up the gateway to the Internet. If the EAGLE is used within the LAN,
the route from the network administrator is specified.
Note: If the local network is not known to the external router, e.g. in the
case of configuration by DHCP, enter the address of your local network
under Firewall:NAT, in other words 0.0.0.0/0
(see “Firewall:NAT” on page 116).
EAGLE
Release 1.02 10/04 103
6.5.4 Network:PPPoE
Requirement: The EAGLE has been set to the network mode PPPoE.
(see “PPPoE mode” on page 97).
User name (login) and password are requested by the Internet Service
Provider (ISP), when you wish to establish a connection with the Internet.
Fig. 41: Network:PPPoE
U PPPoE Login
In this field, enter the user name (Login), which is expected by your
Internet Service Provider when you setup a connection to the Internet.
U PPPoE Password
In this field, enter the password, which is expected by your Internet
Service Provider when you setup a connection to the Internet.
EAGLE
104 Release 1.02 10/04
6.5.5 Network:PPTP
Requirement: The EAGLE has been set to the network mode PPTP
(see “PPTP Mode” on page 97).
User name (Login) and password are requested by the Internet service
provider (ISP), when you wish to establish a connection with the Internet.
Fig. 42: Network:PPTP
U PPPoE Login
In this field, enter the user name (Login), which is expected by your
Internet Service Provider when you setup a connection to the Internet.
U PPPoE Password
In this field, enter the password, which is expected by your Internet
Service Provider when you setup a connection to the Internet.
EAGLE
Release 1.02 10/04 105
U Set local IP
Via DHCP
If the address data for access to the PPTP server is supplied by the
Internet service provider per DHCP, select via DHCP.
You do not have to make an entry under Local IP.
Modem IP. This is the address of the PPTP server of the Internet Service
Provider.
static (following field)

If the address data for accessing the PPTP server is not supplied by the
Internet service provider per DHCP, the IP address must be specified as
a local IP address for the PPTP server.
Local IP. IP address, at which the EAGLE can be reached from the
PPTP server.
Modem IP. This is the address of the PPTP server of the Internet Service
Provider.
EAGLE
106 Release 1.02 10/04
6.5.6 Network:Status
U Network mode
Displays the current operating mode of the EAGLE: Transparent (SCT/
MCT), router, PPPoE or PPTP (see “Network:Base” on page 95).
U External IP
The IP address of the EAGLE at its connection for the insecure network
(WAN or Internet).
If the EAGLE is assigned an IP address dynamically, you can look up the
currently valid IP address here.
In transport mode, the EAGLE takes on the local IP address
(see “Network:Transparent mode” on page 100).
U Default gateway
The default gateway address is shown here that is entered in the
EAGLE.
Fig. 43: Network:Status
EAGLE
Release 1.02 10/04 107
EAGLE
108 Release 1.02 10/04
Web-based management 6.6 Configuring the firewall
6.6 Configuring the firewall
The EAGLE contains a stateful packet inspection firewall. The connection

data of an active connection are recorded in a database (referred to as
connection tracking). Rules only need to be defined for one direction; data
from the opposite direction of a connection and only this data is automatically
passed through. A side effect is that existing connections are not interrupted
during reconfiguration, even if a new connection can no longer be set up.
Factory settings for the firewall:

D All incoming connections will be rejected (except VPN).
D The data packets of all outgoing connections will be passed through.
Note: VPN connections are not subject to the firewall rules defined under
this menu item. You can define firewall rules for each each individual VPN
connection in the menu “VPN:Connections” on page 122.
Note: If multiple firewall rules are set, they will be searched in the order
in which they are listed (from top to bottom) until a suitable rule is found.
This rule will then be applied. If further down in the list there are other rules,
which would also fit, they will be ignored.
EAGLE
Release 1.02 10/04 109
6.6.1 Firewall:Incoming
Lists the firewall rules that have been set. They apply to incoming data
packets that are initiated externally.
Note: If no rule has been set, all incoming connections (except for VPN)
are rejected (= factory setting).
Fig. 44: Firewall:Incoming
U Deleting a rule
V Click on the “Delete” button next to the entry. Then click on “OK”.
EAGLE
110 Release 1.02 10/04
U Setting a new rule

V If you wish to set a new rule, click on “New”.
V Define the desired rule (see below) and then click on “OK”.
The system will display a confirming message.
The following options are available:

D Protocol: All means: TCP, UDP, ICMP and other IP protocols.
Note: If you select All, the EAGLE ignores the port settings (from port,
to port).
D IP address: 0.0.0.0/0 means all addresses. To indicate a range,

use the CIDR notation - see “CIDR (Classless InterDomain Routing)”
on page 183.
D Port:
(is only evaluated for the protocols TCP and UDP)
any refers to any port.
startport:endport (e. g. 110:120) refers to a port range.
Individual ports can be specified either with the port number or with the
respective service name: (e. g. 110 for pop3 or pop3 for 110). A list of
the most commonly used port numbers can be found at http://
www.iana.org/assignments/port-numbers.
D Action:
Accept means the data packets are permitted to pass through.
Reject means that the data packets are not accepted, and the sender
is notified that the data was rejected. I transparent mode, Reject
has the same effect as Discard.
Discard means the data packets are not permitted to pass through.
They are discarded, and the sender is not notified about what
happened to the data.
Note: In Transparent mode Reject is supported if the local IP address

is entered correctly.
D Log
For each individual firewall rule you can decide if, when the rule is
applied,
– the event should be logged – set Log toYes
– or not – set Log to No (factory default setting).
D Log entries for unknown connection attempts
This logs all connection attempts that are not recorded by the
preceding rules.
EAGLE
Release 1.02 10/04 111
6.6.2 Firewall:Outgoing
Lists the firewall rules that have been established. They apply to outgoing
data connections that are initiated internally. The default setting allows all
packets to pass through.
With the default rule, all outgoing connections are permitted to pass through.
Fig. 45: Firewall:Outgoing
U Deleting a rule

The system will display a confirming message.
EAGLE
112 Release 1.02 10/04

D Protocol: All means: TCP, UDP, ICMP, and other IP protocols.
Note: If you select All, the EAGLE ignores the port settings (from port,
to port).
D IP address: 0.0.0.0/0 means all addresses. To indicate a range,

use the CIDR notation - see CIDR (Classless InterDomain Routing) -
see “CIDR (Classless InterDomain Routing)” on page 183.
D Port:
any refers to any port.
startport:endport (e. g. 110:120) refers to a port range.
Individual ports can be specified either with the port number or with
the respective service name: (e. g. 110 for pop3 or pop3 for 110).
D Action:
is notified that the data was rejected. I transparent mode, Reject
has the same effect as Discard.
They are “swallowed”, and the sender is not notified about what

D Log
applied,
– the event should be logged – set Log to Yes
D Log entries for unknown connection attempts
This logs all connection attempts that are not recorded by the
preceding rules.
EAGLE
Release 1.02 10/04 113
6.6.3 Firewall:Port Forwarding

Lists the rules that have been defined for port forwarding.
The following takes place when during port forwarding: The headers of the
incoming data packets from the external network that are addressed to the
external IP address (or to one of the external IP addresses) of the EAGLE as
well as to a specific port of the EAGLE are translated in such a way that they
are forwarded to the internal network to a particular computer and to a
particular port of this computer. This means that the IP address and port
number in the header of the incoming data packets are changed.
This procedure is also referred to as Destination NAT.
Note: These rules do not apply in transparent mode.
Note: The rules established here have priority over the settings under
“Firewall:Incoming” on page 110.
Fig. 46: Firewall:Port Forwarding
U Deleting a rule
EAGLE
114 Release 1.02 10/04

D Protocol
Enter the protocol which the rule is to refer to.
D Incoming for IP:
Enter the external IP address (or one of the external IP addresses)
of the EAGLE.
OR
In case there is a dynamic change of the external IP addresses of the
EAGLE so that you can enter the address, use the following variable:
%external.
D Incoming for port:
Original destination port that is specified in the incoming data packets.
D Forward to IP:
IP address to which data packets are to be forwarded and into which
the original destination addresses are to be translated.
D Forward to port:
Port to which data packets are to be forwarded and into which the
original port information is to be translated.
Ports can be specified either with the port number or with
D Log
For each individual port forwarding rule you can decide if, when the
rule is applied,
– the event should be logged – set Log toYes
EAGLE
Release 1.02 10/04 115
6.6.4 Firewall:NAT
For outgoing addresses the EAGLE can translate the specified sender IP
addresses from its internal network (in the example below: 192.168.x.x)
into its own external address (in the example below: 148.218.112.7 or
149.218.112.8). The EAGLE can break down the assignment of the
incoming data packets using the logical ports.
This method is used if the internal addresses cannot or should not be
routed externally, for example, because a private address range such
as 192.168.x.x is being used or the internal network structure is to be
concealed.
This procedure is also referred to as IP masquerading.
The dialog lists the defined rules for NAT (Network Address Translation).
U Principle of IP masquerading
For addressing purposes, TCP/IP uses so-called port numbers
(UDP, TCP) for the source and destination in addition to the IP
addresses.
Masquerading makes use of this feature.
If the EAGLE receives a data packet in router mode at a secure port,
it will then enter the IP address of the sender (source) and the port in
an internal table. The EAGLE assigns this table entry its own IP port
address and a random port number as new source information.
The EAGLE then forwards the data packet with this new information
at the insecure port.
This is how the receiver sends its reply to this data packet to the EAGLE.
The EAGLE in turn forwards the reply back to the original address using
its internal address.
This method permits a communication request from the the secure to the
insecure network, for example, for one computer located in cell 3 to a
computer in the industrial backbone (see the figure below).
EAGLE
116 Release 1.02 10/04
192.168.0.3 192.168.0.3
MICE MICE
Cell 3 Cell 2
192.168.0.1 192.168.0.2
192.168.04 192.168.04
RS2-… RS2-… RS2-… RS2-…
192.168.0.1
MICE
192.168.0.1 MICE
x EAGLE
x EAGLE
148.218.112.7
1 2
P FAULT
LS/DA STATUS
1 2 V.24
1 2
P FAULT R
LS/DA STATUS
k
1 2 V.24
R
IP-ADDRESS
k 1
IP-ADDRESS
148.218.112.6
2
2
g
FAULT
+24V (P1)
+24V (P2)
0V
0V
FAULT
+24V (P1)
+24V (P2)
V.24
0V
0V
V.24
148.218.112.9
148.218.112.8 MICE
Industrial Backbone
RS2-…
Fig. 47: Example of a masquerading application: two identically structured

production cells
Note: If the EAGLE is operating in PPPoE/PPTP mode, NAT must be

activated to obtain access to the Internet. If NAT is not activated, only VPN
connections can be used.
Factory setting: There is no NAT.
EAGLE
Release 1.02 10/04 117
Fig. 48: Firewall:NAT
U Deleting a rule

The following entry options are available:

D From IP:
0.0.0.0/0 means all addresses. In other words, all internal IP
addresses are subject to the NAT procedure. To indicate a range,
on page 183.
Example:
For the IP address range 192.168.0.33 to 192.168.0.64 enter:
192.168.0.1.33/27.
EAGLE
118 Release 1.02 10/04
6.6.5 Firewall:Extended Settings

The settings determine what the basic responses of the firewall will be.
Fig. 49: Firewall:Extended Settings
D Maximum number of ...

These 5 settings define upper limits. They are so selected that they are
never reached in normal operation. However, since they can be easily
reached in the event of an attack, the limits provide additional security.
If your operational environment has special requirements, you can
increase these values.
D Enable “Active FTP” NAT/Connection Tracking support
If an outgoing FTP (protocol) connection is setup to download data, the
server called will callback the calling system to establish a connection for
this transfer of data. In other words, for the calling client, the connection
is simply an additional incoming connection, which will be setup with
“Active FTP”. In this case, Enable “Active FTP” NAT/Connection
Tracking support must be set to Yes so that the firewall will pass the
data through (factory setting). Without this function, the unit only permits
passive FTP.
EAGLE
Release 1.02 10/04 119
D Enable “IRC” NAT/Connection Tracking support

This is similar to “Active FTP”: When the IRC protocol is used for chatting
in the Internet, incoming connections must also be permitted after the
connection has been established actively. In this case, Enable “IRC”
NAT/Connection Tracking support must be set to Yes so that the
firewall will permit these connections (factory setting).
D Enable “PPTP” NAT/Connection Tracking support
This need only be set to Yes under the following condition:
if a local system should establish a VPN connection via PPTP to an
external system without help from the EAGLE.
The factory setting is No.
D Transparent Mode only
These 2 settings define maximum values. They are so selected that they
are never reached in normal operation. However, since they can be easily
reached in the event of an attack, the limits provide additional security.
If your operational environment has special requirements, you can
increase these values.
6.6.6 Firewall:Logs - Display

If the logging of events was activated (Log = Yes) on the firewall rules page,
you can view the log with all of the recorded events here.
The format of the log corresponds to that common under Linux.
EAGLE
120 Release 1.02 10/04
Web-based management 6.7 Setting up a VPN connection
6.7 Setting up a VPN connection
Note: VPN is not supported in MCT mode and not by the device models
EAGLE (FW).
Prerequisites for a VPN connection:

The main prerequisite for a VPN connection is that the IP address of the
VPN partner is known and accessible. See “Services:DynDNS Monitoring”
on page 144.
D To successfully set up an IPsec connection, the VPN remote terminal
must support IPsec with the following configuration:
D Authentication via Pre-Shared Key (PSK) or X.509 certificate
Note: The Hirschmann Competence Center creates and manages

safety certificates.
D ESP
D Diffie-Hellman Groups 2 and 5
D DES, 3DES or AES encryption
D MD5 or SHA-1 hash algorithms
D Tunnel or Transport mode
D Quick Mode
D Main Mode
D SA Lifetime (1 second to 24 hours; standard: 8 hours)
If the system at the remote site is running Windows 2000, the Microsoft
Windows 2000 High Encryption Pack or Service Pack 2 must also be
installed.
D If the remote site is behind a NAT router, it must support NAT-T or the
NAT router must support the IPsec protocol (IPsec/VPN Passthrough).
In either case, for technical reasons, only IPsec Tunnel connections are
supported.
EAGLE
Release 1.02 10/04 121
6.7.1 VPN:Connections
Lists the VPN connections that have been setup.
All of the listed connections may be active at the same time.
Fig. 50: VPN:Connections
U Setting up new a VPN connection

