ZyXEL Communications ZYWALL 10W User Manual

Internet security gateway
ZyWALL 10/10W/50/100
Internet Security Gateway
User's Guide
Versions 3.52 and 3.60
December 2002

Summary of Contents for ZyXEL Communications ZYWALL 10W

  • Page 1 ZyWALL 10/10W/50/100 Internet Security Gateway User’s Guide Versions 3.52 and 3.60 December 2002...
  • Page 2 Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 3 Consult the dealer or an experienced radio/TV technician for help. Notice 1 Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. Certifications Refer to the product page at www.zyxel.com.
  • Page 4: Information For Canadian Users

    ZyWALL 10~100 Series Internet Security Gateway Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Zyxel Limited Warranty

    Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid.
  • Page 6: Customer Support

    Brief description of the problem and the steps you took to solve it. Contact methods (support/sales e-mail, telephone/fax, web site/FTP site and regular mail) by location: WORLDWIDE: support@zyxel.com.tw, +886-3-578-3942; sales@zyxel.com.tw, +886-3-578-2439; www.zyxel.com, www.europe.zyxel.com, ftp.europe.zyxel.com; ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu 300, Taiwan. NORTH: support@zyxel.com, +1-714-632-0882; www.zyxel.com; ZyXEL Communications Inc.,...
  • Page 7: Table Of Contents

    Table of Contents Copyright..............................ii Federal Communications Commission (FCC) Interference Statement..........iii Information for Canadian Users .......................iv ZyXEL Limited Warranty ..........................v Customer Support ............................vi List of Figures ............................xvi List of Tables ............................xxv Preface ..............................xxx Overview ................................I Chapter 1 Getting to Know Your ZyWALL ..................
  • Page 8 System Name ..........................4-1 Dynamic DNS..........................4-1 General Setup..........................4-2 Chapter 5 WAN and Dial Backup Setup ....................5-1 Cloning The MAC Address ......................5-1 WAN Setup..........................5-1 Dial Backup ..........................5-2 Configuring Dial Backup in Menu 2...................5-2 Advanced WAN Setup........................5-4 Backup Remote Node Setup .......................5-6 Remote Node Profile (Backup ISP) ....................5-7 Editing PPP Options ........................5-9...
  • Page 9 MAC Address Filtering......................7-10 Chapter 8 DMZ Setup ..........................8-1 Introduction..........................8-1 DMZ Port Filter Setup ....................... 8-2 TCP/IP Setup..........................8-2 Chapter 9 Internet Access ........................9-1 Internet Access Setup ......................... 9-1 Basic Setup Complete ........................ 9-5 Advanced Applications ..........................
  • Page 10 13.2 Types of Firewalls.........................13-1 13.3 Introduction to ZyXEL’s Firewall ..................13-2 13.4 Denial of Service........................13-3 13.5 Stateful Inspection ........................13-7 13.6 Guidelines For Enhancing Security With Your Firewall ............13-11 13.7 Packet Filtering Vs Firewall ....................13-12 Chapter 14 Introducing the ZyWALL Firewall ...................14-1 14.1...
  • Page 11 17.4 List Update ........................... 17-8 17.5 Exempt Computers......................17-10 17.6 Customizing ........................17-11 17.7 Domain Name ........................17-14 Logs, Filter Configuration, and SNMP Configuration ................V Chapter 18 Centralized Logs ........................ 18-1 18.1 View Log..........................18-1 18.2 Log Settings .........................
  • Page 12 22.1 Filename Conventions ......................22-1 22.2 Backup Configuration......................22-2 22.3 Restore Configuration......................22-8 22.4 Uploading Firmware and Configuration Files ..............22-11 System Maintenance and Information and Remote Management ............VII Chapter 23 System Maintenance & Information.................23-1 23.1 Command Interpreter Mode....................23-1 23.2 Call Control Support ......................23-2 23.3...
  • Page 13 25.7 Bandwidth Borrowing ......................25-8 25.8 Bandwidth Management Setup ..................25-10 IP Policy Routing, Call Scheduling and VPN/IPSec................... IX Chapter 26 IP Policy Routing ....................... 26-1 26.1 Introduction .......................... 26-1 26.2 Benefits ..........................26-1 26.3 Routing Policy........................
  • Page 14 Troubleshooting .............................. X Chapter 31 Troubleshooting ........................1 31.1 Problems Starting Up the ZyWALL ..................1 31.2 Problems with the LAN Interface ....................2 31.3 Problems with the DMZ Interface....................2 31.4 Problems with the WAN Interface..................... 3 31.5 Problems with Internet Access....................
  • Page 15 Appendix Q Log Descriptions........................69 Appendix R Brute-Force Password Guessing Protection...............87 Index................................XIII Index ................................A Table of Contents...
  • Page 16 Figure 1-2 VPN Application ...........................1-9 Figure 2-1 ZyWALL 100 Front Panel......................2-1 Figure 2-2 ZyWALL 50 Front Panel.......................2-1 Figure 2-3 ZyWALL 10W Front Panel ......................2-1 Figure 2-4 ZyWALL 10 Front Panel.......................2-2 Figure 2-5 ZyWALL 100 Rear Panel......................2-4 Figure 2-6 ZyWALL 50 Rear Panel........................2-4 Figure 2-7 ZyWALL 10W Rear Panel ......................2-5...
  • Page 17 Figure 5-6 Remote Node PPP Options Menu Fields..................5-10 Figure 5-7 Menu 11.3: Remote Node Network Layer Options ..............5-11 Figure 5-8 Menu 11.4 – Remote Node Setup Script ..................5-14 Figure 5-9 Menu 11.5: Remote Node Filter (Ethernet) ................5-15 Figure 5-10 Menu 11.5: Remote Node Filter (PPPoE or PPTP) ..............
  • Page 18 Figure 10-12 Menu 11.6: Traffic Redirect Setup ..................10-14 Figure 11-1 Example of Static Routing Topology ..................11-1 Figure 11-2 Menu 12: IP Static Route Setup (ZyWALL 10W)..............11-2 Figure 11-3 Menu 12. 1: Edit IP Static Route....................11-3 Figure 12-1 How NAT Works ........................12-3 Figure 12-2 NAT Application With IP Alias ....................12-4...
  • Page 19 Figure 12-11 Multiple Servers Behind NAT Example ................12-16 Figure 12-12 NAT Example 1 ........................12-17 Figure 12-13 Menu 4: Internet Access & NAT Example ................12-17 Figure 12-14 NAT Example 2 ........................12-18 Figure 12-15 Menu 15.2: Specifying an Inside Server................
  • Page 20 Figure 16-4 Creating/Editing A Firewall Rule (ZyWALL100)..............16-12 Figure 16-5 Adding/Editing Source and Destination Addresses..............16-14 Figure 16-6 Creating/Editing A Custom Port....................16-16 Figure 16-7 Firewall Rule Configuration Screen (ZyWALL100)...............16-17 Figure 16-8 Firewall IP Config Screen .......................16-18 Figure 16-9 Custom Port for MyService.....................16-19 Figure 16-10 MyService Rule Configuration (ZyWALL100) ..............16-20 Figure 16-11 Example 3: Rule Summary (ZyWALL100)................16-21...
  • Page 21 Figure 21-2 Menu 24.1: System Maintenance: Status (ZyWALL 100)............21-2 Figure 21-3 Menu 24.2: System Information and Console Port Speed............21-3 Figure 21-4 Menu 24.2.1: System Maintenance: Information (ZyWALL 10W).......... 21-4 Figure 21-5 Menu 24.2.2: System Maintenance: Change Console Port Speed..........21-5 Figure 21-6 Menu 24.3: System Maintenance: Log and Trace ..............
  • Page 22 Figure 22-11 Restore Configuration Example ....................22-11 Figure 22-12 Successful Restoration Confirmation Screen ................22-11 Figure 22-13 Telnet Into Menu 24.7.1: Upload System Firmware .............22-12 Figure 22-14 Telnet Into Menu 24.7.2: System Maintenance..............22-13 Figure 22-15 FTP Session Example of Firmware File Upload ..............22-14 Figure 22-16 Menu 24.7.1 as seen using the Console Port.................22-16 Figure 22-17 Example Xmodem Upload ....................22-17 Figure 22-18 Menu 24.7.2 as seen using the Console Port.................22-18...
  • Page 23 Figure 25-10 Bandwidth Management Statistics ..................25-16 Figure 25-11 Bandwidth Manager Monitor ....................25-18 Figure 26-2 IP Routing Policy Setup ......................26-2 Figure 26-4 Menu 25.1: Sample IP Routing Policy Setup ................26-3 Figure 26-5 IP Routing Policy ........................26-4 Figure 26-6 Menu 3.2: TCP/IP and DHCP Ethernet Setup ................
  • Page 24 Figure 29-10 Menu 27.1.1.2: Manual Setup ....................29-22 Figure 30-1 Menu 27.2: SA Monitor ......................30-1 xxiv List of Figures...
  • Page 25 List of Tables Table 1-1 Model Specific Features......................... 1-1 Table 2-1 LED Descriptions........................... 2-2 Table 2-2 LAN Port Connections With an Uplink Button ................2-7 Table 3-1 Main Menu Commands........................3-2 Table 3-2 Main Menu Summary ........................3-3 Table 4-1 General Setup Menu Field ......................
  • Page 26 Table 9-1 Menu 4: Internet Access Setup Menu Fields ..................9-1 Table 9-2 New Fields in Menu 4 (PPTP) Screen ....................9-3 Table 9-3 New Fields in Menu 4 (PPPoE) screen...................9-5 Table 10-1 Fields in Menu 11.1 ........................10-2 Table 10-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ..............10-5 Table 10-3 Fields in Menu 11.1 (PPTP Encapsulation) ................10-6 Table 10-4 Remote Node Network Layer Options Menu Fields..............10-7...
  • Page 27 Table 16-4 Adding/Editing Source and Destination Addresses..............16-15 Table 16-5 Creating/Editing A Custom Port....................16-16 Table 17-1 Content Filter: Categories ......................17-2 Table 17-2 Content Filter: Free ........................17-6 Table 17-3 Content Filter: iCard ........................17-7 Table 17-4 Content Filter: List Update ......................
  • Page 28: Chapter 31 Troubleshooting

    Table 24-1 Menu 24.11 – Remote Management Control................24-3 Table 25-1 Application and Subnet-based Bandwidth Management Example ..........25-4 Table 25-2 Bandwidth Manager: Summary ....................25-12 Table 25-3 Bandwidth Manager: Class Setup.....................25-13 Table 25-4 Bandwidth Manager: Class Configuration................25-14 Table 25-5 Services and Port Numbers......................25-16 Table 25-6 Bandwidth Management Statistics....................25-17 Table 25-7 Bandwidth Manager Monitor....................25-18...
  • Page 29 Table 31-4 Troubleshooting the WAN interface....................3 Table 31-5 Troubleshooting Internet Access ......................3 Table 31-6 Troubleshooting the Password ......................4 Table 31-7 Troubleshooting Telnet........................4 List of Tables xxix...
  • Page 30: Related Documentation

    The Packing List Card lists all items that should have come in the package. Certifications Refer to the product page at www.zyxel.com for information on product certifications. ZyXEL Glossary and Web Site Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation. Syntax Conventions •...
  • Page 31 • Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem. •...
  • Page 33 Overview Part I: Overview This part covers Getting to Know Your ZyWALL and Hardware Installation.
  • Page 35: Table 1-1 Model Specific Features

    The ZyWALL 10/10W/50/100 are the ideal secure gateways for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, ZyXEL’s ZyWALL 10/10W/50/100 is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 36: Physical Features

    Number of IPSec VPN Security Associations UPnP * The ZyWALL 10W uses the same port for console management and for an auxiliary WAN backup Table Key: An “O” in a model’s column shows that the model has the specified feature. A number specific to an individual model may alternately be displayed.
  • Page 37: Time And Date

    10/100 Mbps Ethernet WAN The 10/100 Mbps Ethernet WAN port attaches to the Internet via broadband modem or router. This feature is not available on all models. Backup WAN or Auxiliary The Dial Backup or Auxiliary port can be used in reserve as a traditional dial-up connection when/if ever the broadband connection to the WAN port fails.
  • Page 38: Content Filtering

    LAN from content filtering. You can configure most features of the ZyWALL via SMT but ZyXEL recommends using the embedded web configurator to configure the firewall and content filtering.
  • Page 39: Call Scheduling

    Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the ZyWALL and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network. This feature is not available on all models.
  • Page 40: Traffic Redirect

    SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network.
  • Page 41: Applications For The Zywall

    Upgrade ZyWALL Firmware via LAN The firmware of the ZyWALL can be upgraded via the LAN. Embedded FTP and TFTP Servers The ZyWALL’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration.
  • Page 42: Figure 1-1 Secure Internet Access Via Cable, Dsl Or Wireless Modem

    Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem Getting to Know Your ZyWALL...
  • Page 43: Figure 1-2 Vpn Application

    1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. Figure 1-2 VPN Application
  • Page 45: Chapter 2 Hardware Installation

    Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs The LEDs on the front panel indicate the operational status of the ZyWALL. Figure 2-1 ZyWALL 100 Front Panel Figure 2-2 ZyWALL 50 Front Panel Figure 2-3 ZyWALL 10W Front Panel Hardware Installation...
  • Page 46: Figure 2-4 Zywall 10 Front Panel

