ZyXEL Communications ZYWALL2 ET 2WE User Manual

Internet security gateway

ZyWALL 2 Series
Internet Security Gateway
User's Guide
Version 3.62
February 2004

Summary of Contents for ZyXEL Communications ZYWALL2 ET 2WE

  • Page 1 ZyWALL 2 Series Internet Security Gateway User’s Guide Version 3.62 February 2004...
  • Page 2 Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 3 Certifications 1. Go to www.zyxel.com 2. Select your product from the drop-down list box on the ZyXEL home page to go to that product's page. 3. Select the certification you wish to view from this page...
  • Page 4: Information For Canadian Users

    ZyWALL 2 Series User’s Guide Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Zyxel Limited Warranty

    Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid.
  • Page 6: Customer Support

    Brief description of the problem and the steps you took to solve it. METHOD SUPPORT E-MAIL TELEPHONE WEB SITE REGULAR MAIL SALES E-MAIL FTP SITE LOCATION WORLDWIDE support@zyxel.com.tw +886-3-578-3942 www.zyxel.com ZyXEL Communications Corp. 6 Innovation Road II www.europe.zyxel.com Science Park Hsinchu 300 sales@zyxel.com.tw +886-3-578-2439 ftp.zyxel.com Taiwan ftp.europe.zyxel.com NORTH AMERICA support@zyxel.com +1-800-255-4101 www.us.zyxel.com...
  • Page 7: Table Of Contents

    Table of Contents Copyright..............................ii Federal Communications Commission (FCC) Interference Statement..........iii Information for Canadian Users .......................iv ZyXEL Limited Warranty ..........................v Customer Support ............................vi List of Figures ............................xv List of Tables ............................xxii Preface ..............................xxvi Getting Started ..............................I Chapter 1 Getting to Know Your ZyWALL ..................
  • Page 8 Configuring IP ..........................5-3 Configuring Static DHCP ......................5-6 Configuring IP Alias ........................5-7 WAN and Wireless LAN..........................III Chapter 6 WAN Screens...........................6-1 WAN Overview ..........................6-1 TCP/IP Priority (Metric) ......................6-1 WAN IP Address Assignment ....................6-1 Configuring Route ........................6-2 Configuring WAN ISP........................6-3 Configuring WAN IP........................6-9 Configuring WAN MAC ......................6-13...
  • Page 9 10.3 Introduction to Nortel Networks Firewall ................10-2 10.4 Denial of Service........................10-3 10.5 Stateful Inspection........................ 10-7 10.6 Guidelines For Enhancing Security With Your Firewall ........... 10-11 10.7 Packet Filtering Vs Firewall....................10-11 Chapter 11 Firewall Screens ........................11-1 11.1 Access Methods ........................
  • Page 10 14.13 Configuring Advanced IKE Setup ..................14-24 14.14 Manual Key Setup.......................14-28 14.15 Configuring Edit Manual Setup ..................14-28 14.16 SA Monitor .........................14-33 14.17 Global Settings........................14-34 14.18 Telecommuter VPN/IPSec Examples .................14-35 14.19 VPN and Remote Management...................14-38 Certificates ..............................VII Chapter 15 Certificates ..........................15-1 15.1 Certificates Overview ......................15-1...
  • Page 11 17.9 Secure Telnet Using SSH Examples .................. 17-16 17.10 Secure FTP Using SSH Example ..................17-18 17.11 Telnet ..........................17-19 17.12 Configuring TELNET ......................17-20 17.13 Configuring FTP ........................ 17-21 17.14 Configuring SNMP ......................17-22 17.15 Configuring DNS .......................
  • Page 12 23.3 Configuring Dial Backup in Menu 2..................23-2 23.4 Advanced WAN Setup......................23-3 23.5 Remote Node Profile (Backup ISP) ..................23-5 23.6 Editing PPP Options ......................23-8 23.7 Editing TCP/IP Options ......................23-9 23.8 Editing Login Script......................23-11 23.9 Remote Node Filter......................23-12 Chapter 24 LAN Setup...........................24-1 24.1 Introduction to LAN Setup ....................24-1...
  • Page 13 30.5 Firewall Versus Filters ....................... 30-16 30.6 Applying a Filter ........................ 30-17 Chapter 31 SNMP Configuration ......................31-1 31.1 SNMP Configuration......................31-1 31.2 SNMP Traps......................... 31-2 SMT System Maintenance......................... XIII Chapter 32 System Information & Diagnosis..................32-1 32.1 Introduction to System Status ....................
  • Page 14 Appendix F Types of EAP Authentication ..................... F-1 Appendix G PPPoE ..........................G-1 Appendix H PPTP ...........................H-1 Appendix I IP Subnetting ........................I-1 Appendix J Safety Warnings and Instructions ..................J-1 Command, Log Appendices and Index .....................XVI Appendix K Command Interpreter .......................K-1 Appendix L Firewall Commands ......................
  • Page 15: List Of Figures