V Click “New”.
V Assign a name to the connection and click “Edit”.
V Make the desired or required settings (see below).
V Afterwards, click OK.
U Editing the VPN connection

V Click the button “Edit” next to the respective connection.
V Make the desired or required settings (see below).
EAGLE
122 Release 1.02 10/04
Fig. 51: VPN:Connections:Connection
U Deleting a connection
V Click “Delete” next to the respective entry. Then “OK”.
U Any name for the VPN connection

You can give the connection any name you wish.
U Active
Determine if the connection is to be active (=Yes) or not (= No).
EAGLE
Release 1.02 10/04 123
U Address of the remote site's VPN gateway

D What is meant is the address of the access (gateway) to the private
network in which the remote communication partner can be found
(see Fig. 52).
D If you wish to have the EAGLE actively initiate and setup the
connection to the remote site or if the device is in Stealth mode,
enter the IP address of the remote site here. The remote site must
have a fixed and known IP address. Instead of entering an IP address,
you can enter a hostname (i.e. a domain name in the URL syntax -
www.xyz.de).
If the remote site's VPN gateway does not have a fixed and known
IP address, you can use the DynDNS Service to simulate a fixed and
known address. See “Services:DynDNS Monitoring” on page 144.
D If the EAGLE is ready to accept the connection that initiates and
establishes a remote terminal active to the local EAGLE with random
IP address, then enter: %any
In this case, the local EAGLE can be “called” by a remote site, which
has been dynamically assigned its IP address (by the Internet Service
Provider), i.e. which has an IP address that changes. In this scenario,
you may only enter an IP address when this is the fixed and known
IP address of the remote “calling” site.
EAGLE
124 Release 1.02 10/04
192.168.208.2
MACH 3002
x EAGLE
unsecure LS/DA
P
1
1
2
2 V.24
R
FAULT
STATUS
network
k
IP-ADDRESS
1
VPN g
Industrial Backbone
FAULT
+24V (P1)
+24V (P2)
0V
0V
V.24
192.168.206.10 MACH 3002
192.168.208.11
192.168.208.1
Fig. 52: Devices and addresses of the remote site
Dialog Setting Value

Network:Base Internal IP 192.168.208.11
Netmask 255.255.255.0
Network Mode Router
Network:Router DHCP No
External IP 192.168.206.11
Netmask 255.255.255.0
VPN:L2TP Start L2TP Server for L2TP Yes
Local IP for L2TP connections 10.106.106.2
Assignment of IPs for L2TP remote site 10.106.106.2
10.106.106.254
VPN:Connections Active Yes
VPN:IPsec State Gateway 192.168.206.11
Table 5: Example to devices and addresses of the remote site
EAGLE
Release 1.02 10/04 125
U Connection type
Connection type annotation

Tunnels This type of connection is not only suitable in every case,
(Network <––> Network) but also the most secure. In this mode, the IP datagrams are
completely encrypted before they are sent with a new header
to the remote site‘s VPN gateway – the “tunnel end”. There the
transferred datagrams are decypted to restore the original
datagrams. These are then passed on to the destination
system.
Transport (Host <––> Host) In this type of connection, the device only encrypts the data of
the IP packets. The IP header information remains in the clear
(unencrypted).
Transport If this type of connection is activated on the remote system, the
(L2TP Microsoft Windows) EAGLE will also take this setting - Transport (L2TP
Microsoft Windows) - and will function accordingly.
In other words, the L2TP/PPP protocol will create a tunnel
within the IPsec transport connection. The locally connected
L2TP system will be assigned its IP address dynamically.
If you select the connection type Transport (L2TP
Microsoft Windows), set Perfect Forward
Secrecy (PFS) to No (see below). As soon as the IPsec/
L2TP connection is started under Windows, a dialog will appear
to prompt you to enter your user name and password. You can
make any entry that you want in this dialog, since the X.509
certificate has already provided your authentication, the EAGLE
will ignore these entries.
Transport If this type of connection is activated on the locally connected
(L2TP SSH Sentinel) system, the EAGLE will also take this setting - Transport
(L2TP SSH Sentinel) - and will function accordingly. In other
words, the L2TP/PPP protocol will create a tunnel within the
IPsec transport connection. The locally connected L2TP system
will be assigned its IP address dynamically.
Table 6: Connections types
EAGLE
126 Release 1.02 10/04
U Initiating a connection
There are 2 options:
– Start a connection to the remote side
– Wait for the remote side [to setup a connection]
D Start a connection to the remote side
In this case, the local EAGLE sets up the connection to the remote
side. The fixed IP address or domain name of the remote side must
be entered in Address of the remote site's VPN gateway
(see above) field.
D Wait for the remote side [to setup a connection]
In this case, the local EAGLE is ready to accept a connection, which
a remote site actively initiates and sets up to the local EAGLE.
The entry in the Address of the remote site's VPN gateway
(see above) field may be: %any.
If the EAGLE should only accept a connection initiated by a specific
remote site (which has a fixed IP address), enter its IP address or
hostname to be on the safe side.
Note: If the EAGLE operates in single-client transparent mode, this

setting has no effect, i.e. it is ignored and the connection is initiated
automatically if the EAGLE notices that the connection is to be used.
In multi-client transparent mode, no VPN is possible.
EAGLE
Release 1.02 10/04 127
U Authentication method
There are 2 options:
– X.509 Certifikate and
– Pre-Shared Key
D X.509 Certificate
This method is supported by most of the newer IPsec implementations
and is currently considered the most secure. In this case, the EAGLE
uses the public key of the remote site (filename *.cer or *.pem) to
encrypt the authentication datagram before it sends to the remote site,
the “tunnel end”. (You must have received this *.cer or *.pem file
from the operator at the remote site - perhaps on a diskette or attached
to an e-mail).
To make this public key available to the EAGLE, proceed as follows:

Requirement: You have saved the *.cer- or *.pem file on the
computer.
– Click Configure.
Result: The screen VPN:connections:connection xyz:X.509 certificate
appears. (“xyz” represents the name of the connection.)
– Search... click and select the file.
– Click Import.
After the import, the contents of the new certificate is displayed -
see the following figure. For an explanation of the information
displayed, see the Chapter “VPN:Machine Certificate” on page 135.
Fig. 53: Public key
EAGLE
128 Release 1.02 10/04
D Pre-Shared Key (PSK)

This procedure is particularly supported by older IPsec implementations.
Here, the EAGLE encrypts the datagrams that it sends to the remote
terminal, the “end of the tunnel”, with the public key of the remote
terminal (filename *.cer or *.pem).
To make the arranged key available to the EAGLE, proceed as

follows:
– Click Configure.
Result: The main screen appears.
Fig. 54: Pre-Shared Secret Key
– Enter the string arranged in the entry field Pre-Shared Key

(PSK). To achieve a security level that is equivalent to 3DES,
the string should be approx. 30 characters that are made up of
upper and lower case letters and digits.
– Click Back.
Note: The Pre-Shared Key cannot be used with dynamic (%any)

IP addresses; fixed IP addresses are required at both ends of the tunnel.
EAGLE
Release 1.02 10/04 129
U ISAKMP SA (key exchange)

D Encryption algorithm
– Make arrangements with the administrator at the remote terminal as
to which encryption procedure is to be used.
3DES-168 is the most frequently used procedure and for this reason
is the default setting.
The following principles apply: The more bits an encryption algorithm
has, indicated by the number at the end, the higher level of security it
offers. The relatively new procedure AES-256 is regarded as the most
secure, but has not yet been widely implemented.
The encryption procedure takes longer, the longer the key is.
This aspect is irrelevant for the EAGLE, since it operates with
hardware-based encryption. This could, however, play a role for
the remote terminal.
The algorithm named “Null” offers no encryption whatsoever.
D Checksum algorithm/Hash
Keep the setting on All algorithms. Then it makes no difference
if the remote terminal operates with MD5 or SHA-1.
U IPsec SA (data exchange)

In contrast to ISAKMP SA (key exchange) (see above), the procedure
for exchanging data is defined here. It can differ from the keys of the key
exchange, but this is not mandatory.
D Encryption algorithm
See above.
D Checksum algorithm/Hash
See above.
EAGLE
130 Release 1.02 10/04
U Perfect Forward Secrecy (PFS)

Procedure for increasing security in data transmissions. With IPsec the
keys for exchanging data are renewed at specific intervals. With PFS
new random numbers are negotiated with the remote station instead of
deriving them from previously arranged random numbers.
Select Yes only if the remote terminal supports this procedure.
When you select the connection type Transport (L2TP Microsoft

Windows), set Perfect Forward Secrecy (PFS) to No.
U Tunnel settings
D The address of the local network
D The related network mask
These entries specify the address of the client (network or computer),
that is directly connected to the secure port of the EAGLE which the
EAGLE is protecting. The address designates the local endpoint of
the connection.
MACH 3002
MACH 3002

x EAGLE
x EAGLE
LS/DA
P
1
1
2
2 V.24
R
FAULT
STATUS
unsecure LS/DA
P
1
1
2
2 V.24
R
FAULT
STATUS
network
k k
IP-ADDRESS
IP-ADDRESS
1 1
2 2
g g
FAULT
FAULT
+24V (P1)
+24V (P2)
+24V (P1)
+24V (P2)
0V
0V
0V
0V
V.24 V.24
to the remote
Tunnel: The address of the terminal
local network. (can also be
an individual computer)
Fig. 55: Local devices and addresses
EAGLE
Release 1.02 10/04 131
Example:
If the computer connected to the EAGLE is the one you are using to
configure the device, the entries could then be:
Address of the local network: 192.168.1.1
The related network mask: 255.255.255.0
See also “Example of a network” on page 185.
D The virtual IP which will be used by the client SCT mode
A VPN tunnel can only connect two local networks over a public
network. If the EAGLE is operating in single-client transparent
mode, there is only one single computer connected to it - see
“Network:Transparent mode” on page 100. Hence, to set up
a VPN tunnel, a connected local network must be simulated.
The computer connected to the EAGLE is assigned a virtual
IP address in this network.
For the remote terminal, this virtual IP address is the address of the
(simulated) local network, at which the computer that is physically
connected to the EAGLE can be reached in the VPN. For the remote
terminal this means that this simulated IP address there is to be
specified as the address of the network on the other end when the
VPN connection is configured.
The system locally connected to the EAGLE “knows” nothing of this
virtual IP under which it is accessed by the remote site. In other
words, it need not be specially configured.
What this means is that:
– You can enter any IP address desired in the syntax 192.xxx.xxx.xxx
(x = any digit) as long as it is not already assigned at the remote site.
To avoid conflicts with IP addresses at the remote site, speak with the
responsible administrator.
This virtual IP address must be entered at the remote site in the
configuration of this VPN connection as the Remote network address.
D Tunnel: Remote network address
D Tunnel: The appropriate remote netmask
With these two entries, you specify the address of the network in
which the remote communication partner can be found. This address
can also be that of a computer, which is connected directly to the
VPN gateway.
EAGLE
132 Release 1.02 10/04
MACH 3002
MACH 3002

x EAGLE
x EAGLE
LS/DA
P
1
1
2
2 V.24
R
FAULT
STATUS
unsecure LS/DA
P
1
1
2
2 V.24
R
FAULT
STATUS
network
k k
IP-ADDRESS
IP-ADDRESS
1 1
2 2
Aufkleber MAC-Adresse g g
FAULT
FAULT
+24V (P1)
+24V (P2)
+24V (P1)
+24V (P2)
0V
0V
0V
0V
V.24 V.24
The address of the Tunnel: The address of the

VPN gateway of the network on the opposite end.
remote terminal (can also be an single computer)
Fig. 56: Devices and address of the remote terminal
U Firewall incoming, Firewall outgoing

While the settings made in the Firewall menu only affect non-VPN
connections (see “Firewall:Incoming” on page 110), these settings affect
just the VPN connection defined here. What this means is that: If you
have defined multiple VPN connections, you can restrict the outgoing
or incoming access individually for each connection. You can have any
attempts made to bypass these restrictions logged.
Note: According to the factory setting, the VPN firewall is set up in such
a way that everything is permitted for the VPN connection.
The extended firewall settings, which are defined and explained at the top
(see “Firewall:Extended Settings” on page 119), apply nonetheless for
each individual VPN connection independent of each other.
Note: If multiple firewall rules are set, they will be searched in the order
in which they are listed (from top to bottom) until a suitable rule is found.
This rule will then be applied. If further down in the list there are other
rules, which would also fit, they will be ignored.
V To set or delete a firewall rule, proceed as described in the earlier
sections (see “Firewall:Incoming” on page 110 and
“Firewall:Outgoing” on page 112).
EAGLE
Release 1.02 10/04 133
As there, you have the following entry options:

D Protocol: All means: TCP, UDP, ICMP and other IP protocols.
D IP address: 0.0.0.0/0 means all addresses. To enter an address
space, use the CIDR notation (see “CIDR (Classless InterDomain
Routing)” on page 183).
D Port: (is only evaluated for the protocols TCP and UDP)
any designates any port.
startport:endport (e. g. 110:120) designates a port range.
Individual ports can be specified either with the port number or with
D Action:
is notified that the data was rejected. (In transparent mode, Reject has
the same effect as Discard, see above)
They are “swallowed”, and the sender is not notified about what
Log
applied,
Log entries for unknown connection attempts

If this is set to Yes, all attempts to establish a connection, which were not
covered by the rules defined above, will be logged.

