ZyXEL Communications ZYWALL 2 PLUS User Manual

Internet security appliance

ZyWALL 2 Plus
Internet Security Appliance
User's Guide
Version 4.02
3/2007
Edition 1
www.zyxel.com

Summary of Contents for ZyXEL Communications ZYWALL 2 PLUS

  • Page 1 ZyWALL 2 Plus Internet Security Appliance User’s Guide Version 4.02 3/2007 Edition 1 www.zyxel.com...
  • Page 3: About This User's Guide

    • Supporting Disk Refer to the included CD for support documents. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
  • Page 4: Document Conventions

    Syntax Conventions • The ZyWALL 2 Plus may be referred to as the “ZyWALL”, the “device” or the “system” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
  • Page 5 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server DSLAM Firewall Telephone Switch Router ZyWALL 2 Plus User’s Guide...
  • Page 6: Safety Warnings

    • Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning. This product is recyclable. Dispose of it properly.
  • Page 7: Table Of Contents

    DNS (343); Remote Management (355); UPnP (377); ALG Screen (387); Logs and Maintenance (393); Logs Screens (395); Maintenance (427); SMT and Troubleshooting (443); Introducing the SMT (445)
  • Page 8 System Information & Diagnosis (537); Firmware and Configuration File Maintenance (549); System Maintenance Menus 8 to 10 (563); Remote Management (571); Call Scheduling (575); Troubleshooting (579); Appendices and Index (587)
  • Page 9: Table Of Contents

    2.4 Navigating the ZyWALL Web Configurator (52); 2.4.1 Title Bar (52); 2.4.2 Main Window (53); 2.4.3 HOME Screen: Router Mode (53); 2.4.4 HOME Screen: Bridge Mode (55); 2.4.5 Navigation Panel (58)
  • Page 10 4.4 How to Manage the ZyWALL’s Bandwidth (110); 4.4.1 Example Parameters and Scenario (111); 4.4.2 Configuring Bandwidth Management Rules (111); Chapter 5 Registration (117); 5.1 myZyXEL.com overview (117); 5.1.1 Content Filtering Subscription Service (117); 5.2 Registration (118); 5.3 Service (119)
  • Page 11 … (144); 8.7.1 WAN Ethernet Encapsulation (144); 8.7.2 PPPoE Encapsulation (147); 8.7.3 PPTP Encapsulation (150); 8.8 Traffic Redirect (153); 8.9 Configuring Traffic Redirect (154); 8.10 Configuring Dial Backup (155)
  • Page 12 11.6 Asymmetrical Routes (190); 11.6.1 Asymmetrical Routes and IP Alias (190); 11.7 Firewall Default Rule (Router Mode) (191); 11.8 Firewall Default Rule (Bridge Mode) (193); 11.9 Firewall Rule Summary (194)
  • Page 13 14.4 Additional IPSec VPN Topics (243); 14.4.1 SA Life Time (243); 14.4.2 IPSec High Availability (244); 14.4.3 Encryption and Authentication Algorithms (245); 14.5 VPN Rules (IKE) Gateway Policy Edit (245)
  • Page 14 15.8 My Certificate Import (283); 15.8.1 Certificate File Formats (284); 15.9 My Certificate Create (285); 15.10 Trusted CAs (288); 15.11 Trusted CA Details (289); 15.12 Trusted CA Import (292)
  • Page 15 17.5.2 Port Forwarding: Services and Port Numbers (318); 17.5.3 Configuring Servers Behind Port Forwarding (Example) (318); 17.5.4 Port Translation (319); 17.6 Port Forwarding Screen (320); 17.7 Port Triggering (321); Chapter 18 Static Route (325)
  • Page 16 20.6 System Screen (345); 20.6.1 Adding an Address Record (346); 20.6.2 Inserting a Name Server Record (347); 20.7 DNS Cache (349); 20.8 Configure DNS Cache (349); 20.9 Configuring DNS DHCP (350)
  • Page 17 22.1 Universal Plug and Play Overview (377); 22.1.1 How Do I Know If I'm Using UPnP? (377); 22.1.2 NAT Traversal (377); 22.1.3 Cautions with UPnP (377); 22.1.4 UPnP and ZyXEL (378)
  • Page 18 24.4.1 Viewing Web Site Hits (403); 24.4.2 Viewing Host IP Address (403); 24.4.3 Viewing Protocol/Port (404); 24.4.4 System Reports Specifications (406); 24.5 Log Descriptions (406); 24.6 Syslog Logs (424)
  • Page 19 26.5 Resetting the ZyWALL (451); Chapter 27 SMT Menu 1 - General Setup (453); 27.1 Introduction to General Setup (453); 27.2 Configuring General Setup (453); 27.2.1 Configuring Dynamic DNS (454)
  • Page 20 31.3 TCP/IP Setup (480); 31.3.1 IP Address (480); 31.3.2 IP Alias Setup (481); Chapter 32 Wireless Setup (483); 32.1 TCP/IP Setup (483); 32.1.1 IP Address (483); 32.1.2 IP Alias Setup (484)
  • Page 21 36.1.1 Activating the Firewall (517); Chapter 37 Filter Configuration (519); 37.1 Introduction to Filters (519); 37.1.1 The Filter Structure of the ZyWALL (520); 37.2 Configuring a Filter Set (522); 37.2.1 Configuring a Filter Rule (524)
  • Page 22 40.3.3 Example of FTP Commands from the Command Line (552); 40.3.4 GUI-based FTP Clients (552); 40.3.5 File Maintenance Over WAN (552); 40.3.6 Backup Configuration Using TFTP (553); 40.3.7 TFTP Command Example (553)
  • Page 23 Call Scheduling (575); 43.1 Introduction to Call Scheduling (575); Chapter 44 Troubleshooting (579); 44.1 Power, Hardware Connections, and LEDs (579); 44.2 ZyWALL Access and Login (580); 44.3 Internet Access (582)
  • Page 24 Appendix I NetBIOS Filter Commands (653); Appendix J Certificates Commands (655); Appendix K Brute-Force Password Guessing Protection (659); Appendix L Boot Commands (661); Appendix M Legal Information (663); Appendix N Customer Support (667); Index (671)
  • Page 25: List Of Figures

    Figure 36 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy (89); Figure 37 SECURITY > FIREWALL > Rule Summary (90); Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow (91)
  • Page 26 Figure 76 Tutorial Example: Bandwidth Management Class Setup Done (114); Figure 77 Tutorial Example: Bandwidth Management Monitor (115); Figure 78 REGISTRATION (118); Figure 79 REGISTRATION: Registered Device (119); Figure 80 REGISTRATION > Service (120); Figure 81 LAN and WAN (123)
  • Page 27 Figure 122 Blocking All LAN to WAN IRC Traffic Example (188); Figure 123 Limited LAN to WAN IRC Traffic Example (189); Figure 124 Using IP Alias to Solve the Triangle Route Problem (191)
  • Page 28 Figure 164 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (246); Figure 165 Local and Remote Network IP Address Overlap (252); Figure 166 Virtual Mapping of Local and Remote Network IP Addresses (253); Figure 167 VPN: Transport and Tunnel Mode Encapsulation (254)
  • Page 29 Figure 207 ADVANCED > NAT > Port Forwarding (320); Figure 208 Trigger Port Forwarding Process: Example (322); Figure 209 ADVANCED > NAT > Port Triggering (322); Figure 210 Example of Static Routing Topology (325)
  • Page 30 Figure 249 ADVANCED > UPnP (378); Figure 250 ADVANCED > UPnP > Ports (379); Figure 251 H.323 ALG Example (388); Figure 252 SIP ALG Example (389); Figure 253 ADVANCED > ALG (390)
  • Page 31 Figure 293 Menu 11.2: Remote Node Profile (Backup ISP) (463); Figure 294 Menu 11.2.2: Remote Node Network Layer Options (465); Figure 295 Menu 11.2.3: Remote Node Script (467); Figure 296 Menu 11.2.4: Remote Node Filter (468)
  • Page 32 Figure 335 Menu 4: Internet Access & NAT Example (509); Figure 336 NAT Example 2 (510); Figure 337 Menu 15.2: Specifying an Inside Server (510); Figure 338 NAT Example 3 (511); Figure 339 Example 3: Menu 11.1.2 (511)
  • Page 33 Figure 378 System Maintenance: Backup Configuration (554); Figure 379 System Maintenance: Starting Xmodem Download Screen (554); Figure 380 Backup Configuration Example (554); Figure 381 Successful Backup Confirmation Screen (555); Figure 382 Telnet into Menu 24.6 (555)
  • Page 34 Figure 422 Red Hat 9.0: KDE: Network Configuration: Devices (605); Figure 423 Red Hat 9.0: KDE: Ethernet Device: General (605); Figure 424 Red Hat 9.0: KDE: Network Configuration: DNS (606); Figure 425 Red Hat 9.0: KDE: Network Configuration: Activate (606)
  • Page 35 Figure 465 Managing the Bandwidth of an IPSec SA (644); Figure 466 Managing the Bandwidth of an IKE SA (644); Figure 467 Routing Command Example (645); Figure 468 Option to Enter Debug Mode (661)
  • Page 36 List of Figures: Figure 469 Boot Module Commands (662)
  • Page 37: List Of Tables

    Table 35 NETWORK > WAN > WAN (PPTP Encapsulation) (151); Table 36 NETWORK > WAN > Traffic Redirect (155); Table 37 NETWORK > WAN > Dial Backup (156); Table 38 NETWORK > WAN > Dial Backup > Edit (160)
  • Page 38 Table 79 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 (285); Table 80 SECURITY > CERTIFICATES > My Certificates > Create (286); Table 81 SECURITY > CERTIFICATES > Trusted CAs (288)
  • Page 39 Table 121 ADVANCED > REMOTE MGMT > FTP (369); Table 122 SNMP Traps (371); Table 123 ADVANCED > REMOTE MGMT > SNMP (372); Table 124 ADVANCED > REMOTE MGMT > DNS (373)
  • Page 40 Table 163 MAC-address-to-port Mapping Table (433); Table 164 MAINTENANCE > Device Mode (Router Mode) (435); Table 165 MAINTENANCE > Device Mode (Bridge Mode) (436); Table 166 MAINTENANCE > Firmware Upload (438); Table 167 Restore Configuration (440)
  • Page 41 Table 207 System Maintenance: Status Menu Fields (538); Table 208 Fields in System Maintenance: Information (540); Table 209 System Maintenance Menu Syslog Parameters (542); Table 210 System Maintenance Menu Diagnostic (546)
  • Page 42 Table 238 Commonly Used Services (623); Table 239 Firewall Commands (647); Table 240 NetBIOS Filter Default Settings (654); Table 241 Certificates Commands (655); Table 242 Brute-Force Password Guessing Protection Commands (659)
  • Page 43: Introduction And Registration

    Introduction and Registration Getting to Know Your ZyWALL (45) Introducing the Web Configurator (49) Wizard Setup (67) Tutorial (85) Registration (117)
  • Page 45: Getting To Know Your ZyWALL

    (company network, or your cable or DSL modem for example). Connect computers or servers to the LAN ports for shared Internet access. The ZyWALL provides not only high speed Internet access, but secure internal network protection and traffic management as well.
  • Page 46: VPN Application

    • SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User’s Guide. • Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server.
  • Page 47: Good Habits For Managing The ZyWALL

    The ZyWALL has a successful 10Mbps Ethernet connection; flashing: the 10M LAN/DMZ/WLAN port is sending or receiving packets. Orange: the ZyWALL has a successful 100Mbps Ethernet connection; flashing: the 100M LAN/DMZ/WLAN port is sending or receiving packets.
  • Page 48 The ZyWALL has a successful 10Mbps WAN connection; flashing: the 10M WAN port is sending or receiving packets. Orange: the ZyWALL has a successful 100Mbps WAN connection; flashing: the 100M WAN port is sending or receiving packets.
  • Page 49: Introducing The Web Configurator

    2 Launch your web browser. 3 Type "192.168.1.1" as the URL. 4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically; if this is the case, click Login. Change the default password as soon as you are logged in (the Change Password screen, Figure 4): it is the same on every unit and is printed in this guide, so any device still using it can be administered by anyone who can reach 192.168.1.1.
  • Page 50: Figure 4 Change Password Screen

    Figure 8 on page 53). The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.
  • Page 51: Resetting The ZyWALL

    5 Release the RESET button and wait for the ZyWALL to finish restarting. 2.3.2 Uploading a Configuration File Via Console Port 1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
  • Page 52: Navigating The ZyWALL Web Configurator

    DESCRIPTION Wizards: Click this icon to open one of the web configurator wizards. See Chapter 3 on page 67 for more information. Help: Click this icon to open the help page for the current screen.
  • Page 53: Main Window

    This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL. Model: This is the model name of your ZyWALL.
  • Page 54 The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 55: Home Screen: Bridge Mode

    ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
  • Page 56: Figure 9 Web Configurator Home Screen In Bridge Mode

    This is the bootbase version and the date created. Firmware Version: This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System. Click the field label to go to the screen where you can upload a new firmware file.
  • Page 57 The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 58: Navigation Panel

    The following table lists the features available for each device mode. Not all ZyWALLs have all features listed in this table. Table 5 Bridge and Router Mode Features Comparison (columns: Feature, Bridge Mode, Router Mode; rows: Internet Access Wizard, VPN Wizard, DHCP Table, System Statistics, Registration, Bridge).
  • Page 59: Table 6 Screens Summary

    Use this screen to change the LAN/DMZ/WLAN port roles. BRIDGE > Bridge: Use this screen to change the bridge settings on the ZyWALL. Port Roles: Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
  • Page 60 Use this screen to view and manage the list of the trusted CAs. Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to the trusted remote hosts. Directory Servers: Use this screen to view and manage the list of the directory servers.
  • Page 61 Use this screen to enable UPnP on the ZyWALL. Ports: Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Use this screen to allow certain applications to pass through the ZyWALL.
  • Page 62: Port Statistics

    Dial backup is not available in bridge mode. For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. TxPkts: This is the number of transmitted packets on this port.
  • Page 63: DHCP Table Screen

    This is the index number of the host computer. IP Address: This field displays the IP address relative to the # field listed above. Host Name: This field displays the computer host name.
  • Page 64: VPN Status

    This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL. Remote Network: This field displays the IP addresses (as a range) of computers on the remote network behind the remote IPSec router.
  • Page 65: Bandwidth Monitor

    Budget (kbps): This field displays the amount of bandwidth allocated to the bandwidth class. Current Usage (kbps): This field displays the amount of bandwidth that each bandwidth class is using.
  • Page 66 A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
  • Page 67: Wizard Setup

    The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
  • Page 68: ISP Parameters

    Select Dynamic Assignment if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
  • Page 69: Figure 16 ISP Parameters: PPPoE Encapsulation

    IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks. Figure 16 ISP Parameters: PPPoE Encapsulation
  • Page 70: Table 12 ISP Parameters: PPPoE Encapsulation

    Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.
  • Page 71: Figure 17 ISP Parameters: PPTP Encapsulation

    Select Nailed-Up if you do not want the connection to time out. Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPTP server. PPTP Configuration > My IP Address: Type the (static) IP address assigned to you by your ISP.
  • Page 72: Internet Access Wizard: Second Screen

    Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering trial application. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup. Figure 18 Internet Access Wizard: Second Screen
  • Page 73: Internet Access Wizard: Registration

    Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate a trial of a service such as content filtering. If you want to activate a standard service with your iCard’s PIN (license key), use the REGISTRATION > Service screen.
  • Page 74: Figure 20 Internet Access Wizard: Registration

    Back: Click Back to return to the previous screen. Next: Click Next to continue. After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish.
  • Page 75: Figure 21 Internet Access Wizard: Registration In Progress

    Figure 23 Internet Access Wizard: Registration Failed If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
  • Page 76: VPN Wizard Gateway Setting

    Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 14 on page 67) to open the VPN configuration wizard. The first screen displays as shown next.
  • Page 77: VPN Wizard Network Setting

    Click Next to continue. 3.4 VPN Wizard Network Setting Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel.
  • Page 78: Figure 27 VPN Wizard: Network Setting

    When the Local Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the LAN behind your ZyWALL. Subnet Mask: When the Local Network field is configured to Subnet, this is the subnet mask of the LAN behind your ZyWALL.
  • Page 79: VPN Wizard IKE Tunnel Setting (IKE Phase 1)

    3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 28 VPN Wizard: IKE Tunnel Setting
  • Page 80: VPN Wizard IPSec Setting (IKE Phase 2)

    Back: Click Back to return to the previous screen. Next: Click Next to continue. 3.6 VPN Wizard IPSec Setting (IKE Phase 2) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
  • Page 81: Figure 29 VPN Wizard: IPSec Setting

    A short SA Life Time increases security by forcing the two VPN gateways to renegotiate fresh encryption and authentication keys more often, which limits how much traffic any one key protects. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected, so choose a value that balances key freshness against the interruption.
  • Page 82: VPN Wizard Status Summary

    3.7 VPN Wizard Status Summary This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. Figure 30 VPN Wizard: VPN Status
  • Page 83: Table 19 VPN Wizard: VPN Status

    This is the length of time (in seconds) before an IKE SA automatically renegotiates. Pre-Shared Key: This is the pre-shared key used to authenticate the communicating parties to each other during the phase 1 IKE negotiation; both gateways must be configured with the same key. IPSec Setting (IKE Phase 2) > Encapsulation Mode: This shows Tunnel mode or Transport mode.
  • Page 84: VPN Wizard Setup Complete

    Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 31 VPN Wizard Setup Complete
  • Page 85: Tutorial

    VPN tunnels to the FTP server. Furthermore, you can configure the firewall rule so that only the network behind device B can access the FTP server through a VPN tunnel (not other remote networks that have VPN tunnels with the ZyWALL).
  • Page 86: Configuring The VPN Rule

    1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon. Figure 33 SECURITY > VPN > VPN Rules (IKE) 2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.
  • Page 87: Figure 34 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy

    Chapter 4 Tutorial Figure 34 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy 3 Click the Add Network Policy icon.
  • Page 88: Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example

    VPN network policy. • The firewall provides better security because it is stateful: it tracks traffic sessions at layer 4, so it can enforce the direction in which a connection is opened and drop packets that do not belong to an established session. The VPN network policy is a stateless match on IP addresses and port numbers and keeps no session state.
  • Page 89: Configuring The Firewall Rules

    (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions. 4.1.3.1 Firewall Rule to Allow Access Example Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.
  • Page 90: Figure 37 SECURITY > FIREWALL > Rule Summary

    Figure 37 SECURITY > FIREWALL > Rule Summary 3 Configure the rule as follows and click Apply. The source addresses are the VPN rule’s remote network and the destination address is the LAN FTP server.
  • Page 91: Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow

    Chapter 4 Tutorial Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow 4 The rule displays in the summary list of VPN to LAN firewall rules.
  • Page 92: Using NAT With Multiple Public IP Addresses

    Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN 4.2 Using NAT with Multiple Public IP Addresses This section shows you examples of how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP.
  • Page 93: Example Parameters And Scenario

    1 Configure the WAN connection to use the first public IP address (1.2.3.4). 2 Configure NAT address mapping for other public IP addresses (1.2.3.5 and 1.2.3.6). 3 Configure NAT port forwarding to forward FTP traffic from the WAN to a specific computer on your local network.
  • Page 94: Configuring The WAN Connection With A Static IP Address

    ISP. If your ISP didn’t give you the service name, leave the field blank. 4 In the WAN IP Address Assignment section, select Use Fixed IP Address and enter the first fixed public IP address (1.2.3.4 in this example). 5 Click Apply.
  • Page 95: Figure 43 Tutorial Example: WAN Screen

    DNS server the ZyWALL can query to resolve domain names. Figure 44 Tutorial Example: DNS > System 8 Select Public DNS Server and enter the first DNS server’s IP address given by your ISP. Click Apply.
  • Page 96: Figure 45 Tutorial Example: DNS > System Edit-1

    Note: To resolve a domain name, the ZyWALL checks it against the name server record entries in the order that they appear in this list. Figure 46 Tutorial Example: DNS > System Edit-2 10 The DNS > System screen should look as shown.
  • Page 97: Public IP Address Mapping

    11 Go to the Home screen to check your WAN connection status. Make sure the status is not down. Figure 48 Tutorial Example: Status 4.2.3 Public IP Address Mapping To have the local computers and servers use specific WAN IP addresses, you need to map static public IP addresses to them.
  • Page 98: Figure 49 Tutorial Example: Mapping Multiple Public IP Addresses To Inside Servers

    Note: The ZyWALL applies the rules in the order that you specify. You should put any one-to-one rules before a many-to-one rule. 1 Click ADVANCED > NAT. 2 Enable NAT and select Full Feature as you have multiple public IP addresses to map to private IP addresses. Click Apply.
  • Page 99: Figure 50 Tutorial Example: NAT > NAT Overview

    4 Click the first rule’s Edit icon ( ) in the Modify column to display the Address Mapping Rule screen. Figure 51 Tutorial Example: NAT > Address Mapping 5 Map a public IP address to the web server.
  • Page 100: Figure 52 Tutorial Example: NAT Address Mapping Edit: One-To-One (1)

    9 Map a public IP address to other outgoing LAN traffic. Select the Many-to-One type and enter 192.168.1.1 as the local start IP address, 192.168.1.254 as the local end IP address and 1.2.3.4 as the global start IP address. Click Apply.
  • Page 101: Figure 54 Tutorial Example: NAT Address Mapping Edit: Many-To-One

    IP address (1.2.3.7) that can be assigned to another internal server when you expand your network. Figure 55 Tutorial Example: NAT Address Mapping Done Note: To allow traffic from the WAN to be forwarded through the ZyWALL, you must also create a firewall rule. Refer to Section 4.2.5 on page 103 for more information.
  • Page 102: Forwarding Traffic From The WAN To A Local Computer

    Tutorial Example: NAT Address Mapping Edit: Server 3 Click the Port Forwarding tab. 4 Select the Active check box, enter a descriptive name (FTP for example), incoming port number (21) and 192.168.1.39 as the server IP address. Click Apply.
  • Page 103: Allow Wan-To-Lan Traffic Through The Firewall

    In this example, you create the firewall rules to allow traffic from the WAN to the following servers on the LAN: • Web server • Mail server • FTP server Figure 59 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer ZyWALL 2 Plus User’s Guide...
  • Page 104: Figure 60 Tutorial Example: Firewall Default Rule

    5 Configure a firewall rule to allow traffic from the WAN to the web server. Enter a descriptive name (W-L_Web for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.12 and click Add. ZyWALL 2 Plus User’s Guide...
  • Page 105: Figure 62 Tutorial Example: Firewall Rule: Wan To Lan Address Edit For Web Server

    6 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply. Figure 63 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server ZyWALL 2 Plus User’s Guide...
  • Page 106: Figure 64 Tutorial Example: Firewall Rule: Wan To Lan Address Edit For Mail Server

    Figure 64 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server 8 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply. ZyWALL 2 Plus User’s Guide...
  • Page 107: Figure 65 Tutorial Example: Firewall Rule: Wan To Lan Service Edit For Mail Server

    9 Click the Insert button to configure a firewall rule to allow FTP traffic from the WAN to the FTP server. Enter a descriptive name (W-L_FTP for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.39 and click Add. ZyWALL 2 Plus User’s Guide...
  • Page 108: Figure 66 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for FTP Server

    10 Select FTP(TCP:20,21) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply. Figure 67 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server
  • Page 109: Testing the Connections

    If two users (behind the ZyWALL) want to connect to the same server to play online games at the same time, but the server does not allow more than one login from the same IP address, you can configure a many-to-many rule instead of a many-to-one rule.
  • Page 110: How to Manage the ZyWALL’s Bandwidth

    When you finish configuration, the screen looks as shown. Figure 69 Tutorial Example: NAT Address Mapping Done: Game Playing Note: To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.2.5 on page 103...
  • Page 111: Example Parameters and Scenario

    4 Select Priority-Based to have the ZyWALL give preference to bandwidth classes with higher priorities. 5 Deselect the Maximize Bandwidth Usage option to reserve bandwidth for traffic that is not defined in a bandwidth class. 6 Click Apply.
  • Page 112: Figure 71 Tutorial Example: Bandwidth Management Summary

    VoIP traffic. The higher the number, the higher the priority. 10 Enable this filter and select the SIP service. 11 Leave the IP address and subnet mask fields blank, so that the filter will be applied to any outgoing traffic through the WAN port. Click Apply.
  • Page 113: Figure 73 Tutorial Example: Bandwidth Management Class Setup: VoIP

    12 Click the Add Sub-Class button to create a rule for FTP traffic as follows. Click Apply. Figure 74 Tutorial Example: Bandwidth Management Class Setup: FTP 13 Click the Add Sub-Class button to create a rule for WWW traffic as follows. Click Apply.
  • Page 114: Figure 75 Tutorial Example: Bandwidth Management Class Setup: WWW

    14 When you are finished, the Class Setup screen looks as shown. Figure 76 Tutorial Example: Bandwidth Management Class Setup Done 15 Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface.
  • Page 115: Figure 77 Tutorial Example: Bandwidth Management Monitor

    Chapter 4 Tutorial Figure 77 Tutorial Example: Bandwidth Management Monitor
  • Page 116 Chapter 4 Tutorial
  • Page 117: Registration

    CHAPTER 5 Registration 5.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 118: Registration

    REGISTRATION > Service screen to extend the service. Content Filtering 1-month Trial: Select the check box to activate a trial. The trial period starts the day you activate the trial.
  • Page 119: Service

    PIN number (license key). Click REGISTRATION > Service to open the screen as shown next. If you restore the ZyWALL to the default configuration file or upload a different configuration file after you register, click the Service License Refresh button to update license information.
  • Page 120: Figure 80 Registration > Service

    (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh: Click this button to renew service license information (such as the license key, registration status and expiration day).
  • Page 121: Network

    Network LAN Screens (123) Bridge Screens (135) WAN Screens (141) DMZ Screens (161) Wireless LAN (171)
  • Page 123: LAN Screens

    Figure 81 LAN and WAN 6.2 IP Address and Subnet Mask Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
  • Page 124: Private IP Addresses

    Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
  • Page 125: DHCP

    2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address
  • Page 126: WINS

    Click NETWORK > LAN to open the LAN screen. Use this screen to configure the ZyWALL’s IP address and other LAN TCP/IP settings as well as the built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • Page 127: Figure 82 Network > LAN

    RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
  • Page 128 Clear this check box to block all NetBIOS packets going from the LAN to the WLAN and from the WLAN to the LAN. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 129: LAN Static DHCP

    00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown. Figure 83 NETWORK > LAN > Static DHCP
  • Page 130: LAN IP Alias

    The following figure shows a LAN divided into subnets A, B, and C. Figure 84 Physical Network & Partitioned Logical Networks To change your ZyWALL’s IP alias settings, click NETWORK > LAN > IP Alias. The screen appears as shown.
  • Page 131: Figure 85 Network > LAN > IP Alias

    By default, RIP direction is set to Both and the Version set to RIP-1. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 132: LAN Port Roles

    ZyWALL’s DMZ IP address and MAC address. WLAN: Select a port’s WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL’s WLAN IP address and MAC address.
  • Page 133: Figure 87 Port Roles Change Complete

    After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 87 Port Roles Change Complete
  • Page 134 Chapter 6 LAN Screens
  • Page 135: Bridge Screens

    Figure 88 Bridge Loop: Bridge Connected to Wired LAN To prevent bridge loops, ensure that your ZyWALL is not set to bridge mode while connected to two wired segments of the same LAN, or that you enable RSTP in the Bridge screen.
  • Page 136: Spanning Tree Protocol (STP)

    STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops. STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.
  • Page 137: STP Port States

    RSTP (Rapid Spanning Tree Protocol) settings. In bridge mode, if you need to let DHCP clients behind the ZyWALL use a DHCP server on the WAN, enable the default WAN to LAN firewall rule for the BOOTP_CLIENT service.
  • Page 138: Figure 89 Network > Bridge

    If you have the IP address(es) of the DNS server(s), enter the DNS server's IP address(es) in the field(s) to the right.
  • Page 139: Bridge Port Roles

    To change your ZyWALL’s port role settings, click NETWORK > BRIDGE > Port Roles. The screen appears as shown. The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default.
  • Page 140: Figure 90 Network > Bridge > Port Roles

    After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 91 Port Roles Change Complete
  • Page 141: WAN Screens

    The dial-backup or traffic redirect routes cannot take priority over the WAN routes. 8.3 WAN Route Click NETWORK > WAN to open the Route screen. Use this screen to configure the priorities of the ZyWALL’s routes and settings for Windows Networking traffic.
  • Page 142: Figure 92 Network > WAN Route

    WAN and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the WAN and from the WAN to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the WAN and from the WAN to the WLAN.
  • Page 143: WAN IP Address Assignment

    Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa; for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 144: WAN MAC Address

    For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number. The screen shown next is for Ethernet encapsulation.
  • Page 145: Figure 93 Network > WAN > WAN (Ethernet Encapsulation)

    Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login. Login Server (Telia Login only): Type the domain name of the Telia login server, for example login1.telia.com.
  • Page 146 Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data.
  • Page 147: PPPoE Encapsulation

    LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LANs’ computers will have access. The screen shown next is for PPPoE encapsulation.
  • Page 148: Figure 94 Network > WAN > WAN (PPPoE Encapsulation)

    Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type your password again to make sure that you have entered it correctly.
  • Page 149 Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data.
  • Page 150: PPTP Encapsulation

    Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation.
  • Page 151: Figure 95 Network > WAN > WAN (PPTP Encapsulation)

    Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type your password again to make sure that you have entered it correctly.
  • Page 152 When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
  • Page 153: Traffic Redirect

    Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN.
  • Page 154: Configuring Traffic Redirect

    Figure 97 Traffic Redirect LAN Setup 8.9 Configuring Traffic Redirect To change your ZyWALL’s traffic redirect settings, click NETWORK > WAN > Traffic Redirect. The screen appears as shown. Figure 98 NETWORK > WAN > Traffic Redirect
  • Page 155: Configuring Dial Backup

    Click Reset to begin configuring this screen afresh. 8.10 Configuring Dial Backup Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection.
  • Page 156: Figure 99 Network > WAN > Dial Backup

    Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only.
  • Page 157 Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
  • Page 158: Advanced Modem Setup

    ATDP. For ISDN lines, there are many more protocols and operational modes. Please consult the documentation of your TA. You may need additional commands in both Dial and Init strings.
  • Page 159: DTR Signal

    Click the Edit button in the Dial Backup screen to display the Advanced Setup screen. Consult the manual of your WAN device connected to your dial backup port for specific AT commands. Figure 100 NETWORK > WAN > Dial Backup > Edit
  • Page 160: Table 38 Network > WAN > Dial Backup > Edit

    (sec): Type a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback call. Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 161: DMZ Screens

    Like the LAN, the ZyWALL can also assign TCP/IP configuration via DHCP to computers connected to the DMZ ports. From the main menu, click NETWORK > DMZ to open the DMZ screen. The screen appears as shown next.
  • Page 162: Figure 101 Network > DMZ

    RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
  • Page 163 Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 164: DMZ Static DHCP

    00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings on the DMZ, click NETWORK > DMZ > Static DHCP. The screen appears as shown. Figure 102 NETWORK > DMZ > Static DHCP
  • Page 165: DMZ IP Alias

    Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL’s IP alias settings, click NETWORK > DMZ > IP Alias. The screen appears as shown.
  • Page 166: Figure 103 Network > DMZ > IP Alias

    By default, RIP direction is set to Both and the Version set to RIP-1. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 167: DMZ Public IP Address Example

    161) and configure the other subnet in the Network > DMZ > IP Alias screen (see Figure 9.4 on page 165) to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses.
  • Page 168: DMZ Port Roles

    The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default. Your changes are also reflected in the LAN and/or WLAN Port Roles screens.
  • Page 169: Figure 106 Network > DMZ > Port Roles

    Select a port’s WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL’s WLAN IP address and MAC address. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 170 Chapter 9 DMZ Screens
  • Page 171: Wireless LAN

    178) to set a port to be part of the WLAN and connect an access point (AP) to the WLAN interface. Click NETWORK > WLAN to open the WLAN screen to configure the IP address for the ZyWALL’s WLAN interface and other TCP/IP and DHCP settings.
  • Page 172: Figure 107 Network > WLAN

    RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
  • Page 173 Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 174: WLAN Static DHCP

    00:A0:C5:00:00:02. To change your ZyWALL’s WLAN static DHCP settings, click NETWORK > WLAN > Static DHCP. The screen appears as shown. Figure 108 NETWORK > WLAN > Static DHCP
  • Page 175: WLAN IP Alias

    WLAN's logical networks (subnets). Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL’s IP alias settings, click NETWORK > WLAN > IP Alias. The screen appears as shown.
  • Page 176: Figure 109 Network > WLAN > IP Alias

    By default, RIP direction is set to Both and the Version set to RIP-1. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 177: WLAN Port Roles

    The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default. Your changes are also reflected in the LAN and DMZ Port Roles screens.
  • Page 178: Figure 111 Network > WLAN > Port Roles

    After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 112 NETWORK > WLAN > Port Roles: Change Complete
  • Page 179: Security

    Security Firewall (181) Content Filtering Screens (211) Content Filtering Reports (227) IPSec VPN (235) Certificates (275) Authentication Server (301)
  • Page 181: Firewall

    Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However, other traffic initiated from the WAN is blocked (3 and 4). Figure 113 Default Firewall Action
  • Page 182: Packet Direction Matrix

    To set the ZyWALL to silently block traffic from the WAN to the DMZ interfaces by default, you would find where the From WAN row and the To DMZ column intersect and set the field to Drop as shown.
  • Page 183: Packet Direction Examples

    ZyWALL. • LAN to WAN These rules specify which computers on the LAN can access which computers or services connected to the WAN. See Section 11.5 on page for an example.
  • Page 184: To VPN Packet Direction

    LAN computers to go out through any of the ZyWALL’s VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of the ZyWALL’s VPN tunnels.
  • Page 185: From VPN Packet Direction

    You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected “to” interface.
  • Page 186: Figure 118 From VPN to LAN Example

    Figure 118 From VPN to LAN Example In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 119 Block VPN to LAN Traffic by Default Example
  • Page 187: From VPN to VPN Packet Direction

    VPN tunnel or the ZyWALL itself. VPN traffic destined for the DMZ is allowed through. Figure 120 From VPN to VPN Example You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 121 Block VPN to VPN Traffic by Default Example
  • Page 188: Security Considerations

    You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule. Figure 122 Blocking All LAN to WAN IRC Traffic Example
  • Page 189: Figure 123 Limited LAN to WAN IRC Traffic Example

    Figure 123 Limited LAN to WAN IRC Traffic Example Your firewall would have the following configuration. Table 49 Limited LAN to WAN IRC Traffic Example SOURCE DESTINATION SCHEDULE SERVICE ACTION 192.168.1.7 Allow Drop Default Allow
  • Page 190: Asymmetrical Routes

    2 The ZyWALL reroutes the packet to Gateway A, which is in Subnet 2. 3 The reply from the WAN goes to the ZyWALL. 4 The ZyWALL then sends it to the computer on the LAN in Subnet 1.
  • Page 191: Firewall Default Rule (Router Mode)

    Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 125 SECURITY > FIREWALL > Default Rule (Router Mode)
  • Page 192: Table 50 Security > Firewall > Default Rule (Router Mode)

    Select the check box next to a direction of packet travel to create a log when the above action is taken for packets that are traveling in that direction and do not match any of your customized rules.
  • Page 193: Firewall Default Rule (Bridge Mode)

    Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. See Section 11.1 on page 181 for more information about the firewall. Figure 126 SECURITY > FIREWALL > Default Rule (Bridge Mode)
  • Page 194: Firewall Rule Summary

    Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 11.9 Firewall Rule Summary Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules.
  • Page 195: Figure 127 Security > Firewall > Rule Summary

    The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above.
  • Page 196: Firewall Edit Rule

    2 Click Insert to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels. See Section 11.1 on page 181 for more information about the firewall.
  • Page 197: Figure 128 Security > Firewall > Rule Summary > Edit

    Chapter 11 Firewall Figure 128 SECURITY > FIREWALL > Rule Summary > Edit
  • Page 198: Table 53 Security > Firewall > Rule Summary > Edit

    (No). Go to the Log Settings page and select the Access Control logs category to have the ZyWALL record these logs. Send Alert Message to Administrator When Matched: Select the check box to have the ZyWALL generate an alert when the rule is matched.
  • Page 199: Anti-Probing

    ZyWALL hidden from probing attempts. You can specify which of the ZyWALL’s interfaces will respond to Ping requests and whether or not the ZyWALL is to respond to probing for unused ports. Figure 129 SECURITY > FIREWALL > Anti-Probing
  • Page 200: Firewall Thresholds

    ACK (acknowledgment). After this handshake, a connection is established. Figure 130 Three-Way Handshake For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DoS attack.
  • Page 201: Threshold Values

    11.12 Threshold Screen Click SECURITY > FIREWALL > Threshold to bring up the next screen. The global values specified for the threshold and timeout apply to all TCP connections. Figure 131 SECURITY > FIREWALL > Threshold
  • Page 202: Table 55 Security > Firewall > Threshold

    Deny new connection requests for the number of minutes that you specify (between 1 and 255). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 203: Service

    This is the index number of the custom service. Service Name: This is the name of the service. Protocol: This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered.
  • Page 204: Firewall Edit Custom Service

    Choose the IP protocol (TCP, UDP, TCP/UDP, ICMP or Custom) that defines your customized service from the drop-down list box. If you select Custom, specify the protocol’s number. For example, ICMP is 1, TCP is 6, UDP is 17 and so on.
  • Page 205: My Service Firewall Rule Example

    Figure 134 My Service Firewall Rule Example: Service 2 Configure it as follows and click Apply. Figure 135 My Service Firewall Rule Example: Edit Custom Service 3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box.
  • Page 206: Figure 136 My Service Firewall Rule Example: Rule Summary

    6 Enter the name of the firewall rule. 7 Select Any in the Destination Address(es) box and then click Delete. 8 Configure the destination address fields as follows and click Add. Figure 137 My Service Firewall Rule Example: Rule Edit
  • Page 207 9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
  • Page 208: Figure 138 My Service Firewall Rule Example: Rule Configuration

    Chapter 11 Firewall Figure 138 My Service Firewall Rule Example: Rule Configuration Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 209: Figure 139 My Service Firewall Rule Example: Rule Summary

    Chapter 11 Firewall Figure 139 My Service Firewall Rule Example: Rule Summary
  • Page 210 Chapter 11 Firewall
  • Page 211: Content Filtering Screens

    Use this screen to enable content filtering, configure a schedule, and create a denial message. You can also choose specific computers to be included in or excluded from the content filtering configuration.
  • Page 212: Figure 140 Security > Content Filter > General

    ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 213 Delete Range: Click Delete Range after you select the range of addresses you wish to delete. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 214: Content Filtering with an External Database

    Do the following to view content filtering reports (see Chapter 13 on page 227 for details). 1 Log into myZyXEL.com and click your device’s link to open its Service Management screen.
  • Page 215: Figure 142 Security > Content Filter > Categories

    3 Enter your ZyWALL's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 147 on page 229). Type your myZyXEL.com account password in the Password field. Click Submit. Figure 142 SECURITY > CONTENT FILTER > Categories ZyWALL 2 Plus User’s Guide...
  • Page 216: Table 59 Security > Content Filter > Categories

    These pages include very profane or vulgar content and pages that are not appropriate for children. Pornography Selecting this category excludes pages that contain sexually explicit material for the purpose of arousing a sexual or prurient interest. ZyWALL 2 Plus User’s Guide...
  • Page 217 Hacking encompasses instructions on illegal or questionable tactics, such as creating viruses, distributing cracked or pirated software, or distributing other protected intellectual property. ZyWALL 2 Plus User’s Guide...
  • Page 218 Selecting this category excludes pages sponsored by or which provide information on political parties, special interest groups, or any organization that promotes change or reform in public policy, public opinion, social practice, or economic activities. ZyWALL 2 Plus User’s Guide...
  • Page 219 Selecting this category excludes pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements. Real Estate Selecting this category excludes pages that provide information on renting, buying, or selling real estate or properties. ZyWALL 2 Plus User’s Guide...
  • Page 220 ZyWALL’s database of restricted web pages. Test Against Internet Click this button to test whether or not the web site above is saved in the Server external content filter server’s database of restricted web pages. ZyWALL 2 Plus User’s Guide...
  • Page 221: Content Filter Customization

    You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
  • Page 222: Figure 143 Security > Content Filter > Customization

    Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc.
  • Page 223: Customizing Keyword Blocking URL Checking

    12.6.1 Domain Name or IP Address URL Checking By default, the ZyWALL checks the URL’s domain name or IP address when performing keyword blocking. This means that the ZyWALL checks the characters that come before the first slash in the URL.
  • Page 224: Full Path URL Checking

    12.6.2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/. Use the...
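    The two keyword-checking modes described on pages 223 and 224 (domain-name checking up to the first slash, full-path checking up to the last slash), worked through as an added example. This is not ZyXEL's code and not the ZyWALL's internal implementation; it is a plain Python model of the rule as the guide states it. Two details the guide does not state are assumed here: keyword matching is a case-insensitive substring test, and a URL with no slash at all is checked in full in both modes.

```python
"""Keyword blocking with the two URL checking modes described in the guide.
Added example, not ZyXEL's code. Assumptions (not stated in the guide):
case-insensitive substring matching, and a URL with no slash is checked
in full in both modes."""

from typing import List


def strip_scheme(url: str) -> str:
    """Remove a leading http:// or https:// so the host starts the string.
    The guide tells the user to enter host names without the scheme, so
    the check is done on the scheme-less form."""
    lowered = url.lower()
    for scheme in ("http://", "https://"):
        if lowered.startswith(scheme):
            return url[len(scheme):]
    return url


def domain_part(url: str) -> str:
    """Default mode: the characters before the first slash, i.e. the
    domain name or IP address (plus any port, which the guide does not
    separate out)."""
    return strip_scheme(url).split("/", 1)[0]


def full_path_part(url: str) -> str:
    """Full path mode: the characters before and including the last
    slash, i.e. host plus directory path but not the file name.
    For www.zyxel.com.tw/news/pressroom.php this is www.zyxel.com.tw/news/.
    With no slash the whole URL is returned (assumption)."""
    bare = strip_scheme(url)
    last = bare.rfind("/")
    return bare if last == -1 else bare[: last + 1]


def matched_keywords(url: str, keywords: List[str], full_path: bool = False) -> List[str]:
    """Return the configured keywords found in the checked portion of url.
    full_path=False models the default domain-name/IP-address checking;
    full_path=True models full path URL checking."""
    checked = (full_path_part(url) if full_path else domain_part(url)).lower()
    return [kw for kw in keywords if kw.lower() in checked]


def is_blocked(url: str, keywords: List[str], full_path: bool = False) -> bool:
    """True when at least one keyword matches in the selected mode."""
    return bool(matched_keywords(url, keywords, full_path))


if __name__ == "__main__":
    # Constructed keyword list and URLs for illustration only.
    keywords = ["news", "casino"]
    example = "www.zyxel.com.tw/news/pressroom.php"
    print(domain_part(example), full_path_part(example))
    print("default mode blocks:", is_blocked(example, keywords))
    print("full path mode blocks:", is_blocked(example, keywords, full_path=True))
```

    The guide's own example shows the practical difference between the modes: with the keyword "news", the default mode checks only www.zyxel.com.tw and lets the page through, while full path mode checks www.zyxel.com.tw/news/ and blocks it. In neither mode is the file name after the last slash examined, so a keyword that appears only in a file name (casino.html under a neutral directory) is not matched; an administrator who needs that should use the blocked web site list rather than keywords.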
  • Page 225: Figure 144 Security > Content Filter > Cache

    Remaining Time (hour): This is the number of hours left before the URL entry is discarded from the cache. Modify: Click the delete icon to remove the URL entry from the cache.
  • Page 226 Chapter 12 Content Filtering Screens
  • Page 227: Content Filtering Reports

    You need to register your iCard before you can view content filtering reports. Alternatively, you can view content filtering reports during the free trial (up to 30 days). 1 Go to http://www.myZyXEL.com. 2 Fill in your myZyXEL.com account information and click Submit.
  • Page 228: Figure 145 myZyXEL.com: Login

    Figure 145 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see...
  • Page 229: Figure 147 myZyXEL.com: Service Management

    Figure 147 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 147 on page 229).
  • Page 230: Figure 149 Content Filtering Reports Main Screen

    Run Report. The screens vary according to the report type you selected in the Report Home screen. 10 A chart and/or list of requested web site categories display in the lower half of the screen.
  • Page 231: Figure 151 Global Report Screen Example

    Figure 151 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 232: Web Site Submission

    1 Log into the content filtering reports web site (see Section 13.2 on page 227). 2 In the Web Filter Home screen (see Figure 149 on page 230), click Site Submissions to open the Web Page Review Process screen shown next.
  • Page 233: Figure 153 Web Page Review Process Screen

    Figure 153 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
  • Page 234 Chapter 13 Content Filtering Reports
  • Page 235: IPSec VPN

    The following figure provides one perspective of a VPN tunnel. Figure 154 VPN: Example The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B).
  • Page 236: IKE SA Overview

    14.1.1.1 IP Addresses of the ZyWALL and Remote IPSec Router In the ZyWALL, you have to specify the IP addresses of the ZyWALL and the remote IPSec router to establish an IKE SA.
  • Page 237: VPN Rules (IKE)

    This figure helps explain the main fields in the VPN setup. Figure 157 IPSec Fields Summary Click SECURITY > VPN to display the VPN Rules (IKE) screen. Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use IKE SAs.
  • Page 238: Figure 158 Security > VPN > VPN Rules (IKE)

    (behind the IPSec routers) can use the VPN tunnel. Remote Network: This is the remote network behind the remote IPSec router. Click this icon to display a screen in which you can associate a network policy to a gateway policy.
  • Page 239: IKE SA Setup

    Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 14.3.1.1 on page 240 for more information about DH key groups.
  • Page 240: Figure 160 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange

    ID content is a specific IP address, domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist.
  • Page 241: Table 63 VPN Example: Matching ID Type and Content

    CAs you have set up. Alternatively, if you want to use a specific certificate to authenticate the remote IPSec router, you can use the information in the certificate to specify the peer ID type and ID content.
  • Page 242 ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters).
  • Page 243: Additional IPSec VPN Topics

    • There is traffic when the SA lifetime expires • The IPSec SA is configured on the ZyWALL as nailed up (see below) Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic.
  • Page 244: IPSec High Availability

    • Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0) • Should use a WAN connectivity check to this ZyWALL’s WAN IP address
  • Page 245: Encryption And Authentication Algorithms

    Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
  • Page 246: Figure 164 Security > VPN > VPN Rules (IKE) > Edit Gateway Policy

    Figure 164 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
  • Page 247: Table 65 Security > VPN > VPN Rules (IKE) > Edit Gateway Policy

    WAN IP address or domain name (you cannot set either to 0.0.0.0). Redundant Remote Gateway: Type the WAN IP address or the domain name (up to 31 characters) of the backup IPSec router to use when the ZyWALL cannot connect to the primary remote gateway.
  • Page 248 ZyWALL in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
  • Page 249 5. Regardless of how you configure the ID Type and Content fields, two active IPSec SAs cannot have both the local and remote IP address ranges overlap between rules. Extended Authentication. Enable Extended Authentication: Select this check box to activate extended authentication.
  • Page 250 IKE SA, even if they are less secure than the ones you configure for the VPN rule. Clear this to have the ZyWALL use only the configured phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA.
  • Page 251: IPSec SA Overview

    If you select the VPN rules skip applying to the overlap range of local and remote IP addresses option (see Figure 174 on page 267) and the VPN rule’s local and remote network settings are both 0.0.0.0 (any), no traffic will go through the VPN tunnel.
  • Page 252: Virtual Address Mapping

    • You set ZyWALL B to change the source IP addresses of packets from the remote network Y (192.168.1.2 to 192.168.1.27) to virtual IP addresses 172.21.2.2 to 172.21.2.27 before sending them through the VPN tunnel.
  • Page 253: Active Protocol

    Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
  • Page 254: IPSec SA Proposal and Perfect Forward Secrecy

    If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.
  • Page 255: VPN Rules (IKE): Network Policy Edit

    A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. Figure 168 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
  • Page 256: Table 66 Security > VPN > VPN Rules (IKE) > Edit Network Policy

    IP addresses of computers on your local network to other (virtual) IP addresses before sending the packets to the remote IPSec router. This translation hides the source IP addresses of computers in the local network.
  • Page 257 Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your ZyWALL.
  • Page 258 Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
  • Page 259: VPN Rules (IKE): Network Policy Edit: Port Forwarding

    One as the Type and click the Port Forwarding Rules button to open the following screen. Use this screen to configure port forwarding for your VPN tunnels to let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address on the LAN.
  • Page 260: Figure 169 Security > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding

    Type your server IP address in this field. Apply: Click this button to save these settings. Reset: Click this button to begin configuring this screen afresh. Cancel: Click this button to return to the VPN - Network Policy - Edit screen without saving your changes.
  • Page 261: VPN Rules (IKE): Network Policy Move

    When there is a network policy in Recycle Bin, the Recycle Bin gateway policy automatically displays in the VPN Rules (IKE) screen. Apply: Click Apply to save the changes. Cancel: Click Cancel to discard all changes and return to the main VPN screen.
  • Page 262: IPSec SA Using Manual Keys

    Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management.
  • Page 263: Figure 171 Security > VPN > VPN Rules (Manual)

    Click the delete icon to remove the VPN policy. A window displays asking you to confirm that you want to delete the VPN rule. When a VPN policy is deleted, subsequent policies move up in the page list. Click Add to add a new VPN policy.
  • Page 264: VPN Rules (Manual): Edit

    NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa. Select this check box to send NetBIOS packets through the VPN connection.
  • Page 265 LAN IP address when using traffic redirect. The VPN tunnel has to be rebuilt if this IP address changes. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL’s IP address.
  • Page 266: VPN SA Monitor

    In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. Click Refresh to update the list of active VPN connections.
  • Page 267: VPN Global Setting

    Click SECURITY > VPN > Global Setting to open the VPN Global Setting screen. Use this screen to change settings that apply to all of your VPN tunnels. Figure 174 SECURITY > VPN > Global Setting
  • Page 268: Table 72 Security > VPN > Global Setting

    If a VPN rule’s local and remote network settings are both set to 0.0.0.0 (any), no traffic goes through the VPN tunnel if you select this check box. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 269: Telecommuter VPN/IPSec Examples

    14.15.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).
  • Page 270: Figure 176 Telecommuters Using Unique VPN Rules Example

    Headquarters ZyWALL Rule 1: Local ID Type: IP; Peer ID Type: IP; Local ID Content: 192.168.2.12; Peer ID Content: 192.168.2.12; Local IP Address: 192.168.2.12; Remote Gateway Address: telecommutera.dydns.org; Remote Address: 192.168.2.12. Telecommuter B (telecommuterb.dydns.org). Headquarters ZyWALL Rule 2:
  • Page 271: VPN and Remote Management

    VPN tunnel to access the ZyWALL’s LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL’s LAN interface. Figure 177 VPN for Remote Management Example. 14.17 Hub-and-spoke VPN Hub-and-spoke VPN connects VPN tunnels to form one secure network.
  • Page 272: Hub-and-Spoke VPN Example

    The following figure shows a basic hub-and-spoke VPN. Branch office A uses one VPN rule to access both the headquarters (HQ) network and branch office B’s network. Branch office B uses one VPN rule to access both the headquarters and branch office A’s networks.
  • Page 273: Hub-and-Spoke Example VPN Rule Addresses

    • Local IP address: 192.168.169.0/255.255.255.0 • Remote IP address: 192.168.167.0~192.168.168.255 14.17.3 Hub-and-spoke VPN Requirements and Suggestions Consider the following when implementing a hub-and-spoke VPN. The local IP addresses configured in the VPN rules cannot overlap...
  • Page 274 VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. Make sure that your From VPN and To VPN firewall rules do not block the VPN packets.
  • Page 275: Certificates

    A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked.
  • Page 276: Advantages Of Certificates

    2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 180 Certificates on Your Computer 3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
  • Page 277: Configuration Summary

    Use the Trusted Remote Hosts screens to import self-signed certificates from trusted remote hosts. Use the Directory Servers screen to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).
  • Page 278: My Certificates

    Replace This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address.
  • Page 279: My Certificate Details

    You can use this screen to view in-depth certificate information and change the certificate’s name. If it is a self-signed certificate, you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates.
  • Page 280: Figure 184 Security > Certificates > My Certificates > Details

    This automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates.
  • Page 281 Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. MD5 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm.
  • Page 282: My Certificate Export

    Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL.
  • Page 283: My Certificate Import

    One exception is that you can import a PKCS#12 format certificate without a corresponding certification request since the certificate includes the private key. • You must remove any spaces from the certificate’s filename before you can import it.
  • Page 284: Certificate File Formats

    File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 285: My Certificate Create

    Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
  • Page 286: Figure 188 Security > Certificates > My Certificates > Create

    ZyWALL drops trailing spaces. Organization: Type up to 127 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 287 SCEP enrollment protocol. Type the key that the certification authority gave you. Apply: Click Apply to begin certificate or certification request generation. Cancel: Click Cancel to quit and return to the My Certificates screen.
  • Page 288: Trusted CAs

    This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
  • Page 289: Trusted CA Details

    ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 290: Figure 190 Security > Certificates > Trusted CAs > Details

    The ZyWALL does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh: Click Refresh to display the certification path.
  • Page 291 This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
  • Page 292: Trusted CA Import

    File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 293: Trusted Remote Hosts

    C (Country). It is recommended that each certificate have unique subject information. Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
  • Page 294: Trusted Remote Host Certificate Details

    Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
  • Page 295: Figure 193 Security > Certificates > Trusted Remote Hosts > Details

    CA-signed. The ZyWALL is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
  • Page 296 You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
  • Page 297: Trusted Remote Hosts Import

    File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 298: Directory Servers

    This field displays the IP address or domain name of the directory server. Port: This field displays the port number that the directory server uses. Protocol: This field displays the protocol that the directory server uses.
  • Page 299: Directory Server Add Or Edit

    Access Protocol field. You may change the server port number if needed, however you must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
  • Page 300 Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to quit configuring this screen and return to the Directory Servers screen. At the time of writing, LDAP is the only choice of directory server access protocol.
  • Page 301: Authentication Server

    RADIUS is a simple packet exchange in which the ZyWALL acts as a message relay between the client and the network RADIUS server. 16.1.3 Types of RADIUS Messages The following types of RADIUS messages are exchanged between the ZyWALL and the RADIUS server for user authentication: • Access-Request...
  • Page 302: Local User Database

    ZyWALL. The ZyWALL can use this list of user profiles to authenticate users. Use this screen to change your ZyWALL’s list of user profiles.
  • Page 303: Figure 197 Security > Auth Server > Local User Database

    Enter the user name of the user profile. Password: Enter a password up to 31 characters long for this user profile. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 304: RADIUS

    Enter the IP address of the external accounting server in dotted decimal notation. Port Number: The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
  • Page 305 The key is not sent over the network. This key must be the same on the external accounting server and ZyWALL. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 306 Chapter 16 Authentication Server
  • Page 307: Advanced

    Advanced Network Address Translation (NAT) (309) Static Route (325) Bandwidth Management (329) DNS (343) Remote Management (355) UPnP (377) ALG Screen (387)
  • Page 309: Network Address Translation (NAT)

    This refers to the host on the WAN. Local: This refers to the packet address (source or destination) as the packet travels on the LAN. Global: This refers to the packet address (source or destination) as the packet travels on the WAN.
  • Page 310: What NAT Does

    Internet. The ZyWALL keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this. Figure 199 How NAT Works
  • Page 311: NAT Application

    ZyWALL will perform NAT on them and send them to the server at IP address 1, port A. Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A.
  • Page 312: NAT Mapping Types

    • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA option). • Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
  • Page 313: Using NAT

    NAT mapping if you’re using SUA NAT mapping. If this is not your intention, then select Full Feature NAT and don’t configure NAT mapping rules to those computers with public IP addresses on the DMZ. 17.3 NAT Overview Screen Click ADVANCED > NAT to open the NAT Overview screen.
  • Page 314: Figure 202 Advanced > NAT > NAT Overview

    ZyWALL. The second number shows the maximum number of trigger port rules that can be configured on the ZyWALL. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 315: NAT Address Mapping

    9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6. Figure 203 ADVANCED > NAT > Address Mapping
  • Page 316: NAT Address Mapping Edit

    One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature, which was the only NAT mode that previous ZyXEL routers supported.
  • Page 317: Port Forwarding

    A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
  • Page 318: Default Server IP Address

    80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.
  • Page 319: Port Translation

    80, but sends it to server B (IP address 192.168.1.34). In this example, anyone wanting to access server A from the Internet must use port 8080. Anyone wanting to access server B from the Internet must use port 8100. Figure 206 Port Translation Example
  • Page 320: Port Forwarding Screen

    The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard. Figure 207 ADVANCED > NAT > Port Forwarding
  • Page 321: Port Triggering

    LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application. For example: ...
  • Page 322: Figure 208 Trigger Port Forwarding Process: Example

    TCP/IP (Transmission Control Protocol/Internet Protocol). Click ADVANCED > NAT > Port Triggering to open the following screen. Use this screen to change your ZyWALL’s trigger port settings. Figure 209 ADVANCED > NAT > Port Triggering
  • Page 323: Table 97 Advanced > NAT > Port Triggering

    Type a port number or the ending port number in a range of port numbers. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 324 Chapter 17 Network Address Translation (NAT)
  • Page 325: Static Route

    The first static route entry is for the default WAN route. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.
  • Page 326: Ip Static Route Edit

    18.2.1 IP Static Route Edit Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.
  • Page 327: Figure 212 Advanced > Static Route > Ip Static Route > Edit

    Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts. Apply Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • Page 328 Chapter 18 Static Route
  • Page 329: Bandwidth Management

    View your configured bandwidth classes and sub-classes in the Class Setup screen (see Section 19.12 on page 336 for details). The total of the configured bandwidth budgets for sub-classes cannot exceed the configured bandwidth budget speed of the parent class.
  • Page 330: Proportional Bandwidth Allocation

    Table 100 Application and Subnet-based Bandwidth Management Example
    TRAFFIC TYPE | FROM SUBNET A | FROM SUBNET B
    VoIP | 64 Kbps | 64 Kbps
     | 64 Kbps | 64 Kbps
     | 64 Kbps | 64 Kbps
    E-mail | 64 Kbps | 64 Kbps
    Video | 64 Kbps | 64 Kbps
  • Page 331: Scheduler

    1 Leave some of the interface’s bandwidth unbudgeted.
    2 Do not enable the interface’s Maximize Bandwidth Usage option.
    3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 19.8 on page 333).
  • Page 332: Maximize Bandwidth Usage Example

    • Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes.
  • Page 333: Bandwidth Borrowing

    The ZyWALL uses the scheduler to divide a parent class’s unused bandwidth among the sub-classes. 19.8.1 Bandwidth Borrowing Example Here is an example of bandwidth management with classes configured for bandwidth borrowing. The classes are set up based on departments and individuals within certain departments.
  • Page 334: Maximize Bandwidth Usage With Bandwidth Borrowing

    Actual outgoing bandwidth available on the interface: 1000 kbps
    Root Class: 1500 kbps (same as Speed setting)
    VoIP traffic (Service = SIP): 500 Kbps
    NetMeeting traffic (Service = H.323): 500 kbps
    FTP (Service = FTP): 500 Kbps
  • Page 335: Configuring Summary

    You can also set this number lower than the interface’s actual transmission speed. If you do not enable Maximize Bandwidth Usage, this will cause the ZyWALL to not use some of the interface’s available bandwidth.
  • Page 336: Configuring Class Setup

    To add or delete child classes on an interface, click ADVANCED > BW MGMT > Class Setup. The screen is shown here with example classes. Figure 215 ADVANCED > BW MGMT > Class Setup
  • Page 337: Bandwidth Manager Class Configuration

    Summary screen to enable bandwidth management on an interface before you can configure classes for that interface. Click ADVANCED > BW MGMT > Class Setup > Add Sub-Class or Edit to open the following screen. Use this screen to add a child class.
  • Page 338: Figure 216 Advanced > Bw Mgmt > Class Setup > Add Sub-Class

    You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
  • Page 339 Source Port Enter the starting and ending destination port numbers. Enter the same port number in both fields to specify a single port number. See the following table for some common services and port numbers.
  • Page 340: Bandwidth Management Statistics

    Click ADVANCED > BW MGMT > Class Setup > Statistics to open the Bandwidth Management Statistics screen. This screen displays the selected bandwidth class’s bandwidth usage and allotments. Figure 217 ADVANCED > BW MGMT > Class Setup > Statistics
  • Page 341: Bandwidth Manager Monitor

    19.13 Monitor Bandwidth Manager Click ADVANCED > BW MGMT > Monitor to open the following screen. Use this screen to view the device’s bandwidth usage and allotments. Figure 218 ADVANCED > BW MGMT > Monitor
  • Page 342: Table 111 Advanced > Bw Mgmt > Monitor

    A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
  • Page 343: Dns

    2 Use the DNS DHCP screen to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN, DMZ or WLAN. 3 Use the REMOTE MGMT DNS screen to configure the ZyWALL (in router mode) to accept or discard DNS queries.
  • Page 344: Address Record

    An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
  • Page 345: System Screen

    VPN host must use IP addresses to access the computers on the remote private network. 20.6 System Screen Click ADVANCED > DNS to display the following screen. Use this screen to configure your ZyWALL’s DNS address and name server records. Figure 220 ADVANCED > DNS > System DNS
  • Page 346: Adding An Address Record

    (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
  • Page 347: Inserting A Name Server Record

    For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain. IP Address If this entry is for the WAN port on the ZyWALL, select WAN Interface.
  • Page 348: Figure 222 Advanced > Dns > Insert (Name Server Record)

    For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Leave this field blank if all domain zones are served by the specified DNS server(s).
  • Page 349: Dns Cache

    Select the check box to record the positive DNS resolutions in the cache. Resolutions Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.
  • Page 350: Configuring Dns Dhcp

    Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients. Figure 224 ADVANCED > DNS > DHCP
  • Page 351: Dynamic Dns

    The Dynamic DNS service provider will give you a password or key. You must go to the Dynamic DNS service provider’s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL.
  • Page 352: Dyndns Wildcard

    Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. Password Enter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. My Domain Names
  • Page 353 IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 354 Chapter 20 DNS
  • Page 355: Remote Management

    The priorities for the different types of remote management sessions are as follows. 1 Console port 2 SSH
  • Page 356: Remote Management Limitations

    WWW screen). Authenticate Client Certificates is optional and if selected means the SSL client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL. Please refer to the following figure.
  • Page 357: Www Configuration

    ZyWALL blocks all HTTP connection attempts. 21.3 WWW Configuration Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to configure the ZyWALL’s HTTP and HTTPS management settings. Figure 228 ADVANCED > REMOTE MGMT > WWW
  • Page 358: Https Example

    If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access.
  • Page 359: Internet Explorer Warning Messages

    Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client.
  • Page 360: Avoiding The Browser Warning Messages

    HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients. • Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.
  • Page 361: Login Screen

    Figure 232 Example: Lock Denoting a Secure Connection Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
  • Page 362: Figure 233 Replace Certificate

    Certificates screen. You will see information similar to that shown in the following figure. Figure 234 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 235 Common ZyWALL Certificate
  • Page 363: Ssh

    ZyWALL for a management session. Figure 236 SSH Communication Over the WAN Example 21.6 How SSH Works The following table summarizes how a secure connection is established between two remote hosts. Figure 237 How SSH Works 1 Host Identification
  • Page 364: Ssh Implementation On The Zywall

    ZyWALL over SSH. 21.8 Configuring SSH Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
  • Page 365: Secure Telnet Using Ssh Examples

    ZyWALL. 2 Configure the SSH client to accept connection using SSH version 1. 3 A window displays prompting you to store the host key in your computer. Click Yes to continue.
  • Page 366: Example 2: Linux

    ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type “yes” and press [ENTER]. Then enter the password to log in to the ZyWALL.
  • Page 367: Secure Ftp Using Ssh Example

    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
    Administrator@192.168.1.1's password:
    sftp> put firmware.bin ras
    Uploading firmware.bin to /ras
    Read from remote host 192.168.1.1: Connection reset by peer
    Connection closed
  • Page 368: Telnet

    Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.
  • Page 369: Ftp

    Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply Click Apply to save your customized settings. Reset Click Reset to begin configuring this screen afresh.
  • Page 370: Snmp

    Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.
  • Page 371: Supported Mibs

    A trap is sent with the message of the fatal code if the system reboots because of fatal errors. 21.14.3 REMOTE MANAGEMENT: SNMP To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown.
  • Page 372: Figure 246 Advanced > Remote Mgmt > Snmp

    Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. Apply Click Apply to save your customized settings. Reset Click Reset to begin configuring this screen afresh.
  • Page 373: Dns

    Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not configure the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
  • Page 374: Configuring Cnm

    Vantage CNM server. Refresh Click Refresh to update the registration status and last registration time. Vantage CNM Setup Enable Select this check box to allow Vantage CNM to manage your ZyWALL.
  • Page 375 LABEL DESCRIPTION Vantage CNM Server Address: If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL, enter the public IP address of the Vantage server.
  • Page 376 Chapter 21 Remote Management
  • Page 377: Upnp

    The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
  • Page 378: Upnp And Zyxel

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 22.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).
  • Page 379: Displaying Upnp Port Mapping

    This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultaneously if the internal client field is set to 255.255.255.255 for UDP mappings.
  • Page 380: Installing Upnp In Windows Example

    Click Apply to save your changes back to the ZyWALL. Refresh Click Refresh to update the screen’s table. 22.4 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP.
  • Page 381: Installing Upnp In Windows Me

    3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. 4 Click OK to go back to the Add/ Remove Programs Properties window and click Next. 5 Restart the computer when prompted.
  • Page 382: Installing Upnp In Windows Xp

    This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
  • Page 383: Auto-Discover Your Upnp-Enabled Network Device

    Properties. 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 384: Web Configurator Easy Access

    22.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • Page 385 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
  • Page 386 Chapter 22 UPnP 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 387: Alg Screen

    ZyWALL determines from its inspection of the data payload of the application’s packets. The firewall rule is automatically deleted after the application’s traffic has gone through.
  • Page 388: Ftp

    H.323 signaling (1) and audio (2) sessions between H.323 devices A and B. Figure 251 H.323 ALG Example • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections.
  • Page 389: Sip

    • The SIP ALG allows UDP packets with a port 5060 destination to pass through. • The ZyWALL allows SIP audio connections. The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server (S). Figure 252 SIP ALG Example
  • Page 390: Sip Signaling Session Timeout

    ALGs off or on and set the SIP timeout. If the ZyWALL provides an ALG for a service, you must enable the ALG in order to perform bandwidth management on that service’s traffic. Figure 253 ADVANCED > ALG
  • Page 391: Table 128 Advanced > Alg

    ZyWALL SIP timeout (default 60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period. Enter the SIP signaling session timeout value. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 392 Chapter 23 ALG Screen
  • Page 393: Logs And Maintenance

    Logs and Maintenance Logs Screens (395) Maintenance (427)
  • Page 395: Logs Screens

    Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Figure 254 LOGS > View Log
  • Page 396: Log Description Example

    The log was generated due to a NetBIOS packet sent from IP address 172.21.4.187 port 137. Destination: The NetBIOS packet was sent to the 172.21.255.255 subnet port 137. This was a NetBIOS UDP broadcast packet meant to discover devices on the network.
  • Page 397: About The Certificate Not Trusted Log

    Follow the steps below to download the certificate from myZyXEL.com. 1 Go to http://www.myZyXEL.com and log in with your account. 2 Click Download Center and then Certificate Download. Figure 255 myZyXEL.com: Download Center 3 Click the link in the Certificate Download screen.
  • Page 398: Configuring Log Settings

    Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full (see Log Schedule). Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.
  • Page 399: Figure 257 Logs > Log Settings

    Chapter 24 Logs Screens Figure 257 LOGS > Log Settings
  • Page 400: Table 131 Logs > Log Settings

    Refer to the documentation of your syslog program for more details. Active Log and Alert Select the categories of logs that you want to record. Logs include alerts.
  • Page 401: Configuring Reports

    HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not (yet) 100% accurate. Click LOGS > Reports to display the following screen.
  • Page 402: Figure 258 Logs > Reports

    IP addresses. Refresh Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen. Flush Click Flush to discard the old report data and update the report display.
  • Page 403: Viewing Web Site Hits

    ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
  • Page 404: Viewing Protocol/Port

    In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 405: Figure 261 Logs > Reports: Protocol/Port Example

    The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic for the particular protocol or service port. The count starts over at 0 if a protocol or port passes the bytes count limit (see Table 136 on page 406).
  • Page 406: System Reports Specifications

    "Starting Connectivity Monitor"
    "Time initialized by Daytime Server": The router got the time and date from the Daytime server.
    "Time initialized by Time server": The router got the time and date from the time server.
  • Page 407 The myZyXEL.com service registration failed due to the error listed. If you are unable to register for services at myZYXEL.com, the error message displayed in this log may be useful when contacting customer support.
  • Page 408: Table 138 System Error Logs

    "Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]": A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.
  • Page 409: Table 140 Tcp Reset Logs

    "Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>": [...] (denoted by its number) and was blocked or forwarded according to the rule.
    "Triangle route packet forwarded: ICMP": The firewall allowed a triangle route session to pass through.
  • Page 410: Table 143 Cdr Logs

    "ppp:LCP Closing": The PPP connection’s Link Control Protocol stage is closing.
    "ppp:IPCP Closing": The PPP connection’s Internet Protocol Control Protocol stage is closing.
    Table 145 UPnP Logs
    LOG MESSAGE: DESCRIPTION
    "UPnP pass through Firewall": UPnP packets can pass through the firewall.
  • Page 411: Table 146 Content Filtering Logs

    ICMP (type:%d, code:%d)
    "land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]": The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
    "land ICMP (type:%d, code:%d)": The firewall detected an ICMP land attack.
  • Page 412 IP address. It may be a bounce attack. "Fragment packet size is smaller than the MTU size of output interface.": The fragment packet size is smaller than the MTU size of the output interface.
  • Page 413: Table 148 Remote Management Logs

    "Rule [%s] sends an echo request to peer": The device sent a ping packet to check the specified VPN tunnel's connectivity.
    "Rule [%s] receives an echo reply from peer": The device received a ping response when checking the specified VPN tunnel's connectivity.
  • Page 414: Table 150 Ike Logs

    Mode request from <IP>
    "Send <Main or Aggressive> Mode request to <IP>": The router started negotiation with the peer.
    "Invalid IP <Peer local> / <Peer local>": The peer’s “Local IP Address” is invalid.
  • Page 415 "Rule [%d] Phase 2 protocol mismatch": [...] the router and the peer. "Rule [%d] Phase 2 encryption algorithm mismatch": The listed rule’s IKE phase 2 encryption algorithm did not match between the router and the peer.
  • Page 416 "Remote Gateway Addr has changed, tunnel [%s] will be deleted": [...] gateway’s IP address changed. "My ZyWALL Addr has changed, tunnel [%s] will be deleted": The listed tunnel will be deleted because the ZyWALL’s IP address changed.
  • Page 417: Table 151 Pki Logs

    "cert not trusted: <subject name>": The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 152 on page 418 for the corresponding descriptions of the codes.
  • Page 418: Table 152 Certificate Path Verification Failure Reason Codes

    [...] ACL set for packets traveling from the DMZ to the WAN.
    (W to D) WAN to DMZ: ACL set for packets traveling from the WAN to the DMZ.
    (L to D) LAN to DMZ: ACL set for packets traveling from the LAN to the DMZ.
  • Page 419: Table 154 Icmp Notes

    Redirect: Redirect datagrams for the Network; Redirect datagrams for the Host; Redirect datagrams for the Type of Service and Network; Redirect datagrams for the Type of Service and Host.
    Echo: Echo message.
    Time Exceeded
  • Page 420: Table 155 Idp Logs

    "Check signature version - %s.": The device attempted to check for the latest available signature version. %s gives details. Either the check was unsuccessful due to the server being busy or the device is already using the latest available firmware.
  • Page 421: Table 156 Av Logs

    "[...] version - %s.": [...] %s gives details. Either the check was unsuccessful due to the server being busy or the device is already using the latest available firmware.
    "Update the signature file successfully.": The device updated the signature file successfully.
  • Page 422: Table 157 As Logs

    "Mail From:Email address Subject:Mail Subject!": [...] external database query failed.
    "Remove rating server [%Rating Server IP Address%] from server list!": The listed server IP address has been removed from the list of anti-spam external database servers.
  • Page 423 "Mail From:Email address Subject:Mail Subject!": This is the source and subject of an e-mail for which there was no HTTP session and no internal timer mechanism available for queuing the external database.
  • Page 424: Syslog Logs

    The "encode" message ob="0|1" ob_mac="<mac indicates the mail attachments encoding method. The address>" msg="<msg>" definition of messages and notes are defined in the Anti- note="<note>" devID="<mac Virus log descriptions. address>" cat="Anti Virus" encode="< uu | b64 >" ZyWALL 2 Plus User’s Guide...
  • Page 425: Table 159 Rfc-2408 Isakmp Payload Types

    RFC for detailed information on each type.
    Table 159 RFC-2408 ISAKMP Payload Types
    LOG DISPLAY | PAYLOAD TYPE
     | Security Association
    PROP | Proposal
    TRANS | Transform
     | Key Exchange
     | Identification
     | Certificate
    CER_REQ | Certificate Request
    HASH | Hash
     | Signature
    NONCE | Nonce
    NOTFY | Notification
     | Delete
     | Vendor ID
  • Page 426 Chapter 24 Logs Screens
  • Page 427: Maintenance

    Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyWALL System Name. 25.2.1 General Setup Click MAINTENANCE to open the General screen. Use this screen to configure administrative and system-related information.
  • Page 428: Configuring Password

    Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 25.3 Configuring Password Click MAINTENANCE > Password to open the following screen. Use this screen to change the ZyWALL’s management password.
  • Page 429: Time And Date

    ZyWALL. To change your ZyWALL’s time and date, click MAINTENANCE > Time and Date. The screen appears as shown. Use this screen to configure the ZyWALL’s time based on your local time zone.
  • Page 430: Figure 264 Maintenance > Time And Date

    When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the time server you specified below.
  • Page 431 In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 432: Pre-Defined Ntp Time Server Pools

    When the System Time and Date Synchronization in Process screen appears, wait up to one minute. Figure 265 Synchronization in Process Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.
  • Page 433: Introduction To Transparent Bridging

    The bridge gradually builds a host MAC-address-to-port mapping table such as in the following example, during the learning process.
    Table 163 MAC-address-to-port Mapping Table
    HOST MAC ADDRESS | PORT
    00a0c5123456 |
    00a0c5123478 (host A) | 1
    00a0c512349a |
    00a0c51234bc |
    00a0c51234de |
  • Page 434: Transparent Firewalls

    ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
  • Page 435: Figure 268 Maintenance > Device Mode (Router Mode)

    Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the IP Address field to access the ZyWALL again. Reset Click Reset to begin configuring this screen afresh.
  • Page 436: Configuring Device Mode (Bridge)

    Current Device Mode Device Mode This displays whether the ZyWALL is functioning as a router or a bridge. Device Mode Setup Router Select this radio button and click Apply to set the ZyWALL to router mode.
  • Page 437: F/W Upload Screen

    Click Reset to begin configuring this screen afresh. 25.10 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
  • Page 438: Figure 270 Maintenance > Firmware Upload

    After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 271 Firmware Upload In Process. The ZyWALL automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 439: Backup And Restore

    25.11 Backup and Restore See Section 40.5 on page 557 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
  • Page 440: Backup Configuration

    Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them. Upload: Click Upload to begin the upload process. Do not turn off the ZyWALL while configuration file upload is in progress.
  • Page 441: Back To Factory Defaults

    Figure 277 Configuration Upload Error 25.11.3 Back to Factory Defaults Click the Reset button to clear all user-entered configuration information and return the ZyWALL to its factory defaults as shown on the screen. The following warning screen appears.
  • Page 442: Restart Screen

    Click MAINTENANCE > Restart. Click Restart to have the ZyWALL reboot. Restart is different from reset: reset (see Section 25.11.3 on page 441) returns the device to its default configuration. Figure 279 MAINTENANCE > Restart
  • Page 443: Smt And Troubleshooting

    SMT and Troubleshooting Introducing the SMT (445) SMT Menu 1 - General Setup (453) WAN and Dial Backup Setup (459) LAN Setup (469) Internet Access (475) DMZ Setup (479) Remote Node Setup (487) IP Static Route Setup (497) Network Address Translation (NAT) (499) Introducing the ZyWALL Firewall (517) Filter Configuration (519) SNMP Configuration (535)
  • Page 445: Introducing The Smt

    • No parity, 8 data bits, 1 stop bit, flow control set to none. 26.2.1 Initial Screen When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next.
  • Page 446: Entering The Password

    Chapter 26 Introducing the SMT Figure 280 Initial Screen Copyright (c) 1994 - 2007 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:A0:C5:01:23:45 initialize ch =1, ethernet address: 00:A0:C5:01:23:46 initialize ch =2, ethernet address: 00:A0:C5:01:23:47 initialize ch =3, ethernet address: 00:A0:C5:01:23:48 initialize ch =4, ethernet address: 00:00:00:00:00:00 AUX port init .
  • Page 447: Main Menu

    26.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Figure 282 Main Menu (Router Mode) Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 2 Plus Main Menu Getting Started Advanced Management 1.
  • Page 448: Figure 283 Main Menu (Bridge Mode)

    Figure 283 Main Menu (Bridge Mode) Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 2 Plus Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 22. SNMP Configuration 23. System Password 24.
  • Page 449: Smt Menus Overview

    15.2.x.x - NAT Server Configuration 15.3 Trigger Port Setup 21 Filter and Firewall 21.1 Filter Setup 21.1.x Filter Rules Summary 21.1.x.x Generic Filter Setup Rule 21.1.x.x TCP/IP Filter Rule 21.2 Firewall Setup 22 SNMP Configuration 23 System Password
  • Page 450: Changing The System Password

    Enter here to CONFIRM or ESC to CANCEL: 2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER]. 4 Re-type your new system password for confirmation and press [ENTER].
  • Page 451: Resetting The Zywall

    Note that as you type a password, the screen displays an “x” for each character you type. 26.5 Resetting the ZyWALL See Section 2.3 on page 51 for directions on resetting the ZyWALL.
  • Page 452
  • Page 453: SMT Menu 1 - General Setup

    The domain name you enter is given priority over the ISP-assigned domain name. If you want to clear this field, just press [SPACE BAR] and then [ENTER].
  • Page 454: Configuring Dynamic DNS

    MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
  • Page 455: Figure 287 Menu 1.1: Configure Dynamic DNS

    3 Press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS. 4 Press [SPACE BAR] and then [ENTER] to select Yes in the Edit Host field. Press [ENTER] to display Menu 1.1.1 - DDNS Host Summary.
  • Page 456: Figure 288 Menu 1.1.1: DDNS Host Summary

    5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 - DDNS Edit Host (see the next figure).
  • Page 457: Figure 289 Menu 1.1.1: DDNS Edit Host

    Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyWALL uses or is behind a static public IP address.
  • Page 458 When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.
  • Page 459: WAN And Dial Backup Setup

    Menu 2 - WAN Setup MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel:
  • Page 460: Dial Backup

    3 Menu 11.2 - Remote Node Profile (Backup ISP) as shown next. Refer also to the section about traffic redirect for information on an alternate backup WAN connection. 28.4 Configuring Dial Backup in Menu 2 From the main menu, enter 2 to open menu 2.
  • Page 461: Advanced WAN Setup

    When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. 28.5 Advanced WAN Setup Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
  • Page 462: Figure 292 Menu 2.1: Advanced WAN Setup

    This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication. Called Id: Enter the keyword preceding the dialed number. Speed: Enter the keyword preceding the connection speed.
  • Page 463: Remote Node Profile (Backup ISP)

    Pri Phone #= 0 Schedules= Sec Phone #= Always On= No Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel:
  • Page 464: Table 180 Menu 11.3: Remote Node Profile (Backup ISP)

    PPP connection. This option only applies when the ZyWALL initiates the call. Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
  • Page 465: Editing TCP/IP Options

    RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 466: Editing Login Script

    “PPP...” but without a “Send” string. Otherwise, the ZyWALL will start PPP prematurely right after sending your password to the server.
  • Page 467: Remote Node Filter

    You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. Please refer to Chapter 37 on page 519 for more information on defining the filters.
  • Page 468: Figure 296 Menu 11.2.4: Remote Node Filter

    Menu 11.2.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:
  • Page 469: LAN Setup

    This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
  • Page 470: TCP/IP And DHCP Ethernet Setup Menu

    From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2 - TCP/IP and DHCP Ethernet Setup as shown next. Not all fields are available on all models.
  • Page 471: Figure 300 Menu 3.2: TCP/IP And DHCP Ethernet Setup

    Client IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool. Size of Client IP Pool: This field specifies the size, or count, of the IP address pool.
  • Page 472: Table 184 Menu 3.2: LAN TCP/IP Setup Fields

    [SPACE BAR] to select Yes and then press [ENTER] to display menu 3.2.1. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
  • Page 473: IP Alias Setup

    Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
  • Page 474 Chapter 29 LAN Setup
  • Page 475: Internet Access

    Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel:
  • Page 476: Table 186 Menu 4: Internet Access Setup (Ethernet)

    Network Address Translation feature. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
  • Page 477: Configuring The PPTP Client

    This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPTP server. 30.4 Configuring the PPPoE Client If you enable PPPoE in menu 4, you will see the next screen.
  • Page 478: Basic Setup Complete

    You may deactivate the firewall in menu 21.2 or via the ZyWALL embedded web configurator. You may also define additional firewall rules or modify existing ones, but please exercise extreme caution in doing so. See the chapters on firewall for more information on the firewall.
  • Page 479: DMZ Setup

    Figure 306 Menu 5.1: DMZ Port Filter Setup Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel:
  • Page 480: TCP/IP Setup

    The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 29.4 on page 470 for information on how to configure these fields.
  • Page 481: IP Alias Setup

    RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A Enter here to CONFIRM or ESC to CANCEL: Refer to Table 185 on page 473 for instructions on configuring IP alias parameters.
  • Page 482 Chapter 31 DMZ Setup
  • Page 483: Wireless Setup

    2. TCP/IP and DHCP Setup Enter Menu Selection Number: From menu 7, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 7.2 - TCP/IP and DHCP Ethernet Setup as shown next.
  • Page 484: IP Alias Setup

    You must use menu 7.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Pressing [ENTER] opens Menu 7.2.1 - IP Alias Setup, as shown next.
  • Page 485: Figure 312 Menu 7.2.1: IP Alias Setup

    IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Enter here to CONFIRM or ESC to CANCEL: Refer to Table 185 on page 473 for instructions on configuring IP alias parameters.
  • Page 486 Chapter 32 Wireless Setup
  • Page 487: Remote Node Setup

    Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. -Dial (BACKUP_ISP, SUA) Enter Node # to Edit: 33.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu.
  • Page 488: Ethernet Encapsulation

    Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. Retype to Confirm: Type your password again to make sure that you have entered it correctly.
  • Page 489: PPPoE Encapsulation

    The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen.
  • Page 490: Figure 315 Menu 11.1: Remote Node Profile For PPPoE Encapsulation

    Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. The following table describes the fields not already described in Table 189 on page 488.
  • Page 491: PPTP Encapsulation

    ZyWALL automatically disconnects the PPPoE connection. This option only applies when the ZyWALL initiates the call. 33.3.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen.
  • Page 492: Edit IP

    Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.1.2 - Remote Node Network Layer Options. Not all fields are available on all models.
  • Page 493: Figure 317 Menu 11.1.2: Remote Node Network Layer Options For Ethernet Encapsulation

    One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many-One-to-One and Server. When you select Full Feature you must configure at least one address mapping set. See Chapter 17 on page 309 for a full discussion of this feature.
  • Page 494: Remote Node Filter

    Figure 318 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:
  • Page 495: Traffic Redirect

    This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 8.2 on page 141). The smaller the number, the higher the route's priority.
  • Page 496 Fail Tolerance field. When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to save your configuration, or press [ESC] at any time to cancel.
  • Page 497: IP Static Route Setup

    4. ________ 5. ________ 6. ________ 7. ________ 8. ________ 9. ________ 10. ________ 11. ________ 12. ________ Enter selection number: Now, enter the index number of the static route that you want to configure.
  • Page 498: Figure 322 Menu 12.1: Edit IP Static Route

    If No, the route to this remote node will be propagated to other hosts through RIP broadcasts. Once you have completed filling in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel.
  • Page 499: Network Address Translation (NAT)

    You apply NAT via menus 4 or 11.1.2 as displayed next. The next figure shows you how to apply NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup.
  • Page 500: Figure 323 Menu 4: Applying NAT For Internet Access

    IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= 1 Private= N/A RIP Direction= None Version= N/A Multicast= None Enter here to CONFIRM or ESC to CANCEL:
  • Page 501: NAT Setup

    Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 35.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets.
  • Page 502: Figure 326 Menu 15.1: Address Mapping Sets

    Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server Press ENTER to Confirm or ESC to Cancel: The following table explains the fields in this menu. Menu 15.1.255 is read-only.
  • Page 503: Table 196 SUA Address Mapping Rules

    Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. The entire set will be deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen.
  • Page 504: Figure 328 Menu 15.1.1: First Set

    None disables the Select Rule item. Select Rule: When you choose Edit, Insert Before or Delete in the previous field, the cursor jumps to this field to allow you to select the rule to which the action in question applies.
  • Page 505: Figure 329 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Enter the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global IP Start. Note that Global IP Start can be set to 0.0.0.0 only if the types are Many-to-One or Server.
  • Page 506: Configuring A Server Behind NAT

    3 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.x - NAT Server Configuration (see the next figure).
  • Page 507: Table 199 15.2.1: NAT Server Configuration

    FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. 6 Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel.
  • Page 508: General NAT Examples

    The following are some examples of NAT configuration. 35.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 509: Figure 334 NAT Example 1

    Translation field. This is the Many-to-One mapping discussed in Section 35.4 on page 508. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.1.2 is specifically pre-configured to handle this case.
  • Page 510: Example 2: Internet Access With A Default Server

    IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional as follows. 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
  • Page 511: Figure 338 NAT Example 3

    IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 2 Private= RIP Direction= None Version= N/A Multicast= None Enter here to CONFIRM or ESC to CANCEL:
  • Page 512: Figure 340 Example 3: Menu 15.1.1.1

    Now configure the IGA3 to map to our web server and mail server on the LAN. 1 Enter 15 from the main menu. 2 Enter 2 to go to menu 15.2 and configure it as shown in Figure 342 on page 513.
  • Page 513: Example 4: NAT Unfriendly Application Programs

    Figure 343 NAT Example 4 Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-One-to-One mapping types.
  • Page 514: Figure 344 Example 4: Menu 15.1.1.1: Address Mapping Rule

    Set Name= Example4 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 192.168.1.10 192.168.1.12 10.132.50.1 10.132.50.3 M-1-1 Action= Edit Select Rule= Press ENTER to Confirm or ESC to Cancel:
  • Page 515: Trigger Port Forwarding

    LAN can’t trigger it. Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports and configure trigger port rules for the WAN port.
  • Page 516: Figure 346 Menu 15.3.1: Trigger Port Setup

    Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
  • Page 517: Introducing The ZyWALL Firewall

    Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the web configurator to configure firewall rules.
  • Page 518: Figure 348 Menu 21.2: Firewall Setup

    Active: Yes You can use the Web Configurator to configure the firewall. Press ENTER to Confirm or ESC to Cancel: Configure the firewall rules using the web configurator or CLI commands.
  • Page 519: Filter Configuration

    Figure 349 Outgoing Packet Filtering Process For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
  • Page 520: The Filter Structure Of The ZyWALL

    A summary of their filter rules is shown in the figures that follow. The following figure illustrates the logic flow when executing a filter rule. See also Figure 355 on page 526 for the logic flow when executing an IP filter.
  • Page 521: Figure 350 Filter Rule Process

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 522: Configuring A Filter Set

    3 Select the filter set you wish to configure (1-12) and press [ENTER]. 4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. 5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
  • Page 523: Figure 353 Menu 21.1.1: Filter Rules Summary

    “N” means to check the next rule. The protocol-dependent filter rule abbreviations are listed as follows: Table 202 Rule Abbreviations Used (ABBREVIATION, DESCRIPTION): Protocol; Source Address; Source Port number; Destination Address; Destination Port number
  • Page 524: Configuring A Filter Rule

    Source: IP Addr= IP Mask= Port #= Port # Comp= None TCP Estab= N/A More= No Log= None Action Matched= Check Next Rule Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel:
  • Page 525: Table 203 Menu 21.1.1.1: TCP/IP Filter Rule

    When you have Menu 21.1.1.1 - TCP/IP Filter Rule configured, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.
  • Page 526: Figure 355 Executing An IP Filter

    Chapter 37 Filter Configuration The following figure illustrates the logic flow of an IP filter. Figure 355 Executing an IP Filter
  • Page 527: Configuring A Generic Filter Rule

    If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No.
  • Page 528: Example Filter

    5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. 6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
  • Page 529: Figure 358 Example Filter: Menu 21.1.3.1

    M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched, no matter whether there are more rules to be checked (there aren’t in this example).
  • Page 530: Filter Types And NAT

    • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. • Packet filtering only checks the header portion of an IP packet.
  • Page 531: Firewall

    37.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
  • Page 532: Applying LAN Filters

    FTP and HTTP connections. Figure 362 Filtering DMZ Traffic Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel:
  • Page 533: Applying Remote Node Filters

    Figure 363 Filtering Remote Node Traffic Menu 11.1.4 - Remote Node Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel:
  • Page 534
  • Page 535: SNMP Configuration

    A blank (default) field means your ZyWALL will respond to all SNMP messages it receives, regardless of source. Trap Community: Type the Trap community, which is the password sent with each trap to the SNMP manager.
  • Page 536: SNMP Traps

    (for example, download new files, CI command "sys reboot", etc.). For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors.
  • Page 537: System Information & Diagnosis

    To get to the System Status: 1 Enter number 24 to go to Menu 24 - System Maintenance. 2 In this menu, enter 1 to open System Maintenance - Status.
  • Page 538: Figure 366 Menu 24.1: System Maintenance: Status

    This is the MAC address of the port listed on the left. IP Address: This is the IP address of the port listed on the left. IP Mask: This is the IP mask of the port listed on the left.
  • Page 539: System Information And Console Port Speed

    Menu 24.2.1 - System Maintenance - Information Name: zy2.zyxel.com Routing: IP ZyNOS F/W Version: V4.01(XU.0)b1 | 08/08/2006 Country Code: 255 Ethernet Address: 00:13:49:00:00:01 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit:
  • Page 540: Console Port Speed

    Name= xxx.baboo.mickey.com Routing: Refers to the routing protocol used. ZyNOS F/W Version: Refers to the version of ZyXEL's Network Operating System software. Country Code: Refers to the country code of the firmware. Ethernet Address: Refers to the Ethernet MAC (Media Access Control) address of your ZyWALL.
  • Page 541: Syslog Logging

    Figure 372 Menu 24.3.2: System Maintenance: Syslog Logging Menu 24.3.2 - System Maintenance - Syslog Logging Syslog: Active= No Syslog Server IP Address= 0.0.0.0 Log Facility= Local 1 Press ENTER to Confirm or ESC to Cancel:
  • Page 542: Table 209 System Maintenance Menu Syslog Parameters

    L02 Call Terminated C02 Call Terminated Jul 19 11:19:27 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002 Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002 Jul 19 11:20:06 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated...
  • Page 543 String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG) Data: We will send forty-eight Hex characters to the server Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c02000100616263646566676869 6a6b6c6d6e6f7071727374 Jul 19 11:28:56 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1,...
  • Page 544: Call-Triggering Packet

    Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP/ PAP / IPCP / IPXCP Jul 19 11:42:44 192.168.102.2 ZyXEL: ppp:LCP Closing Jul 19 11:42:49 192.168.102.2 ZyXEL: ppp:IPCP Closing Jul 19 11:42:54 192.168.102.2 ZyXEL: ppp:CCP Closing...
  • Page 545: Diagnostic

    Follow the procedure below to get to Menu 24.4 - System Maintenance - Diagnostic. 1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
  • Page 546: WAN DHCP

    WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings. WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings. ZyWALL 2 Plus User’s Guide...
  • Page 547 If you entered 1in the Enter Menu Selection Number field, then enter the IP address of the computer you want to ping in this field. Enter the number of the selection you would like to perform or press [ESC] to cancel. ZyWALL 2 Plus User’s Guide...
  • Page 548 Chapter 39 System Information & Diagnosis ZyWALL 2 Plus User’s Guide...
  • Page 549: Firmware And Configuration File Maintenance

    The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing.
  • Page 550: Backup Configuration

    Please note that the terms “download” and “upload” are relative to the computer. Download means to transfer from the ZyWALL to the computer, while upload means from your computer to the ZyWALL. 40.3.1 Backup Configuration Follow the instructions as shown in the next screen.
  • Page 551: Using The Ftp Command From The Command Line

    6 Use “get” to transfer files from the ZyWALL to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions. 7 Enter “quit” to exit the ftp prompt.
  • Page 552: Example Of Ftp Commands From The Command Line

    4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running.
  • Page 553: Backup Configuration Using Tftp

    Use “Send” to upload the file to the ZyWALL and “Fetch” to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer.
  • Page 554: Backup Via Console Port

    Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. 4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.
  • Page 555: Restore Configuration

    For details on FTP commands, please consult the documentation of your FTP client program. For details on restoring using TFTP (note that you must remain on this menu to restore using TFTP), please see your router manual. Press ENTER to Exit:
  • Page 556: Restore Using Ftp Session Example

    2 The following screen indicates that the Xmodem download has started. Figure 385 System Maintenance: Starting Xmodem Download Screen Starting XMODEM download (CRC mode) ...CCCCCCCCC 3 Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen.
  • Page 557: Uploading Firmware And Configuration Files

    FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the ZyWALL, you will see the following screens for uploading firmware and the configuration file using FTP.
  • Page 558: Configuration File Upload

    FTP client program. For details on uploading the configuration file using TFTP (note that you must remain on this menu to upload the configuration file using TFTP), please see your manual. Press ENTER to Exit: To upload the firmware and the configuration file, follow these examples
  • Page 559: Ftp File Upload Command From The Dos Prompt Example

    1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
  • Page 560: Tftp Upload Command Example

    40.5.8 Uploading Firmware File Via Console Port 1 Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
  • Page 561: Example Xmodem Firmware Upload Using Hyperterminal

    40.5.10 Uploading Configuration File Via Console Port 1 Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen.
  • Page 562: Example Xmodem Configuration Upload Using Hyperterminal

    40.5.11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Figure 394 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
  • Page 563: System Maintenance Menus 8 To 10

    Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or zyxel.com for more detailed information on CI commands. Enter 8 from Menu 24 - System Maintenance.
  • Page 564: Command Syntax

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 396 Valid Commands Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ras> ? Valid commands are:...
  • Page 565: Call Control Support

    24.9 - System Maintenance - Call Control to bring up the following menu. Figure 398 Budget Management Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.ChangeMe No Budget No Budget 2.Dial No Budget No Budget Reset Node (0 to update screen):
  • Page 566: Call History

    Enter Entry to Delete (0 to exit): The following table describes the fields in this screen. Table 216 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here. This shows whether the call was incoming or outgoing.
  • Page 567: Time And Date Setting

    Enter Menu Selection Number: Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
  • Page 568: Figure 401 Menu 24.10 System Maintenance: Time And Date Setting

    Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight time in the evenings. If you use daylight savings time, then choose Yes.
  • Page 569 GMT or UTC (GMT+1). Once you have filled in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel” to save your configuration, or press [ESC] to cancel.
  • Page 570 Chapter 41 System Maintenance Menus 8 to 10
  • Page 571: Remote Management

    You can also disable a service on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces. To disable remote management of a service, select Disable in the corresponding Access field. Enter 11 from menu 24 to bring up Menu 24.11 - Remote Management Control.
  • Page 572: Figure 402 Menu 24.11 - Remote Management Control

    Press [SPACE BAR] and then [ENTER] to select the certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 573: Remote Management Limitations

    5 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time. 6 There is a firewall rule that blocks it.
  • Page 574 Chapter 42 Remote Management
  • Page 575: Call Scheduling

    Set 2 will take precedence over sets 3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node.
  • Page 576: Figure 404 Schedule Set Setup

    Enter the start date when you wish the set to take effect in year-month-date format. Valid dates are from the present to 2036-February-5. Once: Date If you selected Once in the How Often field above, then enter the date the set should activate here in year-month-date format. Weekdays:
  • Page 577: Figure 405 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel: You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s).
  • Page 578: Figure 406 Applying Schedule Set(S) To A Remote Node (Pptp)

    Authen= CHAP/PAP PPTP: Session Options: My IP Addr= Edit Filter Sets= No My IP Mask= Idle Timeout(sec)= 100 Server IP Addr= Connection ID/Name= Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel:
  • Page 579: Troubleshooting

    Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access •...
  • Page 580: Zywall Access And Login

    Chapter 44 Troubleshooting 44.2 ZyWALL Access and Login I forgot the IP address for the ZyWALL. 1 The default IP address is 192.168.1.1. 2 Use the console port to log in to the ZyWALL. 3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer.
  • Page 581 Chapter 44 Troubleshooting 6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions • You may also need to clear your Internet browser’s cache. In Internet Explorer, click Tools and then Internet Options to open the Internet Options screen.
  • Page 582: Internet Access

    Chapter 44 Troubleshooting See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. I cannot use the console port to access the ZyWALL. 1 Check to see if the ZyWALL is connected to your computer's console port. 2 Check to see if the communications program is configured correctly.
  • Page 583 Chapter 44 Troubleshooting The username and password apply to PPPoE and PPPoA encapsulation only. Make sure that you have entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN setup chapter (web configurator or SMT). 2 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
  • Page 584: Wireless Router/Ap Troubleshooting

    Chapter 44 Troubleshooting interfering with the wireless network (for example, microwaves, other wireless networks, and so on). 3 Reboot the ZyWALL. 4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions •...
  • Page 585 Chapter 44 Troubleshooting Restart your computer. I cannot open special applications such as white board, file transfer and video when I use the MSN messenger. 1 Wait more than three minutes. 2 Restart the applications.
  • Page 586 Chapter 44 Troubleshooting
  • Page 587: Appendices And Index

    Appendices and Index Product Specifications (589) Setting up Your Computer’s IP Address (593) Pop-up Windows, JavaScripts and Java Permissions (609) IP Addresses and Subnetting (615) Common Services (623) Importing Certificates (627) Command Interpreter (639) Firewall Commands (647) NetBIOS Filter Commands (653) Certificates Commands (655) Brute-Force Password Guessing Protection (659) Boot Commands (661)
  • Page 589: Appendix A Product Specifications

    Use the web configurator to easily configure the rich range of features on the ZyWALL. Firmware Upgrade Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL.
  • Page 590 DNS servers to computers on your network. Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can use a fixed URL, www.zyxel.com for example, with a dynamic IP address. You must register for this service with a Dynamic DNS service provider. IP Multicast IP multicast is used to send traffic to a specific group of computers.
  • Page 591: Figure 407 Console/Dial Backup Cable Db-9 End Pin Layout

    The console cable and dial backup cable each have an RJ-45 connector and a DB-9 connector. The pin layout for the DB-9 connector end of the cables is as follows. Figure 407 Console/Dial Backup Cable DB-9 End Pin Layout Pins 2, 3 and 5 are used.
  • Page 592: Table 224 Console Cable Pin Assignments

    1 IRD + 2 IRD - 2 OTD - 2 IRD - 2 IRD - 3 OTD 3 IRD + 3 OTD + 3 OTD 6 OTD - 6 IRD - 6 OTD - 6 OTD -
  • Page 593: Appendix B Setting Up Your Computer's Ip Address

    If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyWALL’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
  • Page 594: Figure 408 Windows 95/98/Me: Network: Configuration

    2 Select Client and then click Add. 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect.
  • Page 595: Figure 409 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    • If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
  • Page 596: Figure 410 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway. Windows 2000/NT/XP The following example figures use the default Windows XP GUI theme. 1 Click start (Start in Windows 2000/NT), Settings, Control Panel.
  • Page 597: Figure 411 Windows Xp: Start Menu

    Figure 411 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 412 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
  • Page 598: Figure 413 Windows Xp: Control Panel: Network Connections: Properties

    • If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced.
  • Page 599: Figure 415 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished.
  • Page 600: Figure 416 Windows Xp: Advanced Tcp/Ip Properties

    • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
  • Page 601: Figure 417 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Network Connections, right-click a network connection, click Status and then click the Support tab. Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.
  • Page 602: Figure 418 Macintosh Os 8/9: Apple Menu

    2 Select Ethernet built-in from the Connect via list. Figure 419 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following:
  • Page 603: Figure 420 Macintosh Os X: Apple Menu

    2 Click Network in the icon bar. • Select Automatic from the Location list. • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list.
  • Page 604: Figure 421 Macintosh Os X: Network

    Check your TCP/IP properties in the Network window. Linux This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.
  • Page 605: Figure 422 Red Hat 9.0: Kde: Network Configuration: Devices

    Figure 422 Red Hat 9.0: KDE: Network Configuration: Devices 2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 423 Red Hat 9.0: KDE: Ethernet Device: General
  • Page 606: Figure 424 Red Hat 9.0: Kde: Network Configuration: Dns

    Ethernet card). Open the eth0 configuration file with any plain text editor. • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.
  • Page 607: Figure 426 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    Shutting down interface eth0: [OK] Shutting down loopback interface: [OK] Setting network parameters: [OK] Bringing up loopback interface: [OK] Bringing up interface eth0: [OK] Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties.
  • Page 608: Figure 430 Red Hat 9.0: Checking Tcp/Ip Properties

    Bcast:172.23.19.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb) Interrupt:10 Base address:0x1000 [root@localhost]#
  • Page 609: Appendix C Pop-Up Windows, Javascripts And Java Permissions

    1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 431 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy.
  • Page 610: Figure 432 Internet Options

    Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings… to open the Pop-up Blocker Settings screen.
  • Page 611: Figure 433 Internet Options

    3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 434 Pop-up Blocker Settings
  • Page 612: Figure 435 Internet Options

    3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window.
  • Page 613: Figure 436 Security Settings - Java Scripting

    2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window. Figure 437 Security Settings - Java
  • Page 614: Figure 438 Java (Sun)

    1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 438 Java (Sun)
  • Page 615: Appendix D Ip Addresses And Subnetting

    Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.
  • Page 616: Figure 439 Network Number And Host Id

    Subnet masks can be referred to by the size of the network number part (the bits with a “1” value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.
  • Page 617: Table 228 Subnet Masks

    For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations. Table 230 Alternative Subnet Mask Notation SUBNET MASK ALTERNATIVE NOTATION LAST OCTET (BINARY) LAST OCTET (DECIMAL) 255.255.255.0 0000 0000 255.255.255.128 1000 0000
  • Page 618: Figure 440 Subnetting Example: Before Subnetting

    The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub-networks, A and B.
  • Page 619: Figure 441 Subnetting Example: After Subnetting

    IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address (Decimal) 192.168.1. IP Address (Binary) 11000000.10101000.00000001. 00000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.0 Lowest Host ID: 192.168.1.1 Broadcast Address: 192.168.1.63 Highest Host ID: 192.168.1.62
  • Page 620: Table 232 Subnet 2

    Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 235 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS
  • Page 621: Table 236 24-Bit Network Number Subnet Planning

    255.255.128.0 (/17) 32766 255.255.192.0 (/18) 16382 255.255.224.0 (/19) 8190 255.255.240.0 (/20) 4094 255.255.248.0 (/21) 2046 255.255.252.0 (/22) 1022 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 1024 255.255.255.224 (/27) 2048 255.255.255.240 (/28) 4096 255.255.255.248 (/29) 8192
  • Page 622 Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
  • Page 623: Appendix E Common Services

    User-Defined (IPSEC_TUNNEL) The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. FINGER Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • Page 624 This is the data channel. RCMD Remote Command Service. REAL_AUDIO 7070 A streaming audio service that enables real time sound over the web. REXEC Remote Execution Daemon. RLOGIN Remote Login.
  • Page 625 TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000 Another videoconferencing solution.
  • Page 626 Appendix E Common Services
  • Page 627: Appendix F Importing Certificates

    The following example procedure shows how to import the ZyWALL’s (self-signed) server certificate into your operating system as a trusted certification authority. 1 In Internet Explorer, double click the lock shown in the following screen.
  • Page 628: Figure 443 Login Screen

    Appendix F Importing Certificates Figure 443 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 444 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.
  • Page 629: Figure 445 Certificate Import Wizard 1

    Figure 445 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 446 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.
  • Page 630: Figure 447 Certificate Import Wizard 3

    Appendix F Importing Certificates Figure 447 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 448 Root Certificate Store
  • Page 631: Figure 449 Certificate General Information After Import

    You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA web configurator screen).
  • Page 632: Figure 450 Zywall Trusted Ca Screen

    The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 633: Figure 451 Ca Certificate Example

    You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard.
  • Page 634: Figure 452 Personal Certificate Import Wizard 1

    2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 453 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
  • Page 635: Figure 454 Personal Certificate Import Wizard 3

    4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 455 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process.
  • Page 636: Figure 456 Personal Certificate Import Wizard 5

    2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example.
  • Page 637: Figure 459 Ssl Client Authentication

    Appendix F Importing Certificates Figure 459 SSL Client Authentication 3 You next see the ZyWALL login screen. Figure 460 ZyWALL Secure Login Screen
  • Page 638 Appendix F Importing Certificates
  • Page 639: Appendix G Command Interpreter

    Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
  • Page 640: Figure 461 Displaying Log Categories Example

    • Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. • Use the sys logs clear command to erase all of the ZyWALL’s logs.
  • Page 641: Log Command Example

    IP addresses connected to the LAN, DMZ or WLAN. By default the ZyWALL routes traffic that does not match a NAT rule out through the DMZ interface. The following command example sets the ZyWALL to route traffic that does not match a NAT rule through the WLAN interface.
  • Page 642: Figure 463 Routing Command Example

    ARP requests. One day gateway A shuts down and the backup gateway (B) comes online using the same static IP address as gateway A. Gateway B broadcasts a gratuitous ARP request to ask which host is using its IP address. If ackGratuitous
  • Page 643: Figure 464 Backup Gateway

    IP address of the computer to which it is sending the packets. The following figure shows an example of this. The ZyWALL uses the IP addresses of computers A and B to manage the bandwidth of the VPN traffic for their respective IPSec
  • Page 644: Figure 465 Managing The Bandwidth Of An Ipsec Sa

    With this setting the bandwidth management applies to ESP or AH packets so you can only specify IP addresses. You cannot specify a service or port numbers. Setting the Key Length for Phase 2 IPSec AES Encryption Syntax: ipsec ipsecConfig encryKeyLen <0:128 | 1:192 | 2:256>
  • Page 645: Figure 467 Routing Command Example

    Enable Replay Detection= No Key Management= IKE Phase 2 - Active Protocol= ESP Encryption Algorithm= AES Authentication Algorithm= SHA1 Encryption Key Length = 192 SA Life Time (Seconds)= 28800 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None ras>
  • Page 646 Appendix G Command Interpreter
  • Page 647: Appendix H Firewall Commands

    This command shows all of the attack response settings. config display firewall e-mail: This command shows all of the e-mail settings. config display firewall ?: This command shows all of the available firewall sub commands.
  • Page 648 config edit firewall attack block-minute <0-255>: This command sets the number of minutes for new sessions to be blocked when the tcp-max-incomplete threshold is reached. This command is only valid when block is set to yes.
  • Page 649 config edit firewall set <set #> fin-wait-timeout <seconds>: This command sets how long the ZyWALL leaves a TCP session open after the firewall detects a FIN-exchange (indicating the end of the TCP session).
  • Page 650 config edit firewall set <set #> rule <rule #> destaddr-single <ip address>: This command sets the rule to have the ZyWALL check for traffic with this individual destination address.
  • Page 651 config delete firewall set <set #>: This command removes the specified set from the firewall configuration. config delete firewall set <set #> rule <rule #>: This command removes the specified rule in a firewall configuration set.
  • Page 653: Appendix I NetBIOS Filter Commands

    This command gives a read-only list of the current NetBIOS filter modes for the ZyWALL. NetBIOS Display Filter Settings Command Example =========== NetBIOS Filter Status =========== Between LAN and WAN: Block Between LAN and DMZ: Block Between WAN and DMZ: Block IPSec Packets: Forward Trigger Dial: Disabled
  • Page 654: Table 240 NetBIOS Filter Default Settings

    sys filter netbios config 1 off: This command forwards LAN to DMZ and DMZ to LAN NetBIOS packets. sys filter netbios config 3 on: This command blocks IPSec NetBIOS packets. sys filter netbios config 4 off: This command stops NetBIOS commands from initiating calls.
  • Page 655: Appendix J Certificates Commands

    (required). The format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, please put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2048. The default is 1024 bits.
  • Page 656 replace_factory: Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
  • Page 657 (optional). The default timeout value is 20 seconds. delete <name>: Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted. list: List all trusted remote host certificate names and basic information.
  • Page 658 <old name> <new name>: <old name> specifies the name of the directory server to be renamed. <new name> specifies the new name as which the directory server is to be saved. cert_manager reinit: Reinitialize the certificate manager.
  • Page 659: Appendix K Brute-Force Password Guessing Protection

    1 to 60) minutes after the third time an incorrect password is entered. Example sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
  • Page 661: Appendix L Boot Commands

    ATSH command shows product related information such as boot module version, vendor name, product model, RAS code revision, etc. ATGO allows you to continue booting the system. Most other commands aid in advanced troubleshooting and should only be used by qualified engineers.
  • Page 662 ATTD: download router configuration to PC via XMODEM; ATUR: upload router firmware to flash ROM; ATLC: upload router configuration file to flash ROM; ATXSx: xmodem select: x=0: CRC mode (default); x=1: checksum mode; ATSR: system reboot
  • Page 663: Appendix M Legal Information

    Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 664: ZyXEL Limited Warranty

    Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
  • Page 665 ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
  • Page 667: Appendix N Customer Support

    • Telephone: +506-2017878 • Fax: +506-2015098 • Web Site: www.zyxel.co.cr • FTP Site: ftp.zyxel.co.cr • Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 •...
  • Page 668 • E-mail: info@zyxel.fr • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web Site: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France Germany • Support E-mail: support@zyxel.de • Sales E-mail: sales@zyxel.de • Telephone: +49-2405-6909-69 •...
  • Page 669 • Sales E-mail: sales@zyxel.com • Telephone: +1-800-255-4101, +1-714-632-0882 • Fax: +1-714-632-0858 • Web Site: www.us.zyxel.com • FTP Site: ftp.us.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
  • Page 670 • Web Site: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 • Fax: +46-31-744-7701 • Web Site: www.zyxel.se • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden Ukraine •...
  • Page 671: Index

    464, 490 certificate certificates and IKE SA thumbprint algorithms thumbprints verifying fingerprints backup configuration 440, 550 TFTP Certification Authority. See CA. bandwidth class certifications notices bandwidth filter viewing bandwidth management changing the password address type
  • Page 672 239, 245 DDNS and active protocol configuration 454, 455 host entering information offline type and transport mode use server detected IP ESSID wildcard Ethernet default configuration encapsulation 68, 475, 488 default server IP address
  • Page 673 VPN 85, 89 and certificates service type and RADIUS SMT menus authentication algorithms 239, 245 stateful inspection Diffie-Hellman key group TCP maximum incomplete encryption algorithms 239, 245 three-way handshake extended authentication threshold ID content
  • Page 674 VPN tunnel mode application when IKE SA is disconnected 244, 251 configuring IPSec SA. See also VPN. default server IP address definitions IPSec. See also VPN. examples ISP parameters how NAT works in the SMT
  • Page 675 FTP using SSH ping secure telnet using SSH Point-to-Point Protocol over Ethernet. See PPPoE SNMP Point-to-Point Tunneling Protocol. See PPTP. SSH implementation pool of IP addresses 125, 128 system timeout port filter setup Telnet
  • Page 676 325, 497 stop bit BPDU Hello BPDU how it works Max Age life time port states safety warnings STUN schedule 489, 492 duration subnet scheduler subnet mask 123, 616 secure FTP using SSH
  • Page 677 VPN. See also IKE SA, IPSec SA. traffic VT100 terminal emulation redirect transparent firewall 55, 137, 434, 436 triangle routes vs virtual interfaces trigger port forwarding Trivial File Transfer Protocol. See TFTP. file maintenance
  • Page 678 WINS 126, 128 WINS server wireless channel wireless LAN wireless security wizard setup WLAN IP alias setup TCP/IP setup www.dyndns.org Xmodem file upload protocol ZyNOS 540, 550 ZyWALL registration ZyXEL’s Network Operating System. See ZyNOS.