    Figure 2-4 ZyWALL 10 Front Panel The following table describes the LED functions. Not all LEDs are included in every model. Table 2-1 LED Descriptions COLOR STATUS MEANING Green The ZyWALL is turned on. The ZyWALL is turned off.
  • Page 47: Zywall Rear Panel And Connections

    Table 2-1 LED Descriptions COLOR STATUS MEANING Orange The 100M DMZ is not connected. 100M The ZyWALL is connected to a 100Mbps DMZ. Flashing The 100M DMZ is sending or receiving packets. WAN 10M Green The 10M WAN link is not ready, or has failed.
  • Page 48: Figure 2-5 Zywall 100 Rear Panel

    Figure 2-5 ZyWALL 100 Rear Panel Figure 2-6 ZyWALL 50 Rear Panel
  • Page 49: Figure 2-7 Zywall 10W Rear Panel

    Figure 2-7 ZyWALL 10W Rear Panel Figure 2-8 ZyWALL 10 Rear Panel This section outlines how to connect your ZyWALL. If you want to connect a cable modem, you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the cable modem.
  • Page 50: Connecting The Console Port

    TA cable to the dial backup port of the ZyWALL and the other end to your modem or TA. This feature is not available on all models. With the ZyWALL 10W, the console port is also the auxiliary WAN port. Push the CON/AUX switch to AUX and use the included CON/AUX converter with the console cable to connect the CON/AUX port to your modem or TA.
  • Page 51: Table 2-2 Lan Port Connections With An Uplink Button

    Other ZyWALL models have an uplink button that allows you to switch When the ZyWALL is on and properly connected to a computer or a hub, the corresponding LAN LED on the front panel turns on. Table 2-2 LAN Port Connections With an Uplink Button CABLE FOR CONNECTING TO: A COMPUTER...
  • Page 52: Additional Installation Requirements

    Do not force, bend or twist the wireless LAN card. Figure 2-9 Inserting the Wireless LAN Card 2.2.7 Connecting the Power to your ZyWALL Connect the female end of the included power adaptor or power cord to the port labeled POWER on the rear panel of your ZyWALL.
  • Page 53: Additional Installation Requirements For Using 802.1X

    After the ZyWALL is properly set up, you can make future changes to the configuration through telnet connections. To keep the ZyWALL operating at optimal internal temperature, keep the bottom, sides and rear clear of obstructions and away from the exhaust of other equipment.
  • Page 55 Initial Setup and Configuration Part II: Initial Setup and Configuration This part covers Initial Setup, SMT Menu 1 General Setup, WAN and Dial Backup Setup, LAN Setup, Wireless LAN Setup, DMZ Setup, and Internet Access.
  • Page 57: Chapter 3 Initial Setup

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2002 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 58: Navigating The Smt Interface

    Enter Password : XXXX Figure 3-2 Password Screen Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
  • Page 59: Table 3-2 Main Menu Summary

    Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Not all models have all the features shown. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ZyWALL 100 Main Menu Getting Started Advanced Management 1.
  • Page 60 Table 3-2 Main Menu Summary MENU TITLE FUNCTION Internet Access Setup Configure your Internet Access setup (Internet address, gateway, login, etc.) with this menu. DMZ Setup (This feature is not available on all models) Use this menu to configure your public servers connected to the DMZ port.
  • Page 61: Figure 3-4 Getting Started And Advanced Applications Smt Menus

    3.2.3 SMT Menus at a Glance The available SMT screens vary by ZyWALL model. The following SMT overview applies to the ZyWALL 100. Figure 3-4 Getting Started and Advanced Applications SMT Menus Initial Setup...
  • Page 62: Figure 3-5 Advanced Management Smt Menus

    Figure 3-5 Advanced Management SMT Menus
  • Page 63: Changing The System Password

    Figure 3-6 Schedule Setup and IPSec VPN Configuration SMT Menus Changing the System Password Change the default system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next. Menu 23 - System Password Old Password= ? New Password= ?
  • Page 64: Resetting The Zywall

    The password will be reset to “1234” and the LAN IP address to 192.168.1.1 also. To obtain the default configuration file, download it from the ZyXEL FTP site, unzip it and save it in a folder. Turn the ZyWALL off and then on to begin a session. When you turn on the ZyWALL again you will see the initial screen.
  • Page 65: Chapter 4 Smt Menu 1 - General Setup

    SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. System Name System Name is for identification purposes. ZyXEL recommends you enter your computer’s “Computer name”. • In Windows 95/98 click Start -> Settings -> Control Panel and then double-click Network. Click the Identification tab, note the entry for the Computer name field and enter it in the ZyWALL System Name field.
  • Page 66: Figure 4-1 Menu 1: General Setup

    The Menu 1 - General Setup screen appears, as shown next. Fill in the required fields. Menu 1 - General Setup System Name= ZyWALL Domain Name=zyxel.com.tw Edit Dynamic DNS= No Press ENTER to Confirm or ESC to Cancel: Figure 4-1 Menu 1: General Setup...
  • Page 67: Figure 4-2 Configure Dynamic Dns

    4.3.1 Configuring Dynamic DNS To configure Dynamic DNS, go to Menu 1: General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next). Not all models have every field shown.
  • Page 68 Table 4-2 Configure Dynamic DNS Menu Fields FIELD DESCRIPTION EXAMPLE USER Enter your user name. Password Enter the password assigned to you. Enable Wildcard Your ZyWALL supports DYNDNS Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No. This field is N/A when you choose DDNS client as your service provider.
  • Page 69: Cloning The Mac Address

    (ZyNOS configuration file). It will not change unless you change the setting in menu 2 or upload a different rom file. ZyXEL recommends that you clone the MAC address of a computer on your LAN even if your ISP does not require MAC address authentication.
  • Page 70: Table 5-1 Mac Address Cloning In Wan Setup

    Table 5-1 MAC Address Cloning in WAN Setup FIELD DESCRIPTION EXAMPLE MAC Address: Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Example: IP address attached on
  • Page 71: Figure 5-2 Menu 2: Dial Backup Setup

    Menu 2 - WAN Setup MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Phone Number= Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel: Figure 5-2 Menu 2: Dial Backup Setup Table 5-2 Menu 2: Dial Backup Setup FIELD...
  • Page 72: Advanced Wan Setup

    Table 5-2 Menu 2: Dial Backup Setup FIELD DESCRIPTION EXAMPLE When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Advanced WAN Setup Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
  • Page 73: Figure 5-3 Menu 2.1 Advanced Wan Setup

    Menu 2.1 - Advanced WAN Setup AT Command Strings: Dial= atdt Drop= ~~+++~~ath Answer= ata Drop DTR When Hang Up= Yes Call Control: Dial Timeout(sec)= 60 Retry Count= 0 Retry Interval(sec)= N/A Drop Timeout(sec)= 20 Call Back Delay(sec)= 15 AT Response Strings: CLID= NMBR =...
  • Page 74: Backup Remote Node Setup

    Table 5-3 Advanced WAN Port Setup: AT Commands Fields FIELD DESCRIPTION DEFAULT Called Id Enter the keyword preceding the dialed number. Speed Enter the keyword preceding the connection speed. CONNECT Table 5-4 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION DEFAULT...
  • Page 75: Remote Node Profile (Backup Isp)

    3. Dial-backup route (see the Backup Remote Node Setup chapter) For example, if the normal route has a metric of "1" and the traffic-redirect route has a metric of "2" and dial-backup route has a metric of "3", then the normal route acts as the primary default route. If the normal route fails to connect to the Internet, the ZyWALL tries the traffic-redirect route next.
  • Page 76 Table 5-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE My Login Enter the login name assigned by your ISP for this remote node. My Password Enter the password assigned by your ISP for this remote node. ***** CHAP/PAP Authen...
  • Page 77: Editing Ppp Options

    Table 5-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Period(hr) Enter the time period (in hours) for how often the budget should be reset. For example, to allow calls to this remote node for a maximum (default) of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour).
  • Page 78: Figure 5-5 Menu 11.2 - Remote Node Ppp Options

    Menu 11.2 - Remote Node PPP Options Encapsulation= Standard PPP Compression= No Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle. Figure 5-5 Menu 11.2 - Remote Node PPP Options This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields.
  • Page 79: Editing Tcp/Ip Options

    Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Menu 11.3 - Remote Node Network Layer Options Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0...
  • Page 80: Editing Login Script

    Table 5-6 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Network Address Translation Press [SPACE BAR] and then [ENTER] to select either Full Feature, None or SUA Only. See the Network Address Translation (NAT) chapter for a full discussion on this feature. Example: None (default)
  • Page 81 upper or lower case. Similarly, you specify “word: ” as the ‘Expect’ string and your password as the ‘Send’ string for the second prompt in set 2. You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear.
  • Page 82: Remote Node Filter

    Menu 11.4 - Remote Node Script Active= No Set 1: Expect= Send= Set 2: Expect= Send= Set 3: Expect= Send= Set 4: Expect= Send= Set 5: Expect= Send= Set 6: Expect= Send= Enter here to CONFIRM or ESC to CANCEL: Figure 5-8 Menu 11.4 –...
  • Page 83: Figure 5-9 Menu 11.5: Remote Node Filter (Ethernet)

    Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
  • Page 85: Introduction

    LAN Setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. Wireless LAN is available on the ZyWALL 10W and 100 models. Introduction From the main menu, enter 3 to open Menu 3 – LAN Setup.
  • Page 86: Tcp/Ip And Lan Dhcp

    Use DNS to map a domain name to its corresponding IP address and vice versa, for example, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 87: Ip Address And Subnet Mask

    ZyWALL 10~100 Series Internet Security Gateway There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
  • Page 88: Rip Setup

    ZyWALL 10~100 Series Internet Security Gateway Table 6-2 Private IP Address Ranges 10.0.0.0 — 10.255.255.255 172.16.0.0 — 172.31.255.255 192.168.0.0 — 192.168.255.255 You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 89: Tcp/Ip And Dhcp Ethernet Setup Menu

    ZyWALL 10~100 Series Internet Security Gateway information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255.
  • Page 90: Figure 6-5 Menu 3: Tcp/Ip And Dhcp Setup

    Menu 3 - LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP Setup 5. Wireless LAN Setup Enter Menu Selection Number: Figure 6-5 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2: TCP/IP and DHCP Ethernet Setup as shown next.
  • Page 91: Table 6-3 Dhcp Ethernet Setup Menu Fields

    Follow the instructions in the next table on how to configure the DHCP fields. Table 6-3 DHCP Ethernet Setup Menu Fields FIELD DESCRIPTION EXAMPLE DHCP This field enables/disables the DHCP server. Server If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled.
  • Page 92: Ip Alias Setup

    Table 6-4 LAN TCP/IP Setup Menu Fields FIELD DESCRIPTION EXAMPLE RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are: Both, In Only, Out Only or None. Example: Both (default). Version Press [SPACE BAR] and then [ENTER] to select the RIP version. Example: RIP-1.
  • Page 93: Figure 6-7 Menu 3.2.1: Ip Alias Setup

    Menu 3.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A...
  • Page 94: Wireless Lan

    Wireless LAN This section introduces the wireless LAN and some basic configuration. Wireless LANs can be as simple as two computers with wireless network interface cards (NICs) communicating in a peer-to-peer network or as complex as a number of computers with wireless NICs communicating through access points which bridge network traffic to the wired LAN.
  • Page 95: Wireless Lan Setup

    Figure 6-8 RTS Threshold The RTS Threshold mechanism provides a solution to prevent these data collisions. When you enable RTS Threshold on a possible hidden station, this station and its AP will use a Request to Send/Clear to Send protocol (RTS/CTS).
  • Page 96: Figure 6-9 Menu 3.5 - Wireless Lan Setup

    See section 7.2 for instructions on WEP and section 7.5 for instructions on configuring the MAC address filter. If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
  • Page 97 Table 6-6 Wireless LAN Setup Menu Fields FIELD DESCRIPTION EXAMPLE Hide ESSID Press [SPACE BAR] to select Yes to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning. (default)
  • Page 99: Levels Of Security

    Wireless LAN Security Setup This chapter describes the types of security you can enable on the ZyWALL. Wireless LAN is available on the ZyWALL 10W and 100 models. Levels of Security Wireless security is vital to your network to protect wireless communication between wireless clients, access points and other wireless.
  • Page 100: Figure 7-2 Wireless Lan

    Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be enabled at any one time. To configure and enable WEP encryption, click Advanced, Wireless and the Wireless tab to display the Wireless LAN screen.
  • Page 101: Table 7-1 Wireless Lan

    Table 7-1 Wireless LAN FIELD DESCRIPTION EXAMPLE Enable Before you enable the wireless LAN you should configure some security by setting Wireless MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it.
  • Page 102: Types Of Radius Messages

    • Authorization Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your ZyWALL acts as a message relay between the wireless client and the network RADIUS server.
  • Page 103: Figure 7-3 Sequence For Eap Authentication

    7.3.3 Sequence for EAP Authentication The following figure shows the authentication steps when you enable EAP and specify a RADIUS server on your access point. Figure 7-3 Sequence for EAP Authentication The steps below describe how the IEEE 802.1x EAP authentication works. Step 1.
  • Page 104: Figure 7-4 Wireless Lan 802.1X Authentication

    Figure 7-4 Wireless LAN 802.1X Authentication The following table describes the fields in this screen. Table 7-2 Wireless LAN 802.1X Authentication FIELD DESCRIPTION Authentication Control Select Force Authorized, Force UnAuthorized or Auto from the drop-down list box.
  • Page 105: Figure 7-5 Authentication Radius