Note: If multiple firewall rules have been set, these will be processed in
the order that they were entered.
EAGLE
134 Release 1.02 10/04
6.7.2 VPN:Machine Certificate
Fig. 57: Machine Certificate
EAGLE
Release 1.02 10/04 135
U Certificate
Display the currently imported X.509 certificate with which the EAGLE
identifies itself to other VPN gateways. The following information is
displayed:
Info Meaning
subject The owner to whom the certificate is issued.
issuer The point of authentication that signed the certificate.
C : Country
ST: State
L : City
O : Organization
OU: Department (organization unit)
CN: Hostname, common name
MD5, SHA1 Fingerprint Fingerprint of the certificate so that it, for example,
can be compared with others on the phone. Here,
Windows displays the fingerprint in the SHA1 format.
notBefore, notAfter Validity period of the certificate. Is ignored by the
EAGLE since it does not have a built-in clock.
Table 7: Certificate information
In addition to the information provided above, the imported certificate file

(filename extension *.p12 or *.pfx) contains, both keys: the public key for
encryption and the private one for decryption. The associated public key
can be assigned to any number of connection partners, allowing them to
send encrypted data.
Dependant on the remote terminal, the certificate must be made
available to the operator of the remote terminal as a .cer or .pem file - for
example, by giving it to the operator personally or sending it as an e-mail.
If you do not have access to a secure transmission path, you should
compare the fingerprint displayed by the EAGLE over a secure path.
Only one certificate file (PKCS#12 file) can be imported into the device.
To import a (new) certificate, proceed as follows:
EAGLE
136 Release 1.02 10/04
U New certificate
Requirement:
The certificate file (filename = *.p12 or *.pfx) is generated and stored on
the connected computer.
V Click Search... to select the file.
V Enter the password with which the private key of the PKCS#12 file is
protected into the field.
V Click Import.
V After the import a system message will appear:
Fig. 58: System message
EAGLE
Release 1.02 10/04 137
6.7.3 VPN:L2TP
Fig. 59: VPN:L2TP
U Start L2TP Server for IPsec/L2TP? Yes / No

If you wish to permit an L2TP connection, set this switch to Yes.
Within the IPsec transport connection, the L2TP connection contains
in turn a PPP connection. This results in a type of tunnel between two
networks. In doing so, the EAGLE informs the remote terminal about
the addresses that are used: for itself and for the remote terminal.
U Local IP for L2TP connections

With the setting shown in the screenshot above, the EAGLE will inform
the remote site that it's address is 10.106.106.1.
U Assignment of IPs for the L2TP remote site

With the settings shown in the screenshot above, the EAGLE will inform
the remote site that it has been assigned addresses starting from
10.106.206.2 (in the case of a single system) all the way to
10.106.206.254 (in the case of multiple systems).
EAGLE
138 Release 1.02 10/04
6.7.4 VPN Configuration, IPsec Status - Display

Provides information about the status of the IPsec connections.
The names of the VPN connections are listed on the left. Their current
statuses are displayed on their right.
D GATEWAY designates the communicating VPN gateways
D TRAFFIC designates the computers or networks that communicate via
VPN gateways.
D ID
designates the distinguished name (DN) of a X.509 certificate.
D ISAKMP status (Internet Security Association and Key Management
Protocol) has the value “established”, if both participating VPN gateways
have set up a channel for exchanging keys. In this case, they can contact
each other and thus all entries, including “ISAKMP SA” on the
configuration end of the connection were correct.
D IPsec status has the value “established”, if the IPsec encryption is
activated for communication. In this case, the values under “IPsec SA”
and “Tunnel Settings” were also correct.
Should you encounter problems, we recommend that you take a look at the
VPN logs of the computer to which the connection was set up. For security
reasons, the initiating computer will not be sent any detailed error messages.
If the display shows:

ISAKMP SA established, IPsec State: WAITING
This means that:
The authentication was successful, but the other parameters are not correct.
Do the connection types (Tunnel, Transport) match?
If Tunnel has been selected, do the network address areas match on at both
ends of the connection?
If the display shows:

IPsec State: IPsec SA established
This means that:
The VPN connection has been successfully setup and can be used. If this is
not the case, there must be a problem with the remote VPN gateway. In this
case, click on the connection name and then on OK to setup the connection
again.
EAGLE
Release 1.02 10/04 139
6.7.5 VPN:L2TP Status - Display

Shows information about the L2TP status, when this type of connection has
been selected. See “VPN:L2TP” on page 138).
6.7.6 VPN:VPN Logs - Display

Lists all VPN events.
The format of the log corresponds to that common under Linux.
EAGLE
140 Release 1.02 10/04
Web-based management 6.8 Services menu
6.8 Services menu
6.8.1 Services:DNS
If the EAGLE is to set up a connection to a remote terminal (for example
VPN gateway or NTP server), it must know the IP address of the remote
terminal. If the address is provided as a domain address (i. e. in the
format www.abc.xyz.de), the device must first look up which IP address
this resolves to on the domain nameserver.
If the EAGLE is not in transparent mode, you can configure the locally
connected clients, so that they can use the EAGLE to resolve the
hostnames into IP addresses (see “IP configuration for the Windows clients”
on page 149).
Fig. 60: Services:DNS
EAGLE
Release 1.02 10/04 141
U Hostname mode
With hostname mode and hostname you can assign the EAGLE
a name. It will be displayed when someone logs in with SSH. A name
environment simplifies the administration of several EAGLEs.
D User defined (see below)
(Standard) The name entered in the field hostname is set as the
name for the EAGLE.
Note: If the EAGLE is operating in transparent mode, the option User

defined must be selected as the hostname mode.
D Provider defined (e. g. via DHCP)
If the network mode permits the hostname to be set externally,
such as with DHCP, the name transmitted by the provider will then
be set for the EAGLE.
U Hostname
If the option User defined is selected under hostname mode, then enter
the name here that is to be given to the EAGLE.
If the option Provider (e. g. via DHCP) is selected under Hostname
mode, an entry in this field will be ignored.
U Domain search path

This entry make it easier for the user to specify a domain name: If the
user enters the domain name in an abbreviated form, the EAGLE will
extend the entry by appending the domain suffix, which is defined here
in the Domain search path.
U Used nameserver
Options:
– Root Nameserver
– Provider defined
– User defined
EAGLE
142 Release 1.02 10/04
D Root Nameserver
Requests are sent to the root nameserver in the Internet whose
IP addresses are stored in the EAGLE. These addresses seldom
change. This setting should only be selected if the alternative settings
do not function.
D Provider defined
With this setting, the device will use the Domain nameserver of
the Internet Service Provider, which is used to access the Internet.
You can select this setting, when the EAGLE will be operated in
PPPoE or Router mode with DHCP active (see “Services:DHCP” on
page 147).
D User defined
If this setting is selected, the EAGLE sets up a connections with the
domain nameservers that are listed in User-defined nameserver.
In transparent mode only the first two entries are evaluated in this list.
U User defined nameservers

You can record the IP addresses of domain nameservers in this list.
If one of these should be used by the EAGLE, specify this under
Servers to query.
Note: If you have selected User defined, you must configure the locally
connected clients to use the address of the EAGLE to retrieve the
IP address associated with a hostname (see “IP configuration for the
Windows clients” on page 149).
EAGLE
Release 1.02 10/04 143
6.8.2 Services:DynDNS Monitoring

When setting up aVPN connection between two locations, it is assumed
that the IP address of at least one location is known and thus can be defined.
Many Internet service providers (ISP) assign IP addresses dynamically.
This means that the IP addresses of the computers or networks that access
the Internet always change.
To solve the problem of assigning IP address dynamically, so-called
DynsDNS services can be used. Such a service makes it possible for the
EAGLE to reach a fixed domain name regardless of the IP address it is
currently using. Each time the IP address changes, the EAGLE reports
the new IP address to the DynDNS server so that the current IP address
is always correctly assigned to the domain name on the DNS server
(see “Glossar” on page 227).
For further information, contact Hirschmann support.
Fig. 61: DynDNS monitoring
U Monitoring hostnames from VPN remote terminals

If the address of the VPN remote terminal is specified to the EAGLE as
the hostname (see “VPN:Connections” on page 122), and if this domain
name is assigned by a DynDNS service, then the EAGLE can poll if
changes have been made at the respective DynDNS.
EAGLE
144 Release 1.02 10/04
U Polling interval
Standard: 300 (seconds)
6.8.3 Services:DynDNS registration

To set up VPN connections at least the IP address of one of the partners
must be known, so that the partners can communicate with each other.
This is not case if both participants are assigned IP addresses dynamically
from their Internet service providers. In such a case, a DynDNS service,
such as the one from the Hirschmann Competence Center or DNS4BIZ.com
can help. With the DynSNS service, the currently valid IP address is
registered under a fixed name (see “Services:DynDNS registration” on
page 145).
Provided that you are registered for one of the DynDNS services supported
by the EAGLE, you can make the proper entries in the dialog box.
Fig. 62: DynDNS registration
EAGLE
Release 1.02 10/04 145
U Register this EAGLE at a DynDNS Service?

Select Yes, if you have registered with a DynDNS Service provider and
the EAGLE should utilize this service. In this case, the EAGLE will report
its current IP address - the one assigned for its own Internet access by its
Internet Service Provider - to the DynDNS Service.
U Refresh Interval
Standard: 420 (seconds)
Whenever the IP address of its own Internet access is changed, the EAGLE
will inform the DynDNS Service of its new IP address. For additional
reliability, the device will also report its IP address at the interval set here.
U DynDNS provider
The providers made available for selection support the same protocol
that the EAGLE supports.
Enter the name of the provider where you are registered, for example
DynDNS.org.
U DynDNS server
Name of the server of the DynDNS providers selected above,
for example: dyndns.org.
U DynDNS Login
Enter the user name that you have been assigned here.
U DynDNS Password
Enter the password that you have been assigned here.
U DynDNS Hostname
The hostname selected at DynDNS service for this EAGLE- provided that
you use a DynDNS service and have made the proper settings above.
EAGLE
146 Release 1.02 10/04
6.8.4 Services:DHCP
The DHCP server (Dynamic Host Configuration Protocol) of the EAGLE
assigns the clients connected to the EAGLE automatically
D the IP addressed defined in the DHCP range and subnet masks or
D the statically entered IP addresses.
Note: It is possible to configure the EAGLE as a DHCP client in router mode

(see “External interface” on page 102).
Server on then secure and insecure port
Statically entered
MAC/IP address pairs
Fig. 63: Services:DHCP
EAGLE
Release 1.02 10/04 147
U Start DHCP server

V Set this switch to Yes, if you wish to activate this function.
Option:
If the DHCP server is activated, you can enter the network parameters to
be used by the clients:
Parameter Meaning
DHCP start of range: Beginning and end of the address range from which the DHCP
DHCP end of range: server of the EAGLE is to assign IP addresses to the locally
connected clients.
Local network mask: The default setting is: 255.255.255.0
Default gateway: Determines which IP address for the client is to be used as the
standard gateway.
DNS Server: Determines from where the clients are to obtain the IP addresses
resolved from hostnames. If the DNS service of the EAGLE is
activated, this can be the local IP address of the EAGLE.
Table 8: Client network parameters
Note: Only one DHCP server per subnet may be used.
Note: When you start the DHCP server of the EAGLE, you must configure
the locally connected clients in such a way that they automatically obtain their
IP addresses.
U Internal server (trusted port)

Dynamic IP address pool =end of range - start of range
MAC address of the clients

Which MAC address are permitted to access the secure port and then
receive an IP address.
U External server (untrusted port)

see “Internal server”
EAGLE
148 Release 1.02 10/04
U IP configuration for the Windows clients

In Windows XP, proceed by clicking
Start:Control Panel:Network Connections,
Right-click the LAN adapter icon and select Properties in the context
menu.
In the dialog box Properties of LAN connection Local Network
on the tab General under “Components checked are used by this
connection”, select the entry Internet protocol (TCP/IP)
and then the click the button Properties.
In the dialog box Internet Protocol (TCP/IP Properties)
select the option Obtain an IP address automatically.
6.8.5 Services:NTP
The network time protocol (NTP) allows you to synchronize the system time
within your network. NTP has a hierarchical structure. The NTP server
makes the UTC (Universal Time Coordinated) available. The NTP client
obtains the UTC from the SNTP server.
EAGLE
Release 1.02 10/04 149
Fig. 64: Network time protocol
U Current system time (UTC)

Displays the current system time in Universal Time Coordinates (UTC).
If the Enable NTP time synchronisation not yet activated
(see below) and Time stamp in filesystem is deactivated, the clock will
start with 1 January 2000.
U Current system time (local time)

If the possibly differing current local time should be displayed, you must
make the corresponding entry under Timezone in POSIX.1
notation... (see below).
U NTP State
Displays the current NTP state.
EAGLE
150 Release 1.02 10/04
U Enable NTP time synchronization: Yes / No

Once the NTP is enabled, the EAGLE takes the time from the Internet
and displays this as its current system time. The synchronisation can
take several seconds.
If this option is set to Yes and at least one time server is specified under
NTP servers to synchronize to (see below), the current system
time will be made available.
U NTP servers to synchronize to

Under this option, enter one or more time servers from which the
EAGLE should obtain the current time. If you enter multiple time servers,
the EAGLE will automatically connect with all of them to determine the
current time.
Note: If you enter a hostname, e.g. pool.ntp.org, instead of an IP address,

a DNS server must also be specified (see “Services:DNS” on page 141).
Note: If the EAGLE is operating in Transparent mode and multiple time

servers are entered, the EAGLE will only use the first two time servers in
the list.
Note: If the EAGLE is operating in Router, PPPoE or PPTP mode, it will

also make the NTP time available to the connected systems.
EAGLE
Release 1.02 10/04 151
U Timezone in POSIX.1 Notation...

