ZyXEL Communications ZyXEL ZyWALL 2WE User Manual

Zyxel internet security gateway user's guide

ZyWALL 2/2WE
Internet Security Gateway
User's Guide
Version 3.60
March 2003

Summary of Contents for ZyXEL Communications ZyXEL ZyWALL 2WE

  • Page 1 ZyWALL 2/2WE Internet Security Gateway User’s Guide Version 3.60 March 2003...
  • Page 2: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 ZyWALL 2 and ZyWALL 2WE Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Information For Canadian Users

    ZyWALL 2 and ZyWALL 2WE Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Zyxel Limited Warranty

    ZyWALL 2 and ZyWALL 2WE ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to...
  • Page 6: Customer Support

    +45-3955-0700 www.zyxel.dk +45-3955-0707 ftp.zyxel.dk +49-2405-6909-0 www.zyxel.de +49-2405-6909-99 REGULAR MAIL ZyXEL Communications Corp., 6 Innovation Road II, Science- Based Industrial Park, Hsinchu 300, Taiwan ZyXEL Communications Inc., 1650 Miraloma Avenue, Placentia, CA 92870, U.S.A. ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark ZyXEL Deutschland GmbH.
  • Page 7: Table Of Contents

    Copyright...ii Federal Communications Commission (FCC) Interference Statement... iii Information for Canadian Users ...iv ZyXEL Limited Warranty ...v Customer Support ...vi List of Figures ...xvi List of Tables ... xxiii Preface ...xxvii Overview ... I Chapter 1 Getting to Know Your ZyWALL ... 1-1 Introducing the ZyWALL 2/2WE Internet Security Gateway ...
  • Page 8 Accessing the ZyWALL Web Configurator ...3-1 Web Configurator Navigation...3-2 Chapter 4 Introducing the SMT...4-1 Introduction to the SMT...4-1 Accessing the Console Port via the Console Port ...4-1 Navigating the SMT Interface...4-2 Changing the System Password ...4-7 Resetting the ZyWALL...4-8 Chapter 5 SMT Menu 1 - General Setup...5-1 Introduction to General Setup ...5-1 System Name ...5-1 Dynamic DNS...5-1...
  • Page 9 Levels of Security ... 8-1 Data Encryption with WEP ... 8-2 Network Authentication ... 8-3 Local User Authentication ... 8-8 MAC Address Filtering... 8-10 Chapter 9 Internet Access ... 9-1 Introduction to Internet Access Setup ... 9-1 Ethernet Encapsulation... 9-1 PPTP Encapsulation ...
  • Page 10 12.5 General NAT Examples ...12-17 12.6 Trigger Port Forwarding ...12-24 Firewall and Content Filters ...IV Chapter 13 Firewalls ...13-1 13.1 Introduction to Firewalls...13-1 13.2 Types of Firewalls...13-1 13.3 Introduction to ZyXEL’s Firewall ...13-2 13.4 Denial of Service...13-3 13.5 Stateful Inspection ...13-7 13.6 Guidelines For Enhancing Security With Your Firewall ...13-11 13.7...
  • Page 11 16.7 Creating/Editing A Custom Port ... 16-14 16.8 Example Firewall Rule... 16-15 Chapter 17 Content Filtering... 17-1 17.1 Introduction to Content Filtering... 17-1 17.2 Restrict Web Features ... 17-1 17.3 Days and Times... 17-1 17.4 Configure Content Filtering ... 17-1 Logs, Filter Configuration, and SNMP Configuration ...V Chapter 18 Centralized Logs ...
  • Page 12 21.1 Introduction to System Status ...21-1 21.2 System Status...21-1 21.3 System Information and Console Port Speed...21-3 21.4 Log and Trace ...21-6 21.5 Diagnostic ...21-11 Chapter 22 Firmware and Configuration File Maintenance ...22-1 22.1 Filename Conventions ...22-1 22.2 Backup Configuration...22-2 22.3 Restore Configuration...22-8 22.4 Uploading Firmware and Configuration Files ...22-11...
  • Page 13 25.1 Introduction to Call Scheduling ... 25-1 25.2 Configuring Call Scheduling... 25-1 25.3 Applying Schedule Sets ... 25-3 Chapter 26 Introduction to IPSec... 26-1 26.1 VPN Overview ... 26-1 26.2 IPSec Architecture ... 26-3 26.3 Encapsulation ... 26-5 26.4 IPSec and NAT ... 26-5 Chapter 27 VPN/IPSec Setup ...
  • Page 14 23.1 Problems Starting Up the ZyWALL ...28-1 28.1 Problems with a LAN Interface ...28-2 28.2 Problems with the WAN Interface...28-2 28.3 Problems with Internet Access...28-3 23.2 Problems with the Password ...28-3 28.4 Problems with Remote Management ...28-3 General Appendices ... X Appendix A Setting up Your Computer’s IP Address...
  • Page 15 ZyWALL 2 and ZyWALL 2WE Index ...A Table of Contents...
  • Page 16: List Of Figures

    ZyWALL 2 and ZyWALL 2WE List of Figures Figure 1-1 Secure Internet Access and VPN Application ...1-6 Figure 1-2 ZyWALL 2WE Wireless LAN Application...1-6 Figure 2-1 ZyWALL 2WE Front Panel...2-1 Figure 2-2 ZyWALL 2 Front Panel...2-2 Figure 2-3 ZyWALL 2WE Rear Panel...2-3 Figure 2-4 ZyWALL 2 Rear Panel...2-3 Figure 3-1 Change Password Screen ...3-1 Figure 3-2 Web Configurator Main Menu ...3-2...
  • Page 17 ZyWALL 2 and ZyWALL 2WE Figure 7-7 Menu 3.2.1: IP Alias Setup... 7-9 Figure 7-8 RTS Threshold...7-11 Figure 7-9 Menu 3.5 – Wireless LAN Setup... 7-12 Figure 8-1 ZyWALL Wireless Security Levels ... 8-1 Figure 8-2 Wireless LAN ... 8-2 Figure 8-3 Sequence for EAP Authentication ...
  • Page 18 ZyWALL 2 and ZyWALL 2WE Figure 12-1 How NAT Works ...12-3 Figure 12-2 NAT Application With IP Alias ...12-4 Figure 12-3 Menu 4: Applying NAT for Internet Access...12-7 Figure 12-4 Menu 11.3: Applying NAT to the Remote Node ...12-8 Figure 12-5 Menu 15: NAT Setup ...12-9 Figure 12-6 Menu 15.1: Address Mapping Sets ...12-9 Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules ...12-10 Figure 12-8 Menu 15.1.1: First Set...12-11...
  • Page 19 ZyWALL 2 and ZyWALL 2WE Figure 13-3 SYN Flood... 13-5 Figure 13-4 Smurf Attack ... 13-6 Figure 13-5 Stateful Inspection ... 13-8 Figure 14-1 Menu 21: Filter and Firewall Setup... 14-1 Figure 14-2 Menu 21.2: Firewall Setup ... 14-2 Figure 15-1 Enabling the Firewall ... 15-2 Figure 15-2 Attack Alert ...
  • Page 20 ZyWALL 2 and ZyWALL 2WE Figure 19-3 Menu 21: Filter and Firewall Setup...19-4 Figure 19-4 Menu 21.1: Filter Set Configuration ...19-4 Figure 19-5 Menu 21.1.1.1: TCP/IP Filter Rule ...19-7 Figure 19-6 Executing an IP Filter...19-10 Figure 19-7 Menu 21.1.4.1: Generic Filter Rule...19-11 Figure 19-8 Telnet Filter Example ...19-13 Figure 19-9 Example Filter: Menu 21.1.3.1...19-14 Figure 19-10 Example Filter Rules Summary: Menu 21.1.3 ...19-15...
  • Page 21 ZyWALL 2 and ZyWALL 2WE Figure 22-4 System Maintenance: Starting Xmodem Download Screen... 22-7 Figure 22-5 Backup Configuration Example ... 22-7 Figure 22-6 Successful Backup Confirmation Screen... 22-7 Figure 22-7 Telnet into Menu 24.6... 22-9 Figure 22-8 Restore Using FTP Session Example ... 22-10 Figure 22-9 System Maintenance: Restore Configuration ...
  • Page 22 ZyWALL 2 and ZyWALL 2WE Figure 25-3 Applying Schedule Set(s) to a Remote Node (PPPoE)...25-4 Figure 25-4 Applying Schedule Set(s) to a Remote Node (PPTP) ...25-5 Figure 26-1 Encryption and Decryption ...26-2 Figure 26-2 VPN Application ...26-3 Figure 26-3 IPSec Architecture...26-4 Figure 26-4 Transport and Tunnel Mode IPSec Encapsulation...26-5 Figure 27-1 IPSec Summary Fields ...27-3 Figure 27-2 VPN Summary ...27-3...
  • Page 23 ZyWALL 2 and ZyWALL 2WE List of Tables Table 2-1 LED Descriptions... 2-2 Table 2-2 ZyWALL Wireless LAN Coverage ... 2-5 Table 4-1 Main Menu Summary ... 4-3 Table 5-1 General Setup Menu Field ... 5-2 Table 5-2 Configure Dynamic DNS Menu Fields... 5-3 Table 6-1 MAC Address Cloning in WAN Setup...
  • Page 24 ZyWALL 2 and ZyWALL 2WE Table 10-6 Traffic Redirect Setup...10-12 Table 11-1 IP Static Route Menu Fields ...11-3 Table 12-1 NAT Definitions...12-1 Table 12-2 NAT Mapping Types...12-5 Table 12-3 Applying NAT in Menus 4 & 11.3 ...12-8 Table 12-4 SUA Address Mapping Rules ...12-10 Table 12-5 Fields in Menu 15.1.1 ...12-12 Table 12-6 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ...12-13 Table 12-7 Services &...
  • Page 25 ZyWALL 2 and ZyWALL 2WE Table 18-7 Reports Specifications... 18-12 Table 19-1 Abbreviations Used in the Filter Rules Summary Menu... 19-5 Table 19-2 Rule Abbreviations Used ... 19-6 Table 19-3 TCP/IP Filter Rule Menu Fields... 19-7 Table 19-4 Generic Filter Rule Menu Fields... 19-12 Table 20-1 SNMP Configuration Menu Fields...
  • Page 26 ZyWALL 2 and ZyWALL 2WE Table 27-8 Advanced ...27-16 IKE VPN Rule Setup Table 27-9 Manual ...27-21 IKE VPN Rule Setup Table 27-10 VPN SA Monitor ...27-25 Table 27-11 VPN Global Setting ...27-26 Table 27-12 Telecommuter and Headquarters Configuration Example ...27-27 Table 28-1 Troubleshooting the Start-Up of Your ZyWALL ...28-1 Table 28-2 Troubleshooting the LAN Interface ...28-2 Table 28-3 Troubleshooting the WAN interface ...28-2...
  • Page 27: Preface

    Congratulations on your purchase of the ZyWALL 2/2WE Internet Security Gateway. About This User's Manual This manual is designed to guide you through the configuration of your ZyWALL for its various applications. This manual may refer to the ZyWALL 2/2WE Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 2 and 2WE models.
  • Page 28 • A single keystroke is in Arial font and enclosed in square brackets, for instance, [ENTER] means the Enter, or carriage return, key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys. •...
  • Page 29: Overview

    Overview Part I: Overview This part covers Getting to Know Your ZyWALL and Hardware Installation.
  • Page 31: Chapter 1 Getting To Know Your Zywall

    This chapter introduces the main features and applications of the ZyWALL. Introducing the ZyWALL 2/2WE Internet Security Gateway The ZyWALL 2 and 2WE (Wireless LAN Embedded) are ideal secure gateways for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, ZyXEL’s ZyWALL 2/2WE is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 32: Auxiliary Port

    ZyWALL 2 and ZyWALL 2WE Auxiliary Port The ZyWALL 2 and 2WE use the same port for console management and for an auxiliary WAN backup. The AUX port can be used in reserve as a traditional dial-up connection when/if ever the broadband connection to the WAN port fails.
  • Page 33: Wireless Lan Mac Address Filtering

    ZyWALL 2 and ZyWALL 2WE RADIUS (RFC2138, 2139) The ZyWALL 2WE uses RADIUS (Remote Authentication Dial In User Service) to have a server handle authentication, authorization and accounting for your wireless network. IEEE 802.1x for Network Security The ZyWALL 2WE supports the IEEE 802.1x standard that works with the IEEE 802.11 to enhance user authentication.
  • Page 34: Dynamic Dns Support

    ZyWALL 2 and ZyWALL 2WE PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time. Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet.
  • Page 35: Applications For The Zywall

    DHCP (Dynamic Host Configuration Protocol) DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client.
  • Page 36: Figure 1-1 Secure Internet Access And Vpn Application

    ZyWALL 2 and ZyWALL 2WE Figure 1-1 Secure Internet Access and VPN Application 1.3.2 Wireless LAN Application The ZyWALL 2WE is an ideal access solution for wireless Internet connections for a small office or home environment. A typical Internet access application is shown next. Figure 1-2 ZyWALL 2WE Wireless LAN Application Getting to Know Your ZyWALL...
  • Page 37: Chapter 2 Hardware Installation

    This chapter explains the LEDs and ports as well as how to connect the hardware. The wireless Introduction to Hardware Installation This chapter provides graphics of the front and rear panels, descriptions of the ZyWALL’s front panel LEDs and hardware connection instructions. Front Panels LEDs The LEDs on the front panel indicate the operational status of the ZyWALL.
  • Page 38: Led Descriptions

    LED Descriptions The following table describes the LED functions. The SYS and WLAN LEDs apply to the ZyWALL 2WE. STATUS Green Light on Light flashing Green Light off Green Light on Light flashing Red Light on Green light 10/100M Orange light Both lights off Light flashing Green light...
  • Page 39: Zywall Rear Panels And Connections

    ZyWALL Rear Panels and Connections The following figure shows the rear panels of the ZyWALL. Hardware Connections This section outlines how to connect your ZyWALL. If you want to connect a cable modem, you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the Hardware Installation Figure 2-3 ZyWALL 2WE Rear Panel Figure 2-4 ZyWALL 2 Rear Panel...
  • Page 40: Connecting The Console Port

    cable modem. Connect a DSL modem to the DSL wall jack. See the Safety Warnings and Instructions Appendix for safety instructions when making connections to the ZyWALL. 2.5.1 Connecting a Broadband Modem to the WAN Port You need a cable/DSL/wireless modem and an ISP account. Connecting the ZyWALL to a cable modem: Connect the port labeled WAN on the ZyWALL to the Ethernet port on the cable modem using the Ethernet cable that came with your cable modem.
  • Page 41: Hardware Mounting Options

    2.5.6 Antennas The ZyWALL 2WE is equipped with two reverse SMA connectors and two detachable omni-directional 2dBi antennas to provide a clear radio signal between the wireless stations and the access points. Refer to the Antennas appendix for more information. The following table shows the ZyWALL’s coverage (in meters) using the included antennas.
  • Page 43: Initial Setup And Configuration

    Initial Setup and Configuration Part II: Initial Setup and Configuration This part covers Introducing the Web Configurator, Introducing the SMT, SMT Menu 1 General Setup, WAN Setup, LAN Setup, Wireless LAN Security and Internet Access.
  • Page 45: Chapter 3 Introducing The Web Configurator

    Introducing the Web Configurator This chapter describes how to access and navigate the ZyWALL web configurator. Introduction to the Web Configurator The embedded web configurator is easy to navigate and use to configure the ZyWALL. The web configurator is independent of the operating system platform you use. Use the directions in this chapter in order to access and navigate the web configurator.
  • Page 46: Web Configurator Navigation

    The ZyWALL automatically times out after five minutes of inactivity. Simply log back into the ZyWALL if this happens to you. Web Configurator Navigation Click a link on the navigation panel on the left to open a screen or a submenu. Click WIZARD SETUP for initial configuration including general setup, ISP parameters for Internet Access and WAN IP/DNS Server/MAC...
  • Page 47: Chapter 4 Introducing The Smt

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2002 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 48: Navigating The Smt Interface

    Please note that if there is no activity for longer than five minutes after you log in, your ZyWALL automatically logs you out and displays a blank screen. If you see a blank screen, press [ENTER] to bring up the login screen again. Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL.
  • Page 49: Table 4-1 Main Menu Summary

    4.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. Getting Started 1. General Setup 2. WAN Setup 3. LAN Setup 4. Internet Access Setup Advanced Applications 11.
  • Page 50: Smt Menus At A Glance

    MENU TITLE System Password System Maintenance Schedule Setup VPN /IPSec Setup Exit 4.3.3 SMT Menus at a Glance The available SMT screens vary by ZyWALL model. The wireless LAN SMT menus apply to the ZyWALL 2WE. Table 4-1 Main Menu Summary Change your password in this menu (recommended).
  • Page 51: Figure 4-4 Getting Started And Advanced Applications Smt Menus (Zywall 2We)

    ZyWALL 2 and ZyWALL 2WE Figure 4-4 Getting Started and Advanced Applications SMT Menus (ZyWALL 2WE) Introducing the SMT...
  • Page 52: Figure 4-5 Advanced Management Smt Menus

    ZyWALL 2 and ZyWALL 2WE Figure 4-5 Advanced Management SMT Menus Introducing the SMT...
  • Page 53: Changing The System Password

    Figure 4-6 Schedule Setup and IPSec VPN Configuration SMT Menus Changing the System Password Change the default system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next. Step 2.
  • Page 54: Resetting The Zywall

    Resetting the ZyWALL If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously, and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none.
  • Page 55: Procedure To Use The Reset Button

    4.5.2 Procedure To Use The Reset Button Make sure the PWR LED (ZyWALL 2) or SYS LED (ZyWALL 2WE) is on (not blinking) before you begin this procedure. Step 1. Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts.
  • Page 57: Chapter 5 Smt Menu 1 - General Setup

    Menu 1 - General Setup contains administrative and system-related information. Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. Use the instructions in this chapter to configure identification and dynamic DNS for your ZyWALL. System Name System Name is for identification purposes.
  • Page 58: General Setup

    To use this service, you must register with the Dynamic DNS service provider. The Dynamic DNS service provider will give you a password or key. The ZyWALL supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service. 5.3.1 DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address...
  • Page 59: Configuring Dynamic Dns

    FIELD When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. 5.4.1 Configuring Dynamic DNS To configure Dynamic DNS, go to Menu 1: General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field.
  • Page 60 Table 5-2 Configure Dynamic DNS Menu Fields FIELD DDNS Type Press [SPACE BAR] and then [ENTER] to select DynamicDNS if you have a dynamic IP address(es). Select StaticDNS if you have a static IP address(es). Select CustomDNS to have dyndns.org provide DNS service for a domain name that you already have from a source other than dyndns.org.
  • Page 61 Table 5-2 Configure Dynamic DNS Menu Fields FIELD User Specified IP Addr Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyWALL uses or is behind a static public IP address.
  • Page 63: Chapter 6 Wan Setup

    Introduction to WAN Setup This chapter explains how to configure settings for your WAN port. Cloning The MAC Address The MAC address field allows users to configure the WAN port's MAC address by using either the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file).
  • Page 64: Table 6-1 Mac Address Cloning In Wan Setup

    Table 6-1 MAC Address Cloning in WAN Setup FIELD MAC Address: Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC Address of that workstation whose IP you give in the following field.
  • Page 65: Chapter 7 Lan Setup

    This chapter describes how to configure the LAN using Menu 3: LAN Setup. Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 – LAN Setup. LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic.
  • Page 66: Tcp/Ip And Lan Dhcp

    TCP/IP and LAN DHCP The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 7.4.1 Factory LAN Defaults The LAN parameters of the ZyWALL are preset in the factory with the following values: 1.
  • Page 67: Ip Address And Subnet Mask

    There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
  • Page 68: Rip Setup

    You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 69: Tcp/Ip And Dhcp Ethernet Setup Menu

    ZyWALL 2 and ZyWALL 2WE information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255.
  • Page 70: Figure 7-5 Menu 3: Tcp/Ip And Dhcp Setup

    Figure 7-5 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Configuration: TCP/IP Setup:...
  • Page 71: Table 7-3 Dhcp Ethernet Setup Menu Fields

    Follow the instructions in the next table on how to configure the DHCP fields. Table 7-3 DHCP Ethernet Setup Menu Fields FIELD DHCP This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled.
  • Page 72: Ip Alias Setup

    FIELD Version Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are: RIP-1, RIP-2B or RIP-2M. Multicast IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2).
  • Page 73: Figure 7-7 Menu 3.2.1: Ip Alias Setup

    Press Space Bar to Toggle. Use the instructions in the following table to configure IP Alias parameters. FIELD IP Alias Choose Yes to configure the LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 74: Wireless Lan

    Wireless LAN This section introduces the wireless LAN and some basic configuration. Wireless LANs can be as simple as two computers with wireless network interface cards (NICs) communicating in a peer-to-peer network or as complex as a number of computers with wireless NICs communicating through access points which bridge network traffic to the wired LAN.
  • Page 75: Wireless Lan Setup

    The RTS Threshold mechanism provides a solution to prevent these data collisions. When you enable RTS Threshold on a possible hidden station, this station and its AP will use a Request to Send/Clear to Send protocol (RTS/CTS). The station sends an RTS message to the AP, informing it that it is going to transmit the data.
  • Page 76: Figure 7-9 Menu 3.5 - Wireless Lan Setup

    See section 8.3 for instructions on WEP and section 8.6 for instructions on configuring the MAC address filter. If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
  • Page 77 Table 7-6 Wireless LAN Setup Menu Fields FIELD Hide ESSID Press [SPACE BAR] to select Yes to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning. Channel ID This allows you to set the operating frequency/channel depending on your particular region.
  • Page 79: Chapter 8 Wireless Lan Security Setup

    This chapter describes the types of security you can enable on the ZyWALL. Wireless LAN is Introduction to Wireless LAN Security Wireless security is vital to your network to protect wireless communication between wireless clients, access points and other wireless. Use the web configurator to configure your ZyWALL’s wireless LAN security settings.
  • Page 80: Data Encryption With Wep

    ZyWALL 2 and ZyWALL 2WE Data Encryption with WEP WEP encryption scrambles the data transmitted between the wireless clients and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless clients and the access points must use the same WEP key for data encryption and decryption. For wireless LAN setup, refer to section 7.7.
  • Page 81: Network Authentication

    The following table describes the WEP related fields in this screen. For wireless LAN field descriptions refer to section 7.7. FIELD Enable Wireless Before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it.
  • Page 82: Types Of Radius Messages

    • Authentication Determines the identity of the users. • Authorization Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your ZyWALL acts as a message relay between the wireless client and the network RADIUS server.
  • Page 83: Figure 8-3 Sequence For Eap Authentication

    In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, the password information exchanged is also encrypted to protect the network from unauthorized access.
  • Page 84: Figure 8-4 Wireless Lan 802.1X Authentication

    Figure 8-4 Wireless LAN 802.1X Authentication The following table describes the fields in this screen. Table 8-2 Wireless LAN 802.1X Authentication FIELD Authentication Control Select Force Authorized, Force UnAuthorized or Auto from the drop-down list box. Select Auto to authenticate all wireless clients before they can access the wired network.
  • Page 85: Figure 8-5 Authentication Radius

    The following table describes the fields in this screen. FIELD Authentication Server Active Select Yes from the drop-down list box to enable user authentication through an external authentication server. Select No to enable user authentication using the local user database on the ZyWALL. Server Address Enter the IP address of the external authentication server in dotted decimal notation.
  • Page 86: Local User Authentication

    FIELD Port Number The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the access points.
  • Page 87: Figure 8-6 Local User Database

    ZyWALL 2 and ZyWALL 2WE Figure 8-6 Local User Database Wireless LAN Security Setup...
  • Page 88: Mac Address Filtering

    The following table describes the fields in this screen. FIELD Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile. Click Apply to save these settings back to the ZyWALL.
  • Page 89: Table 8-5 Wlan Mac Address Filter

    The following table describes the fields in this menu. FIELD Active Use the drop down list box to enable or disable MAC address filtering. Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router.
  • Page 91: Chapter 9 Internet Access

    This chapter shows you how to configure your ZyWALL for Internet access. Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation.
  • Page 92: Pptp Encapsulation

    Table 9-1 Menu 4: Internet Access Setup Menu Fields FIELD Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method) or RR-Telstra.
  • Page 93: Pppoe Encapsulation

    The ZyWALL supports only one PPTP server connection at any given time. 9.3.1 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login and Password for the PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option.
  • Page 94: Configuring The Pppoe Client

    For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
  • Page 95: Basic Setup Complete

    Table 9-3 New Fields in Menu 4 (PPPoE) screen FIELD Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server. If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE service name provided to you in the Service Name field.
  • Page 97: Advanced Applications

    Advanced Applications Part III: Advanced Applications This part covers Remote Node Setup, IP Static Route Setup and Network Address Translation (NAT).
  • Page 99: Chapter 10 Remote Node Setup

    10.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node.
  • Page 100: Remote Node Profile Setup

    10.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. 10.3.1 Ethernet Encapsulation There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 101 FIELD Service Type Press [SPACE BAR] and then [ENTER] to select from Standard, RR-Toshiba (RoadRunner Toshiba authentication method) or RR-Manager (RoadRunner Manager authentication method). Choose one of the RoadRunner methods if your ISP is Time Warner's RoadRunner; otherwise choose Standard. Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
  • Page 102: Outgoing Authentication Protocol

    Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE. Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP...
  • Page 103: Table 10-2 Fields In Menu 11.1 (Pppoe Encapsulation Specific)

    Metric The metric sets the priority for the ZyWALL’s routes to the Internet. If the two routes have the same metric, the ZyWALL uses the following pre-defined priorities: 1. Normal route: designated by the ISP (see Remote Node Setup chapter) or a static route (see the IP Static Route Setup chapter) 2.
  • Page 104: Figure 10-4 Menu 11.1: Remote Node Profile For Pptp Encapsulation

    Table 10-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD Session Options Type the length of idle time (when there is no traffic from the ZyWALL to the remote node) in seconds that can elapse before the ZyWALL automatically disconnects the PPPoE connection.
  • Page 105: Edit Ip

    Table 10-3 Fields in Menu 11.1 (PPTP Encapsulation) My IP Addr Enter the IP address of the WAN Ethernet port. My IP Mask Enter the subnet mask of the WAN Ethernet port. Server IP Addr Enter the IP address of the ANT modem. Connection Enter the connection ID or connection name in the ANT.
  • Page 106: Table 10-4 Remote Node Network Layer Options Menu Fields

    Table 10-4 Remote Node Network Layer Options Menu Fields FIELD IP Address Assignment If your ISP did not assign you an explicit IP address, press [SPACE BAR] and then [ENTER] to select Dynamic; otherwise select Static and enter the IP address &...
  • Page 107: Remote Node Filter

    Table 10-4 Remote Node Network Layer Options Menu Fields FIELD Multicast IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] to enable IP Multicasting or select None to disable it.
  • Page 108: Traffic Redirect

    Figure 10-7 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) 10.6 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
  • Page 109: Figure 10-9 Traffic Redirect Lan Setup

    subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/ZyWALL firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2). To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1— Remote Node Profile as shown next.
  • Page 110: Figure 10-11 Menu 11.6: Traffic Redirect Setup

    Table 10-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) FIELD Edit Traffic Redirect Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 — Traffic Redirect Setup.
  • Page 111 FIELD Configuration: Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL’s Internet connection terminates. Metric Enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes.
  • Page 113: Chapter 11 Ip Static Route Setup

    Chapter 11 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 11.1 Introduction to Static Route Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN.
  • Page 114: Figure 11-2 Menu 12: Ip Static Route Setup

    11.2 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. Figure 11-2 Menu 12: IP Static Route Setup Now, enter the index number of the static route that you want to configure.
  • Page 115: Figure 11-3 Menu 12. 1: Edit Ip Static Route

    Figure 11-3 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. FIELD Route # This is the index number of the static route that you chose in menu 12. Route Name Enter a descriptive name for this route. This is for identification purposes only. Active This field allows you to activate/deactivate this static route.
  • Page 116 FIELD Private This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 117: Chapter 12 Network Address Translation (Nat)

    Network Address Translation (NAT) 12.1 Introduction to NAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network.
  • Page 118: What Nat Does

    NAT never changes the IP address (either local or global) of an outside host. 12.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 119: Figure 12-1 How Nat Works

    Figure 12-1 How NAT Works
  • Page 120: Figure 12-2 Nat Application With Ip Alias

    12.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 12-2 NAT Application With IP Alias 12.1.5 NAT Mapping Types NAT supports five types of IP/port mapping.
  • Page 121: Table 12-2 Nat Mapping Types

    2. Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature (the SUA Only option). 3. Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
  • Page 122: Using Nat

    TYPE Server 12.2 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 12.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 123: Figure 12-3 Menu 4: Applying Nat For Internet Access

    Figure 12-3 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. Step 1. Enter 11 from the main menu. Step 2. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options.
  • Page 124: Nat Setup

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None Multicast= None Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle.
  • Page 125: Figure 12-5 Menu 15: Nat Setup

    will use Set 1, which supports all mapping types as outlined in Table 12-2. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only). The server set is a list of LAN servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set.
  • Page 126: Figure 12-7 Menu 15.1.255: Sua Address Mapping Rules

    Set Name= SUA Local Start IP Local End IP --------------- --------------- 0.0.0.0 255.255.255.255 Press ENTER to Confirm or ESC to Cancel: Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules The following table explains the fields in this screen. FIELD Set Name This is the name of the set you selected in menu 15.1 or enter the...
  • Page 127: Figure 12-8 Menu 15.1.1: First Set

    Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. User-Defined Address Mapping Sets Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu.
  • Page 128 up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so as old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.
  • Page 129: Figure 12-9 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Type= One-to-One Local IP: Start= Global IP: Start= Figure 12-9 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set Table 12-6 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD Type Press [SPACE BAR] and then [ENTER] to select from a total of five types.
  • Page 130: Nat Server Sets - Port Forwarding

    12.4 NAT Server Sets – Port Forwarding A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.
  • Page 131: Configuring A Server Behind Nat

    POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol) 12.4.1 Configuring a Server behind NAT Follow these steps to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 - NAT Setup. Step 2.
  • Page 132: Figure 12-10 Menu 15.2: Nat Server Setup

    Rule --------------------------------------------------- Figure 12-10 Menu 15.2: NAT Server Setup Figure 12-11 Multiple Servers Behind NAT Example Menu 15.2 - NAT Server Setup Start Port No. End Port No. Default Default Press ENTER to Confirm or ESC to Cancel: IP Address 0.0.0.0 192.168.1.33...
  • Page 133: General Nat Examples

    12.5 General NAT Examples The following are some examples of NAT configuration. 12.5.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 12-13 Menu 4: Internet Access &...
  • Page 134 From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 12.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.
  • Page 135: Figure 12-15 Menu 15.2: Specifying An Inside Server

    --------------------------------------------------- Figure 12-15 Menu 15.2: Specifying an Inside Server 12.5.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA.
  • Page 136 Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 12-17. Step 2.
  • Page 137: Figure 12-17 Example 3: Menu

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None Version= N/A Enter here to CONFIRM or ESC to CANCEL: The following figure shows how to configure the first rule.
  • Page 138 Set Name= Example3 Local Start IP --------------- 1. 192.168.1.10 192.168.1.11 3. 0.0.0.0 Figure 12-19 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8.
  • Page 139 12.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 140: Trigger Port Forwarding

    Type= Many-One-to-One Local IP: Start= 192.168.1.10 = 192.168.1.12 Global IP: Start= 10.132.50.1 = 10.132.50.3 Figure 12-22 Example 4: Menu 15.1.1.1: Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Set Name= Example4 Local Start IP ---------------...
  • Page 141: Figure 12-24 Trigger Port Forwarding Process: Example

    the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns...
  • Page 142: Figure 12-25 Menu 15.3-Trigger Port Setup

    5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).
  • Page 143: Table 12-8 Menu 15.3-Trigger Port Setup Description

    Table 12-8 Menu 15.3—Trigger Port Setup Description FIELD Rule This is the rule index number. Name Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces. Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
  • Page 145: Firewall And Content Filters

    Firewall and Content Filters Part IV: Firewall and Content Filters This part introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and gives example firewall rules and an overview of content filtering.
  • Page 147: Chapter 13 Firewalls

    Chapter 13 Firewalls This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall. 13.1 Introduction to Firewalls Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 148: Introduction To Zyxel's Firewall

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 149: Denial Of Service

    Figure 13-1 ZyWALL Firewall Application 13.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 150: Types Of Dos Attacks

    for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are: 13.4.2 Types of DoS Attacks There are four types of DoS attacks: 1.
  • Page 151: Figure 13-2 Three-Way Handshake

    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. 2-a SYN Attack floods a targeted system with a series of SYN packets.
  • Page 152: Figure 13-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3.
  • Page 153: Stateful Inspection

    Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal. All SMTP commands are illegal except for those displayed in the following tables. AUTH DATA EHLO QUIT RCPT RSET Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.
  • Page 154: Stateful Inspection Process

    all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: Allows all sessions originating from the LAN (local network) to the WAN (Internet). Denies all sessions originating from the WAN to the LAN. The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works.
  • Page 155: Stateful Inspection And The Zywall

    1. The packet travels from the firewall's LAN to the WAN. 2. The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point). 3. The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection.
  • Page 156: Tcp Security

    These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator. The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet.
  • Page 157: Guidelines For Enhancing Security With Your Firewall

    A similar situation exists for ICMP, except that the ZyWALL is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too little tracking information.
  • Page 158: Packet Filtering Vs Firewall

    7. Keep the firewall in a secured (locked) room. 13.7 Packet Filtering Vs Firewall Below are some comparisons between the ZyWALL’s filtering and firewall functions. 13.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 159 When To Use The Firewall 1. To prevent DoS attacks and prevent hackers cracking your network. 2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required. 3.
  • Page 161: Chapter 14 Introducing The Zywall Firewall

    Introducing the ZyWALL Firewall 14.1 Introduction to the ZyWALL Firewall The ZyWALL provides a configurable stateful inspection firewall. The firewall is also sometimes referred to as Access Control and the firewall rules are known as the ACL (Access Control List). 14.2 Remote Management and the Firewall When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 162: Activating The Firewall

    14.4.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
  • Page 163: Chapter 15 Firewall Configuration

    Chapter 15 Firewall Configuration This chapter shows you how to configure your firewall with the web configurator. 15.1 Introduction to Firewall Configuration Use the ZyWALL web configurator to configure your firewall. Refer to the Introducing the Web Configurator chapter for details on how to access and navigate the web configurator.
  • Page 164: Figure 15-1 Enabling The Firewall

    15.2.1 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 15-2 - check the Generate alert when attack detected checkbox) or when a rule is matched in the Rule Config screen (see Figure 16-4). When an event generates an alert, a message is immediately sent to an e-mail account specified by...
  • Page 165: Attack Alert

    15.3 Attack Alert Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully established.
  • Page 166 When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low).
  • Page 167: Figure 15-2 Attack Alert

    The following table describes the fields in this screen. FIELD Generate alert when attack detected A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See the chapter on logs for more information on logs and alerts.
  • Page 168 FIELD One Minute High This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts.
  • Page 169 FIELD Blocking Time When TCP Maximum Incomplete is reached you can choose if the next session should be allowed or blocked. If you check Blocking Time any new sessions will be blocked for the length of time you specify in the next field (min) and all old incomplete sessions will be cleared during this period.
  • Page 171: Chapter 16 Creating Custom Rules

    This chapter contains instructions for defining both Local Network and Internet rules. 16.1 Introduction to Custom Rules Firewall rules are grouped based on the direction of travel of packets to which they apply: • LAN to LAN/ZyWALL • LAN to WAN By default, the ZyWALL’s stateful packet inspection allows packets traveling in the following directions: •...
  • Page 172: Rule Logic Overview

    ♦ Allow everyone except your competitors to access a Web server. ♦ Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator.
  • Page 173: Connection Direction Examples

    Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens. 16.2.3 Key Fields For Configuring Rules Action Should the action be to Block or Forward? “Block”...
  • Page 174: Figure 16-1 Lan To Wan Traffic

    16.3.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure.
  • Page 175: Rule Summary

    16.4 Rule Summary Click Firewall and the Summary tab to display the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn. Figure 16-3 Firewall Rules Summary: First Screen The following table describes the fields in the firewall summary screen.
  • Page 176 Table 16-1 Firewall Rules Summary: First Screen FIELD Bypass Triangle Route Select this check box to have the ZyWALL firewall ignore the use of triangle route topology on the network. See the appendices for more on triangle route topology. Total Configured Rules This read-only number is the total number of rules that have been configured for the ZyWALL (the combined total for all packet directions).
  • Page 177: Predefined Services

    Table 16-1 Firewall Rules Summary: First Screen FIELD This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Alert This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
  • Page 178 Table 16-2 Predefined Services. BOOTP_CLIENT(UDP:68): DHCP Client. BOOTP_SERVER(UDP:67): DHCP Server. SEEME(TCP/UDP:7648, 24032): A popular videoconferencing solution from White Pines Software. DNS(UDP/TCP:53): Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers. Other services in this table: FINGER(TCP:79), FTP(TCP:20,21), H.323(TCP:1720), HTTP(TCP:80), HTTPS(TCP:443), ICQ(UDP:4000), IKE(UDP:500), IPSEC_TUNNEL(AH:0), IPSEC_TUNNEL(ESP:0), IRC(TCP/UDP:6667), Messenger(TCP:1863), MULTICAST(IGMP:0), NEW-ICQ(TCP:5190), NEWS(TCP:144).
  • Page 179 Table 16-2 Predefined Services (continued). NFS(UDP:2049): Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments. Other services in this table: NNTP(TCP:119), PING(ICMP:0), POP3(TCP:110), PPTP(TCP:1723), PPTP_TUNNEL(GRE:0), RCMD(TCP:512), REAL_AUDIO(TCP:7070), REXEC(TCP:514), RLOGIN(TCP:513), RTELNET(TCP:107), RTSP(TCP/UDP:554), SFTP(TCP:115), SMTP(TCP:25), SNMP(TCP/UDP:161), SNMP-TRAPS(TCP/UDP:162), SQL-NET(TCP:1521), SSH(TCP/UDP:22).
  • Page 180 Table 16-2 Predefined Services (continued): STRM WORKS(UDP:1558), SYSLOG(UDP:514), TACACS(UDP:49), TELNET(TCP:23), TFTP(UDP:69), VDOLIVE(TCP:7000). 16.5.1 Creating/Editing Firewall Rules Follow these directions to create a new rule. Step 1. In the Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 181: Figure 16-4 Creating/Editing A Firewall Rule

    Figure 16-4 Creating/Editing A Firewall Rule Table 16-3 Creating/Editing A Firewall Rule FIELD Active Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it. Packet Direction Use the drop-down list box to select the direction of packet travel to which you want to apply this firewall rule.
  • Page 182 FIELD Source Address Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Please see the next section for more information on adding and editing source addresses. Destination Address Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one.
  • Page 183: Figure 16-5 Adding/Editing Source And Destination Addresses

    16.5.2 Source and Destination Addresses To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen.
  • Page 184: Custom Ports

    Table 16-4 Adding/Editing Source and Destination Addresses FIELD Subnet Mask Enter the subnet mask here, if applicable. When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen. 16.6 Custom Ports Configure customized ports for services not predefined by the ZyWALL (see section 16.5 for a list of predefined services).
  • Page 185: Example Firewall Rule

    The next table describes the fields in this screen. Table 16-5 Creating/Editing A Custom Port FIELD Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box. Port Configuration Type Click Single to specify one port only or Range to specify a span of...
  • Page 186: Figure 16-7 Firewall Rule Configuration Screen Example

    Step 3. Click Insert to display the firewall rule configuration screen. Select WAN to LAN from the drop-down list box. Figure 16-7 Firewall Rule Configuration Screen Example. Step 4. Click Any in the Source Address box and then click SrcDelete. Step 5.
  • Page 187: Figure 16-8 Firewall Ip Config Screen Example

    Figure 16-8 Firewall IP Config Screen Example. Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Custom Port Configuration screen. Configure it as follows and click Apply.
  • Page 188: Figure 16-9 Custom Port Example

    Step 7. The firewall rule configuration screen displays; use the arrows between Available Services and Selected Services to configure it as follows. Click Apply when you are done. Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box.
  • Page 189: Figure 16-10 Rule Configuration Example

    Figure 16-10 Rule Configuration Example (figure callouts: This is the address range of the “MyService” servers; This is your “MyService” custom port). Click Apply when finished.
  • Page 190: Figure 16-11 Rule Summary Example

    Step 8. On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Rule 1: Allows a “MyService”...
  • Page 191: Chapter 17 Content Filtering

    Chapter 17 Content Filtering This chapter provides a brief overview of content filtering using the web embedded configurator. 17.1 Introduction to Content Filtering Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords and should not be confused with packet filtering via SMT menu 21.1.
  • Page 192: Figure 17-1Content Filter

    Figure 17-1 Content Filter. Table 17-1 Content Filter. Restrict Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
  • Page 193 ActiveX: A tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again. Java: A programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.
  • Page 194 Time of Day to Block: Enter the time period, in 24-hour format, during which content filtering will be enforced. Select the All Day check box to have content filtering always active on the days selected in Day to Block, with time of day limitations not enforced.
  • Page 195: Logs, Filter Configuration, And Snmp Configuration

    Part V: Logs, Filter Configuration, and SNMP Configuration. This part provides information and configuration instructions for the logs, filters, and SNMP.
  • Page 197: Chapter 18 Centralized Logs

    Chapter 18 Centralized Logs This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to the appendices for example log message explanations and how to view the logs via the SMT command interpreter interface. 18.1 Introduction to Centralized Logs You can select which logs you want the ZyWALL to record and which alerts you want the ZyWALL to send.
  • Page 198: Figure 18-1 View Log

    Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Display: The categories that you select in the Log Settings page (see section 18.3) display in the...
  • Page 199: Log Settings

    Message: This field states the reason for the log. Source: This field lists the source IP address and the port number of the incoming packet. Destination: This field lists the destination IP address and the port number of the incoming packet. Notes: This field displays additional information about the log entry.
  • Page 200: Figure 18-2 Log Settings

    Figure 18-2 Log Settings
  • Page 201: Table 18-2 Log Settings

    Address Info. Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail. Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends.
  • Page 202: Reports

    Day for Sending Log: Use the drop down list box to select which day of the week to send the logs. Time for Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
  • Page 203: Figure 18-3 Reports

    The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not (yet) 100% accurate. (Note: The web site hit count may not be 100% accurate because sometimes when an individual web page loads, it may contain references to other web sites that also...)
  • Page 204: Table 18-3 Reports

    Report Type: Use the drop-down list box to select the type of reports to display. Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Port displays the protocols or service ports that have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 205: Figure 18-4 Web Site Hits Report Example

    Figure 18-4 Web Site Hits Report Example. Web Site: This column lists the domain names of the web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first.
  • Page 206: Figure 18-5 Protocol/Port Report Example

    Figure 18-5 Protocol/Port Report Example. Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
  • Page 207: Figure 18-6 Lan Ip Address Report Example

    18.4.3 LAN IP Address In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
  • Page 208: Table 18-7 Reports Specifications

    18.4.4 Reports Specifications The following table lists detailed specifications on the reports feature. Table 18-7 Reports Specifications (labels: Number of web sites/protocols or ports/IP addresses listed; Hit count limit; Bytes count limit). Up to 2 hits can be counted per web site.
  • Page 209: Chapter 19 Filter Configuration

    Chapter 19 Filter Configuration This chapter shows you how to create and apply filters. 19.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 210: The Filter Structure Of The Zywall

    Figure 19-1 Outgoing Packet Filtering Process (flow chart: Outgoing Data Packet; Match; Drop packet). For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets. 19.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules.
  • Page 211: Figure 19-2 Filter Rule Process

    Figure 19-2 Filter Rule Process (flow chart: Start; Packet into filter; Fetch First Filter Set; Fetch First Filter Rule; Next Filter Rule Available?; Check Next Rule; Fetch Next Filter Rule; Next Filter Set Available?; Fetch Next Filter Set; Drop Packet)...
  • Page 212: Configuring A Filter Set

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 19.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default.
  • Page 213: Table 19-1 Abbreviations Used In The Filter Rules Summary Menu

    Step 3. Select the filter set you wish to configure (1-12) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
  • Page 214: Configuring A Filter Rule

    Refer to the next section for information on configuring the filter rules. 19.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.x - Filter Rules Summary and press [ENTER] to open menu 21.1.x.x for the rule.
  • Page 215: Figure 19-5 Menu 21.1.1.1: Tcp/Ip Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.x.x - TCP/IP Filter Rule, as shown next. Press Space Bar to Toggle. Figure 19-5 Menu 21.1.1.1: TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule. Table 19-3 TCP/IP Filter Rule Menu Fields FIELD Active...
  • Page 216 Table 19-3 TCP/IP Filter Rule Menu Fields. Destination: IP Mask: Enter the IP mask to apply to the Destination: IP Addr. Destination: Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535.
  • Page 217 Table 19-3 TCP/IP Filter Rule Menu Fields. Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched – Only packets that match the rule parameters will be logged. Action Not Matched – Only packets that do not match the rule parameters will be logged.
  • Page 218: Figure 19-6 Executing An Ip Filter

    Figure 19-6 Executing an IP Filter (flow chart: Packet into IP Filter; Filter Active?; Apply SrcAddrMask to Src Addr; Check Src IP Addr Matched; Apply DestAddrMask to Dest Addr; Check Dest IP Addr Matched; Check IP Protocol Matched; Check Src & Dest Port Matched; More?; Action Matched...)
  • Page 219: Figure 19-7 Menu 21.1.4.1: Generic Filter Rule

    19.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 220: Table 19-4 Generic Filter Rule Menu Fields

    Table 19-4 Generic Filter Rule Menu Fields. Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different.
  • Page 221: Example Filter

    19.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. Step 2.
  • Page 222: Figure 19-9 Example Filter: Menu 21.1.3.1

    Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
        Menu 21.1.3.1 - TCP/IP Filter Rule
        Filter #: 3,1
        Filter Type= TCP/IP Filter Rule
        Active= Yes...
  • Page 223: Figure 19-10 Example Filter Rules Summary: Menu

        Menu 21.1.3 - Filter Rules Summary
        # A Type
        1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23
    This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
  • Page 224: Filter Types And Sua/Nat

    19.4 Filter Types and SUA/NAT There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section.
  • Page 225: Applying A Filter And Factory Defaults

    19.6 Applying a Filter and Factory Defaults This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
  • Page 226: Figure 19-13 Filtering Remote Node Traffic

    Figure 19-13 Filtering Remote Node Traffic
        Menu 11.5 – Remote Node Filter Setup
        Input Filter Sets: protocol filters= device filters=
        Output Filter Sets: protocol filters= device filters=
        Press ENTER to Confirm or ESC to Cancel:
  • Page 227: Chapter 20 Snmp Configuration

    Chapter 20 SNMP Configuration This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 20.1 Introduction to SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 228: Figure 20-1 Snmp Management Model

    Figure 20-1 SNMP Management Model An SNMP managed network consists of two main types of components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 229: Supported Mibs

    • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Page 230: Snmp Traps

    Table 20-1 SNMP Configuration Menu Fields. Set Community: Type the Set community, which is the password for incoming Set requests from the management station. Trusted Host: If you enter a trusted host, your ZyWALL will only respond to SNMP messages from this address.
  • Page 231: System Information And Diagnosis And Firmware And Configuration File Maintenance

    Part VI: System Information and Diagnosis and Firmware and Configuration File Maintenance. This part provides information on system information and diagnosis and maintaining the firmware and configuration files.
  • Page 233: Chapter 21 System Information & Diagnosis

    This chapter covers SMT menus 24.1 to 24.4. Wireless LAN applies to the ZyWALL 2WE. 21.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
  • Page 234: Figure 21-2 Menu 24.1: System Maintenance: Status (Zywall 2We)

    monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Step 1. Enter number 24 to go to Menu 24 - System Maintenance. Step 2.
  • Page 235: System Information And Console Port Speed

    Table 21-1 System Maintenance: Status Menu Fields. TxPkts: The number of transmitted packets on this port. RxPkts: The number of received packets on this port. Cols: The number of collisions on this port. Tx B/s: Shows the transmission speed in Bytes per second on this port. Rx B/s: Shows the reception speed in Bytes per second on this port.
  • Page 236: Figure 21-3 Menu 24.2: System Information And Console Port Speed

    Figure 21-3 Menu 24.2: System Information and Console Port Speed 21.3.1 System Information System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc. Menu 24.2.1 - System Maintenance - Information Figure 21-4 Menu 24.2.1: System Maintenance: Information
  • Page 237: Figure 21-5 Menu 24.2.2: System Maintenance: Change Console Port Speed

    Table 21-2 Fields in System Maintenance: Information (fields: Name, Routing, ZyNOS F/W Version, Ethernet Address, IP Address, IP Mask, DHCP). When finished viewing, press [ESC] or [ENTER] to exit. 21.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port.
  • Page 238: Log And Trace

    21.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging. 21.4.1 Viewing Error Log The first place you should look for clues when something goes wrong is the error/trace log.
  • Page 239: Figure 21-7 Examples Of Error And Information Messages

        0 Wed Aug 22 21:23:26 2001 PP17
        1 Wed Aug 22 21:23:26 2001 PP17
        2 Wed Aug 22 21:23:54 2001 PINI
        3 Wed Aug 22 21:24:26 2001 PP0d
        4 Wed Aug 22 21:24:26 2001 PP17
        5 Wed Aug 22 21:24:26 2001 PP0d
        6 Wed Aug 22 21:24:26 2001 PP17
        7 Wed Aug 22 21:24:26 2001 PP17
        8 Wed Aug 22 21:24:26 2001 PP17...
  • Page 240: Table 21-3 System Maintenance Menu Syslog Parameters

    You need to configure the UNIX syslog parameters described in the following table to activate syslog, then choose what you want to log. Table 21-3 System Maintenance Menu Syslog Parameters. UNIX Syslog: Active: Press [SPACE BAR] and then [ENTER] to turn syslog on or off. Syslog IP Address: Enter the IP Address of the server that will log the CDR (Call Detail Record) and system messages, i.e., the syslog server.
  • Page 241 2. Packet triggered
    Packet triggered Message Format:
        SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String );
        String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x
    Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG)
    Data: We will send forty-eight Hex characters to the server
        Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f7071727374
        Jul 19 11:28:56 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1,...
  • Page 242 5. Firewall log
    Firewall Log Message Format:
        SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
        buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]
    Src: Source Address
    spo: Source port (empty means no source port information)
    Dst: Destination Address
    dpo: Destination port (empty means no destination port information)
    prot: Protocol (“TCP”, ”UDP”, ”ICMP”, ”IGMP”, ”GRE”, ”ESP”)
  • Page 243: Diagnostic

    IP Frame: ENET0-RECV Size: Frame Type:
    IP Header: IP Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP, Destination IP
    TCP Header: Source Port, Destination Port, Sequence Number, Ack Number, Header Length, Flags, Window Size...
  • Page 244: Wan Dhcp

    Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 21-10 Menu 24.4: System Maintenance: Diagnostic 21.5.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 21-11. LAN DHCP has already been discussed.
  • Page 245: Figure 21-11 Wan & Lan Dhcp

    The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 21-4 System Maintenance Menu Diagnostic (fields: Ping Host, WAN DHCP Release, WAN DHCP Renewal, Internet Setup Test, Reboot System; Host IP Address=). Enter the number of the selection you would like to perform or press [ESC] to cancel.
  • Page 247: Chapter 22 Firmware And Configuration File Maintenance

    Chapter 22 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 22.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 248: Backup Configuration

    local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
  • Page 249: Using The Ftp Command From The Command Line

    22.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 250: Figure 22-2 Ftp Session Example

        331 Enter PASS command
        Password:
        230 Logged in
        ftp> bin
        200 Type I OK
        ftp> get rom-0 zyxel.rom
        200 Port command okay
        150 Opening data connection for STOR ras
        226 File received OK
        ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 251: Backup Configuration Using Tftp

    1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN). 2. You have disabled Telnet service in menu 24.11. 3. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service. 4.
  • Page 252: Table 22-3 General Commands For Gui-Based Tftp Clients

    22.2.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom Where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get” transfers the file source on the ZyWALL (rom-0, name of the configuration file on the ZyWALL) to the file destination on the computer and renames it config.rom.
  • Page 253: Figure 22-3 System Maintenance: Backup Configuration

    Ready to backup Configuration via Xmodem. Do you want to continue (y/n): Figure 22-3 System Maintenance: Backup Configuration Step 2. The following screen indicates that the Xmodem download has started. You can enter ctrl-x to terminate operation any time. Starting XMODEM download... Figure 22-4 System Maintenance: Starting Xmodem Download Screen Step 3.
  • Page 254: Restore Configuration

    22.3 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.
  • Page 255 Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  • Page 256: Figure 22-8 Restore Using Ftp Session Example

    22.3.2 Restore Using FTP Session Example
        ftp> put config.rom rom-0
        200 Port command okay
        150 Opening data connection for STOR rom-0
        226 File received OK
        221 Goodbye for writing flash
        ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
        ftp>quit
    Figure 22-8 Restore Using FTP Session Example. Refer to section 22.2.5 to read about configurations that disallow TFTP and FTP over WAN.
  • Page 257: Uploading Firmware And Configuration Files

    Figure 22-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 22-12 Successful Restoration Confirmation Screen 22.4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files.
  • Page 258: Figure 22-13 Telnet Into Menu 24.7.1: Upload System Firmware

    When you telnet into the ZyWALL, you will see the following screens for uploading firmware and the configuration file using FTP. Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1.
  • Page 259: Figure 22-14 Telnet Into Menu 24.7.2: System Maintenance

    Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
  • Page 260: Figure 22-15 Ftp Session Example Of Firmware File Upload

    Step 7. Enter “quit” to exit the ftp prompt. 22.4.4 FTP Session Example of Firmware File Upload
        331 Enter PASS command
        Password:
        230 Logged in
        ftp> bin
        200 Type I OK
        ftp> put firmware.bin ras
        200 Port command okay
        150 Opening data connection for STOR ras
        226 File received OK...
  • Page 261: Tftp Upload Command Example

    Step 4. Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. Step 5. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer.
  • Page 262: Figure 22-16 Menu 24.7.1 As Seen Using The Console Port

    Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atur" after "Enter Debug Mode" message. 3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
  • Page 263: Figure 22-18 Menu 24.7.2 As Seen Using The Console Port

    22.4.10 Uploading Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1.
  • Page 264: Figure 22-19 Example Xmodem Upload

    After the configuration upload process has completed, restart the ZyWALL by entering “atgo”. Figure 22-19 Example Xmodem Upload (figure callouts: Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol.)
  • Page 265: System Maintenance And Information And Remote Management

    Part VII: System Maintenance and Information and Remote Management. This part provides information on the system maintenance and information functions and how to configure remote management.
  • Page 267: Chapter 23 System Maintenance & Information

    23.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.
  • Page 268: Call Control Support

        Copyright (c) 1994 - 2001 ZyXEL Communications Corp.
        ras> ?
        Valid commands are:
        ras>
    23.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
  • Page 269: Figure 23-4 Budget Management

    Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Remote Node: 1.ChangeMe. The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
  • Page 270: Figure 23-5 Call History

    23.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 271: Time And Date Setting

    23.3 Time and Date Setting The ZyWALL has a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL. Menu 24.10 allows you to update the time and date settings of your ZyWALL.
  • Page 272: Resetting The Time

    Use Time Server when Bootup: Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main differences between them are the format.
  • Page 273 When the ZyWALL starts up, if there is a timeserver configured in menu 24.10. iii. 24-hour intervals after starting.
  • Page 275: Chapter 24 Remote Management

    Chapter 24 Remote Management This chapter covers remote management found in SMT menu 24.11. 24.1 Remote Management and the Firewall When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 276: Ftp

    24.3 FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP; please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. 24.4 Web You can use the ZyWALL’s embedded web configurator for configuration and file management.
  • Page 277: Figure 24-2 Menu 24.11 - Remote Management Control

    LAN only. When you choose WAN only or ALL (LAN & WAN), you still need to configure a... To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control. TELNET Server: FTP Server: Web Server:...
  • Page 278: Remote Management And Sua/Nat

    Table 24-1 Menu 24.11 – Remote Management Control. FIELD: Secured Client. The default 0.0.0.0 allows any client to use this service to remotely manage the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address.
  • Page 279: System Timeout

    24.9 System Timeout. There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyWALL automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
  • Page 281: Call Scheduling And Vpn/Ipsec

    Part VIII: Call Scheduling and VPN/IPSec. This part provides information on how to configure call scheduling and VPN/IPSec.
  • Page 283: Chapter 25 Call Scheduling

    Call scheduling allows you to dictate when a remote node should be called and for how long. 25.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 284: Figure 25-2 Schedule Set Setup

    …and 4, as the ZyWALL, by default, applies the lowest numbered set first. Set 2 will take precedence over sets 3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets to a remote node. To delete a schedule set, enter the set number and press [SPACE BAR] and then … To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
  • Page 285: Applying Schedule Sets

    FIELD: Often. Should this schedule set recur weekly or be used just once only? Press [SPACE BAR] and then [ENTER] to select Once or Weekly. These two options are mutually exclusive. If Once is selected, then all weekday settings are N/A. When Once is selected, the schedule rule deletes automatically after the scheduled time elapses.
  • Page 286: Figure 25-3 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing= My Login= My Password= ******** Retype to Confirm= ******* Authen= CHAP/PAP Press Space Bar to Toggle. Figure 25-3 Applying Schedule Set(s) to a Remote Node (PPPoE). You can apply up to four schedule sets, separated by commas, for one remote node.
  • Page 287: Figure 25-4 Applying Schedule Set(S) To A Remote Node (Pptp)

    Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Service Type= Standard Service Name=N/A Outgoing= My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP PPTP : My IP Addr= My IP Mask= Server IP Addr= Connection ID/Name= Press Space Bar to Toggle. Figure 25-4 Applying Schedule Set(s) to a Remote Node (PPTP) Call Scheduling Menu 11.1 - Remote Node Profile...
  • Page 289: Chapter 26 Introduction To Ipsec

    26.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 290: Figure 26-1 Encryption And Decryption

    Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication: The IPSec receiver can verify the source of IPSec packets.
  • Page 291: Ipsec Architecture

    Figure 26-2 VPN Application. 26.2 IPSec Architecture. The overall IPSec architecture is shown as follows.
  • Page 292: Figure 26-3 Ipsec Architecture

    Figure 26-3 IPSec Architecture. 26.2.1 IPSec Algorithms. The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
  • Page 293: Encapsulation

    26.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 26-4 Transport and Tunnel Mode IPSec Encapsulation 26.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 294: Table 26-1 Vpn And Nat

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
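    The integrity failure described above, as an added example that is not part of the manual: a drastically simplified model in which the "packet" is just two addresses and a payload, the keyed hash stands in for the integrity check value, and the addresses and key are constructed for illustration. It also goes one step beyond the page's statement by contrasting an AH-style check (which covers the IP addresses) with an ESP-style check (which covers only the encapsulated payload), since that difference is what makes a NAT rewrite fatal to the former and survivable by the latter.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Constructed sample key shared by the two IPSec endpoints (not a real key).
SHARED_KEY = b"constructed-demo-key-for-illustration"


def make_packet(src: str, dst: str, payload: bytes) -> Dict[str, object]:
    """A drastically simplified IP packet: just the two addresses and a payload."""
    return {"src": src, "dst": dst, "payload": payload}


def ah_style_icv(pkt: Dict[str, object], key: bytes = SHARED_KEY) -> str:
    """AH-style integrity check: the keyed hash covers the IP addresses as well
    as the payload, so any change to the addresses is detected."""
    covered = f"{pkt['src']}|{pkt['dst']}|".encode() + pkt["payload"]
    return hmac.new(key, covered, hashlib.sha1).hexdigest()


def esp_style_icv(pkt: Dict[str, object], key: bytes = SHARED_KEY) -> str:
    """ESP-style integrity check: the keyed hash covers only the encapsulated
    payload, not the outer IP header that a NAT device rewrites."""
    return hmac.new(key, pkt["payload"], hashlib.sha1).hexdigest()


def nat_rewrite_source(pkt: Dict[str, object], public_src: str) -> Dict[str, object]:
    """What a NAT device between the endpoints does: replace the source
    address with one of its own choosing."""
    rewritten = dict(pkt)
    rewritten["src"] = public_src
    return rewritten


def receiver_accepts(pkt: Dict[str, object], icv: str,
                     icv_fn: Callable[..., str], key: bytes = SHARED_KEY) -> bool:
    """The receiving VPN device recomputes its own hash value and compares it
    with the one appended to the packet (constant-time comparison)."""
    return hmac.compare_digest(icv_fn(pkt, key), icv)


def nat_versus_integrity_demo() -> Dict[str, bool]:
    """Run the scenario from the text with constructed addresses."""
    original = make_packet("192.168.1.10", "203.0.113.5", b"constructed inner packet")
    ah_icv = ah_style_icv(original)
    esp_icv = esp_style_icv(original)
    natted = nat_rewrite_source(original, "198.51.100.1")
    return {
        "ah_accepted_without_nat": receiver_accepts(original, ah_icv, ah_style_icv),
        "ah_accepted_after_nat": receiver_accepts(natted, ah_icv, ah_style_icv),
        "esp_accepted_after_nat": receiver_accepts(natted, esp_icv, esp_style_icv),
    }


if __name__ == "__main__":
    for name, ok in nat_versus_integrity_demo().items():
        print(f"{name}: {ok}")
```

    The receiver never sees the original source address, so it has no way to "undo" the NAT before hashing; the only cures are to keep the addresses out of the covered data (ESP) or to carry the IPSec packet inside an encapsulation the NAT device can rewrite harmlessly, which is what the NAT traversal feature described later in this manual does.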
  • Page 295: Chapter 27 Vpn/Ipsec Setup

    This chapter introduces the VPN web configurator screens. See the Logs chapter and the … 27.1 VPN/IPSec Overview. Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections. 27.2 IPSec Algorithms. The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
  • Page 296: My Ip Address

    DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. 3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
  • Page 297: Summary Screen

    The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. 27.5 Summary Screen. The following figure helps explain the main fields in the web configurator. Figure 27-1 IPSec Summary Fields. Local and remote IP addresses must be static.
  • Page 298: Keep Alive

    This field displays the VPN rule number. Active: Y signifies that this VPN rule is active. Local Addr.: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL. Remote Addr.: This field displays the IP address (in a range) of computers on the remote network behind the …
  • Page 299: Nat Traversal

    When there is outbound traffic with no inbound traffic, the ZyWALL automatically … 27.7 NAT Traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. Figure 27-3 NAT Router Between IPSec Routers. Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet.
  • Page 300: Table 27-3 Local Id Type And Content Fields

    …addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyWALL from IPSec routers with dynamic IP addresses (see section 27.16.2 for a telecommuter configuration example). With main mode (see section 27.10.1), the ID type and content are encrypted to provide identity protection. In this case the ZyWALL can only distinguish between up to eight different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.
  • Page 301: Configuring Basic Ike Vpn Rule Setup

    27.8.1 ID Type and Content Examples. Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. The two ZyWALLs in this example can complete negotiation and establish a VPN tunnel. Table 27-5 Matching ID Type and Content Configuration Example. ZYWALL A: Local ID type: E-mail; Local ID content: tom@yourcompany.com...
  • Page 302: Figure 27-4 Basic Ike Vpn Rule Setup

    Figure 27-4 Basic IKE VPN Rule Setup. Table 27-7 Basic IKE VPN Rule Setup. LABEL/DESCRIPTION. Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall.
  • Page 303 Keep Alive: Select this check box to turn on the keep alive feature for this SA. Turn on keep alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
  • Page 304 My IP Address: Enter the WAN IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes. Select IP to identify this ZyWALL by its IP address.
  • Page 305 When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Secure Gateway field. When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote IPSec router.
  • Page 306: Ike Phases

    Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 307: Negotiation Mode

    Choose a negotiation mode. Authenticate the connection by entering a pre-shared key. Choose an encryption algorithm. Choose an authentication algorithm. Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out.
  • Page 308: Configuring Advanced Ike Setup

    27.10.3 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 – DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated.
  • Page 309: Figure 27-6 Advanced Ike Vpn Rule Setup

    Figure 27-6 Advanced IKE VPN Rule Setup
  • Page 310 Active: Select this check box to activate this VPN/IPSec policy. Keep Alive: Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 311 Local Port End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field (or equal to it for configuring an individual port). Remote Address: Enter the beginning (static) IP address, in a range of computers behind the remote secure gateway.
  • Page 312 Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the remote secure gateway with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote secure gateway has a dynamic WAN IP address (the Key Management field must be set to IKE).
  • Page 313: Table 27-8 Advanced Ike Vpn Rule Setup

    SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 314: Manual Key Setup

    Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
  • Page 315 Select Manual in the Key Management field to display the manual VPN rule setup screen. Figure 27-7 Manual IKE VPN Rule Setup. Table 27-9 Manual IKE VPN Rule Setup. LABEL/DESCRIPTION. Active: Select this check box to activate this VPN/IPSec policy.
  • Page 316 IPSec Keying Mode: Select IKE or Manual from the drop-down list box. IKE is the preferred choice as the key is generated automatically; Manual is useful for troubleshooting. Make sure the remote gateway has the same configuration in this field. Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc.
  • Page 317 My IP Address: Enter the WAN IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes. Secure Gateway IP: Type the WAN IP address or the URL (up to 31 characters) of the remote secure gateway with which you're making the VPN connection.
  • Page 318: Sa Monitor

    Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. The ZyWALL's authentication algorithm should be identical to that of the secure remote gateway. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate the source and integrity of packet data.
  • Page 319: Figure 27-8 Vpn Sa Monitor

    This is the security association index number. Name: This field displays the identification name for this VPN policy. Encapsulation: This field displays Tunnel or Transport mode. IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
  • Page 320: Global Settings

    Next Page (if applicable): Click Next Page to view more items in the summary (if you have a summary list that exceeds this page). 27.15 Global Settings. In the web configurator, click VPN on the navigation panel and the Global Setting tab. Use this screen to allow or block NetBIOS packets in the IPSec tunnels.
  • Page 321: Telecommuter Vpn/Ipsec Examples

    27.16 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters from remote IPSec routers that use dynamic WAN IP addresses. 27.16.1 Telecommuters Sharing One VPN Rule Example Multiple telecommuters can use one VPN rule to simultaneously access a ZyWALL at headquarters. They must all use the same IPSec parameters (including the pre-shared key) but the local IP addresses (or ranges of addresses) cannot overlap.
  • Page 322: Figure 27-10 Telecommuters Sharing One Vpn Rule Example

    Figure 27-10 Telecommuters Sharing One VPN Rule Example. 27.16.2 Telecommuters Using Unique VPN Rules Example. With aggressive negotiation mode (see section 27.10.1), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters.
  • Page 323: Figure 27-11 Telecommuters Using Unique Vpn Rules Example

    Figure 27-11 Telecommuters Using Unique VPN Rules Example
  • Page 325: Troubleshooting

    Part IX: Troubleshooting. This part provides possible remedies for potential problems.
  • Page 327: Chapter 28 Troubleshooting

    This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see the … 23.1 Problems Starting Up the ZyWALL. Table 28-1 Troubleshooting the Start-Up of Your ZyWALL. PROBLEM: None of the … Make sure that you have the included power adaptor or cord connected to the ZyWALL...
  • Page 328: Problems With A Lan Interface

    28.1 Problems with a LAN Interface. Table 28-2 Troubleshooting the LAN Interface. PROBLEM: Cannot access the ZyWALL from the LAN. Check your Ethernet cable type and connections. Refer to the Rear Panel and Connections section for LAN connection instructions. Make sure your Ethernet card is installed and functioning properly. PROBLEM: Cannot ping … Check the 10M/100M LAN LEDs on the front panel.
  • Page 329: Problems With Internet Access

    28.3 Problems with Internet Access. Table 28-4 Troubleshooting Internet Access. PROBLEM: Cannot access the Internet. Connect your cable/DSL modem to the ZyWALL using the appropriate cable. Check with the manufacturer of your cable/DSL device about your cable requirement because some devices may require a crossover cable and others a regular straight-through cable.
  • Page 331: General Appendices

    Part X: General Appendices. This part provides background information about setting up your computer’s IP address, antennas, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP, hardware specifications, Universal Plug and Play, IP subnetting and safety warnings.
  • Page 333: Appendix A Setting Up Your Computer's Ip Address

    Appendix A Setting up Your Computer’s IP Address. All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 334 2. The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK.
  • Page 335 Click the IP Address tab. -To have your computer assigned a dynamic IP address, select Obtain an IP address automatically. -To give your computer a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
  • Page 336 Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
  • Page 337 ZyWALL 2 and ZyWALL 2WE Select your network adapter. You should see your computer's (static) IP address, subnet mask and default gateway in this screen. Verify that your computer’s static IP address is in the correct subnet (192.168.1.2 to 192.168.1.254 if using the default ZyWALL LAN IP address).
  • Page 338 Windows 2000/NT/XP: In Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. In Windows XP, click Network Connections. In Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
  • Page 339 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
  • Page 340 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -To have your computer assigned a dynamic IP address, click Obtain an IP address automatically. -If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Page 341 -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 342 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 343 Macintosh OS 8/9: Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list.
  • Page 344: Macintosh Os X

    For dynamically assigned settings, select Using DHCP Server from the Configure: list. For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box.
  • Page 345 Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. For statically assigned settings, do the following: -From the Configure box, select Manually.
  • Page 346: Appendix B Antennas

    This appendix provides information about antenna selection and positioning. The access points in a wireless LAN send a radio frequency (RF) signal to the antennas, which propagate and capture the RF signal. Choosing the right antennas and positioning them properly increases the range and coverage area of a wireless LAN.
  • Page 347 • Directional antennas concentrate the RF signal in a beam, like a flashlight. The angle of the beam width determines the direction of the coverage pattern; typically ranges from 20 degrees (less directional) to 90 degrees (very directional). The directional antennas are ideal for hallways and outdoor point-to-point applications.
  • Page 348: Appendix C Triangle Route

    The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. The “Triangle Route”...
  • Page 349 The “Triangle Route” Solutions: This section presents two solutions to the “triangle route” problem. IP Aliasing: IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces with the ZyWALL being the gateway for each logical network.
  • Page 350: Gateways On The Wan Side

    Gateways on the WAN Side: A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 351: Appendix D The Big Picture

    Appendix D The Big Picture. The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram D-1 Big Picture: Filtering, Firewall, VPN and NAT
  • Page 352: Appendix E Wireless Lan And Ieee 802.11

    A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
  • Page 353 IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band.
  • Page 354 Infrastructure Wireless LAN Configuration: For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
  • Page 355: Appendix F Wireless Lan With Ieee 802.1X

    Appendix F Wireless LAN With IEEE 802.1x. As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11: Wireless networks based on the original IEEE 802.11 have a poor reputation for security. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
  • Page 356 • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
  • Page 357
  • Page 359: Appendix Gpppoe

    PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
  • Page 360: How Pppoe Works

    How PPPoE Works. The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 361: Appendix H Pptp

    Appendix H PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 362 PPTP Protocol Overview: PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
  • Page 363 Diagram H-3 Example Message Exchange between PC and an ANT. PPP Data Connection: The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 364: Appendix I Hardware Specifications

    Power Specification, MTBF, Operation Temperature, Ethernet Specification for LAN/VPN Ports. Cable Pin Assignments: In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port.
  • Page 365 Chart I-2 Console/Dial Backup Port Pin Assignments. CONSOLE Port RS-232 (Female) DB-9F: Pin 1 = NON; Pin 2 = DCE-TXD; Pin 3 = DCE-RXD; Pin 4 = DCE-DSR; Pin 5 = GND; Pin 6 = DCE-DTR; Pin 7 = DCE-CTS; Pin 8 = DCE-RTS; Pin 9 = NON...
  • Page 366: Power Adaptor Specifications

    Power Adaptor Specifications. Chart I-4 North American AC Power Adaptor Specifications: AC Power Adapter model AD48-1201200DUY; Input power: AC 120 Volts/60 Hz/0.25 A; Output power: DC 12 Volts/1.2 A; Power consumption: 10 W; Plug: North American standards; Safety standards: UL, CUL (UL 1950, CSA C22.2 No.234-M90). AC Power Adapter model AD48-1201200DUY; Input power: AC 120 Volts/60 Hz; Output power: DC 12 Volts/1.2 A; Power consumption: 9 W...
  • Page 367 Chart I-5 European Union AC Power Adaptor Specifications: Safety standards: TUV, CE (EN 60950). Chart I-6 UK AC Power Adaptor Specifications: AC Power Adapter model AD-1201200DK; Input power: AC 230 Volts/50 Hz/0.2 A; Output power: DC 12 Volts/1.2 A; Power consumption: 10 W; Plug: United Kingdom standards; Safety standards: TUV, CE (EN 60950, BS7002). Chart I-7 Japan AC Power Adaptor Specifications...
  • Page 368: Appendix J Universal Plug And Play

    What is Universal Plug and Play? Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.
  • Page 369 Are there any cautions about UPnP? The automated nature of NAT Traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
  • Page 370: Installing Upnp In Windows Me

    Enable the Universal Plug and Play (UPnP) feature: Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although you must still enter the password to access the web configurator).
  • Page 371: Installing Upnp In Windows Xp

    Step 1. Click Start and Control Panel. Double-click Add/Remove Programs. Step 2. Click the Windows Setup tab and select Communication in the Components selection box. Click Details. Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box. Step 4.
  • Page 372: Using Upnp In Windows Xp Example

    Components Wizard window displays. Step 4. Select Networking Service in the Components selection box and click Details. Step 5. In the Networking Services window, select the Universal Plug and Play check box. Step 6. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
  • Page 373 Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. Step 2. Right-click the icon and select Properties. Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Step 4.
  • Page 374: Web Configurator Easy Access

    When the UPnP-enabled device is disconnected from your computer, all port … Step 5. Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray. Step 6. Double-click the icon to display your current Internet connection status.
  • Page 375 Step 1. Click start and then Control Panel. Step 2. Double-click Network Connections. Step 3. Select My Network Places under Other Places. Step 4. An icon with the description for each UPnP-enabled device displays under Local Network. Step 5. Right-click the icon for your ZyXEL device and select Invoke.
  • Page 376 Step 6. Right-click on the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device. UPnP...
  • Page 377: Appendix K Ip Subnetting

    IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 378: Subnet Masks

    ZyWALL 2 and ZyWALL 2WE A class “B” address (16 host bits) can have 2 A class “A” address (24 host bits) can have 2 Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
  • Page 379 With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
  • Page 380 The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit.
  • Page 381 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
  • Page 382: Example Eight Subnets

    IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address: 192.168.1.128 Broadcast Address: 192.168.1.191 IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address: 192.168.1.192 Broadcast Address: 192.168.1.255 Example Eight Subnets Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet.
  • Page 383: Subnetting With Class A And Class B Networks

    SUBNET SUBNET ADDRESS The following table is a summary for class “C” subnet planning. NO. “BORROWED” HOST BITS Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
  • Page 384 NO. “BORROWED” HOST BITS Chart K-13 Class B Subnet Planning SUBNET MASK NO. SUBNETS 255.255.240.0 (/20) 255.255.248.0 (/21) 255.255.252.0 (/22) 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) NO. HOSTS PER SUBNET 4094 2046 1022...
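The two-subnet, four-subnet and eight-subnet class C examples above, and the class B host counts from Chart K-13, carried through in code. This is an added example and not ZyXEL's code; the function names (subnet_info, split_network) are this example's own, and it rejects /31 and /32 as having no usable host range, which is an assumption of the example rather than a statement from the manual.

```python
"""Subnet arithmetic for the examples in this appendix. Added example, not
ZyXEL code; it uses only the standard library and keeps the 32-bit values
visible so the borrowed host bits can be seen."""
import socket
import struct

def ip_to_int(ip: str) -> int:
    """Dotted decimal -> 32-bit integer (big-endian)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))

def mask_to_prefix(mask: str) -> int:
    """Number of network bits in a dotted-decimal mask; rejects non-contiguous masks."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix

def subnet_info(ip: str, mask: str) -> dict:
    """Subnet address, directed broadcast and usable host range for ip/mask."""
    m = ip_to_int(mask)
    net = ip_to_int(ip) & m            # network bits kept, host bits cleared
    bcast = net | (~m & 0xFFFFFFFF)    # host bits all set
    return {"subnet": int_to_ip(net), "broadcast": int_to_ip(bcast),
            "first_host": int_to_ip(net + 1), "last_host": int_to_ip(bcast - 1),
            "hosts": bcast - net - 1}

def split_network(network: str, base_mask: str, borrowed_bits: int) -> list:
    """Borrow host bits from network/base_mask, giving 2**borrowed_bits subnets.
    Assumption of this example: /31 and /32 are rejected as having no host range."""
    new_prefix = mask_to_prefix(base_mask) + borrowed_bits
    if new_prefix > 30:
        raise ValueError("fewer than two usable host addresses per subnet")
    new_mask = int_to_ip((0xFFFFFFFF << (32 - new_prefix)) & 0xFFFFFFFF)
    size = 1 << (32 - new_prefix)      # addresses per subnet
    base = ip_to_int(network) & ip_to_int(base_mask)
    return [subnet_info(int_to_ip(base + i * size), new_mask)
            for i in range(1 << borrowed_bits)]

if __name__ == "__main__":
    # Two subnets of 192.168.1.0 with mask 255.255.255.128, as in the text.
    for s in split_network("192.168.1.0", "255.255.255.0", 1):
        print(s)
    # Last-octet values of the eight /27 subnets.
    print([s["subnet"].rsplit(".", 1)[1]
           for s in split_network("192.168.1.0", "255.255.255.0", 3)])
```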
  • Page 385: Appendix L Safety Warnings And Instructions

    Safety Warnings and Instructions 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40° Celsius (104° Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 387: Command And Log Appendices

    Command and Log Appendices Part XI: Command and Log Appendices This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection.
  • Page 389: Appendix M Command Interpreter

    Appendix M Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
  • Page 390: Appendix N Firewall Commands

    The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. FUNCTION config edit firewall active <yes | no> config retrieve firewall config save firewall config display firewall config display firewall set <set #> config display firewall set <set #>...
  • Page 391 FUNCTION config display firewall e-mail config display firewall ? config edit firewall e-mail mail- server <ip address of mail server> config edit firewall e-mail return- addr <e-mail address> config edit firewall e-mail email- to <e-mail address> config edit firewall e-mail policy <full | hourly | daily | weekly>...
  • Page 392: Firewall Commands

    FUNCTION config edit firewall attack send- alert <yes | no> config edit firewall attack block <yes | no> config edit firewall attack block- minute <0-255> config edit firewall attack minute- high <0-255> config edit firewall attack minute- low <0-255> config edit firewall attack max- incomplete-high <0-255>...
  • Page 393 FUNCTION config edit firewall set <set #> name <desired name> Config edit firewall set <set #> default-permit <forward | block> Config edit firewall set <set #> icmp-timeout <seconds> Config edit firewall set <set #> udp-idle-timeout <seconds> Config edit firewall set <set #> connection-timeout <seconds>...
  • Page 394 FUNCTION Config edit firewall set <set #> rule <rule #> active <yes | no> Config edit firewall set <set #> rule <rule #> protocol <integer protocol value > Config edit firewall set <set #> rule <rule #> log <none | match | not-match | both>...
  • Page 395 FUNCTION config edit firewall set <set #> rule <rule #> destaddr-range <start ip address> <end ip address> config edit firewall set <set #> rule <rule #> TCP destport-single <port #> config edit firewall set <set #> rule <rule #> TCP destport-range <start port #>...
  • Page 396 ZyWALL 2 and ZyWALL 2WE Firewall Commands...
  • Page 397: Appendix O Netbios Filter Commands

    The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
  • Page 398: Netbios Filter Configuration

    NAME LAN to WAN This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN. WAN to LAN This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the LAN. IPSec Packets This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.
  • Page 399 sys filter netbios config 1 off Command: This command forwards WAN to LAN NetBIOS packets Command: sys filter netbios config 6 on This command blocks IPSec NetBIOS packets Command: sys filter netbios config 7 off This command stops NetBIOS commands from initiating calls. NetBIOS Filter Commands ZyWALL 2 and ZyWALL 2WE...
  • Page 400: Appendix P Boot Commands

    The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATLC firmware) and...
  • Page 401: Boot Commands

    just answer OK
    ATHE print help
    ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y) set BootExtension Debug Flag (y=password)
    ATSE show the seed of password generator
    ATTI(h,m,s) change system time to hour:min:sec or show current time
    ATDA(y,m,d) change system date to year/month/day or show current date
    ATDS dump RAS stack
    ATDT...
  • Page 402: Appendix Q Log Descriptions

    LOG MESSAGE %s exceeds the max. number of session per host! LOG MESSAGE Time calibration is successful Time calibration failed DHCP client gets %s DHCP client IP expired DHCP server assigns SMT Login Successfully SMT Login Fail WEB Login Successfully WEB Login Fail TELNET Login Successfully...
  • Page 403 TELNET Login Fail FTP Login Successfully FTP Login Fail NAT Session Table is Full! LOG MESSAGE UPnP pass through Firewall CATEGORY LOG MESSAGE URLFOR IP/Domain Name URLBLK IP/Domain Name JAVBLK IP/Domain Name LOG MESSAGE attack TCP attack UDP Log Descriptions Chart Q-2 System Maintenance Logs Someone has failed to log on to the router via telnet.
  • Page 404 LOG MESSAGE attack IGMP attack ESP attack GRE attack OSPF attack ICMP (type:%d, code:%d) land TCP land UDP land IGMP land ESP land GRE land OSPF land ICMP (type:%d, code:%d) ip spoofing - WAN TCP ip spoofing - WAN UDP ip spoofing - WAN IGMP ip spoofing - WAN ESP...
  • Page 405 LOG MESSAGE syn flood TCP ports scan TCP teardrop TCP teardrop UDP teardrop ICMP (type:%d, code:%d) illegal command TCP NetBIOS TCP ip spoofing - no routing entry TCP ip spoofing - no routing entry UDP ip spoofing - no routing entry IGMP ip spoofing - no routing entry ESP ip spoofing - no...
  • Page 406 LOG MESSAGE Firewall default policy: TCP (set:%d) Firewall default policy: UDP (set:%d) Firewall default policy: ICMP (set:%d, type:%d, code:%d) Firewall default policy: IGMP (set:%d) Firewall default policy: ESP (set:%d) Firewall default policy: GRE (set:%d) Firewall default policy: OSPF (set:%d) Firewall default policy: (set:%d) Firewall rule match: TCP (set:%d, rule:%d)
  • Page 407 LOG MESSAGE Firewall rule match: IGMP (set:%d, rule:%d) Firewall rule match: ESP (set:%d, rule:%d) Firewall rule match: GRE (set:%d, rule:%d) Firewall rule match: OSPF (set:%d, rule:%d) Firewall rule match: (set:%d, rule:%d) Firewall rule NOT match: TCP (set:%d, rule:%d) Firewall rule NOT match: UDP (set:%d, rule:%d) Firewall rule NOT...
  • Page 408 LOG MESSAGE Firewall rule NOT match: OSPF (set:%d, rule:%d) Firewall rule NOT match: (set:%d, rule:%d) Filter default policy DROP! Filter default policy DROP! Filter default policy DROP! Filter default policy DROP! Filter default policy DROP! Filter default policy FORWARD! Filter default policy FORWARD! Filter default policy FORWARD!
  • Page 409 LOG MESSAGE Filter match DROP <set %d/rule %d> Filter match DROP <set %d/rule %d> Filter match DROP <set %d/rule %d> Filter match FORWARD <set %d/rule %d> Filter match FORWARD <set %d/rule %d> Filter match FORWARD <set %d/rule %d> Filter match FORWARD <set %d/rule %d>...
  • Page 410 ZyWALL 2 and ZyWALL 2WE LOG MESSAGE Firewall sent TCP reset packets Packet without a NAT table entry blocked Out of order TCP handshake packet blocked Drop unsupported/out- of-order ICMP Router sent ICMP response packet (type:%d, code:%d) ACL SET DIRECTION NUMBER LAN to WAN WAN to LAN...
  • Page 411 TYPE CODE Echo Reply Echo reply message Destination Unreachable Net unreachable Host unreachable Protocol unreachable Port unreachable A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) Source route failed Source Quench A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
  • Page 412 ZyWALL 2 and ZyWALL 2WE TYPE CODE Timestamp Timestamp request message Timestamp Reply Timestamp reply message Information Request Information request message Information Reply Information reply message LOG MESSAGE Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" VPN/IPSec logs To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next.
  • Page 413: Log Descriptions

    Index: Date/Time: ------------------------------------------------------------ 01 Jan 08:02:22 01 Jan 08:02:22 01 Jan 08:02:22 01 Jan 08:02:24 01 Jan 08:02:24 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 01 Jan 08:02:26 Clear IPSec Log (y/n): Diagram Q-1 Example VPN Initiator IPSec Log VPN Responder IPSec Log The following figure shows a typical log from the VPN connection peer.
  • Page 414 A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel Chart Q-10 Sample IKE Key Exchange Logs LOG MESSAGE Send <Symbol> Mode request to <IP> Send <Symbol> Mode request to <IP> Recv <Symbol> Mode request from <IP> Recv <Symbol>...
  • Page 415 Chart Q-10 Sample IKE Key Exchange Logs LOG MESSAGE !! Invalid IP <IP start>/<IP end> !! Remote IP <IP start> / <IP end> conflicts !! Active connection allowed exceeded !! IKE Packet Retransmit !! Failed to send IKE Packet !! Too many errors! Deleting SA !! Phase 1 ID type mismatch !! Phase 1 ID content mismatch !! No known phase 1 ID type...
  • Page 416 Chart Q-10 Sample IKE Key Exchange Logs LOG MESSAGE vs. My Local <IP address> -> <symbol> Error ID Info The following table shows sample log messages during packet transmission. Chart Q-11 Sample IPSec Logs During Packet Transmission LOG MESSAGE !! WAN IP changed to <IP> !! Cannot find IPSec SA !! Cannot find outbound SA for rule <%d>...
  • Page 417: Log Commands

    The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Chart Q-12 RFC-2408 ISAKMP Payload Types LOG DISPLAY PROP TRANS CER_REQ HASH NONCE NOTFY Log Commands Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).
  • Page 418: Displaying Logs

    Chart Q-13 Log Categories and Available Settings LOG CATEGORIES attack error ipsec javablocked mten upnp urlblocked urlforward to not record logs for that category, alerts for that category, and Use the sys logs save command to store the settings in the ZyWALL (you must do this in order to record logs).
  • Page 419 .time notes message 0|11/11/2002 15:10:12 |172.22.3.80:137 |ACCESS BLOCK Firewall default policy: UDP(set:8) 1|11/11/2002 15:10:12 |172.21.4.17:138 |ACCESS BLOCK Firewall default policy: UDP(set:8) 2|11/11/2002 15:10:11 |172.17.2.1 |ACCESS BLOCK Firewall default policy: IGMP(set:8) 3|11/11/2002 15:10:11 |172.22.3.80:137 |ACCESS BLOCK Firewall default policy: UDP(set:8) 4|11/11/2002 15:10:10 |192.168.10.1:520 |ACCESS BLOCK Firewall default policy: UDP(set:8) 5|11/11/2002 15:10:10 |172.21.4.67:137...
  • Page 420: Appendix R Brute-Force Password Guessing Protection

    Brute-Force Password Guessing The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure. Chart R-1 Brute-Force Password Guessing Protection Commands COMMAND sys pwderrtm sys pwderrtm 0...
  • Page 421: Index

    Index Part XII: Index This part provides an Index of key terms.
  • Page 423 10/100 Mbps Ethernet WAN ... 1-1 4-Port Switch ... 1-1 Access Point... 7-12 Action for Matched Packets ... 16-12 Active... 10-2 Ad-hoc Configuration ... 21 Allocated Budget ... 10-5 Alternative Subnet Mask Notation... 47 Antenna... 2-5 Directional... 15 Omni-directional ... 14 Types...
  • Page 424 Canada ...iv Caution...iv Central Network Management... 1-4 Certifications ... iii Changing the Password... 4-7 Channel ID... 7-13 CHAP ... 10-5 Classes of IP Addresses ...45 Clear to Send protocol ... 7-11 CLI Commands...58 Cloning the MAC address... 6-1 COM port... See Connecting the Console Port COM1 ...
  • Page 425 DIAL BACKUP... 33 Direct Sequence Spread Spectrum ... 21 Disclaimer ... ii Distribution System... 22 DNS ...5-1, 7-2, 24-2 Primary Server ... 7-7 Secondary Server ... 7-7 Server Address ... 7-2 Domain Name ...5-1, 12-14, 21-5 Basics ... 13-3 Types... 13-4 DoS (Denial of Service)...
  • Page 426 NAT ... 19-16 Remote Node ... 19-17 Structure... 19-2 TCP/IP Rule... 19-7 Filters Executing a Filter Rule ... 19-2 IP Filter Logic Flow... 19-9 Firewall... 1-2 Access Methods ... 14-1 Activating ... 14-2 Address Type ... 16-13 Alerts ... 15-2 Connection Direction...
  • Page 427 Hardware Connections... 2-3 Hardware Installation... 2-1 Hidden Menus... 4-2 Hidden Node problem... 7-10 Host... 5-4 Host IDs ... 45 HTTP ... 12-14, 13-1, 13-3, 13-4 HyperTerminal... 22-16, 22-17 HyperTerminal program ... 22-6, 22-10 i.e...See Syntax Conventions IANA ...7-3, 7-4 IBSS ... See Independent Basic Service Set ICMP echo ...
  • Page 428 Destination IP Address ... 11-3 IP Subnet Mask... 11-3 Name... 11-3 Route Number... 11-3 IP Subnet Mask... 7-9 IPSec VPN Capability ... 1-2 ISP’s Name ... 9-1 Key Fields For Configuring Rules... 16-3 LAN 10/100M ... 2-4 LAN Defaults ... 7-2 LAN IP Address ...
  • Page 429 Nailed-up Connection ... 10-4 Nailed-Up Connection ... 10-5 Nailed-Up Connections... 10-7 NAT ... 10-8, 19-16 Application... 12-4 Applying NAT in the SMT Menus ... 12-6 Configuring ... 12-8 Definitions... 12-1 Examples... 12-17 How NAT Works ... 12-2 Mapping Types ... 12-4 NAT Unfriendly Application Programs ...
  • Page 430 Protocol Filters... 7-9 Incoming... 7-9 Outgoing ... 7-9 Protocol/Port... 18-8, 18-9 Quick Start Guide ... 3-1 RADIUS ... 1-3, 8-3 Shared Secret Key... 8-5 RADIUS Message Types... 8-4 RADIUS Server Configure ... 8-6, 8-8 Read Me First ...xxvii Rear Panel... 2-3 Related Documentation...xxvii Relay...
  • Page 431 Safety Instructions ... 53 Saving the State... 13-7 Schedule Sets Duration ... 25-2 Schedules ... 10-5, 10-7 Security Ramifications... 16-2 Select...See Syntax Conventions Serial Port... See Connecting the Console Port Server7-2, 7-3, 9-2, 10-3, 12-5, 12-6, 12-9, 12-10, 12-13, 12-14, 12-15, 12-16, 12-18, 12-19, 23-6 Server IP ...
  • Page 432 TCP/IP 7-2, 7-5, 7-7, 10-7, 13-3, 13-4, 19-6, 19-7, 19-9, 19-12, 19-16, 24-1 Setup ... 7-7 TCP/IP and DHCP Setup... 7-6 TCP/IP filter rule ... 19-6 Teardrop... 13-4 Telnet ... 24-1 Telnet Configuration... 24-1 Terminal Emulation ... 4-1 Terminal Emulator... 2-4 TFTP...
  • Page 433 View Log ... 18-1 VPN ... 9-2 VT100 ... 4-1 WAN DHCP ... 21-12, 21-13 WAN Setup...6-1, 28-2 WAN to LAN Rules... 16-4 Warranty ... v Web... 24-2 Web Configurator ... 3-1, 13-2, 13-11, 14-2, 16-3 Web Site Hits ... 18-8 WEP ...7-11, 8-2 WEP Encryption ...

This manual is also suitable for:

Zywall 2