    Figure 7-5 Authentication RADIUS The following table describes the fields in this screen. Table 7-3 Authentication RADIUS FIELD DESCRIPTION EXAMPLE Authentication Server Active Select Yes from the drop-down list box to enable user authentication through an external authentication server. Select No to enable user authentication using the local user profile on the ZyWALL.
  • Page 106: Local User Authentication

    Table 7-3 Authentication RADIUS FIELD DESCRIPTION EXAMPLE Port Number The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Example: 1812. Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the access points.
  • Page 107: Figure 7-6 Local User Database

    Figure 7-6 Local User Database
  • Page 108: Table 7-4 Local User Database

    The following table describes the fields in this screen. Table 7-4 Local User Database FIELD DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile.
  • Page 109: Figure 7-7 Wlan Mac Address Filter

    Figure 7-7 WLAN MAC Address Filter The following table describes the fields in this menu. Table 7-5 WLAN MAC Address Filter FIELD DESCRIPTION Active Use the drop-down list box to enable or disable MAC address filtering. Define the filter action for the list of MAC addresses in the MAC address filter table.
  • Page 110 Table 7-5 WLAN MAC Address Filter FIELD DESCRIPTION Click Apply to save these settings back to the ZyWALL. Click Reset to start this screen afresh.
  • Page 111: Chapter 8 Dmz Setup

    Chapter 8 DMZ Setup This chapter describes how to configure the ZyWALL 100’s DMZ using Menu 5: DMZ Setup. Introduction The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 112: Figure 8-2 Menu 5.1: Dmz Port Filter Setup

    DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to your public server(s) traffic. This feature is not available on all models. Menu 5.1 – DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters=...
  • Page 113: Figure 8-4 Menu 5.2: Tcp/Ip Setup

    Menu 5.2 - TCP/IP Ethernet Setup TCP/IP Setup: IP Address= ? IP Subnet Mask= RIP Direction= Both Version= RIP-1 Multicast= None Edit IP Alias= No Press ENTER to Confirm or ESC to Cancel: Figure 8-4 Menu 5.2: TCP/IP Setup The TCP/IP setup fields are the same as the ones in Menu 3.2 TCP/IP Ethernet Setup.
  • Page 114: Figure 8-5 Menu 5.2.1: Ip Alias Setup

    Menu 5.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A...
  • Page 115: Chapter 9 Internet Access

    Chapter 9 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. Internet Access Setup You will see three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation.
  • Page 116 Table 9-1 Menu 4: Internet Access Setup Menu Fields FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method) or RR-Telstra.
  • Page 117: Figure 9-2 Internet Access Setup (Pptp)

    The ZyWALL supports only one PPTP server connection at any given time. 9.1.3 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 118: Figure 9-3 Internet Access Setup (Pppoe)

    9.1.4 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius).
  • Page 119: Table 9-3 New Fields In Menu 4 (Pppoe) Screen

    Table 9-3 New Fields in Menu 4 (PPPoE) screen FIELD DESCRIPTION EXAMPLE Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices in the IP Address field. Example: PPPoE. Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server.
  • Page 121: Advanced Applications

    Advanced Applications Part III: Advanced Applications This part covers Remote Node Setup, IP Static Route Setup and Network Address Translation.
  • Page 123: Chapter 10 Remote Node Setup

    Chapter 10 Remote Node Setup This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 124: Remote Node Profile

    10.2 Remote Node Profile The following explains how to configure the remote node profile menu. 10.2.1 Ethernet Encapsulation There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 125: Pppoe Encapsulation

    Table 10-1 Fields in Menu 11.1 FIELD DESCRIPTION EXAMPLE Service Type Press [SPACE BAR] and then [ENTER] to select from Standard, RR-Toshiba (RoadRunner Toshiba authentication method) or RR-Manager (RoadRunner Manager authentication method). Example: Standard. Choose one of the RoadRunner methods if your ISP is Time Warner's RoadRunner;...
  • Page 126: Figure 10-3 Menu 11.1: Remote Node Profile For Pppoe Encapsulation

    The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE.
  • Page 127: Table 10-2 Fields In Menu 11.1 (Pppoe Encapsulation Specific)

    Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. The following table describes the fields not already described in Table 10-1. Metric See the Metric section in the WAN and Dial Backup Setup chapter for details on the Metric field.
  • Page 128: Figure 10-4 Menu 11.1: Remote Node Profile For Pptp Encapsulation

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name=N/A Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules= My Password= ******** Nailed-up Connections=...
  • Page 129: Editing Tcp/Ip Options (With Ethernet Encapsulation)

    10.3 Editing TCP/IP Options (with Ethernet Encapsulation) Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A...
  • Page 130 Table 10-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Metric Enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes (see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher priority the route has.
  • Page 131: Figure 10-6 Menu 11.3: Remote Node Network Layer Options For Pptp Encapsulation

    10.3.1 Editing TCP/IP Options (with PPTP Encapsulation) Make sure that Encapsulation is set to PPTP in menu 11.1. Then move the cursor to the Edit IP field in menu 11.1, press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
  • Page 132: Table 10-5 Remote Node Network Layer Options Menu Fields

    Table 10-5 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE My WAN Addr Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number. Example: 0.0.0.0.
  • Page 133: Figure 10-7 Menu 11.5: Remote Node Filter (Ethernet Encapsulation)

    10.3.2 Editing TCP/IP Options (with PPPoE Encapsulation) Make sure Encapsulation is set to PPPoE in menu 11.1. Move the cursor to the Edit IP field in Menu 11.1 and press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
  • Page 134: Figure 10-8 Menu 11.5: Remote Node Filter (Pppoe Or Pptp Encapsulation)

    Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= Device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= Device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 10-8 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) 10.5 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the...
  • Page 135: Figure 10-10 Traffic Redirect Lan Setup

    one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/ZyWALL firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2). Figure 10-10 Traffic Redirect LAN Setup To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1—...
  • Page 136: Figure 10-12 Menu 11.6: Traffic Redirect Setup

    Table 10-6 Menu 11.1: Remote Node Profile (Traffic Redirect Field) FIELD DESCRIPTION EXAMPLE Edit Traffic Redirect Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 —...
  • Page 137 Table 10-7 Traffic Redirect Setup FIELD DESCRIPTION EXAMPLE Configuration: Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL’s Internet connection terminates. Example: 0.0.0.0.
  • Page 139: Chapter 11 Ip Static Route Setup

    Chapter 11 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 140: Ip Static Route Setup

    Figure 11-2 Menu 12: IP Static Route Setup (ZyWALL 10W) Now, enter the index number of the static route that you want to configure.
  • Page 141: Figure 11-3 Menu 12. 1: Edit Ip Static Route

    Menu 12.1 - Edit IP Static Route Route #: 1 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CONFIRM or ESC to CANCEL: Figure 11-3 Menu 12.
  • Page 142 Table 11-1 IP Static Route Menu Fields FIELD DESCRIPTION Private This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast.
  • Page 143: Table 12-1 Nat Definitions

    Chapter 12 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 12.1 Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 144: What Nat Does

    NAT never changes the IP address (either local or global) of an outside host. 12.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 145: Figure 12-1 How Nat Works

    Figure 12-1 How NAT Works
  • Page 146: Figure 12-2 Nat Application With Ip Alias

    12.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 12-2 NAT Application With IP Alias 12.1.5 NAT Mapping Types NAT supports five types of IP/port mapping.
  • Page 147: Table 12-2 Nat Mapping Types

    2. Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature (the SUA Only option).
  • Page 148: Using Nat

    Table 12-2 NAT Mapping Types TYPE IP MAPPING SMT ABBREVIATION Many-One-to-One: ILA1 maps to IGA1, ILA2 to IGA2, ILA3 to IGA3 … (abbreviation M-1-1). Server: Server 1 IP maps to IGA1, Server 2 IP to IGA1, Server 3 IP to IGA1 (abbreviation Server). 12.2 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
  • Page 149: Figure 12-3 Menu 4: Applying Nat For Internet Access

    Menu 4 - Internet Access Setup ISP's Name= myISP Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Login Server IP= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel:...
  • Page 150: Nat Setup

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None Version= N/A Multicast= None Enter here to CONFIRM or ESC to CANCEL:...
  • Page 151: Figure 12-5 Menu 15: Nat Setup

    11.3, the SMT will use Set 1, which supports all mapping types as outlined in Table 12-2. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only). The server set is a list of LAN and DMZ servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set.
  • Page 152: Figure 12-7 Menu 15.1.255: Sua Address Mapping Rules

    Menu 15.1.255 - Address Mapping Rules Set Name= SUA Local Start IP Local End IP Global Start IP Global End IP Type 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server Press ENTER to Confirm or ESC to Cancel: Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules The following table explains the fields in this screen.
  • Page 153: Figure 12-8 Menu 15.1.1: First Set

    Table 12-4 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. User-Defined Address Mapping Sets Now look at option 1 in menu 15.1.
  • Page 154 ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9.
  • Page 155: Figure 12-9 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    An IP End address must be numerically greater than its corresponding IP Start address. Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= = N/A Global IP: Start= = N/A Press ENTER to Confirm or ESC to Cancel: Figure 12-9 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set Table 12-6 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD...
  • Page 156: Table 12-7 Services & Port Numbers

    12.4 NAT Server Sets – Port Forwarding A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.
  • Page 157: Configuring A Server Behind Nat

    Table 12-7 Services & Port Numbers SERVICES PORT NUMBER DNS (Domain Name System) Finger HTTP (Hyper Text Transfer protocol or WWW, Web) POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol) 1723...
  • Page 158: Figure 12-10 Menu 15.2: Nat Server Setup

    Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address Default Default 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 1026 1026 RR Reserved Press ENTER to Confirm or ESC to Cancel: Figure 12-10 Menu 15.2: NAT Server Setup Figure 12-11 Multiple Servers Behind NAT Example
  • Page 159: General Nat Examples

    12.5 General NAT Examples 12.5.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 12-12 NAT Example 1 Menu 4 - Internet Access Setup ISP's Name= ChangeMe...
  • Page 160: Figure 12-14 Nat Example 2

    From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 12.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.
  • Page 161: Figure 12-15 Menu 15.2: Specifying An Inside Server

    Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address Default Default 192.168.1.10 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 1026 1026 RR Reserved Press ENTER to Confirm or ESC to Cancel: Figure 12-15 Menu 15.2: Specifying an Inside Server 12.5.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP.
  • Page 162: Figure 12-16 Nat Example 3

    Figure 12-16 NAT Example 3 Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 12-17.
  • Page 163: Figure 12-17 Example 3: Menu 11.3

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None Version= N/A Enter here to CONFIRM or ESC to CANCEL: Figure 12-17 Example 3: Menu 11.3...
  • Page 164: Figure 12-19 Example 3: Final Menu 15.1.1

    Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type 1. 192.168.1.10 10.132.50.1 192.168.1.11 10.132.50.2 3. 0.0.0.0 255.255.255.255 10.132.50.3 10.132.50.3...
  • Page 165: Figure 12-21 Nat Example 4

    12.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 166: Trigger Port Forwarding

    Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP: Start= 192.168.1.10 = 192.168.1.12 Global IP: Start= 10.132.50.1 = 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: Figure 12-22 Example 4: Menu 15.1.1.1: Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
  • Page 167: Figure 12-24 Trigger Port Forwarding Process: Example

    the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns...
  • Page 168: Figure 12-25 Menu 15.3-Trigger Port Setup

    5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).
  • Page 169: Table 12-8 Menu 15.3-Trigger Port Setup Description

    Table 12-8 Menu 15.3—Trigger Port Setup Description FIELD DESCRIPTION EXAMPLE Rule This is the rule index number. Name Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces. Example: Real Audio. Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
  • Page 171: Firewall And Content Filters

    Firewall and Content Filters Part IV: Firewall and Content Filters This part introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and gives example firewall rules and an overview of content filtering.
  • Page 173: Chapter 13 Firewalls

    Chapter 13 Firewalls This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall. 13.1 What Is a Firewall? Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 174: Introduction To Zyxel's Firewall

    See section 13.5 for more information on Stateful Inspection. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises. 13.3 Introduction to ZyXEL’s Firewall The ZyWALL firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator).
  • Page 175: Denial Of Service

    Figure 13-1 ZyWALL Firewall Application 13.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 176: Types Of Dos Attacks

    for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are: Table 13-1 Common IP Ports Telnet...
  • Page 177: Figure 13-2 Three-Way Handshake

    Figure 13-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
  • Page 178: Figure 13-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 179: Table 13-3 Legal NetBIOS Commands

    Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal. Table 13-3 Legal NetBIOS Commands: MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE. All SMTP commands are illegal except for those displayed in the following tables. Table 13-4 Legal SMTP Commands: AUTH, DATA...
  • Page 180: Figure 13-5 Stateful Inspection

    all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: Allows all sessions originating from the LAN (local network) to the WAN (Internet). Denies all sessions originating from the WAN to the LAN.
  • Page 181: Stateful Inspection And The Zywall

    1. The packet travels from the firewall's LAN to the WAN. 2. The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point). 3.
  • Page 182: TCP Security

    These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator. The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet.
  • Page 183: Guidelines For Enhancing Security With Your Firewall

    A similar situation exists for ICMP, except that the ZyWALL is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too little tracking information.
  • Page 184: Packet Filtering Vs Firewall