If the Current system time above should display your current
local time instead of the current Greenwich time (if it is different to the
Greenwich time), you must enter the number of hours (plus or minus)
that your local time differs from Greenwich time.
Examples:
In Berlin, the time is one hour earlier than in Greenwich. Therefore,
enter: CET-1.
In the entry, the characters preceding the -1, -2 or +1 etc. are not
considered. Only the numerical difference is important. The characters
preceding the numerical difference may be “CET” or any other acronym
that you find useful.
If you wish to display Central European Time (for example for Germany)
and have it automatically switch to/from daylight saving time, enter:
CET-1CEST,M3.5.0,M10.5.0/3
U Time stamp in filesystem (2h granularity): Yes / No

If this option is set to Yes, the EAGLE will save the current system time to
its memory every two hours.
Afterwards: If the EAGLE is switched off and back on, a time from this
two hour period of time will be displayed when the EAGLE is switched
on and not (the factory setting) a time on 1 January 2000.
6.8.6 Services:Remote Logging

All log entries are recorded in the EAGLE´s memory. Once the memory
available for the log has been filled, the oldest log entry will be overwritten.
Furthermore, if the EAGLE is switched off all log entries are deleted.
If you wish to keep a copy of the log, the log entries can be sent to an
external system. This is particularly useful if you wish to have centralised
administration of the logs.
EAGLE
152 Release 1.02 10/04
Fig. 65: Remote Logging
U Activate remote UDP Logging: Yes / No

If all log entries should be sent to an external (specified below)
Log Server, set this option to Yes.
U Log Server IP address

Enter the IP address of the log server to which the log entries should be
sent via UDP.
Note: This entry must be an IP address - not a hostname! This function

does not support hostnames, since, if it did, it would not be possible to
log the loss of a DNS server.
U Log Server port

Enter the port of the log server to which the log entries should be sent via
UDP. Standard: 514.
EAGLE
Release 1.02 10/04 153
6.8.7 Services:SNMP Traps

This dialog allows you to determine which events trigger an alarm (trap) and
where these alarms should be sent.
Fig. 66: SNMP traps
U Enable Authentication traps

The EAGLE sends an authentication alarm, if it rejects an unauthorized
access.
U Enable link Up/Down traps

Der EAGLE sends a link status alarm, if the connection to the connected
network has been interrupted or re-established.
U Enable coldstart traps

Der EAGLE sends a cold reset alarm after it has been switched on.
EAGLE
154 Release 1.02 10/04
U Enable SecurityGateway traps

Der EAGLE sends a SecurityGateway alarm if one of the following
events has occurred:
– HTTPS login: There was a login attempt via HTTPS.
– Shell login: There was a login attempt via the shell.
– DHCP NewClient: The DHCP server has received a request from an
unidentified client.
U Enable chassis traps

The EAGLE sends a chassis alarm if one of the following events has
occurred:
– Power Supply: The status of a supply voltage has changed.
– Signaling relay: The status of the signal contact has changed.
U Enable agent traps

The EAGLE sends an agent alarm if one of the following events has
occurred:
– Temperature: The temperature has exceeded / fallen below the set
threshold values.
– AutoConfigAdapter: The Auto Configuration adapter, ACA, has been
added or removed.
U SNMP trap destinations

Destination IP: Enter the IP address of the recipient here, to which
the traps are to be sent.
Destination name: Here you can enter a name of your choice for
each recipient.
Destination community: The community with which the EAGLE
sends a trap. Enter the community here that the trap recipient is
expecting.
EAGLE
Release 1.02 10/04 155
EAGLE
156 Release 1.02 10/04
Web-based management 6.9 Access menu
6.9 Access menu
6.9.1 Access:passwords
The EAGLE supports 3 levels of user authorization. To login at a specific
level of authorization, the user must enter the corresponding password for
the level.
Fig. 67: Access:Password
U Authorization level root

Offers all rights for all parameters of the EAGLE.
Note: Only this authorization level allows you to connect to the device via
SSH so that you can render the entire system useless by making faulty
configurations. The system can then only be returned to its delivery state
by flashing the firmware (see “Flashing the firmware” on page 193).
Default root password: root
EAGLE
Release 1.02 10/04 157
To change the password, proceed as follows:

V Enter the currently valid root password in the field Old Password.
V Enter the new password twice in the fields New Password and New
Password (Repeat).
U Authorization level Administrator

If you login at this level (password), you will be granted all the rights
required for the configuration options that are accessible via the Web-
based Administrator interface.
Default user name: admin
Default password: private
The user name admin cannot be changed.

To change the password, enter the desired new password once in each
of the corresponding entry fields.
U Authorization level User

If a user password has been defined and activated, the user must -
after every restart of the EAGLE - enter this password to enable a VPN
connection when he or she first attempts to access any HTTP URL.
If you wish to use this option, enter the desired user password once in
each of the corresponding entry fields. Then set Enable User
Password to Yes. (Stat on delivery: No).
To define one, enter the desired password twice in both entry fields.
EAGLE
158 Release 1.02 10/04
6.9.2 Access:Language
If you select “(Automatic)” from the list of languages, the device will use the
language setting of the system's browser.
Fig. 68: Setting the language
EAGLE
Release 1.02 10/04 159
6.9.3 Access:HTTPS
If HTTPS remote access is activated, the EAGLE can be configured via
its Web-based administrator interface from a computer connected to the
insecure port. This means that a browser is used on the remote computer
to configure the local EAGLE.
This option is disabled by default.
Fig. 69: Access:HTTPS
IMPORTANT: If you enable remote access, make sure that a secure root and
administrator password have been defined.
To enable HTTPS remote access, make the following settings:
EAGLE
160 Release 1.02 10/04
U Enable HTTPS remote access

If you wish to enable HTTPS, set this switch to Yes.
Note: Ensure that in this case the firewall rules on this end have been set
so that it possible to access the EAGLE from an external terminal.
U Port for incomming HTTPS connections

(remote administration only)
Standard: 443
You can set another port.
The remote terminal that performs the remote access must add the port
number defined here to the end of the IP address when it assigns the
address.
Example:
If this EAGLE can be reached at the address 192.144.112.5 over the
Internet, and if port number 443 has been set for remote access, this port
number does not have to be added to the end of the address in the Web
browser at the remote terminal.
When using a different port number, this number must be added to the
end of the IP address, e.g.: 192.144.112.5:442.
U Firewall rules to accept external HTTPS access

Lists the firewall rules that have been set up. They apply to the incoming
data packets of an HTTP remote access attempt.
D Delete rule
Click Delete next to the respective entry.
D Set new rule
If you wish to set a new rule, click New.
Define the desired rule (see above) and click OK.
D From IP
Enter the address(s) of the computer(s) which is/are permitted remote
access.
– IP address: 0.0.0.0/0 means all addresses. To indicate a range,
on page 183.
EAGLE
Release 1.02 10/04 161
D Interface
external (fixed)
D Action
Options: Accept / Reject / Drop
Action Meaning
Accept the data packets are permitted to pass through.
Reject the data packets are rejected, and the sender is notified that the data was
rejected.
In transparent mode, Reject has the same effect as Discard, see above.
Drop the data packets are not permitted to pass through. They are “swallowed”,
and the sender is not notified about what happened to the data.
Table 9: Actions for HTTPS access

D Log
applied,
EAGLE
162 Release 1.02 10/04
6.9.4 Access:SSH
If SSH remote access is activated, the EAGLE can be configured by the
computer connected to the insecure port by making an entry on the
command line.
This option is disabled by default.
Fig. 70: Access:SSH
IMPORTANT: If you enable remote access, make sure that a secure root and
administrator password have been defined.
To enable SSH remote access, make the following settings:
U Enable SSH remote access

If you wish to enable SSH remote access, set this switch to Yes.
Note: Ensure that in this case the firewall rules on this end have been set
so that it is possible to access the EAGLE from an external terminal.
EAGLE
Release 1.02 10/04 163
U Port for incomming SSH conections

(remote administration only)
Standard: 22
You can set another port.
The remote terminal that performs the remote access must add the port
number defined here to the end of the IP address when it assigns the
address.
Example:
If this EAGLE can be reached at the address 192.144.112.5 over the
Internet, and if port number 22 has been set for remote access, this port
number does not have to be specified in the SSH client.
This must be specified for another port number (e.g. 22222), for example:
ssh -p 22222 192.144.112.5
U Firewall rules to accept external SSH access

Lists the firewall rules that have been established. They apply to the
incoming data packets of an SSH remote access connection.
D Delete rule
D Set new rule
D From IP
Enter the address(s) of the computer(s) which is/are permitted remote
access.
on page 183.
D Interface
external (fixed)
EAGLE
164 Release 1.02 10/04
D Action
Action Meaning
rejected.

D Log
For each individual firewall rule you can decide if, when the rule
is applied,
EAGLE
Release 1.02 10/04 165
6.9.5 Access:SNMP
SNMP (Simple Network Management Protocol) is mainly used in more
complex networks to monitor the status and operation of devices.
SNMP is available in several releases: SNMPv1/SNMPv2 and SNMPv3.
The older versions SNMPv1/SNMPv2 do not use encryption and are not
considered to be secure. We therefore recommend that you do not use
SNMPv1/SNMPv2.
As far as security is concerned, SNMPv3 is considerably better, but not all
management consoles support it.
Note: When you use SNMPv1, set up a VPN connection between the
management station and the EAGLE. The SNMPv1 passwords will then
be transmitted invisibly.
Fig. 71: Access:SNMP
EAGLE
166 Release 1.02 10/04
U Enable SNMPv3 access

If you wish to allow monitoring of the EAGLE via SNMPv3, set this switch
to Yes.
Unlike SNMPv1/v2 no login data is required, since the protocol itself
organises a secure authentication.
The factory setting for access via SNMPv3, requires an authentication
with a login and password. These entries are:
Login: admin
Password: private
MD5 is supported for the authentication; DES is supported for
encryption.
U Enable SNMPv1/2 access

If you wish to allow monitoring of the EAGLE via SNMPv1/v2, set this
switch to Yes.
In addition, you must enter the following login data:
– SNMPv1 and SNMPv2 read-write Community String
– SNMPv1 und SNMPv2 read-only Community String
Enter the required login data in these two fields.
U Port for incoming ANMP connections

(external interface only)
Standard: 161
U Firewall rules to accept external SNMP access

Lists the firewall rules that have been set. These apply for the incoming
data packets of an SNMP remote access.
D Delete rule
D Set new rule
EAGLE
Release 1.02 10/04 167
D From IP
Enter the address(s) of the computer(s) on which SNMP monitoring
is permitted.
on page 183.
D Interface
external (fixed)
D Action
Action Meaning
rejected.
Note: For security reasons, the EAGLE responds exclusively to ICMP

echo requests (ping) from computers that are permitted access via
SNMP.

D Log
applied,
EAGLE
168 Release 1.02 10/04
6.9.6 Access:Serial line

This dialog allows you to configure the dial-in access via amodem.
In transparent mode (SCT/MCT) you can access the EAGLE directly via
a modem.
In router mode you can also access the secured network according to the
firewall rules in this dialog.
Note: Use the Hirschmann modem cable to connect the modem

(see “Accessories” on page 220).
The socket housing is electrically connected to the front panel of the device.
The signal lines are electrically isolated from the supply voltage (60 V insulation
voltage) and the front panel.
State on delivery:
- Speed:9600 Baud
- Data:8 bit
- Stopbit:1 bit
- Handshake:off
- Parity:none
EAGLE
Release 1.02 10/04 169
Fig. 72: Serial line
U Serial connection, modem, PPP

D Baud rate
Select the same baud rate as the modem.
Note: A change in the baud rate has an effect on terminal operation.

D MODEM (PPP)
Enable access for the modem. An enabled modem prevents access
to the terminal.
D Hardware handshake RTS/CTS
Select the same baud rate as for the modem.
U PPP dial-in options

D Local IP
IP address of the EAGLE for the serial port.
D Remote IP
IP address of the device connected to the serial port.
EAGLE
170 Release 1.02 10/04
D PPP Login name

D PPP Password
U Firewall Incoming (PPP interface)

incoming data packets of a remote access connection from a modem
in the direction of the secured network.
D Delete rule
D Set new rule
D From IP
Enter the address(s) of the computer(s) on which modem monitoring
is permitted.
on page 183.
D From port
D To IP
D To port
D Action
EAGLE
Release 1.02 10/04 171
Action Meaning
rejected.
Table 12: Actions for modem access

D Log
applied,
U Internal server (trusted port)

outgoing data packets of a remote access connection from a modem.
EAGLE
172 Release 1.02 10/04
Web-based management 6.10 Features menu
6.10 Features menu
6.10.1 Features:Install Update

Prerequisite: You must have a current software package either
– saved locally on your configuration system
OR
– available from a remote server.
Note: For information as to whether or not and, if so, in which manner you
can obtain a software update, please contact Hirschmann.
Fig. 73: Install Update
If you have saved a current software update on your configuration computer,

proceed as follows:
V Please read the README file!

V Click on Browse... and then select the file.
EAGLE
Release 1.02 10/04 173
V Click installed packets to load them into the device.

This procedure can take several minutes depending on the size of the
update.
If a reboot is required after the system update, this will be displayed.
If a current software update is made available to you on a remote server,

its address must be entered (see “Features:Update Server” on page 175).
V Enter the file name in the entry field.