    List of Figures Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem............1-6 Figure 1-2 Secure Internet Access and VPN Application................1-7 Figure 2-1 Change Password Screen......................2-1 Figure 2-2 Replace Certificate Screen ......................2-2 Figure 2-3 Example Xmodem Upload ......................
  • Page 16 Figure 8-3 Multiple Servers Behind NAT Example..................8-6 Figure 8-4 SUA Server ...........................8-7 Figure 8-5 Address Mapping ..........................8-9 Figure 8-6 Address Mapping Rule........................8-10 Figure 8-7 Trigger Port Forwarding Example....................8-12 Figure 8-8 Trigger Port ..........................8-13 Figure 9-1 Example of Static Routing Topology ....................9-1 Figure 9-2 Static Route Screen ........................9-2 Figure 9-3 Edit IP Static Route ........................9-3 Figure 10-1 ZyWALL Firewall Application ....................10-3...
  • Page 17 Figure 14-9 Advanced IKE VPN Rule Setup ....................14-25 Figure 14-10 Manual VPN Rule Setup ...................... 14-29 Figure 14-11 VPN SA Monitor ........................14-33 Figure 14-12 VPN Global Setting......................14-34 Figure 14-13 Telecommuters Sharing One VPN Rule Example ..............14-36 Figure 14-14 Telecommuters Using Unique VPN Rules Example ............
  • Page 18 Figure 17-21 SNMP Management Model....................17-23 Figure 17-22 SNMP............................17-25 Figure 17-23 DNS............................17-27 Figure 17-24 Security ..........................17-28 Figure 18-1 Configuring UPnP........................18-3 Figure 18-2 UPnP Ports ..........................18-4 Figure 19-1 View Log...........................19-2 Figure 19-2 Log Settings ..........................19-4 Figure 19-3 Reports ............................19-7 Figure 19-4 Web Site Hits Report Example....................19-8 Figure 19-5 Protocol/Port Report Example ....................19-9 Figure 19-6 LAN IP Address Report Example ...................19-10...
  • Page 19 Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter ................ 23-13 Figure 24-1 Menu 3: LAN Setup ......................... 24-1 Figure 24-2 Menu 3.1: LAN Port Filter Setup ..................... 24-2 Figure 24-3 Menu 3: TCP/IP and DHCP Setup.................... 24-2 Figure 24-4 Menu 3.2: TCP/IP and DHCP Ethernet Setup ................
  • Page 20 Figure 28-20 Example 4: Menu 15.1.1.1: Address Mapping Rule .............28-16 Figure 28-21 Example 4: Menu 15.1.1: Address Mapping Rules...............28-16 Figure 28-22 Trigger Port Forwarding Process: Example ................28-17 Figure 28-23 Menu 15.3: Trigger Port Setup....................28-18 Figure 29-1 Menu 21: Filter and Firewall Setup...................29-1 Figure 29-2 Menu 21.2: Firewall Setup ......................29-2 Figure 30-1 Outgoing Packet Filtering Process ....................30-2 Figure 30-2 Filter Rule Process ........................30-3...
  • Page 21 Figure 33-12 Successful Restoration Confirmation Screen ............... 33-10 Figure 33-13 Telnet Into Menu 24.7.1: Upload System Firmware..............33-11 Figure 33-14 Telnet Into Menu 24.7.2: System Maintenance ..............33-12 Figure 33-15 FTP Session Example of Firmware File Upload ..............33-13 Figure 33-16 Menu 24.7.1 As Seen Using the Console Port..............
  • Page 22 List of Tables Table 1-1 Model Specific Features .........................1-1 Table 2-1 Web Configurator Screens Summary....................2-4 Table 3-1 Ethernet Encapsulation ........................3-3 Table 3-2 PPPoE Encapsulation........................3-5 Table 3-3 PPTP Encapsulation........................3-7 Table 3-4 Private IP Address Ranges ......................3-8 Table 3-5 Example of Network Properties for LAN Servers with Fixed IP Addresses.........3-10 Table 3-6 Wizard 3............................3-11 Table 4-1 System General Setup........................4-2...
  • Page 23 Table 10-2 ICMP Commands That Trigger Alerts ..................10-6 Table 10-3 Legal NetBIOS Commands ....................... 10-7 Table 10-4 Legal SMTP Commands ......................10-7 Table 11-1 Firewall Rules Summary: First Screen..................11-7 Table 11-2 Creating/Editing A Firewall Rule ....................11-10 Table 11-3 Adding/Editing Source and Destination Addresses..............11-12 Table 11-4 Creating/Editing A Custom Port....................11-13 Table 11-5 Predefined Services........................11-18...
  • Page 24 Table 16-2 RADIUS .............................16-4 Table 17-1 WWW............................17-5 Table 17-2 SSH............................17-16 Table 17-3 Telnet ............................17-20 Table 17-4 FTP ............................17-21 Table 17-5 SNMP Traps..........................17-24 Table 17-6 SNMP ............................17-26 Table 17-7 DNS ............................17-27 Table 17-8 Security.............................17-28 Table 18-1 Configuring UPnP ........................18-3 Table 18-2 UPnP Ports..........................18-4 Table 19-1 View Log ............................19-2 Table 19-2 Log Settings..........................19-5...
  • Page 25 Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........... 26-2 Table 26-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ............... 26-5 Table 26-3 Fields in Menu 11.1 (PPTP Encapsulation)................26-6 Table 26-4 Remote Node Network Layer Options Menu Fields..............26-7 Table 26-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) ............26-11 Table 26-6 Menu 11.6: Traffic Redirect Setup ...................
  • Page 26: Preface