    7. Keep the firewall in a secured (locked) room. 13.6.1 Security In General You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them. 1.
  • Page 185 13.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed. Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
  • Page 186 3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need to check many rules. 5.
  • Page 187: Remote Management And The Firewall

    Chapter 14 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 14.1 Remote Management and the Firewall When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 188: Figure 14-2 Menu 21.2: Firewall Setup

    14.3.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
  • Page 189: Web Configurator Login And Main Menu Screens

    Chapter 15 Using the ZyWALL Web Configurator This chapter shows you how to configure your firewall with the web configurator. 15.1 Web Configurator Login and Main Menu Screens Use the ZyWALL web configurator to configure your firewall. To get started, follow the steps shown next. Step 1.
  • Page 190: Attack Alert

    Select this check box to enable the firewall. Figure 15-1 Enabling the Firewall (ZyWALL 100) 15.2.1 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 15-2 - check the Generate alert when attack detected checkbox) or when a rule is matched in the Rule Config screen (see Figure 16-4).
  • Page 191: Threshold Values

    determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements.
  • Page 192 threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period. TCP Maximum Incomplete and Blocking Time An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
  • Page 193: Figure 15-2 Attack Alert

    Figure 15-2 Attack Alert The following table describes the fields in this screen. Table 15-1 Attack Alert FIELD DESCRIPTION DEFAULT VALUES Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected.
  • Page 194 Table 15-1 Attack Alert FIELD DESCRIPTION DEFAULT VALUES One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. Default: 100 half-open sessions per minute. The above numbers...
  • Page 195 Table 15-1 Attack Alert FIELD DESCRIPTION DEFAULT VALUES Blocking Time: When TCP Maximum Incomplete is reached you can choose if the next session should be allowed or blocked. Default: Select this check box to specify a number in minutes (min) text...
  • Page 197: Rules Overview

    Chapter 16 Creating Custom Rules This chapter contains instructions for defining both Local Network and Internet rules. DMZ applies to the ZyWALL 100. 16.1 Rules Overview Firewall rules are grouped based on the direction of travel of packets to which they apply: •...
  • Page 198: Rule Logic Overview

    This prevents computers on the DMZ from communicating between networks or subnets connected to the DMZ interface and/or managing the ZyWALL. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
  • Page 199: Security Ramifications

    16.2.2 Security Ramifications Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule: 1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2.
  • Page 200: Connection Direction Examples

    16.3 Connection Direction Examples This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN. Rules for the DMZ work in a similar fashion. LAN to LAN/ZyWALL, WAN to WAN/ZyWALL and DMZ to DMZ/ZyWALL rules apply to packets coming in on the associated interface (LAN, WAN, or DMZ respectively).
  • Page 201: Rule Summary

    See the following figure. Figure 16-2 WAN to LAN Traffic 16.4 Rule Summary Click Advanced, Firewall and the Summary tab to display the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn.
  • Page 202: Figure 16-3 Firewall Rules Summary: First Screen (ZyWALL100)

    Figure 16-3 Firewall Rules Summary: First Screen (ZyWALL100) The following table describes the fields in the firewall summary screen. Table 16-1 Firewall Rules Summary: First Screen FIELD DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 203 Table 16-1 Firewall Rules Summary: First Screen FIELD DESCRIPTION Vacant Rules This read-only number is the number of rules that can still be configured for the ZyWALL (the combined total available for all packet directions). Packet Direction Use the drop-down list box to select a direction of travel of packets (LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, WAN to WAN/ZyWALL, WAN to LAN,...
  • Page 204: Table 16-2 Predefined Services

    Table 16-1 Firewall Rules Summary: First Screen FIELD DESCRIPTION Insert Type the index number for where you want to put a rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 205 SEEME(TCP/UDP:7648, 24032) DNS(UDP/TCP:53) Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers. FINGER(TCP:79) Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. FTP(TCP:20,21) File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
  • Page 206 Table 16-2 Predefined Services SERVICE DESCRIPTION NNTP(TCP:119) Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
  • Page 207 Table 16-2 Predefined Services SERVICE DESCRIPTION TACACS(UDP:49) Login Host Protocol (Terminal Access Controller Access Control System). TELNET(TCP:23) Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
  • Page 208: Figure 16-4 Creating/Editing A Firewall Rule (ZyWALL100)

    Figure 16-4 Creating/Editing A Firewall Rule (ZyWALL100) Table 16-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Active Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it.
  • Page 209 Table 16-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Packet Direction: Use the drop-down list box to select the direction of packet travel to which you want to apply this firewall rule. Options: LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, WAN to WAN/ZyWALL...
  • Page 210: Figure 16-5 Adding/Editing Source And Destination Addresses

    Table 16-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS This field determines if a log is created for packets that match the rule, don’t match the rule, both, or no log is created. Options: Match, Not Match...
  • Page 211: Custom Ports

    Table 16-4 Adding/Editing Source and Destination Addresses FIELD DESCRIPTION OPTIONS Address Type: Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP ... Options: Single Address, Range Address, Subnet Address...
  • Page 212: Figure 16-6 Creating/Editing A Custom Port

    Figure 16-6 Creating/Editing A Custom Port The next table describes the fields in this screen. Table 16-5 Creating/Editing A Custom Port FIELD DESCRIPTION OPTIONS Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box.
  • Page 213: Example Firewall Rule

    16.8 Example Firewall Rule The following Internet firewall rule example allows a hypothetical “MyService” connection from the Internet. Step 1. Click the Firewall link and then the Summary tab. Step 2. In the Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 214: Figure 16-8 Firewall IP Config Screen

    Step 6. Configure the Firewall IP Config screen as follows and click Apply. Figure 16-8 Firewall IP Config Screen Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Custom Port Configuration screen.
  • Page 215: Figure 16-9 Custom Port For MyService

    Figure 16-9 Custom Port for MyService Step 8. The firewall rule configuration screen displays; use the arrows between Available Services and Selected Services to configure it as follows. Click Apply when you are done. Custom ports show up with an “*”...
  • Page 216: Figure 16-10 MyService Rule Configuration (ZyWALL100)

    (Callouts: This is your “MyService” custom port. This is the address range of the “MyService” servers. Click Apply when finished.) Figure 16-10 MyService Rule Configuration (ZyWALL100)
  • Page 217: Figure 16-11 Example 3: Rule Summary (ZyWALL100)

    Step 9. On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Rule 1: Allows a “MyService”...
  • Page 219: Categories

    Chapter 17 Content Filtering This chapter provides a brief overview of content filtering using the web embedded configurator. Internet content filtering allows schools and businesses to create and enforce Internet access policies tailored to their needs. Content filtering is the ability to block certain web features or specific URLs and should not be confused with packet filtering via SMT menu 21.1.
  • Page 220: Figure 17-1 Content Filter: Categories

    Figure 17-1 Content Filter: Categories Table 17-1 Content Filter: Categories LABEL DESCRIPTION Restricted Web Features Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. A tool for building dynamic and active Web pages and distributed object applications.
  • Page 221 Table 17-1 Content Filter: Categories LABEL DESCRIPTION Java: A programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds. Cookies: Used by Web servers to track usage and provide service based on ID. Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service.
  • Page 222 Table 17-1 Content Filter: Categories LABEL DESCRIPTION Gross Depictions: Selecting this category excludes pictures or descriptive text of anyone or anything which are crudely vulgar or grossly deficient in civility or behavior, or which show scatological impropriety.
  • Page 223: Free

    Table 17-1 Content Filter: Categories LABEL DESCRIPTION Sports/Entertainment: Selecting this category excludes pictures or text of leisure, sports, or other similar sites not considered applicable to the primary business function. Time of Day (Filter List/Custom Sites/Domain Name): Time of Day allows the administrator to define the time periods during which content filtering is enabled.
  • Page 224: Figure 17-2 Content Filter: Free

    Figure 17-2 Content Filter: Free Table 17-2 Content Filter: Free LABEL DESCRIPTION Last Name Type your last name. You may enter up to 31 characters. This is a required field. First Name Type your first name. You may enter up to 31 characters. This is a required field. E-mail Type your e-mail address.
  • Page 225: Figure 17-3 Content Filter: iCard

    17.3 iCard Click Content on the navigation panel, and then the iCard tab to open the following screen. Use this screen to register the ZyWALL. Registering the ZyWALL allows you to install and activate the Content Filter List and to receive a free subscription to updated Content Filter Lists for a limited period.
  • Page 226: List Update

    Table 17-3 Content Filter: iCard LABEL DESCRIPTION E-mail Type your e-mail address. You may enter up to 40 characters (required field). Company Type the name of your company. You may enter up to 31 characters. Title Type your job title.
  • Page 227: Figure 17-4 Content Filter: List Update

    Figure 17-4 Content Filter: List Update Table 17-4 Content Filter: List Update LABEL DESCRIPTION Download Now: Click Download Now to download and install a new Content Filter List. This process may take a couple of minutes, depending on Internet traffic conditions, and requires a current subscription to the Content Filter List.
  • Page 228: Exempt Computers

    17.5 Exempt Computers Click Content on the navigation panel, and then the Exempt Zone tab to open the following screen. Use this screen to include or exclude a range of users on the LAN from content filtering. Figure 17-5 Content Filter: Exempt Zone Table 17-5 Content Filter: Exempt Zone LABEL...
  • Page 229: Customizing

    Table 17-5 Content Filter: Exempt Zone LABEL DESCRIPTION Exclude specified address ranges from the Content Filter enforcement: Select to exempt a specific range of users on your LAN from Content Filter policies. Add Range: Fill in the two fields below if you selected one of the last two options above.
  • Page 230: Figure 17-6 Content Filter: Customize

    Figure 17-6 Content Filter: Customize Table 17-6 Content Filter: Customize LABEL DESCRIPTION Filter List Customization: Make sure the Enable Filter List Customization check box is selected to make this feature available. Add or remove sites from the Filter List to customize the Content Filter List. Enable Filter List Customization: Select this check box to allow Trusted Domain web sites and block Forbidden Domain web sites.
  • Page 231 URL of the site - that is, do not include "http://". All subdomains are allowed. For example, entering "zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", etc. Add Trusted Domain: Click Add Trusted Domain when you have finished adding the host name in the text field above.
  • Page 232: Figure 17-7 Content Filter: Domain Name

    17.7 Domain Name Click Content on the navigation panel, and then the Domain Name tab to open the following screen. Use this screen to configure the ZyWALL to block Web sites containing keywords in their URLs. For example, if you enable the keyword "bad", the ZyWALL blocks all sites containing this keyword, for example, the ZyWALL blocks URL http://www.website.com/bad.html, even if it is not included in the Filter List.
  • Page 233 Table 17-7 Content Filter: Domain Name LABEL DESCRIPTION Add Keyword: Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the Content Filter is blocking this request.
  • Page 235 Logs, Filter Configuration, and SNMP Configuration Part V: Logs, Filter Configuration, and SNMP Configuration This part provides information and configuration instructions for the logs, filters, and SNMP.
  • Page 237: Chapter 18 Centralized Logs

    Chapter 18 Centralized Logs This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to the appendices for example log message explanations and how to view the logs via the SMT command interface. 18.1 View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location.
  • Page 238: Figure 18-1 View Log

    Figure 18-1 View Log Table 18-1 View Log FIELD DESCRIPTION Display The categories that you select in the Log Settings page (see section 18.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 239: Log Settings

    Table 18-1 View Log FIELD DESCRIPTION Destination This field lists the destination IP address and the port number of the incoming packet. Note This field displays additional information about the log entry. Email Log Now Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the Address Info fields in Log Settings, see section 18.2).
  • Page 240: Figure 18-2 Log Settings

    Figure 18-2 Log Settings
  • Page 241: Table 18-2 Log Settings Screen

    Table 18-2 Log Settings Screen FIELD DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 242 Table 18-2 Log Settings Screen FIELD DESCRIPTION Log Schedule This drop-down menu is used to configure the frequency of log messages being sent as E-mail: • Daily • Weekly • Hourly • When the Log is Full •...
  • Page 243: Chapter 19 Filter Configuration

    Chapter 19 Filter Configuration This chapter shows you how to create and apply filters. 19.1 About Filtering Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 244: Figure 19-1 Outgoing Packet Filtering Process

    Figure 19-1 Outgoing Packet Filtering Process [flowchart: an outgoing data packet is checked against the active data filters, then against the built-in default call filters and user-defined call filters; a matching packet is dropped, otherwise a call is initiated if the line is not up and the packet is sent with the Idle Timer reset]
  • Page 245: Figure 19-2 Filter Rule Process

    Figure 19-2 Filter Rule Process [flowchart: the packet enters the filter; the first filter set is fetched and each active rule in it is executed in turn, fetching the next rule while one is available, then the next filter set while one is available]
  • Page 246: Configuring A Filter Set

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 19.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default.
  • Page 247: Table 19-1 Abbreviations Used In The Filter Rules Summary Menu

    Step 3. Select the filter set you wish to configure (1-12) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
  • Page 248: Configuring A Filter Rule