V Click on Install Package Set to transfer them to the device.
Depending on the size of the update, this may take several minutes.
If a reboot is necessary after a system update, a message to this effect
will be displayed.
EAGLE
174 Release 1.02 10/04
6.10.2 Features:Update Server

If a software update (see “Features:Install Update” on page 173) for
the EAGLE is made available on a remote server, enter its address here.
The protocol used must, in any case, precede the server's address.
Examples: http://123.456.789.1 or http: //www.xyz.com/update
Fig. 74: Update Servers
EAGLE
Release 1.02 10/04 175
6.10.3 Features:Software information - Display

This page lists the software modules (packages) currently loaded in the
device. Each of these is called a package.
The purpose of this page is to provide the information required prior to

making an update: Compare the displayed package version numbers with
those of the corresponding current packages. For the relevant information.
please contact your distributor.
If new versions are available, you can update the software in the device
(see “Features:Install Update” on page 173).
Fig. 75: Software information
EAGLE
176 Release 1.02 10/04
6.10.4 Features:Hardware information

Only for experienced system administrators or Support.
Fig. 76: Hardware information
EAGLE
Release 1.02 10/04 177
EAGLE
178 Release 1.02 10/04
Web-based management 6.11 Support menu
6.11 Support menu
6.11.1 Support:Snapshot
This function creates a compressed file (in the tar format), which contains
all current configuration settings and log entries, that are relevant for error
diagnostics. This file does not contain any private information such as the
private machine certificate or passwords. However, any pre-shared keys
used for VPN connections are included in the snapshots. If requested,
please provide this file to Hirschmann-Support.
Fig. 77: Snapshot
To create a snapshot, proceed as follows:
V Click Download.
V Save the file under the name snapshot.tar.gz
V Please make the file available to Hirschmann Support, if so requested.
EAGLE
Release 1.02 10/04 179
6.11.2 Support:Status - Display

Displays a summary of various status information for support purposes:
Fig. 78: Support:Status
U Network mode
The EAGLE's mode of operation
D Transparent (SCT/MCT)
D Router
D PPPoE
D PPTP
U Externe IP
The IP address of the EAGLE at its connection for the network
(WAN or Internet) connected to the insecure port.
In transport mode, the EAGLE takes on the local IP address
(see “Network:Transparent mode” on page 100).
EAGLE
180 Release 1.02 10/04
U Default gateway
The default gateway address is shown here that is entered in the
EAGLE.
U VPN
Supports:
D Total: Total number of VPN connections setup
D Used: Number of VPN connections used
D Up: Number of VPN connections currently active
U DynDNS registration
Supports:
D none: no DynDNS server specified
D DynDNS Server: Address of the DynDNS server, at which the EAGLE
should register.
D failure: The EAGLE has unsuccessfully attempted to setup a
connection to the DynDNS server.
D trying: The EAGLE is currently attempting to setup a connection to the
DynDNS server.
U HTTPS remote access

Possible settings
D no
D yes
U SSH remote access

Possible settings
D no
D yes
EAGLE
Release 1.02 10/04 181
U NTP Status
Options:
D synchronized: The EAGLE receives the current time from a time
server (Greenwich time) via the Network Time Protocol.
D not synchronized: The EAGLE is not connected to a time server
and can thus not provide the current time.
U Software version
Shows the version of the software installed in the EAGLE
U System Uptime
This shows how much time has elapsed since the last time that the
EAGLE was started.
U Language
This field shows the currently selected language.
EAGLE
182 Release 1.02 10/04
Web-based management 6.12 CIDR (Classless InterDomain Routing)
6.12 CIDR (Classless InterDomain

Routing)
IP netmasks and CIDR are notations, which define an address space

containing multiple IP addresses. In this case, an address space in which
the addresses follow one another sequentially is treated as a network.
CIDR reduced the e.g. routing tables stored in routers to a network postfix
in the IP address. With this postfix, an aggregate of many networks can be
identified. The method is described in RFC 1518.
To define a range of IP addresses for the EAGLE e.g. when configuring the
firewall, it may be necessary to use the CIDR notation to specify the address
space. The following table presents the IP netmask on the left and the
corresponding CIDR notation on the right.
EAGLE
Release 1.02 10/04 183
Web-based management 6.12 CIDR (Classless InterDomain Routing)
IP binary CIDR
255.255.255.255 11111111 11111111 11111111 11111111 32
255.255.255.254 11111111 11111111 11111111 11111110 31
255.255.255.252 11111111 11111111 11111111 11111100 30
255.255.255.248 11111111 11111111 11111111 11111000 29
255.255.255.240 11111111 11111111 11111111 11110000 28
255.255.255.224 11111111 11111111 11111111 11100000 27
255.255.255.192 11111111 11111111 11111111 11000000 26
255.255.255.128 11111111 11111111 11111111 10000000 25
255.255.255.0 11111111 11111111 11111111 00000000 24

255.255.254.0 11111111 11111111 11111110 00000000 23
255.255.252.0 11111111 11111111 11111100 00000000 22
255.255.248.0 11111111 11111111 11111000 00000000 21
255.255.240.0 11111111 11111111 11110000 00000000 20
255.255.224.0 11111111 11111111 11100000 00000000 19
255.255.192.0 11111111 11111111 11000000 00000000 18
255.255.128.0 11111111 11111111 10000000 00000000 17
255.255.0.0 11111111 11111111 00000000 00000000 16

255.254.0.0 11111111 11111110 00000000 00000000 15
255.252.0.0 11111111 11111100 00000000 00000000 14
255.248.0.0 11111111 11111000 00000000 00000000 13
255.240.0.0 11111111 11110000 00000000 00000000 12
255.224.0.0 11111111 11100000 00000000 00000000 11
255.192.0.0 11111111 11000000 00000000 00000000 10
255.128.0.0 11111111 10000000 00000000 00000000 9
255.0.0.0 11111111 00000000 00000000 00000000 8

254.0.0.0 11111110 00000000 00000000 00000000 7
252.0.0.0 11111100 00000000 00000000 00000000 6
248.0.0.0 11111000 00000000 00000000 00000000 5
240.0.0.0 11110000 00000000 00000000 00000000 4
224.0.0.0 11100000 00000000 00000000 00000000 3
192.0.0.0 11000000 00000000 00000000 00000000 2
128.0.0.0 10000000 00000000 00000000 00000000 1
0.0.0.0 00000000 00000000 00000000 00000000 0
Example: 192.168.1.0 / 255.255.255.0 corresponds to 192.168.1.0/24 in

CIDR notation.
EAGLE
184 Release 1.02 10/04
Web-based management 6.13 Example of a network
6.13 Example of a network
The diagram below illustrates how in a local network with subnetworks the
IP address could be distributed, what the resulting network addresses would
be, and how an additional internal router would be specified.
Internet
External addresses e.g.: 80.81.192.37
Internet (assigned by the Internet service provider)
EAGLE in the network mode router

Internal address of the EAGLE: 192.168.11.1
x EAGLE
1 2
P FAULT
LS/DA STATUS
1 2 V.24
R
A1 A2 A3 A4 A5
k
Network A
IP-ADDRESS
Network
2
g
FAULT
address:
+24V (P1)
+24V (P2)
0V
0V
Router
V.24
192.168.11.0/24
IP external: Network mask:
192.168.11.2 MACH 3002 255.255.255.0
IP internal:
192.168.15.254
Network mask:
255.255.255.0
Network B
Network
Router address:
IP external: 192.168.15.0/24
192.168.15.1 MACH 3002 Network mask:
B1 B2 B3 B4
IP internal: 255.255.255.0
192.168.27.254
Network mask:
255.255.255.0
Network C
Network
address:
= additional 192.168.27.0/24
internal route C1 C2 C3 C4 Network mask:
255.255.255.0
Fig. 79: Network example
EAGLE
Release 1.02 10/04 185
Web-based management 6.13 Example of a network
Computer A1 A2 A3 A4 A5
IP address 192.168.11.3 192.168.11.4 192.168.11.5 192.168.11.6 192.168.11.7
Network mask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
Table 13: Network A
Computer B1 B2 B3 B4
IP address 192.168.15.2 192.168.15.3 192.168.15.4 192.168.15.5
Network mask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
Table 14: Network B
Computer C1 C2 C3 C4
IP address 192.168.27.1 192.168.27.2 192.168.27.3 192.168.27.4
Network mask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
Table 15: Network C
Network Gateway
192.168.15.0/24 192.168.11.2
192.168.27.0/24 192.168.11.2
Table 16: Additional internal routes for EAGLE (see “Network:Base” on page 95)
EAGLE
186 Release 1.02 10/04
The Recovery button
7 The Recovery button
The Recovery button enables you to,

D perform a restart,
D perform the Recovery procedure and
D to flash the firmware.
EAGLE
Release 1.02 10/04 187
The Recovery button
EAGLE
188 Release 1.02 10/04
The Recovery button 7.1 Performing a restart
7.1 Performing a restart
The EAGLE offers several ways of performing a restart.

D Restart with Recovery button
V To perform a restart, press the Recovery button longer than
1.5 seconds and less than 7 seconds until the STATUS LED
goes out and the FAULT LED lights up red.
D The supply of current is temporarily interrupted.
D Management Web interface
See “System:Reboot” on page 84.
D Management SNMP
with the MIB object hmSecAction.
EAGLE
Release 1.02 10/04 189
The Recovery button 7.1 Performing a restart
EAGLE
190 Release 1.02 10/04
The Recovery button 7.2 Executing the recovery procedure
7.2 Executing the recovery

procedure
7.2.1 Aim
The recovery procedure allows you to reset selected parameters to their
default values. These parameters are:
D local IP address (0.0.0.0),
D netmask (0.0.0.0),
D operating mode (MCT mode),
D modem access (off) and
D baud rate (9600).
Note: The configured settings for VPN connections and firewall remain
unchanged, as do the passwords.
Possible reasons for executing the recovery procedure:

D The EAGLE is in router or PPPoE mode,
D The device address of the EAGLE has been configured differently than
the default setting.
D You do not know the current IP address of the device,
D You have no way of making this setting from a V.24 terminal.
7.2.2 Action
V Perform a restart - see “Performing a restart” on page 189.
V Wait until the STATUS-LED is continuously green-lit. This lasts about

30 seconds.
EAGLE
Release 1.02 10/04 191
The Recovery button 7.2 Executing the recovery procedure
V Press the Recovery button slowly 6 times.

Result:
The EAGLE responds after about 2 seconds:
The STATUS LED blinks 6 times yellow and then green.
V Press the Recovery button 6 times again within the next 60 seconds.
Result:
The device performs a restart, switches to transparent mode (MCT),
and deletes the local IP address. It can then be reached again at the
following address:
https://1.1.1.1/
EAGLE
192 Release 1.02 10/04
The Recovery button 7.3 Flashing the firmware
7.3 Flashing the firmware
Aim
The entire EAGLE software is to be loaded into the device.
Note: All configured settings will be deleted. The EAGLE is reset to its default
values (state on delivery).
Possible reasons to flash the firmware:

D You have lost or forgotten the administrator password.
D The firewall rules have been set in such a way that the administrator no
longer has access.
Action
Prerequisites:
D You have copied the software of the EAGLE from the EAGLE CD or
obtained it from Hirschmann support and have saved it on the
configurations computer.
D The DHCP and tftp server are installed on the same computer
(see “Requirements for flashing the firmware” on page 195).
Proceed as follows:
V Keep the Recovery button pressed until the recovery status starts as
follows:
The EAGLE is restarted (after 1.5 seconds). After approx. 7 seconds
the EAGLE switches to recovery status.
Status display of the recovery status: All ports and STATUS LEDs are
green-lit.
V Release the Recovery switch no more than 1 second after the device has
entered its recovery state.
Note: If you do not release the Recovery quickly enough, the EAGLE will
restart again.
EAGLE
Release 1.02 10/04 193
Result:
The EAGLE starts the recovery system. It searches for the DHCP server
via the computer connected to the secure port or via the connected
network in order to obtain an IP address from it.
D Status display: The STATUS LED blinks.
The file install.p7s is loaded from the tftp server. It contains the
electronically signed control procedure for the installation procedure.
Only files that have been signed by Hirschmann are loaded.
The control procedure then deletes the flash memory and prepares the
reinstallation of the software.
D Status display: Die 3 port LEDs form a sequential light.
The software jffs2.img.p7s is then downloaded from the tftp server
and stored in the flash memory. This file contains the actual EAGLE-
operating system and is electronically signed. Only files that have been
signed by Hirschmann are accepted.
D Status display: Die 3 port LEDs form a sequential light.
It takes about 3 to 5 minutes to delete and store the file.
The EAGLE is the then restarted automatically.
The new software is then unpacked and configured.
This takes about 5 minutes.
D Status display: The STATUS LED blinks.
Once the procedure has ended, all port LEDs blink green simultaneously.
V Restart the EAGLE.

To do this, press the Recovery button until the STATUS LED goes out.
or
Disconnect the device from power supply and then reconnect it.
Result:
The EAGLE is in the delivery state. Reconfigure it (see “Setting up a
local configuration connection” on page 67).
EAGLE
194 Release 1.02 10/04
7.3.1 Requirements for flashing the firmware

To flash the firmware, a DHCP and tftp server must be installed on the locally
connected computer or network computer.
(DHCP = Dynamic Host Configuration Protocol; tftp = Trivial File Transfer
Protocol)
V Install the DHCP and tftp server, if needed (see below).
Note: If you install a second DHCP server in a network, this can affect the
configuration of the entire network!
EAGLE
Release 1.02 10/04 195
7.3.2 Installing the DHCP and tftp server under

Windows
Install the software for the tftp server and DHCP server, that is located on
the CD. Proceed by following the steps below:
V If the Windows system is connected to network, disconnect it.
V Copy the software into any empty folder on the Windows system.
Start the program TFTPD32.EXE.
The image files are also found on the CD-ROM, which was included in
the package.
Fig. 80: Start screen of the TFTPD32 program
V The server IP must be set to: 192.168.10.1

This must also be the address of the network adapter.
Click on the Browse button to switch to the folder in which the EAGLE
image files have been saved: install.p7s, jffs2.img.p7s
EAGLE
196 Release 1.02 10/04
V Click on the tftp Server or DHCP Server tab and then click on
the Settings button to open the dialog shown below. Then set the
parameters as shown:
Fig. 81: Settings
EAGLE
Release 1.02 10/04 197
7.3.3 Installing DHCP and TFTP servers under

Linux
All current Linux distributions include DHCP and TFTP servers. Install the
corresponding packages in accord with the instructions for the respective
distribution.
V Configure the DHCP server by making the following settings in the

/etc/dhcp file:
subnet 192.168.134.0 netmask 255.255.255.0 {
range 192.168.134.100 192.168.134.119;
option routers 192.168.134.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.134.255;}
This sample configuration makes 20 IP addresses (.100 to .119)

available. It is assumed that the DHCP server has the address
192.168.134.1 (settings for ISC DHCP 2.0).
The required TFTP server is configured in the following file:

/etc/inetd.conf
V In this file, insert the appropriate lines or set the necessary parameter for
the TFTP service (the directory for data is: /tftpboot)
tftp dgram udp wait root /usr/sbin/in.tftpd -s /tftpboot/
V Then restart the inetd process to activate the modified configuration.

If you use a different mechanism, e.g. xinetd, please read the
corresponding documentation.
EAGLE
198 Release 1.02 10/04
HiConfig
8 HiConfig
HiConfig is a command-line oriented program for configuring the EAGLE.

The HiConfig interface can be reached via
D the secure port,
D the insecure port or
D the V.24 port.
U Making a connection the HiConfig over a LAN

PuTTY is a terminal program with which you can establish a secure
connection to the HiConfig interface of the EAGLEfrom your PC over
the LAN.
V Copy the putty.exe file from the enclosed CD to your PC's hard disk.
V Start PuTTY by doubleclicking this file.
Host name or
IP address of
the EAGLE
Connection
protocol
Fig. 82: Connection setup
V Enter the host name or the IP address of the EAGLE.

V Select the connection protocol.
– SSH, if your PC accesses the EAGLE from within a LAN.
EAGLE
Release 1.02 10/04 199
HiConfig
V Click Open.
PuTTY establishes a connection to the EAGLE and
opens the login window.
V Press the Enter key.
The EAGLE operating system will prompt you to enter the username
(admin or root).
V Enter the username.
The EAGLE operating system will prompt you to enter the password
(private or root).
V Enter the password.
The EAGLE operating system responds with the “$” prompt
(for admin) or “#” (for root).
V Enter hiconfig (please note that entries are case-sensitive)
and press the Enter key.
HiConfig responds by displaying a list of valid commands.
delete the current row

--delete-all-rows
delete all rows
--silent
DON'T reconfigure services
(the gaid session daemon isn't required when option is used)
--get-all
dump all configuration data to stdout
--set-all
read all configuration data from stdin
--cache <file>
alternative location for the cache file
--socket <file>
use an alternative unix domain socket
Examples:
hiconfig --set ROUTERMODE router
hiconfig --set VPN.1.GATEWAY 192.168.1.1
hiconfig --goto VPN.0 --set .GATEWAY %any --set .ENABLED no
hiconfig --goto VPN --add-row --set .NAME tokyo --set .GATEWAY
146.215.5.34
hiconfig --goto VPN.2 --delete-row
#
Fig. 83: HiConfig start page
EAGLE
200 Release 1.02 10/04
HiConfig
U Making a connection to HiConfig over a V.24 port.

The V.24 port allows you to configure the EAGLE, in the event access
via the LAN ports is not possible. The cause for this can be: failed
autonegotiations, faulty firewall configuration, etc.
V Using the terminal cable, connect your PC to the V.24 port of the
EAGLE.
Example of establishing a terminal connection under Windows 2000:

V Choose:
Start:Programs:Accessories:Communication:
HyperTerminal
Enter a name of
your choice for
this connection.
Fig. 84: Setting up the terminal connection
Click OK.
Fig. 85: Terminal connection without phone number
EAGLE
Release 1.02 10/04 201
HiConfig
Enter the connection

settings and click OK.
Fig. 86: Properties of the terminal connection
V Press the Enter key.

The EAGLE operating system will prompt you to enter the username
(admin or root).
V Enter the username.
The EAGLE operating system will prompt you to enter the password
(private or root).
V Enter the password.
The EAGLE operating system responds with the “$” prompt
(for admin) or “#” (for root).
V Enter hiconfig (please note that entries are case-sensitive)
and press the Enter key.
HiConfig responds by displaying a list of valid commands.
EAGLE
202 Release 1.02 10/04
HiConfig
delete the current row

--delete-all-rows
delete all rows
--silent
DON'T reconfigure services
(the gaid session daemon isn't required when option is used)
--get-all
dump all configuration data to stdout
--set-all
read all configuration data from stdin
--cache <file>
alternative location for the cache file
--socket <file>
use an alternative unix domain socket
Examples:
hiconfig --set ROUTERMODE router
hiconfig --set VPN.1.GATEWAY 192.168.1.1
hiconfig --goto VPN.0 --set .GATEWAY %any --set .ENABLED no
hiconfig --goto VPN --add-row --set .NAME tokyo --set .GATEWAY
146.215.5.34
hiconfig --goto VPN.2 --delete-row
#
Fig. 87: HiConfig start page
EAGLE
Release 1.02 10/04 203
HiConfig
U Port Configuration
To set the port configuration you will need the following parameters:
Designation Value
Secure port ETH1
Insecure port ETH0
Enable port ENABLE
Disable port DISABLE
Autonegotiation on AUTONEG yes
Autonegotiation off AUTONEG no
10 Mbit/s, halfduplex FIXEDSETTING 10hd
10 Mbit/s, fullduplex FIXEDSETTING 10fd
100 Mbit/s, halfduplex FIXEDSETTING 100hd
100 Mbit/s, fullduplex FIXEDSETTING 100fd
Table 17: Port configuration parameters
The command hiconfig --set and the proper parameters allow you
to configure the ports.
The command hiconfig --get-all | more displays all the

configured parameters one page at a time.
Example:
Set the secure port to 10 Mbit/s halfduplex:
hiconfig --set ENABLE_ETH1_AUTONEG no
hiconfig --set ETH1_FIXEDSETTING 10hd
Set the secure port to Autonegotiation on:

hiconfig -- set ENABLE_ETH1_AUTONEG yes
EAGLE
204 Release 1.02 10/04
HiConfig
U IP parameter configuration in transparent mode

V Enter the management IP address in transparent mode as follows:
$ hiconfig --set STEALTH_MANAGE_IP 149.218.112.55
V Enter the gateway address in transparent mode as follows:

$ hiconfig --set STEALTH_MANAGE_GW 148.218.112.199
V Enter the network mask in transparent mode as follows:

$ hiconfig --set STEALTH_MANAGE_NET 255.255.255.0
The IP addresses and the network mask refer to the entries in the
HiDiscovery example (see Fig. 17).
EAGLE
Release 1.02 10/04 205
HiConfig
EAGLE
206 Release 1.02 10/04
Appendix
A Appendix
EAGLE
Release 1.02 10/04 207
Appendix
EAGLE
208 Release 1.02 10/04
Appendix FAQ
FAQ
Answers to frequently asked questions can be found at the Hirschmann

Website:
www.hirschmann.com
Under Products/Support inside Automation and Network

Solutions is located on the pages Products the area FAQ.
For detailed information on all services offered by the Hirschmann

Competence Center, please visit the Web site http://www.hicomcenter.com/.
EAGLE
Release 1.02 10/04 209
Appendix FAQ
EAGLE
210 Release 1.02 10/04
Appendix Based specifications and standards
Based specifications and

standards
U List of norms and standards:

D EN 61000-6-2:2001 Basic standard - interference resistance in
industry
D EN 55022:1998 + A1 2000 + A2 2003 - Interference characteristics for
IT systems
D EN 60950:2001 - Security in IT systems
D EN 61131-2:2003 - Programmable Logic Controllers
D FCC 47 CFR Part 15:2003 – Code of Federal Regulations
D Germanischer Lloyd, Rules for Classification and Construction VI - 7 -
3 Part 1, Ed. 2003.
D cUL 508:1998 – Safety for Industrial Control Equipment
D cUL 1604 Electrical Equipment for Use in Class I and Class II, Div.2
and Class III Hazardous (Classified) Locations
D cUL 60950 Safety for Information Technoloy Equipment.
Certified devices are marked with a certification identifier.
U IEEE standards
IEEE 802.1 D Switching, GARP, GMRP, Spanning Tree
IEEE 802.1 Q Tagging
IEEE 802.3 Ethernet
EAGLE
Release 1.02 10/04 211
Appendix Based specifications and standards
U Supported MIBs
Private MIBs:
D hmprivate
D hmSecurityGateway-MIB
Standard MIBs:
D IF-MIB
D MAU-MIB
D RFC1155-SMI
D RFC1213-MIB
D SNMPv2-MIB
D SNMPv2-SMI
D SNMPv2-TC
The private MIBs are located on the enclosed EAGLE CD-ROM.
EAGLE
212 Release 1.02 10/04
Appendix SNMP traps
SNMP traps
U Private MIB:
hmSecHTTPSLoginTrap
is sent, if a login attempt was made via HTTPS.
hmSecShellLoginTrap
is sent if a login was made via the security shell or the V.24 terminal.
hmSecDHCPNewClientTrap
is sent if the DHCP server receives a request from an unknown client.
hmTemperatureTrap
is sent if the temperature exceeds / falls below the set threshold values.
hmPowerSupply
is sent if the status of the voltage supply changes.
hmSignallingRelay
is sent if the status of the signal contact changes.
hmAutoconfigAdapterTrap
is sent if the AutoConfiguration adapter ACA 11 is removed or plugged
in again.
U Standard traps:
coldStart
is sent during the boot process after successful management
initialization following a cold or warm start.
linkUp
is sent if the link to a port is re-established.
linkDown
is sent if the link to a port is interrupted.
EAGLE
Release 1.02 10/04 213
Appendix SNMP traps
authenticationFailure
is sent if a station attempts to access an agent without permission.
EAGLE
214 Release 1.02 10/04
Appendix Certifications
Certifications
The following table lists the certification status of the

EAGLE product family.
Certified devices are marked with a certification identifier.
Standard EAGLE
EN 61131-2 In preparation
CE In preparation
FCC 47 CFR Part 15 In preparation
cUL 508 / CSA C22.2 No.142 In preparation
cUL 1604 / CSA C22.2 No.213 In preparation
Germanischer Lloyd fulfilled
Table 18: Certifications, for the current status, visit www.hirschmann.com
EAGLE
Release 1.02 10/04 215
Appendix Certifications
EAGLE
216 Release 1.02 10/04
Appendix Technical data
Technical data
EAGLE
Dimensions W x H x D 46 x 131 x 111 mm
1.8 in x 5.2 in x 4.4 in
Weight 340 g, 0.75 lb
Top-hat rail fastener in line with IEC 60715:1981 + A1:1995
Power supply
Operating voltage 24 V DC, -25 % +33 %
Nec Class 2 power source,
safety extra-low voltage (SELV/PELV)
redundant inputs uncoupled
Power consumption
with 2 TX ports 7.2 W maximum at 24 V DC
24.6 BTU/h
with 1 TX port and 1 FX port 8.4 W maximum at 24 V DC
28.7 BTU/h
with 2 FX ports 9.6 W maximum at 24 V DC
32.8BTU/h
Overload current protection at input non-changeable thermal fuse
Environment
Ambient temperature Surrouding air:
0 °C to 60 °C (32 °F to 140 °F)
Storage temperature Surrouding air:
-20 °C to +70 °C (-4 °F to 158 °F)
Air humidity 10 % to 95 % (non-condensing)
Atmospheric pressure Suitable for operation up to 2000 m
(6561 ft), 795 hPa
Pollution Degree 2
Protection classes
Laser protection Class 1 conforming to EN 60825-1
(2001)
Protection class IP 20
EAGLE
Release 1.02 10/04 217
EMC interference immunity

EN 61000-4-2 electrostatic discharge
contact discharge:
test level 3 (6 kV)
air discharge:
test level 3 (8 kV)
EN 61000-4-3 electromagnetic field
test level 3
(10 V/m; 80 - 2000 MHz)
EN 61000-4-4 fast transients (burst)
test level 3
(2 kV power line, 1 kV data line)
EN 61000-4-5 surge voltage
power line
symmetric: test level 2 (1kV)
asymmetric: test level 3 (2kV);
data Line: test level 2 (1kV)
EN 61000-4-6 cable-based RF faults: test level 3
10 V (150 kHz - 80 MHz)
EMC emitted immunity

EN 55022 Class A
FCC 47 CFR Part 15 Class A
Germanischer Lloyd Rules for Classification and
Construction VI - 7 - 3 Part 1, Ed. 2003
Stability
Vibration IEC 60068-2-6 Test FC, testing level
in line with IEC 61131-2 E2 CDV and
Germanischer Lloyd Guidelines for
the Performance of Type Tests Part 1
Shock IEC 60068-2-27 Test Ea, testing level
in line with IEC 61131-2 E2 CDV
EAGLE
218 Release 1.02 10/04
Interfaces
Signal contact 1 A maximum, 24 V
V.24 port external management, modem
2 type depending ports TX ports with RJ-45 socket,
FX ports with DSC socket
Network size TX port 10BASE-T/100BASE-TX/1000BASE-TX

Length of a TP segment 100 m (328 ft) max.
Network size F/O ports 100BASE-FX

System attenuation
50/125 µm fiber, multimode 0-8 dB
62.5/125 µm fiber, multimode 0-11 dB
9/125 µm fiber, singlemode 0-16 dB
Wave length 1300 nm
9/125 µm fiber, singlemode 7-29 dB
Wave length 1550 nm
Example for F/O line length