    Table 19-2 Rule Abbreviations Used ABBREVIATION DESCRIPTION (descriptions: Protocol, Source Address, Source Port number, Destination Address, Destination Port number, Offset, Length) Refer to the next section for information on configuring the filter rules. 19.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule.
  • Page 249: Figure 19-6 Menu 21.1.1.1: TCP/IP Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next.
        Menu 21.1.1.1 - TCP/IP Filter Rule
        Filter #: 1,1
        Filter Type= TCP/IP Filter Rule
        Active= Yes
        IP Protocol= 0...
  • Page 250 Table 19-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS IP Mask: Enter the IP mask to apply to the Destination: IP Addr. Options: 0.0.0.0. Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. Options: 0-65535.
  • Page 251 Table 19-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Options: None, Action Matched...
  • Page 252: Figure 19-7 Executing An IP Filter

    Figure 19-7 Executing an IP Filter [flowchart: if the filter is active, the source address mask is applied and the source IP address checked (matched / not matched), then the destination address mask is applied and the destination IP address checked, then the IP protocol is checked, then the source and destination ports...]
  • Page 253: Figure 19-8 Menu 21.1.4.1: Generic Filter Rule

    19.2.3 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 254: Table 19-4 Generic Filter Rule Menu Fields

    Table 19-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type. Options: Generic Filter...
  • Page 255: Example Filter

    19.3 Example Filter Let’s look at an example to block outside users from telnetting into the ZyWALL. Please see our included disk for more example filters. Figure 19-9 Telnet Filter Example Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. Step 2.
  • Page 256: Figure 19-10 Example Filter: Menu 21.1.3.1

    Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. (Callout: Press [SPACE BAR] and then [ENTER] to choose this filter rule.)
        Menu 21.1.3.1 - TCP/IP Filter Rule
        Filter #: 3,1...
  • Page 257: Figure 19-11 Example Filter Rules Summary: Menu 21.1.3

        Menu 21.1.3 - Filter Rules Summary
        # A Type Filter Rules                                            M m n
        - - ---- --------------------------------------------------------------- - - -
        1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                     N D F
    (Callouts: This shows you that you have... M = N means an action can be taken immediately.)
  • Page 258: Filter Types And Nat

    19.4 Filter Types and NAT There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section.
  • Page 259: Applying A Filter And Factory Defaults

    19.6 Applying a Filter and Factory Defaults This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
  • Page 260: Figure 19-14 Filtering DMZ Traffic

    outgoing traffic from the ZyWALL. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. The DMZ port is not available on all models. Menu 5.1 –...
  • Page 261: Chapter 20 SNMP Configuration

    Chapter 20 SNMP Configuration This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 20.1 About SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 262: Figure 20-1 SNMP Management Model

    Figure 20-1 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 263: Supported MIBs

    • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Page 264: Table 20-2 SNMP Traps

    (defined in RFC-1215) A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password).
    whyReboot (defined in ZYXEL-MIB) A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
  • Page 265: Configuration File Maintenance

    Part VI: System Information and Diagnosis and Firmware and Configuration File Maintenance This part provides information on system information and diagnosis and maintaining the firmware and configuration files.
  • Page 267: Chapter 21 System Information & Diagnosis

    Chapter 21 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. DMZ applies to the ZyWALL 100. Wireless LAN and dial-backup apply to the ZyWALL 100 and 10W (see Table 1-1 Model Specific Features). This chapter covers the diagnostic tools that help you to maintain your ZyWALL.
  • Page 268: Figure 21-2 Menu 24.1: System Maintenance: Status (ZyWALL 100)

    Step 1. Enter number 24 to go to Menu 24 - System Maintenance.
    Step 2. In this menu, enter 1 to open System Maintenance - Status.
    Step 3. There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.
  • Page 269: Figure 21-3 Menu 24.2: System Information And Console Port Speed

    Table 21-1 System Maintenance: Status Menu Fields
    FIELD / DESCRIPTION
    Cols: The number of collisions on this port.
    Tx B/s: Shows the transmission speed in bytes per second on this port.
    Rx B/s: Shows the reception speed in bytes per second on this port.
    Up Time: Total amount of time the line has been up.
  • Page 270: Figure 21-4 Menu 24.2.1: System Maintenance: Information (ZyWALL 10W)

    Ethernet Address: 00:A0:C5:00:00:01
    IP Address: 192.168.1.1
    IP Mask: 255.255.255.0
    DHCP: Server
    Press ESC or RETURN to Exit:
    Figure 21-4 Menu 24.2.1: System Maintenance: Information (ZyWALL 10W)
    Table 21-2 Fields in System Maintenance: Information
    FIELD / DESCRIPTION
    Name: This is the ZyWALL's system name + domain name assigned in menu 1.
  • Page 271: Log And Trace

    21.2.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown next.
  • Page 272: Figure 21-6 Menu 24.3: System Maintenance: Log And Trace

    After the ZyWALL finishes displaying, you will have the option to clear the error log.
    Menu 24.3 - System Maintenance - Log and Trace
    1. View Error Log
    2. UNIX Syslog
    4. Call-Triggering Packet
    Please enter selection
    Figure 21-6 Menu 24.3: System Maintenance: Log and Trace
    Examples of typical error and information messages are presented in the following figure.
  • Page 273: Figure 21-8 Menu 24.3.2: System Maintenance: UNIX Syslog (ZyWALL 100)

    The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Unix Syslog, as shown next.
  • Page 274: System Information And Diagnosis

    C02 Call Terminated
    Jul 19 11:19:27 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002
    Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002
    Jul 19 11:20:06 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated...
  • Page 275: Firewall Log

    Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP / PAP / IPCP / IPXCP
    Jul 19 11:42:44 192.168.102.2 ZyXEL: ppp:LCP Closing
    Jul 19 11:42:49 192.168.102.2 ZyXEL: ppp:IPCP Closing
    Jul 19 11:42:54 192.168.102.2 ZyXEL: ppp:CCP Closing
    5.
  • Page 276: Diagnostic

    21.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
  • Page 277: Figure 21-10 Menu 24.4: System Maintenance: Diagnostic

    Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic.
    Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance.
    Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
  • Page 278: Figure 21-11 WAN & LAN DHCP

    Figure 21-11 WAN & LAN DHCP
    The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections.
    Table 21-4 System Maintenance Menu Diagnostic
    FIELD / DESCRIPTION
    Ping Host: Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.
  • Page 279: Chapter 22 Firmware And Configuration File Maintenance

    The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing.
  • Page 280: Table 22-1 Filename Conventions

    local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
  • Page 281: Figure 22-1 Telnet Into Menu 24.5

    22.2.1 Backup Configuration Follow the instructions as shown in the next screen.
    Menu 24.5 - System Maintenance - Backup Configuration
    To transfer the configuration file to your workstation, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2.
  • Page 282: Figure 22-2 FTP Session Example

    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 283: Backup Configuration Using TFTP

    1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN).
    2. You have disabled Telnet service in menu 24.11.
    3. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service.
    4.
  • Page 284: Table 22-3 General Commands For GUI-Based TFTP Clients

    22.2.7 TFTP Command Example The following is an example TFTP command:
    tftp [-i] host get rom-0 config.rom
    Where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get”...
  • Page 285: Figure 22-3 System Maintenance: Backup Configuration

    Ready to backup Configuration via Xmodem.
    Do you want to continue (y/n):
    Figure 22-3 System Maintenance: Backup Configuration
    Step 2. The following screen indicates that the Xmodem download has started. You can enter ctrl-x to terminate the operation at any time.
  • Page 286: Restore Configuration

    22.3 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.
  • Page 287: Figure 22-7 Telnet Into Menu 24.6

    Menu 24.6 -- System Maintenance - Restore Configuration
    To transfer the firmware and configuration file to your workstation, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  • Page 288: Figure 22-8 Restore Using FTP Session Example

    22.3.2 Restore Using FTP Session Example
    ftp> put config.rom rom-0
    200 Port command okay
    150 Opening data connection for STOR rom-0
    226 File received OK
    221 Goodbye for writing flash
    ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
    ftp>quit
    Figure 22-8 Restore Using FTP Session Example
    Refer to section 22.2.5 to read about configurations that disallow TFTP and FTP over WAN.
  • Page 289: Uploading Firmware And Configuration Files

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 22-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
  • Page 290: Figure 22-13 Telnet Into Menu 24.7.1: Upload System Firmware

    WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. 22.4.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client.
  • Page 291: Figure 22-14 Telnet Into Menu 24.7.2: System Maintenance

    22.4.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2.
    Menu 24.7.2 - System Maintenance - Upload System Configuration File
    To upload the system configuration file, follow the procedure below:
    1.
  • Page 292: Figure 22-15 FTP Session Example Of Firmware File Upload

    transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt. 22.4.4 FTP Session Example of Firmware File Upload 331 Enter PASS command Password:...
  • Page 293: TFTP Upload Command Example

    Step 3. Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete. Step 4.
  • Page 294: Figure 22-16 Menu 24.7.1 As Seen Using The Console Port

    22.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
  • Page 295: Figure 22-17 Example Xmodem Upload

    22.4.9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. Figure 22-17 Example Xmodem Upload After the firmware upload process has completed, the ZyWALL will automatically restart.
  • Page 296: Figure 22-18 Menu 24.7.2 As Seen Using The Console Port

    Menu 24.7.2 - System Maintenance - Upload System Configuration File
    To upload system configuration file:
    1. Enter "y" at the prompt below to go into debug mode.
    2. Enter "atlc" after "Enter Debug Mode" message.
    3.
  • Page 297: Figure 22-19 Example Xmodem Upload

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 22-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
  • Page 299 Part VII: System Maintenance and Information and Remote Management This part provides information on the system maintenance and information functions and how to configure remote management.
  • Page 301: Chapter 23 System Maintenance & Information

    SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or zyxel.com for more detailed information on CI commands. Enter 8 from Menu 24 - System Maintenance. Type exit to return to the SMT main menu when finished.
  • Page 302: Call Control Support

    Copyright (c) 1994 - 2001 ZyXEL Communications Corp.
    ras> ?
    Valid commands are:
    exit device ether pptp ipsec hdap
    ras>
    Figure 23-2 Valid Commands
    23.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
  • Page 303: Figure 23-4 Budget Management

    23.2.1 Budget Management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
    Menu 24.9.1 - Budget Management
    Remote Node  Connection Time/Total Budget  Elapsed Time/Total Period...
  • Page 304: Figure 23-5 Call History

    23.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 305: Time And Date Setting

    23.3 Time and Date Setting The Real Time Chip (RTC) keeps track of the time and date (Not available on all models). There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL.
  • Page 306: Figure 23-7 Menu 24.10 System Maintenance: Time And Date Setting

    Menu 24.10 - System Maintenance - Time and Date Setting
    Use Time Server when Bootup= NTP (RFC-1305)
    Time Server Address= tick.stdtime.gov.tw
    Current Time: 00 : 00 : 00
    New Time (hh:mm:ss): 11 : 23 : 16
    Current Date: 2000 - 01 - 01
    New Date (yyyy-mm-dd):...
  • Page 307: Resetting The Time

    Table 23-3 Time and Date Setting Fields
    FIELD / DESCRIPTION
    Time Zone: Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT).
    Daylight Saving: Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight time in the evenings.
  • Page 309: Chapter 24 Remote Management

    Chapter 24 Remote Management This chapter covers remote management found in SMT menu 24.11. 24.1 Remote Management and the Firewall When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 310: SNMP

    24.6 DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for example, the IP address of www.zyxel.com is 204.217.0.2. Refer to the Internet Access chapter for more information. 24.7 Remote Management Remote management control is for managing Telnet, Web and FTP services.
  • Page 311: Figure 24-2 Menu 24.11 - Remote Management Control

    LAN only, Neither (Disable). When you choose WAN only or ALL (LAN & WAN), you still need to configure a firewall rule to allow access. To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 –...
  • Page 312: Remote Management And NAT

    Table 24-1 Menu 24.11 – Remote Management Control
    FIELD / DESCRIPTION / EXAMPLE
    Secured Client: The default 0.0.0.0 allows any client to use this service to remotely manage the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address. Example: 0.0.0.0
  • Page 313: System Timeout

    24.9 System Timeout There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyWALL automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
  • Page 315: Bandwidth Management

    Part VIII: Bandwidth Management This part provides information on the functions and configuration of Bandwidth Management.
  • Page 317: Chapter 25 Bandwidth Management

    Chapter 25 Bandwidth Management This chapter describes the functions and configuration of bandwidth management. Bandwidth management applies to the ZyWALL 100. 25.1 Introduction Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
  • Page 318: Proportional Bandwidth Allocation

    application and/or subnet. Use the Class Configuration tab (see section 25.8.3) to set up a bandwidth class’s name, bandwidth allotment, and bandwidth filter. You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure child-classes with filters for any classes that you configure without filters.
  • Page 319: Figure 25-1 Application-Based Bandwidth Management Example

    Figure 25-1 Application-based Bandwidth Management Example 25.4.2 Subnet-based Bandwidth Management Example The following example uses bandwidth classes based solely on LAN subnets. Each bandwidth class (Subnet A and Subnet B) is allotted 5 Mbps. Figure 25-2 Subnet-based Bandwidth Management Example 25.4.3 Application and Subnet-based Bandwidth Management Example The following example uses bandwidth classes based on LAN subnets and applications (specific...
  • Page 320: Scheduler

    Table 25-1 Application and Subnet-based Bandwidth Management Example
    TRAFFIC TYPE / FROM SUBNET A / FROM SUBNET B
    VoIP: 1 Mbps / 1 Mbps
    (traffic type label missing): 1 Mbps / 1 Mbps
    (traffic type label missing): 1 Mbps / 1 Mbps
    E-mail: 1 Mbps / 1 Mbps
    Video: 1 Mbps / 1 Mbps...
  • Page 321: Maximize Bandwidth Usage