50/125 µm fiber, multimode 5 km/16,400 ft max.
data of fiber: 1 dB/km, 800 MHz*km
62,5/125 fiber, multimode 4 km/13,120 ft max.
1 dB/km, 500 MHz*km
9/125 µm fiber, singlemode 30 km/98,420 ft max.
data of fiber at 1300 nm, 0.4 dB/km
3.5 ps/(nm*km)
9/125 µm fiber, singlemode 24-86.6 km/78,740-284,121 ft
data of fiber at 1550 nm, 0.3 dB/km
19 ps/(nm*km)
EAGLE
Release 1.02 10/04 219
Scope of delivery
EAGLE Firewall/VPN System incl. terminal block for power supply
EAGLE manual on CDROM
Description and operating instructions
Order number
EAGLE TX/TX 943 011-001
EAGLE TX/MM SC 943 011-002
EAGLE TX/SM SC 943 011-003
EAGLE TX/LH SC 943 011-004
EAGLE MM SC/TX 943 011-005
EAGLE MM SC/MM SC 943 011-006
EAGLE MM SC/SM SC 943 011-007
EAGLE MM SC/LH SC 943 011-008
EAGLE FW TX/TX 943 011-011
EAGLE FW TX/MM SC 943 011-012
EAGLE FW TX/SM SC 943 011-013
EAGLE FW TX/LH SC 943 011-014
EAGLE FW MM SC/TX 943 011-015
EAGLE FW MM SC/MM SC 943 011-016
EAGLE FW MM SC/SM SC 943 011-017
EAGLE FW MM SC/LH SC 943 011-018
Accessories
Manual: “Basics of
Industrial ETHERNET and TCP/IP”280720-834
ACA Auto Configuration Adapter 943 751-001
Terminal cable 943 301-001
6-pin terminal block (50 pieces) 943 845-002
Rail Power Supply RPS 30 943 662-003
Network Management Software
HiVision 943 471-100
EAGLE
220 Release 1.02 10/04
Appendix Literature references
Literature references
[1] “Optische Übertragungstechnik

in der Praxis”
Christoph Wrobel
Hüthig Buch Verlag Heidelberg
ISBN 3-8266-5040-9
[2] “TCP/IP Illustrated”, Vol. 1

W.R. Stevens
Addison Wesley 1994
ISBN 0-201-63346-9
[3] Hirschmann Manual

“Basics of Industrial ETHERNET and TCP/IP”
280 720-834

“MultiLAN Switch”
943 309-001

“ETHERNET”
943 320-001

“Network Managent F”
039 584-620
EAGLE
Release 1.02 10/04 221
Appendix Literature references
EAGLE
222 Release 1.02 10/04
Appendix Reader's comments
Reader's comments
What is your opinion of this manual? We are always striving to provide as

comprehensive a description of our product as possible, as well as important
information that will ensure trouble-free operation. Your comments and
suggestions help us to further improve the quality of our documentation.
Your assessment of this manual:
excellent good satisfactory mediocre poor

Accuracy O O O O O
Readability O O O O O
Comprehensibility O O O O O
Examples O O O O O
Structure/Layout O O O O O
Completeness O O O O O
Graphics O O O O O
Drawings O O O O O
Tables O O O O O
Did you discover an error in the manual?

If so, on what page?
.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
EAGLE
Release 1.02 10/04 223
Appendix Reader's comments
Suggestions for improvement and additional information:

.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
General comments:
.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
.......................................................................................................................
Company / Department ..........................................................................................................
Name / Telephone number ..........................................................................................................
Street ..........................................................................................................
Zip code / City ..........................................................................................................
Date / Signature ..........................................................................................................
Dear User,
Please fill out and return this page

− by fax to the number +49 (0)7127/14-1798 or
− by mail to
Department AMM
Stuttgarter Str. 45- 51
72654 Neckartenzlingen
Germany
EAGLE
224 Release 1.02 10/04
Appendix Copyright of integrated software
Copyright of integrated software
The EAGLE incorporates certain free and open software. The license terms
associated with this software require that we give copyright and license
information. These informations can be found on the enclosed CD-ROM.
For free software under the terms of the GPL/LGPL we also provide source
code according to Subsection 3b of the GPL or Subsection 6b of the
LGPL,respectively.
Please contact your Hirschmann contract partner.
EAGLE
Release 1.02 10/04 225
Appendix Copyright of integrated software
EAGLE
226 Release 1.02 10/04
Glossar
B Glossar
D 3DES / DES
This symmetrical encryption algorithm was developed by IBM and chek-
ked by the NSA. DES (“Symmetrical encryption” on page 233) was set in
1977 by the American National Bureau of Standards, which was the pre-
decessor of the National Institute of Standards and Technology (NIST), as
the standard for American governmental institutions. Since this was the
very first standardized encryption algorithm, it quickly won acceptance by
industry even outside of America.
DES uses a 56 bit long key, which is no longer considered secure as the
processing power available has greatly increased since 1977.
3DES is a variant of DES. It uses keys that are three times as long, i.e.
168 bits long. 3DES is still considered to be secure and is also included
in the IPsec standard
D Asymmetrical encryption
In the case of asymmetrical encryption, data is encrypted with one key
and decrypted with a second key. Either key may be used for encryption
or decryption. One of the keys is kept secret by its owner (Private Key),
the other is made available to the public (Public Key), i.e. possible com-
munication partners.
A message encrypted with the public key can only be decrypted and
read by the receiver who has the associated private key. A message
encrypted with the private key can only be decrypted and read by a
receiver who has the associated public key. The fact that the message
was encrypted with the private key proves that the owner of the associa-
ted public key actually sent the message. Therefore, the expression
"digital signature" is also often used.
However, asymmetrical encryption techniques such as RSA are both
slow and susceptible to certain types of attack and are therefore fre-
quently combined with some form of symmetrical encryption (“Symmetri-
cal encryption” on page 233). On the other hand, there are concepts
which avoid the additional work of administering symmetrical keys.
D AES
Advanced Encryption Standard. This encryption standard was developed
by NIST (National Institute of Standards and Technology) in cooperation
with the industry. This “Symmetrical encryption” on page 233 was de-
veloped to replace the earlier DES standard. AES specifies three different
key sizes (128, 192 and 256 bits).
EAGLE
Release 1.02 10/04 227
Glossar
In 1997, NIST started the AES initiative and announced its conditions for
the algorithm. From the many proposed encryption algorithms, NIST
selected a total of five algorithms for closer examination - the MARS,
RC6, Rijndael, Serpent and Twofish algorithms. In October 2000, the
Rijndael algorithm was adopted as the standard's encryption algorithm.
D Certificate (X.509)
A type of "Seal", which certifies the authenticity of a public key (“Asymme-
trical encryption” on page 227) and the associated data.
To enable the user of the public key, which will be used to encrypt the da-
ta, to be sure that the public key that he/she has received is really from its
issuer and thus from the instance, which should later receive the data, it
is possible to use certification. A Certification Authority – CA certifies the
authenticity of the public key and the associated link between the identity
of the issuer and his/her key. The certification authority will verify authen-
ticity in accordance with its rules, which may, for example, require that the
issuer of the public key appear before it in person. Once authenticity has
be successfully certified, the certification authority will add its digital signa-
ture to the issuer’s public key. The result is a Certificate.
An X.509(v3) Certificate thus includes a public key, information about the
key owner (given as it Distinguished Name (DN)), the authorized usage
etc. and the signature of the certification authority.
The signature is created as follows: The certification authority creates an
individual bit sequence, which is known as the HASH value, from the bit
sequence of the public key, the information about its owner and other da-
ta. This sequence may be up to 160 bits long. The certification authority
encrypts this with its own private key and then adds it to the certificate.
The encryption with the certification authority's private key proves the au-
thenticity of the certificate, i.e. the encrypted HASH string is the certifica-
tion authority's digital signature. If the certificate's data is altered, this
HASH value will no longer be correct with the consequence that the cer-
tificate will be worthless.
The HASH value is also known as the fingerprint. Since it is encrypted
with the certification authority's private key, anyone who has the public
key can decrypt the bit sequence and thus verify the authenticity of this
fingerprint or signature.
The usage of a certification authority means it is not necessary for each
owner of a key to know every other owner. It is enough for them to know
the certification authority. The additional information about the key further
simplifies the administration of the key.
X.509 certificates are used, e.g. for e-mail encryption, in S/MIME or IPsec.
EAGLE
228 Release 1.02 10/04
Glossar
D Client / Server
In a client-server environment, a server is a program or computer, which
accepts and answers queries from client programs or computers.
In data communication, a computer which establishes a connection to a
server (or host) is also called a client. In other words, the client is the
calling computer and the server (or host) is the computer called.
D Datagram
In the TCP/IP protocol, data is sent in the form of data packets, which are
know as IP datagrams. An IP datagram has the following structure:
IP-Header TCP, UDP, ESP etc. Daten (Payload)
Header
The IP header contains:

– the IP address of the sender (source IP address)
– the IP address of the receiver (destination IP address)
– the protocol number of the protocol of the next higher protocol layer (in
accord with OSI [seven layer] model)
– the IP header checksum used to check the integrity of the received
header.
The TCP/UDP header contains the following information:
– the sender's port (source port)
– the recipient's port (destination port)
– a checksum covering the TCP header and some information from the
IP header (among others the source and destination IP addresses)
D DynamicDNS provider
Every computer, which is connected to the Internet, has an IP address (IP
= Internet Protocol). An IP address consists of a maximum of 4 three-digit
numbers, which are each separated by a dot. If the computer accesses its
Internet Service Provider (ISP) via a modem on a phone line, ISDN or
ADSL, its ISP will assign it a dynamic IP address. In other words, it will be
assigned a different address for every online session. If the computer is
online 24 hours a day without interruption (e.g. in the case of a flat rate
access), the IP address will even change during the session.
If a local computer should be accessible via the Internet, it must have an
address that is known to the remote system. Unless this is true, no con-
nection can be established between the remote system and the local
computer. If the local computer's address is constantly changing, no con-
nection can be setup. Unless, of course, the operator of the local compu-
ter has an account with a Dynamic DNS provider (DNS = Domain Name
Server).
In this case, he/she can define a domain name in URL format (URL - Uni-
form Resource Locator) at this Dynamic DNS provider under which com-
EAGLE
Release 1.02 10/04 229
Glossar
puter should be accessible in the future, e.g.: www.xyz.abc.de. The

Dynamic DNS provider also supplies a small program, which must be in-
stalled and run on this local computer. At each new Internet session, this
tool will inform the Dynamic DNS provider which IP address the local com-
puter has currently been assigned. This Domain Name Server will register
the current assignment of Domain Name « IP Address and will also inform
the other Domain Name Servers in the Internet.
If a remote system now attempts to establish a connection the local com-
puter, which is register with the DynamicDNS provider, the remote system
can use the host name of the local system as its address. This will setup
a connection to the responsible DNS (Domain Name Server) to lookup the
IP address that is currently registered for this domain name. The corre-
sponding IP address will now be sent back from the DNS to the remote
system, which can then use this as the destination address. The remote
system can now directly address the desired local computer.
In principle, all Internet addresses are based on this procedure: First, a
connection will be established to a DNS to lookup the IP address
assigned for the domain name. Once that has been accomplished, this
"looked up" IP address will be used to setup a connection the desired
remote site, which could be any site in the Internet.
D IP address
Every host or router in the Internet or an Intranet has a unambiguous IP
address (IP = Internet Protocol). The IP address is 32 bits (= 4 bytes) long
and is written as 4 three-digit numbers (each in the range from 0 to 255),
which are separated by a dot.
An IP address consists of 2 parts: the network address and the host
address.
Netzwork address Host address
Each host [or workstation] in a network has the same network address,
but a different host address. Depending on the size of the respective net-
work - networks are categorized as Class A, B or C networks, which are
each different in size - the two parts of the address differ in length:
1. Byte 2. Byte 3. Byte 4. Byte
Class A Netz-Adr. Host-Adr.
Class B Netz-Adr. Host-Adr.
Class C Netz-Adr. Host-Adr.
EAGLE
230 Release 1.02 10/04
Glossar
Whether the IP address of a device in a network is Class A, B or C can

be seen in the first byte of the IP address. The following has been
specified:
Wert des Bytes f r die Bytes f r die
1. Byte Netz-Adresse Host-Adresse
Class A 1-126 1 3
Class B 128-191 2 2
Class C 191-223 3 1
As you can see, there can be a worldwide total of 126 Class A networks
and each of these networks can have a maximum of 256 x 256 x 256
hosts (3 bytes of address space). There can be 64 x 256 Class B net-
works and each of these networks can have up to 65,536 hosts (2 bytes
address space: 256 x 256). There can be 32 x 256 x 256 Class C net-
works and each of these networks can have up to 256 hosts (1 bytes
address space).
Subnet Mask see “Subnet Mask” on page 233.
D IPsec
IP Security (IPsec) is a standard, which uses encryption to verify the
authenticity of the sender and ensure the confidentiality and integrity of
the data in IP datagrams (–> Datagram, page 229). The components of
IPsec are the Authentication Header (AH), the Encapsulating Security
Payload (ESP), the Security Association (SA) and the Internet Key Ex-
change (IKE).
To begin communication, the computers at both ends negotiate the mode
to be used: Transport Mode or Tunnel Mode.
In Transport Mode, an IPsec header will be inserted between the
IP header and the TCP or UDP header in each IP datagram. Since the
IP header remains unchanged, this mode is only suitable for a host- to-
host connection.
In Tunnel Mode, an IPsec header and a new IP header will be added in
front of the entire IP datagram. As a consequence, the original datagram
will be encrypted in its entirety and sent as the payload of the new
datagram.
The Tunnel Mode is used in VPN applications: The devices at the tunnel
ends ensure that the datagrams are encrypted before they pass through
the tunnel so the actual datagrams are completely protected while being
transferred over the public network.
EAGLE
Release 1.02 10/04 231
Glossar
D NAT (Network Address Translation)

Using Network Address Translation (NAT) – which is also often called IP-
Masquerading – an entire network is “hidden” behind a single device,
which is known as a NAT router. The internal computers in the local net-
work with their IP addresses will remain hidden, if you communicate with
the outside via a NAT router. The remote system outside will only see the
NAT router with its own IP address.
If the internal computers are to directly communicate with external sy-
stems (in the Internet), the NAT router must modify the IP datagrams that
are passed back-and-forth between the internal computers and the remo-
te sites.
If an IP datagram is sent from the internal network to a remote site, the
NAT router will modify the IP and TCP headers of the outgoing data-
grams. It replaces the source IP address and port with its own official IP
address and its - thus far unused - port. It maintains a table in which the
original values listed together with the corresponding new ones.
When a reply datagram is received, the NAT router will recognize that it
is actually for an internal computer from the datagram’s destination port.
Using the table, the NAT router will replace the destination IP address and
port and pass the datagram on via the internal network.
D Port Number
The Port Number field is a 2 byte field in the UDP and TCP header. Port
Numbers are used to identify the various data streams that are processed
simultaneously by the UDP/TCP. The entire exchange of data between
the UDP/TCP and the application processes is regulated via port num-
bers. The assignment of the port numbers to the application processes is
dynamic and random. Fixed port numbers are assigned for certain,
frequently used application processes. These are called "Assigned
Numbers".
D PPPoE
The acronym for Point-to-Point Protocol over Ethernet. This protocol is
based on the PPP and Ethernet standards. PPPoE defines how to con-
nect users via Ethernet with the Internet via a jointly used broadband me-
dium such as DSL, a Wireless LAN or a cable modem.
D PPTP
The acronym for Point-to-Point Tunneling Protocol. This protocol was de-
veloped in a cooperation between Microsoft, U.S. Robotics and others to
securely transfer data between VPN nodes (“VPN (Virtual Private Net-
work)” on page 234) via a public network.
EAGLE
232 Release 1.02 10/04
Glossar
D Protocol, communication protocol

Devices, which communicate with each other, must follow the same rules.
They must "speak the same language". Such rules and standards are cal-
led protocols or communication protocols. Some of the more frequently
used protocols include, for example, IP, TCP, PPP, HTTP and SMTP.
TCP/IP is the general term for all protocols based on IP.
D Service Provider
Service providers are companies or institutions, which offer users access
to Internet or an online service.
D Spoofing, Anti-Spoofing
In Internet terminology, spoofing means supplying a false address. With
the false Internet address, the user can create the illusion of being an au-
thorized user.
Anti-Spoofing is term for mechanisms, which detect or prevent spoofing.
D Subnet Mask
Normally, a company's network - with access to the Internet - is only
officially assigned a single IP address, e.g. 134.76.0.0. Based on the first
byte of this sample address, one can see that this company network is a
Class B network and therefore the last 2 bytes are free to be used for
host addresses. With a Class B network, the company network has
address space for up to 65,536 hosts (256 x 256).
Obviously, such huge network is not practical. At this point, one can see
a need for subnetworks. The standard answers this need with the Subnet
Mask. Like an IP address, this mask is 4 bytes long. The bytes, which
represent the network address, are each assigned the value 255. The
main purpose of the mask is to "borrow" a portion of the host address
which can then be used to address the subnetworks. As an example, by
using the subnet mask 255.255.255.0 in a Class B network (2 bytes for
the network address, 2 bytes for the host address), the third byte, which
was actually intended for host addressing, can now be used for subnet
addressing. With this configuration, the company's network could sup-
port 256 subnetworks that each have 256 hosts.
D Symmetrical encryption
In the case of symmetrical encryption, the same key is used to encrypt
and decrypt the data. Two examples of symmetrical encryption algo-
rithms are DES and AES. They are fast, but as the number of users
increases the administration becomes rather involved.
EAGLE
Release 1.02 10/04 233
Glossar
D TCP/IP (Transmission Control Protocol/Internet Protocol)

This is a network protocol. It is used to connect two computers in the In-
ternet.
IP ist das Basisprotokoll.
UDP is based on IP and sends individual packets. The packets may arrive
at the recipient in an order different from that in which they were sent or
they may even be lost.
TCP secures the connection and ensures, for example, that data packets
are passed on the application in the right order.
UDP and TCP add the Port Numbers 1 to 65535 to the IP addresses. The
various services offered by the protocols may be distinguished by these
Port Numbers.
A number of additional protocols are based on UDP and TCP, e.g. HTTP
(HyperText Transfer Protocol), HTTPS (Secure HyperText Transfer Pro-
tocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Proto-
col, Version 3) and DNS (Domain Name Service)..
ICMP is based on IP and adds control messages.
UDP is based on IP and sends individual packets.
SMTP is an e-mail protocol that is based on TCP.
IKE is an IPsec protocol that is based on UDP.
ESP is an IPsec protocol that is based on IP.
On a Windows PC, the WINSOCK.DLL (or WSOCK32.DLL) handles both
protocols.
(see datagram, page 229)
D VPN (Virtual Private Network)
A Virtual Private Network (VPN) connects several separate private
networks (subnets) together via a public network, e.g. the Internet, to
form a single joint network. A cryptographic protocol is used to ensure
confidentiality and authenticity. A VPN thus offers an economical
alternative to using dedicated lines to build a nationwide corporate
network.
EAGLE
234 Release 1.02 10/04
Stichwortverzeichnis
C Stichwortverzeichnis
Numerics D
3DES 129, 227 Datagram 128
3DES-168 130 DES 167, 227
Destination IP address 229, 232
A Destination NA 114
ACA 53, 155 Destination port 229
Administration 142 DHCP 97, 102, 106, 142, 147, 155, 198
Administrator interface 158 DHCP client 147
Administrator password 47 DHCP server 155, 193, 195, 197, 198
Administrators 177 Digital signature 227, 228
ADSL 229 Distinguished Name 228
AES 121, 227 DN 228
AES-256 130 DNS 141, 229, 230, 234
Agent alarm 155 Domain address 141
AH 231 Domain name 144, 229
Air humidity 12 Domain nameserver 141
Air temperature 12 Domain suffix 142
Alarm 154 DSL 232
American National Bureau of Standard 227 Dual Homing 93
Anti-Spoofing 233 Dynamic DNS provider 229
Assigned Numbers 232 Dynamic IP address 229
Asymmetrical encryption 227 DynamicDNS 229
Authentication 128, 167 DynDNS Login 146
Authentication Header 231 DynDNS Password 146
Authenticity 228, 231, 234 DynDNS server 144, 146, 181
Authorization level 157 DynDNS Service 124
Auto Configuration Adapter 53, 155
Automatic Configuration 91 E
Autonegotiation 52 Electromagnetic compatibility 14
EMC 14
B Encapsulating Security Payload 231
Browser 77, 159 Encryption 227, 231
ESP 231, 234
C ESP-Header 229
CA 228 EU conformity declaration 14
Cache 70
CE 14 F
Certification Authority 228 Factory setting 67, 110, 117
Chassis alarm 155 FAQ 209
Checksum 229 FCC 15
Checksum algorithm 130 Fingerprint 228
CIDR 111, 113, 118, 161, 164, 168, 171, 183 Firewall 68, 109
Class A 230 Firmware 187
Client 33, 34, 36, 37, 131, 147, 229 Flat rate 229
Climatic 12 Forward 115
Communication protocol 233
Configuration 65, 91 G
Configuration setting 179 Gateway 124, 139, 181
Cryptographic protocol 234 Ground 12, 51
Ground cable 54
EAGLE
Release 1.02 10/04 235
Ground screw 54 M
MAC address 101
H Main Mode 121
Hardware 177 MARS 228
Hash 130, 228 MD5 121, 130, 167
Hash algorithms 121 Modem 72, 229
HCP server 148 Modem cable 54
Header 114 Monitoring proper functioning 88
HiDiscovery 59, 86 MS Internet Explorer 68
Host address 230, 233
Hostname 142 N
Hostname mode 142 NAT 116, 121, 232
HTTP 158 NAT router 121, 232
HTTPS 67, 71, 234 National Institute of Standards and Technolo-
HTTPS login 155 gy 227
HTTPS Remote Access 160, 181 NAT-T 121
Netmask 132
I Network address 230, 233
IANA 111 Network Address Translation 116, 232
ICMP 111, 113, 234 Network coupling 93
IKE 231, 234 Network mask 97, 131
Indicator contact 42 Network Time Protocol 149
Internet Key Exchange 231 Network traffic 101
Internet Protocol 62 NIST 227
Internet Service Provider 104, 105, 124, 144 Norms 211
IP 111, 113, 234 NSA 227
IP address 63, 124, 230 NTP 149
IP datagram 229
IP header 231 O
IP masquerading 116 Online service 233
IP Security 231 Operating mode 91
IP-Header 229 Operating system 194
IP-Masquerading 232
IPsec 121, 129, 138, 227, 228, 231 P
IPsec connection 121 Password 69, 104, 105, 167
IPsec header 231 PELV 11
IPsec Status 139 Perfect Forward Secrecy 131
ISAKMP 130, 139 PFS 126, 131
ISDN 229 Phone line 229
ISP 104, 105, 144, 229 Phone number 73
Point-to-Point Protocol 232
K Point-to-Point Tunneling Protocol 232
Key exchange 130 Pollution Degree 12
POP3 111, 113, 234
L Port number 71, 111, 161, 232
L2TP 126, 131 Power Supply 155
L2TP status 140 PPP 126, 232
LAN adapter 62 PPP connection 138
Language 159, 182 PPPoE 180, 232
Language setting 159 PPPoE Login 104, 105
Linux 198 PPPoE mode 97, 117
Local configuration 65 PPPoE Password 104, 105
Login 69, 104, 105, 142 PPTP 180, 232
Pre-Shared Key 128, 129
EAGLE
236 Release 1.02 10/04
Private Key 227 Shell login 155

Private network 234 Shielding ground 11
Profile 82 Signal contact 49, 88
Protocol 233 Signature 228
Provider 97, 142 Simple Network Management Protocol 166
Provider defined 142 SMTP 234
Proxy server 68 Snap-in guide 50
PSK 129 Snapshot.tar.gz 179
Public Key 128, 227, 228 SNMP 166
Public network 234 Software module 176
Software version 182
Q Source IP address 229
Quick Mode 121 Source port 229
Spoofing 233
R SSH 142, 157
RC6 228 SSH remote access 163, 181
Reboot 174 SSL 67, 71
Recovery 45 Standard gateway 62, 68, 97
Recovery button 193 Standards 211
Recovery procedure 187 State on delivery 96, 157, 194
Recovery status 193 Stateful Packet Inspection 109
Recovery switch 187 Stealth mode 124
Recycling 15 Subnet 233, 234
Redundant coupling 93 Subnet mask 147, 233
Redundant power supply 88 Subnetwork 148
Refresh Interval 146 Subnetwork mask 63
Relay contact 88 Supply voltage 11, 41, 42, 49
Remote configuration 65 Support 177, 209
Remove 54 Surrounding air temperature 12
Restart 189, 192 Symmetrical encryption 227
RFC 1518 183 System time 149
Rijndael 228 System update 174
Ring coupling 93 System Uptime 182
Root 157
Root password 47, 157 T
Router 180, 230 TCP 111, 113, 234
Router mode 97 TCP header 231, 232
RSA 227 TCP/IP 33, 77, 149, 229
TCP-Header 229
S Telephone network 72
S/MIME 228 Temperature 12, 155
SA 231 Terminal block 50
SA Lifetime 121 Terminal cable 54
Safety certificates 121 TFTP 198
Safety regulations 13 TFTP server 193, 195, 197, 198
Security 155 TFTP service 198
Security Association 231 Traffic 139
Security notice 69 Transparent 33, 111, 113, 134, 162, 165, 168,
SELV 11 172, 180
Serpent 228 Transparent mode 96, 111, 113, 192
Server 229 Transport Mode 231
Service names 111 Trap 154
Service Provider 233 Tunnel Mode 231
SHA-1 121, 130 Tunnels 129
EAGLE
Release 1.02 10/04 237
Twofish 228
U
UDP 111, 113, 232, 234
UDP header 229, 231
Update 174
URL 229
User defined 142
User name 69, 104, 105
User password 158
V
V.24 interface 53
V.24 port 72
Virtual Private Network 234
VPN 232, 234
VPN application 231
VPN client 33
VPN connection 109, 117, 121, 144, 181
VT100 53
W
WAN 71, 97, 180
Web browser 67, 71, 161
Windows system 196
Wireless 232
X
X.509 128, 228
EAGLE
238 Release 1.02 10/04

EAGLE Management Manual: Industrial ETHERNET Firewall/VPN-System

Uploaded by

Copyright:

Available Formats

EAGLE Management Manual: Industrial ETHERNET Firewall/VPN-System

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

EAGLE Management Manual: Industrial ETHERNET Firewall/VPN-System

Uploaded by

Copyright:

Available Formats

What is the document about?

What is the document about?

What topics are covered in the document?

What topics are covered in the document?

IP-ADDRESS

© 2004 Hirschmann Electronics GmbH & Co. KG

Hirschmann Electronics GmbH & Co. KG

For all other countries please dial Tel. +49-7127-14-16 20

In the longterm, product excellence alone is not an absolute guarantee of a

U Qualification requirements for personnel

U General Safety Instructions

Failure to observe the information given in the warnings could result in

U National and international safety regulations

U Note on the CE marking

Hirschmann Electronics GmbH & Co. KG

1.1 Requirement and solution 27

1.2 Product features 29

1.3 Device models 31

3.2 Recovery button 45

4.1 Device installation 49

4.2 Startup operation 57

4.3 Basic settings 59

5.1 Setting up a local configuration connection 67

5.2 Remote configuration 71

6.2 System menu 81

6.3 Ports menu 91

6.5 Network menu 95

6.6 Configuring the firewall 109

6.7 Setting up a VPN connection 121

6.8 Services menu 141

6.9 Access menu 157

6.10 Features menu 173

6.11 Support menu 179

6.12 CIDR (Classless InterDomain Routing) 183

6.13 Example of a network 185

7 The Recovery button 187

7.1 Performing a restart 189

7.2 Executing the recovery procedure 191

7.3 Flashing the firmware 193

Based specifications and standards 211

SNMP traps 213

Technical data 217

Literature references 221

Reader's comments 223

Copyright of integrated software 225

Today, Ethernet is the most widely used type of communications technology.

1.1 Requirement and solution

Increasing standardization and networking in the field of automation will lead

The scaleable security function featuring a

In router mode, subnetworks can be separated from the main network.

Fig. 1: A typical application scenario (for further application scenarios,

1.2 Product features

The state-of-the-art security system secures the authentication, fuse

D Design suitable for industrial use:

1.3 Device models

The EAGLE is available in 16 different models:

EAGLE (FW) Medium/Medium

Fig. 2: Device identifier:

Device type TP ports F/O port F/O port F/O port