    25.5.1 Priority-based Scheduler With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class’s priority number is, the higher the priority.
  • Page 322: Figure 25-4 Bandwidth Allotment Example

    Step 2. Do not enable the interface’s Maximize Bandwidth Usage option.
    Step 3. Do not enable bandwidth borrowing on the child-classes that have the root class as their parent (see section 25.7).
    25.6.2 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface.
  • Page 323: Figure 25-5 Maximize Bandwidth Usage Example

    In this case, suppose that all of the classes except for the administration class need more bandwidth. Each class gets up to its budgeted bandwidth. The administration class only uses 1 Mbps of its budgeted 2 Mbps.
  • Page 324: Bandwidth Borrowing

    25.7 Bandwidth Borrowing Bandwidth borrowing allows a child-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a child-class to allow the child-class to use its parent class’s unused bandwidth.
  • Page 325: Figure 25-6 Bandwidth Borrowing Example

    Figure 25-6 Bandwidth Borrowing Example The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled. The Bill class can also borrow unused bandwidth from the Sales class because the Sales USA class also has bandwidth borrowing enabled.
  • Page 326: Bandwidth Management Setup

    The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled. The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
  • Page 327: Figure 25-7 Bandwidth Manager: Summary

    25.8.1 Bandwidth Manager Summary Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface in the bandwidth manager’s Summary tab. Click Advanced, BW Manager, and then Summary to open the screen shown next. Figure 25-7 Bandwidth Manager: Summary
  • Page 328: Table 25-2 Bandwidth Manager: Summary

    Table 25-2 Bandwidth Manager: Summary
    FIELD / DESCRIPTION
    (interface labels): These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Not all interfaces are available on every ZyWALL.
    WLAN Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using...
  • Page 329: Figure 25-8 Bandwidth Manager: Class Setup

    bigger bandwidth budgets than the total of the budgets of their child-classes. The child-classes can borrow the extra bandwidth as long as they have bandwidth borrowing enabled (see section 25.7). Figure 25-8 Bandwidth Manager: Class Setup Table 25-3 Bandwidth Manager: Class Setup FIELD DESCRIPTION...
  • Page 330: Figure 25-9 Bandwidth Manager: Class Configuration

    25.8.3 Bandwidth Manager Class Configuration Configure a bandwidth management class in the Class Configuration screen. You must use the Bandwidth Manager Summary screen to enable bandwidth management on an interface before you can configure classes for that interface. Click Advanced, BW Manager, and then the Class Setup tab.
  • Page 331 Table 25-4 Bandwidth Manager: Class Configuration
    FIELD / DESCRIPTION
    BW Budget (kbps): Specify the maximum bandwidth allowed for the class in kbps. The recommendation is a setting between 20 kbps and 20000 kbps for an individual class.
    Priority: Enter a number between 0 and 7 to set the priority of this class.
  • Page 332: Figure 25-10 Bandwidth Management Statistics

    Table 25-5 Services and Port Numbers SERVICES PORT NUMBER ECHO FTP (File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) DNS (Domain Name System) Finger HTTP (Hyper Text Transfer protocol or WWW, Web) POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap...
  • Page 333: Table 25-6 Bandwidth Management Statistics

    Table 25-6 Bandwidth Management Statistics
    FIELD / DESCRIPTION
    Class Name: This field displays the name of the class the statistics page is showing.
    Budget (kbps): This field displays the amount of bandwidth allocated to the class.
    Tx Packets: This field displays the total number of packets transmitted.
  • Page 334: Figure 25-11 Bandwidth Manager Monitor

    Figure 25-11 Bandwidth Manager Monitor
    Table 25-7 Bandwidth Manager Monitor
    FIELD / DESCRIPTION
    Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
    Class Name: This field displays the name of the class.
    Budget (kbps): This field displays the amount of bandwidth allocated to the class.
  • Page 335 Part IX: IP Policy Routing, Call Scheduling and VPN/IPSec This part provides information on how to configure IP Policy Routing, call scheduling and VPN/IPSec.
  • Page 337: Chapter 26 IP Policy Routing

    Chapter 26 IP Policy Routing This chapter covers setting and applying policies used for IP routing. IP Policy Routing applies to the ZyWALL 100. 26.1 Introduction Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 338: Figure 26-2 IP Routing Policy Setup

    address and port, ToS and precedence (fields in the IP header) and length. The inclusion of length criterion is to differentiate between interactive and bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets. The actions that can be taken include: •...
  • Page 339: Figure 26-4 Menu 25.1: Sample IP Routing Policy Setup

    Step 2. Type the index of the policy set you want to configure to open Menu 25.1 – IP Routing Policy Setup. Menu 25.1 shows the summary of a policy set, including the criteria and the action of a single policy, and whether a policy is active or not.
  • Page 340: Figure 26-5 IP Routing Policy

    Table 26-1 IP Routing Policy Setup
    ABBREVIATION / MEANING
    Outgoing Type of service; Outgoing Precedence; Service; Normal; Minimum Delay; Maximum Throughput; Maximum Reliability; Minimum Cost
    Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule.
  • Page 341 Table 26-2 IP Routing Policy
    FIELD / DESCRIPTION
    Active: Press [SPACE BAR] and then [ENTER] to select Yes to activate the policy.
    Criteria / IP Protocol: Enter a number that represents an IP layer 4 protocol, for example, UDP=17, TCP=6, ICMP=1 and Don’t care=0.
  • Page 342: Applying An Ip Policy

    Table 26-2 IP Routing Policy FIELD DESCRIPTION When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. 26.5 Applying an IP Policy This section shows you where to apply the IP policies after you design them.
  • Page 343: IP Policy Routing Example

    26.6 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure. Figure 26-7 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
  • Page 344: Figure 26-8 IP Routing Policy Example

    Menu 25.1.1 - IP Routing Policy
    Policy Set Name= set1
    Active= Yes
    Criteria:
    IP Protocol
    Type of Service= Don't Care
    Packet length= 10
    Precedence = Don't Care
    Len Comp= N/A
    Source: addr start= 192.168.1.2 end= 192.168.1.64
    port start= 0 end= N/A...
  • Page 345: Figure 26-9 IP Routing Policy

    Step 5. Create a rule in menu 25.1.1 for this set to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100).
    Menu 25.1.1 - IP Routing Policy
    Policy Set Name= set2
    Active= Yes
    Criteria:...
  • Page 346: Figure 26-10 Applying IP Policies

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup
    DHCP Setup
    DHCP= Server
    Client IP Pool Starting Address= 192.168.1.33
    Size of Client IP Pool= 64
    Primary DNS Server= 0.0.0.0
    Secondary DNS Server= 0.0.0.0
    Remote DHCP Server= N/A
    TCP/IP Setup:
    IP Address= 192.168.1.1
    IP Subnet Mask= 255.255.255.0...
  • Page 347: Chapter 27 Call Scheduling

    Chapter 27 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 27.1 Introduction The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 348: Figure 27-2 Schedule Set Setup

    To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
  • Page 349 Table 27-1 Schedule Set Setup Fields
    FIELD / DESCRIPTION / OPTIONS
    Date: Once: If you selected Once in the How Often field above, then enter the date the set should activate here in year-month-day format. Weekday: If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
  • Page 350: Figure 27-3 Applying Schedule Set(S) To A Remote Node (PPPoE)

    Menu 11.1 - Remote Node Profile
    Rem Node Name= ChangeMe
    Route= IP
    Active= Yes
    Encapsulation= PPPoE
    Edit IP= No
    Service Type= Standard
    Telco Option:
    Service Name=
    Allocated Budget(min)= 0
    Outgoing=
    Period(hr)= 0
    My Login=
    Schedules= 1,2,3,4
    My Password= ********
    Nailed-Up Connection= No...
  • Page 351: Figure 27-4 Applying Schedule Set(S) To A Remote Node (PPTP)

    Menu 11.1 - Remote Node Profile
    Rem Node Name= ChangeMe
    Route= IP
    Active= Yes
    Encapsulation= PPTP
    Edit IP= No
    Service Type= Standard
    Telco Option:
    Service Name=N/A
    Allocated Budget(min)= 0
    Outgoing=
    Period(hr)= 0
    My Login=
    Schedules= 1,2,3,4
    My Password= ********
    Nailed-up Connections=...
  • Page 353: Chapter 28 Introduction To IPSec

    Chapter 28 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 28.1 Introduction 28.1.1 VPN A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 354: Figure 28-1 Encryption And Decryption

    Figure 28-1 Encryption and Decryption
    Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.
    Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 355: Ipsec Architecture

    Figure 28-2 VPN Application 28.2 IPSec Architecture The overall IPSec architecture is shown as follows.
  • Page 356: Figure 28-3 Ipsec Architecture

    Figure 28-3 IPSec Architecture 28.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 357: Ipsec And Nat

    28.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 28-4 Transport and Tunnel Mode IPSec Encapsulation
    28.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 358: Table 28-1 Vpn And Nat

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end verifies the integrity of the incoming packet by computing its own hash value over it, and rejects the packet because the hash value appended by the sender (computed before the address was rewritten) no longer matches.
  • Page 359: Chapter 29 Vpn/Ipsec Setup

    Chapter 29 VPN/IPSec Setup This chapter introduces the VPN SMT menus. See the Logs chapter and the appendices for information on IPSec logs. 29.1 VPN/IPSec Setup The VPN/IPSec main SMT menu has these main submenus: 1.
  • Page 360: Ipsec Algorithms

    Menu 27 - VPN/IPSec Setup
    1. IPSec Summary
    2. SA Monitor
    Enter Menu Selection Number:
    Figure 29-2 Menu 27: VPN/IPSec Setup
    29.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
  • Page 361: Ipsec Summary

    Table 29-1 AH and ESP
    ESP: Select DES for minimal security and 3DES for maximum. Select NULL to set up a tunnel without encryption.
    AH: Select MD5 for minimal security and SHA-1 for maximum security.
    DES (default): Data Encryption Standard (DES) is a widely used method...
    MD5 (default): MD5 (Message Digest 5) produces a 128-bit...
  • Page 362: Id Type And Content

    IPSec SA lifetime period expires. If there is no traffic when the IPSec SA lifetime period expires, the tunnel is dropped and will have to be renegotiated the next time that someone attempts to send traffic, unless you enable keep alive.
  • Page 363: Table 29-3 Peer Fields

    Table 29-3 Peer Fields
    LOCAL ID TYPE= IP: CONTENT= N/A, do not enter anything.
    LOCAL ID TYPE= DNS: CONTENT= Type a domain name (up to 31 characters) by which to identify the remote IPSec router.
    LOCAL ID TYPE= E-mail: CONTENT= Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.
  • Page 364: My Ip Address

    Table 29-5 Mismatching ID Type and Content Configuration Example
                          ZYWALL A            ZYWALL B
    Local ID type:        IP                  IP
    Local ID content:     N/A                 N/A
    Local IP address:     1.1.1.1             1.1.1.2
    Peer ID type:         E-mail              IP
    Peer ID content:      aa@yahoo.com...
  • Page 365: Figure 29-4 Telecommuter's Zywall Configuration

    Table 29-6 Telecommuter and Headquarters Configuration Example
                                 TELECOMMUTER                                        HEADQUARTERS
    My IP address:               0.0.0.0 (dynamic IP address assigned by the ISP)    Public static IP address
    Secure Gateway IP Address:   Public static IP address or domain name.            0.0.0.0. With this IP address only the telecommuter can initiate the IPSec...
  • Page 366: Figure 29-6 Menu 27.1: Ipsec Summary

    ...                                      172.16.2.40   172.16.2.46   193.81.13.2
    zw50    1.1.1.1        1.1.1.1        Tunnel  AH   SHA1      4.4.4.4       255.255.0.0   zw50test.zyxel.
    China   192.168.1.40   192.168.1.42   Tunnel  ESP  DES MD5   0.0.0.0
    Select Command= None    Select Rule= N/A
    Press ENTER to Confirm or ESC to Cancel:
    Figure 29-6 Menu 27.1: IPSec Summary
    Table 29-7 Menu 27.1: IPSec Summary...
  • Page 367: Table 29-7 Menu 27.1: IPSec Summary

    Table 29-7 Menu 27.1: IPSec Summary
    Local Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the LAN behind your ZyWALL. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Range, this is the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. Example: 192.168.1.35
  • Page 368: Table 29-7 Menu 27.1: IPSec Summary

    Table 29-7 Menu 27.1: IPSec Summary
    Remote Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind the remote IPSec router. Example: 172.16.2.40
  • Page 369: Ipsec Setup

    Table 29-7 Menu 27.1: IPSec Summary
    Select Command: Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands. Example: None
  • Page 370: Figure 29-7 Menu 27.1.1: Ipsec Setup

    Name= Taiwan
    Active= Yes                       Keep Alive= No
    Local ID type                     Content:
    My IP Addr= 0.0.0.0
    Peer ID type                      Content:
    Secure Gateway Addr= zw50test.zyxel.com.tw
    Protocol= 0
    Local:  Addr Type= SINGLE
            IP Addr Start= 1.1.1.1    End= N/A
            Port Start= 0             End= N/A
    ...
  • Page 371: Table 29-8 Menu 27.1.1: IPSec Setup

    Table 29-8 Menu 27.1.1: IPSec Setup
    Keep Alive: Press [SPACE BAR] to choose either Yes or No. Choose Yes and press [ENTER] to have the ZyWALL automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 372: Table 29-8 Menu 27.1.1: IPSec Setup

    Table 29-8 Menu 27.1.1: IPSec Setup
    Content: This field is N/A when you select IP in the Peer ID Type field (the ZyWALL uses the IP address in the Secure Gateway Addr field). When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote IPSec router.
  • Page 373: Table 29-8 Menu 27.1.1: IPSec Setup

    Table 29-8 Menu 27.1.1: IPSec Setup
    End: When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. Example: 192.168.1.38
  • Page 374: Table 29-8 Menu 27.1.1: IPSec Setup

    Table 29-8 Menu 27.1.1: IPSec Setup
    End: When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. Example: 255.255.0.0
  • Page 375: Ike Setup

    29.5 IKE Setup To edit this menu, the Key Management field Menu 27.1.1 – IPSec Setup must be set to IKE. Move the cursor to the Edit Key Management Setup field in Menu 27.1.1 – IPSec Setup; press [SPACE BAR] to select Yes and then press [ENTER] to display Menu 27.1.1.1 –...
  • Page 376: Negotiation Mode

    Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The ZyWALL automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic.
  • Page 377

    secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
    Menu 27.1.1.1 - IKE Setup
    Phase 1
      Negotiation Mode= Main
      Pre-Shared Key=
      Encryption Algorithm = DES
      Authentication Algorithm = SHA1
      SA Life Time (Seconds)= 28800
      Key Group= DH1
    ...
  • Page 378: Table 29-9 Menu 27.1.1.1: Ike Setup

    Table 29-9 Menu 27.1.1.1: IKE Setup
    Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 379: Manual Setup

    SPI to establish the tunnel. Current ZyXEL implementation assumes identical outgoing and incoming SPIs. To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup, press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 –...
  • Page 380: Table 29-11 Menu 27.1.1.2: Manual Setup

    Menu 27.1.1.2 – Manual Setup
    Active Protocol= ESP Tunnel
    ESP Setup
      SPI=
      Encryption Algorithm= DES
        Key1=
        Key2= N/A
        Key3= N/A
      Authentication Algorithm= MD5
        Key= N/A
    AH Setup
      SPI (Decimal)= N/A
      Authentication Algorithm= N/A
      Key=
    Press ENTER to Confirm or ESC to Cancel:
    Figure 29-10 Menu 27.1.1.2: Manual Setup
    Table 29-11 Menu 27.1.1.2: Manual Setup...
  • Page 381: Table 29-11 Menu 27.1.1.2: Manual Setup

    Table 29-11 Menu 27.1.1.2: Manual Setup
    Key3: Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated).
    Authentication Algorithm: Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER].
    Key: Enter the authentication key to be used by IPSec if applicable.
  • Page 383: Chapter 30 Sa Monitor

    Chapter 30 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 30.1 Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
  • Page 384: Table 30-1 Menu 27.2: Sa Monitor

    Table 30-1 Menu 27.2: SA Monitor
    The first field is the security association index number.
    Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. Example: Taiwan
  • Page 385: Troubleshooting

    Part X: Troubleshooting This part provides possible remedies for potential problems.
  • Page 387: Table 31-1 Troubleshooting The Start-Up Of Your Zywall

    Chapter 31 Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information. DMZ applies to the ZyWALL 100. 31.1 Problems Starting Up the ZyWALL Table 31-1 Troubleshooting the Start-Up of your ZyWALL PROBLEM...
  • Page 388: Problems With The Lan Interface

    31.2 Problems with the LAN Interface
    Table 31-2 Troubleshooting the LAN Interface
    PROBLEM: Cannot access the ZyWALL from the LAN.
    CORRECTIVE ACTION: Check your Ethernet cable type and connections. Refer to the Rear Panel and Connections section for LAN connection instructions.
  • Page 389: Table 31-4 Troubleshooting The Wan Interface

    31.4 Problems with the WAN Interface
    Table 31-4 Troubleshooting the WAN Interface
    PROBLEM: Cannot get WAN IP from ...
    CORRECTIVE ACTION: The WAN IP is provided when the ISP recognizes the user as an authorized user after verifying the MAC address, Host Name or User ID.
  • Page 390: Table 31-6 Troubleshooting The Password

    31.6 Problems with the Password
    Table 31-6 Troubleshooting the Password
    PROBLEM: Cannot access the ZyWALL.
    CORRECTIVE ACTION: The Password field is case sensitive. Make sure that you enter the correct password using the proper casing.
  • Page 391: Part XI: General Appendices

    Part XI: General Appendices This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP, hardware specifications, Universal Plug and Play, IP subnetting, safety warnings and how to change a ZyWALL 100 Fuse.
  • Page 393: Appendix A Setting Up Your Computer's Ip Address

    Appendix A Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 394 The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add.
  • Page 395 Click the IP Address tab.
    - If your IP address is dynamic, select Obtain an IP address automatically.
    - If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
  • Page 396 Click the Gateway tab.
    - If you do not know your gateway’s IP address, remove previously installed gateways.
    - If you have a gateway IP address, type it in the New gateway field and click Add.
    Click OK to save and close the TCP/IP Properties window.
  • Page 397 For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
  • Page 398 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
    - If you have a dynamic IP address click Obtain an IP address automatically.
  • Page 399
    - If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
    Do one or more of the following if you want to configure additional IP addresses:
    - In the IP Settings tab, in IP addresses, click Add.
  • Page 400 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
    - Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
    - If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 401 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
  • Page 402: Macintosh Os X

    For statically assigned settings, do the following:
    - From the Configure box, select Manually.
    - Type your IP address in the IP Address box.
    - Type your subnet mask in the Subnet mask box.
    - Type the IP address of your ZyWALL in the Router address box.
    Close the TCP/IP Control Panel.
  • Page 403 Click Network in the icon bar.
    - Select Automatic from the Location list.
    - Select Built-in Ethernet from the Show list.
    - Click the TCP/IP tab.
    For dynamically assigned settings, select Using DHCP from the Configure list.
    For statically assigned settings, do the following:
    - From the Configure box, select Manually.
  • Page 404: Appendix B Triangle Route

    Appendix B Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
  • Page 405 Diagram B-2 “Triangle Route” Problem The “Triangle Route” Solutions This section presents two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces with the ZyWALL being the gateway for each logical network.
  • Page 406: Gateways On The Wan Side

    Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 407: Appendix C The Big Picture

    Appendix C The Big Picture The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram C-1 Big Picture: Filtering, Firewall, VPN and NAT
  • Page 408: Benefits Of A Wireless Lan

    Appendix D Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
  • Page 409 IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band.
  • Page 410 Diagram D-1 Peer-to-Peer Communication in an Ad-hoc Network Infrastructure Wireless LAN Configuration For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
  • Page 411 could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram D-2 ESS Provides Campus-Wide Coverage
  • Page 412: Appendix E Wireless Lan With Ieee 802.1X

    Appendix E Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
  • Page 413
    • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
    • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
  • Page 415: Appendix F Pppoe

    Appendix F PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure).
  • Page 416: How Pppoe Works

    How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 417: Appendix G Pptp

    Appendix G PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 418 PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
  • Page 419 Diagram G-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 420: Appendix H Hardware Specifications

    Appendix H Hardware Specifications
    Chart H-1 General Specifications
    Power Specification: 100-240 VAC, 50/60Hz (ZyWALL 100)
    Power Specification: I/P AC 120V / 60Hz; O/P DC 12V 1200 mA (ZyWALL 10, 10W, 50)
    Power Consumption: 16 Watts maximum (ZyWALL 100)
    Power Current (ZyWALL ...): 1.9 Amps...
  • Page 421: Cable Pin Assignments

    Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you connect a modem to the dial backup port. (Connector pin diagram: Pin 1, Pin 5, Pin 9)...
  • Page 422 Chart H-3 Ethernet Cable Pin Assignments
    WAN/LAN/DMZ Ethernet Cable Pin Layout: Straight-Through (Switch to Adapter) and Crossover (Switch to Switch)
    (Pin-by-pin table of IRD +/- and OTD +/- assignments)...
  • Page 423 Chart H-5 European Union AC Power Adaptor Specifications
    Power consumption: 10 W
    Plug: European Union standards
    Safety standards: TUV, CE (EN 60950)
    AC Power Adapter model: JAD-121200E
    Input power: AC 230 Volts/50Hz
    Output power: DC 12 Volts/1.2A
    Power consumption: 9 W
    Plug: European Union standards
    Safety standards: TUV, CE (EN 60950)
    Chart H-6 UK AC Power Adaptor Specifications...
  • Page 424 Chart H-8 Australia and New Zealand AC Power Adaptor Specifications
    AC Power Adapter model: AD-1201200Ds or AD-121200DS
    Input power: AC 240 Volts/50Hz/0.2A
    Output power: DC 12 Volts/1.2A
    Power consumption: 10 W
    Plug: Australia and New Zealand standards
    Safety standards: NATA (AS 3260)
  • Page 425: Universal Plug And Play

    UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while...
  • Page 426 Are there any cautions about UPnP? The automated nature of NAT Traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
  • Page 427: Installing Upnp In Windows Me

    Chart I-1 UPnP
    Enable the Universal Plug and Play (UPnP) feature: Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although you must still enter the password to access the web configurator).
  • Page 428: Installing Upnp In Windows Xp

    Step 1. Click Start and Control Panel. Double-click Add/Remove Programs.
    Step 2. Click the Windows Setup tab and select Communication in the Components selection box. Click Details.
    Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.
  • Page 429: Using Upnp In Windows Xp Example

    This appendix shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
  • Page 430
    Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
    Step 2. Right-click the icon and select Properties.
    Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
    Step 4. You may edit or delete the port mappings or click Add to...
  • Page 431: Web Configurator Easy Access

    Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • Page 432 Select My Network Places under Other Places.
    Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
    Step 5. Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
  • Page 433 Step 6. Right-click on the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 434: Appendix J Ip Subnetting

    Appendix J IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 435: Subnet Masks

    A class “B” address (16 host bits) can have 2^16 – 2 or 65534 hosts. A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must begin with a “0” bit, the first octet of a class “A” address can have a value of 0 to 127.
  • Page 436 With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
  • Page 437 The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit.
  • Page 438 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
  • Page 439: Example Eight Subnets

    Subnet Address: 192.168.1.128      Lowest Host ID: 192.168.1.129
    Broadcast Address: 192.168.1.191   Highest Host ID: 192.168.1.190
    Chart J-10 Subnet 4
    IP Address: 192.168.1. (last octet bit value 11000000)
    IP Address (Binary): 11000000.10101000.00000001.
    Subnet Mask (Binary): 11111111.11111111.11111111.
  • Page 440: Subnetting With Class A And Class B Networks

    Chart J-12 Class C Subnet Planning (NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET)
    255.255.255.128 (/25)
    255.255.255.192 (/26)
    255.255.255.224 (/27)
    255.255.255.240 (/28)
    255.255.255.248 (/29)
    255.255.255.252 (/30)
    255.255.255.254 (/31)
    Subnetting With Class A and Class B Networks. For class “A”...
  • Page 441 Chart J-13 Class B Subnet Planning (NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET)
    255.255.255.128 (/25)
    255.255.255.192 (/26)  1024
    255.255.255.224 (/27)  2048
    255.255.255.240 (/28)  4096
    255.255.255.248 (/29)  8192
    255.255.255.252 (/30)  16384
    255.255.255.254 (/31)  32768...
  • Page 442: Appendix K Safety Warnings And Instructions

    Appendix K Safety Warnings and Instructions 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40° Celsius (104° Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 443 Appendix L Removing and Installing a ZyWALL 100 Fuse This appendix shows you how to remove and install fuses for the ZyWALL 100. The ZyWALL 100 uses a 0.5 Amp, 250 VAC fuse. The ZyWALL 100 comes from the factory with two fuses installed in the fuse housing.
  • Page 445 Part XII: Command and Log Appendices This part provides information on the command line interface, firewall and NetBIOS commands and logs and password protection.
  • Page 447: Command Interpreter

    The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
  • Page 448: Appendix N Firewall Commands

    ZyWALL 10~100 Series Internet Security Gateway Appendix N Firewall Commands The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure.
    Chart N-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
    config edit firewall active <yes | no>: This command turns the firewall on or off.
  • Page 449 ZyWALL 10~100 Series Internet Security Gateway Chart N-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
    config display firewall e-mail: This command shows all of the e-mail settings.
    config display firewall ?: This command shows all of the available firewall sub commands.
    config edit firewall e-mail mail-server <ip address of mail server>: This command sets the IP address to which the e-...
  • Page 450: Firewall Commands

    ZyWALL 10~100 Series Internet Security Gateway Chart N-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
    config edit firewall attack send-alert <yes | no>: This command enables or disables the immediate sending of DOS attack notification e-mail messages.
    config edit firewall attack block <yes | no>: Set this command to block new traffic after...
  • Page 451 ZyWALL 10~100 Series Internet Security Gateway Chart N-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
    config edit firewall set <set #> name <desired name>: This command sets a name to identify a specified set.
    config edit firewall set <set #> default-permit <forward | block>: This command sets whether a packet is dropped or...
  • Page 452 ZyWALL 10~100 Series Internet Security Gateway Chart N-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
    config edit firewall set <set #> rule <rule #> active <yes | no>: This command sets whether a rule is enabled or not.
    config edit firewall set <set #> rule <rule #>...: This command sets the protocol specification...
  • Page 453 ZyWALL 10~100 Series Internet Security Gateway Chart N-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
    config edit firewall set <set #> rule <rule #> destaddr-range <start ip address>...: This command sets a rule to have the ZyWALL check for traffic going to this range of addresses.
  • Page 455: Netbios Filter Commands

    ZyWALL 10~100 Series Internet Security Gateway Appendix O NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
  • Page 456 ZyWALL 10~100 Series Internet Security Gateway This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ.
    =============== NetBIOS Filter Status ===============
    LAN to WAN: Forward
    WAN to LAN: Forward
    IPSec Packets: Forward
    Trigger Dial: Disabled...
  • Page 457: Netbios Filter Configuration

    ZyWALL 10~100 Series Internet Security Gateway Chart O-1 NetBIOS Filter Default Settings (NAME | DESCRIPTION | EXAMPLE)
    WAN to DMZ: This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the DMZ. Example: Forward.
    DMZ to LAN: This field displays whether NetBIOS packets are blocked or forwarded from the DMZ to the LAN. Example: Forward.
  • Page 458 ZyWALL 10~100 Series Internet Security Gateway <on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection.
  • Page 459: Boot Commands

    ZyWALL 10~100 Series Internet Security Gateway Appendix P Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
  • Page 460 ZyWALL 10~100 Series Internet Security Gateway
    just answer OK
    ATHE print help
    ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y) set BootExtension Debug Flag (y=password)
    ATSE show the seed of password generator
    ATTI(h,m,s) change system time to hour:min:sec or show current time
    ATDA(y,m,d) change system date to year/month/day or show current date
    ATDS...
  • Page 461: Appendix Q Log Descriptions

    ZyWALL 10~100 Series Internet Security Gateway Appendix Q Log Descriptions
    Chart Q-1 System Error Logs (LOG MESSAGE | DESCRIPTION)
    %s exceeds the max. number of session per host!: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
    Chart Q-2 System Maintenance Logs...
  • Page 462 ZyWALL 10~100 Series Internet Security Gateway Chart Q-2 System Maintenance Logs
    TELNET Login Fail: Someone has failed to log on to the router via telnet.
    FTP Login Successfully: Someone has logged on to the router via ftp.
    FTP Login Fail: Someone has failed to log on to the router via ftp.
  • Page 463 ZyWALL 10~100 Series Internet Security Gateway Chart Q-5 Attack Logs (LOG MESSAGE | DESCRIPTION)
    attack IGMP: The firewall detected an IGMP attack.
    attack ESP: The firewall detected an ESP attack.
    attack GRE: The firewall detected a GRE attack.
    attack OSPF: The firewall detected an OSPF attack.
    attack ICMP (type:%d, ...: The firewall detected an ICMP attack;...
  • Page 464 ZyWALL 10~100 Series Internet Security Gateway Chart Q-5 Attack Logs (LOG MESSAGE | DESCRIPTION)
    syn flood TCP: The firewall detected a TCP syn flood attack.
    ports scan TCP: The firewall detected a TCP port scan attack.
    teardrop TCP: The firewall detected a TCP teardrop attack.
    teardrop UDP: The firewall detected a UDP teardrop attack.
  • Page 465 ZyWALL 10~100 Series Internet Security Gateway Chart Q-6 Access Logs (LOG MESSAGE | DESCRIPTION)
    Firewall default policy: TCP (set:%d): TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration.
  • Page 466 ZyWALL 10~100 Series Internet Security Gateway Chart Q-6 Access Logs (LOG MESSAGE | DESCRIPTION)
    Firewall rule match: IGMP (set:%d, rule:%d): IGMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
    Firewall rule match: ESP ...: ESP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
  • Page 467 ZyWALL 10~100 Series Internet Security Gateway Chart Q-6 Access Logs (LOG MESSAGE | DESCRIPTION)
    Firewall rule NOT match: OSPF (set:%d, rule:%d): OSPF access did not match the listed firewall rule and the ZyWALL logged it.
    Firewall rule NOT match: (set:%d, rule:%d): Access did not match the listed firewall rule and the ZyWALL logged it.
    Filter default policy...
  • Page 468 ZyWALL 10~100 Series Internet Security Gateway Chart Q-6 Access Logs (LOG MESSAGE | DESCRIPTION)
    Filter match DROP <set %d/rule %d>: ICMP access matched the listed filter rule and the ZyWALL dropped the packet to block access.
    Filter match DROP ...: Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
  • Page 469 ZyWALL 10~100 Series Internet Security Gateway Chart Q-6 Access Logs (LOG MESSAGE | DESCRIPTION)
    Firewall sent TCP reset packets: The firewall sent out TCP reset packets.
    Packet without a NAT ...: The router blocked a packet that did not have a corresponding NAT table entry.
  • Page 470 ZyWALL 10~100 Series Internet Security Gateway Chart Q-7 ACL Setting Notes (ACL SET NUMBER | DIRECTION | DESCRIPTION)
    9 | DMZ to DMZ/ZyWALL | ACL set 9 for packets traveling from the DMZ to the DMZ or the ZyWALL.
    Chart Q-8 ICMP Notes (TYPE | CODE | DESCRIPTION)
    Echo Reply: Echo reply message...
  • Page 471 ZyWALL 10~100 Series Internet Security Gateway Chart Q-8 ICMP Notes (TYPE | CODE | DESCRIPTION)
    Echo: Echo message
    Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded
    Parameter Problem: Pointer indicates the error
    Timestamp: Timestamp request message
    Timestamp Reply: Timestamp reply message
    Information Request: Information request message
    Information Reply...
  • Page 472: Log Descriptions

    ZyWALL 10~100 Series Internet Security Gateway
    Index: Date/Time: Log:
    ------------------------------------------------------------
    01 Jan 08:02:22 Send Main Mode request to <192.168.100.101>
    01 Jan 08:02:22 Send:<SA>
    01 Jan 08:02:22 Recv:<SA>
    01 Jan 08:02:24 Send:<KE><NONCE>
    01 Jan 08:02:24 Recv:<KE><NONCE>
    01 Jan 08:02:26 Send:<ID><HASH>
    01 Jan 08:02:26 Recv:<ID><HASH>...
  • Page 473 ZyWALL 10~100 Series Internet Security Gateway The following table shows sample log messages during IKE key exchange. Chart Q-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION Send <Symbol> Mode request to <IP> The ZyWALL has started negotiation with the peer. Send <Symbol>...
  • Page 474 ZyWALL 10~100 Series Internet Security Gateway Chart Q-10 Sample IKE Key Exchange Logs (LOG MESSAGE | DESCRIPTION)
    !! Remote IP <IP start> / <IP end> conflicts: If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If a peer’s “Local Addr”...
  • Page 475 ZyWALL 10~100 Series Internet Security Gateway Chart Q-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION vs. My Local <IP address> The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router.
  • Page 476 ZyWALL 10~100 Series Internet Security Gateway Chart Q-11 Sample IPSec Logs During Packet Transmission (LOG MESSAGE | DESCRIPTION)
    Rule <#d> idle time out, disconnect: If an SA has no packets transmitted for a period of time (configurable via CI command), the ZyWALL drops the connection.
    The following table shows RFC-2408 ISAKMP payload types that the log displays.
  • Page 477: Log Commands

    ZyWALL 10~100 Series Internet Security Gateway Log Commands Go to the command line interface (the Command Interpreter Appendix explains how to access and use the commands). Configuring What You Want the ZyWALL to Log Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
  • Page 478: Log Command Example

    ZyWALL 10~100 Series Internet Security Gateway Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. Use the sys logs clear command to erase all of the ZyWALL’s logs. Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
  • Page 479 ZyWALL 10~100 Series Internet Security Gateway Appendix R Brute-Force Password Guessing Protection The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure. Chart R-1 Brute-Force Password Guessing Protection Commands COMMAND DESCRIPTION...
  • Page 481 Index Part XIII: Index This part provides an Index of key terms. XIII...
  • Page 483 ZyWALL 10~100 Series Internet Security Gateway Index 10/100 Mbps Ethernet WAN ......1-3 Backup ............22-2 Backup WAN ..........1-3 Access Point........... 6-12 Bandwidth Borrowing ........25-8 Action for Matched Packets ......16-13 Bandwidth Class ..........25-1 Active..........5-7, 5-10, 10-2 Bandwidth Filter .........
  • Page 484 ZyWALL 10~100 Series Internet Security Gateway call back delay ..........5-6 Connections ............2-3 Call Control ........... 23-2 Additional Requirements for 802.1x ....2-9 Call History............ 23-4 Console Port ......2-6, 21-3, 21-5, 29 Call Scheduling........1-5, 27-1 Configuration File Upload......22-17 maximum number of schedule sets.... 27-1 File Backup..........22-6 PPPoE ............
  • Page 485 ZyWALL 10~100 Series Internet Security Gateway Default Policy Log ......... 16-7 Primary Server ..........6-7 DeMilitarized Zone .......... 8-1 Secondary Server ......... 6-7 Denial of Service..13-2, 13-3, 14-2, 15-3, 15-4 Server Address..........6-2 Denial of Services Domain Name......4-1, 12-15, 21-4 Thresholds..........
  • Page 486 ZyWALL 10~100 Series Internet Security Gateway ESS ....... See Extended Service Set Structure .............19-2 ESS ID ............6-10 TCP/IP Rule ..........19-7 ESSID ............6-12 Filters Ethernet Cable Pin Assignments......30 Executing a Filter Rule.......19-2 Ethernet Encapsulation 5-4, 9-1, 10-2, 10-6, 10-7, IP Filter Logic Flow ........19-9 10-11, 12-14 Firewall.............1-4...
  • Page 487 ZyWALL 10~100 Series Internet Security Gateway When To Use ........... 13-13 Firmware File Half-Open Sessions ........15-3 Maintenance..........22-1 Hardware Installation........2-1 Flow Control ............ 2-8 Hardware Requirements ........2-8 Fragmentation Threshold ....... 6-11 Hidden Menus..........3-2 Frequency-Hopping Spread Spectrum ....17 Hidden Node problem........
  • Page 488 ZyWALL 10~100 Series Internet Security Gateway Infrastructure Configuration ......18 IP Policy Routing ..........1-5 Initial Screen............ 3-1 IP Policy Routing (IPPR) Inside ............. 12-1 Applying an IP Policy ........26-6 Inside Global Address........12-1 Ethernet IP Policies ........26-6 Inside Local Address ........12-1 Gateway............26-5 Installation Requirements ........
  • Page 489 ZyWALL 10~100 Series Internet Security Gateway ISP’s Name ............9-1 Main Menu Commands ........3-2 Management Information Base (MIB)... 20-2 Key Fields For Configuring Rules ....16-3 Many to Many No Overload....See NAT Many to Many Overload......See NAT LAN 100M LED ..........2-2 Many to One ...........See NAT LAN 10M LED ..........
  • Page 490 ZyWALL 10~100 Series Internet Security Gateway Applying NAT in the SMT Menus .... 12-6 Configuring..........12-8 Packet Filtering........1-4, 13-13 Definitions ..........12-1 Packet Filtering Firewalls.......13-1 Examples ..........12-17 Packet Triggered..........21-7 How NAT Works........12-2 PAP............5-8, 10-5 Mapping Types .......... 12-4 Password....3-1, 3-7, 20-3.
  • Page 491 ZyWALL 10~100 Series Internet Security Gateway Precedence ..........26-2, 26-5 Firewall............14-1 Priority ............25-15 Remote Management and NAT ..... 24-4 Priority-based Scheduler ........ 25-5 Remote Management Limitations....24-4 Private ....5-12, 6-3, 6-4, 10-8, 10-10, 11-4 Remote Node ..........10-1 Private IP Addresses ........
  • Page 492 ZyWALL 10~100 Series Internet Security Gateway Rules ............. 16-1, 16-4 Service Type......9-2, 10-3, 16-16, 3 Checklist ............ 16-2 Set Up a Schedule...........27-2 Creating Custom ........16-1 SMT..3-2. See System Management Terminal Key Fields..........16-3 SMT Menus at a Glance ........3-5 LAN to WAN ..........
  • Page 493 ZyWALL 10~100 Series Internet Security Gateway Subnet Masks ............ 43 Terminal Emulator........... 2-6 Subnetting ............43 TFTP.............. 22-5 SYN Flood ..........13-4, 13-5 File Upload ..........22-14 SYN-ACK............13-5 GUI-based Clients ........22-6 SYS LED ............2-2 TFTP and FTP over WAN......22-4 Syslog............
  • Page 494 ZyWALL 10~100 Series Internet Security Gateway Troubleshooting...........1 WAN 10M LED ..........2-3 Internet Access..........3 WAN DHCP........21-11, 21-12 LAN Interface..........2 WAN Setup ..........5-1, 3 WAN Interface..........3 WAN to LAN Rules ........16-4 Trusted Network ........See LAN Web ..............24-2 Turning On ............3-1 Web Configurator..13-2, 13-11, 14-2, 15-1, 16-3 Type of Service......
  • Page 495 ZyWALL 10~100 Series Internet Security Gateway ZyNOS F/W Version ....21-3, 21-4, 22-2 ZyXEL’s Firewall ZyWALL Firewall Application...... 13-3 Introduction ..........13-2 ZyWALL Web Configurator......15-1 Index...

This manual is also suitable for:

ZyWALL 10, ZyWALL 50, ZyWALL 100