    Certifications Refer to the product page at www.zyxel.com for information on product certifications. ZyXEL Glossary and Web Site Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation. User’s Guide Feedback Help us help you. E-mail all User’s Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications...
  • Page 27 • The version number on the title page is the latest firmware version that is documented in this User’s Guide. Earlier versions may also be included. • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose”...
  • Page 29: Getting Started

    Getting Started Part I: Getting Started This part helps you get to know your ZyWALL, introduces the web configurator and covers how to configure the Wizard Setup screens.
  • Page 31: Chapter 1 Getting To Know Your ZyWALL

    Chapter 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. Introducing the ZyWALL The ZyWALL is an ideal secure gateway for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, the ZyWALL is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 32: Reset Button

    1.2.1 Physical Features 4-Port Switch A combination of switch and router makes your ZyWALL a cost-effective and viable network solution. You can connect up to four computers to the ZyWALL without the cost of a hub. Use a hub to add more than four computers to your LAN.
  • Page 33: Content Filtering

    The ZyWALL supports two simultaneous VPN connections. X-Auth (Extended Authentication) X-Auth provides added security for VPN by requiring each VPN client to use a username and password. Certificates The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 34: PPTP Encapsulation

    Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the ZyWALL and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network. Call Scheduling Configure call time periods to restrict and allow access for users on remote nodes.
  • Page 35: Traffic Redirect

    Central Network Management Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. The enterprise or service provider network administrator can configure your ZyWALL, perform firmware upgrades and do troubleshooting for you. SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices.
  • Page 36: Applications For The ZyWALL

    Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. RoadRunner Support In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunner Service. Logging and Tracing ♦...
  • Page 37: Figure 1-2 Secure Internet Access And VPN Application

    1.3.2 Secure Broadband Internet Access and VPN You can connect a cable, DSL or wireless modem to the ZyWALL via Ethernet for broadband Internet access. The ZyWALL also provides IP address sharing and a firewall-protected local network with traffic management.
  • Page 39: Chapter 2 Introducing The Web Configurator

    Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. Web Configurator Overview The embedded web configurator (ewc) allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator.
  • Page 40: Resetting The ZyWALL

    Step 6. Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. This feature is not available on the ZyWALL 2WE. Figure 2-2 Replace Certificate Screen Step 7.
  • Page 41: Navigating The ZyWALL Web Configurator

    2.3.2 Uploading a Configuration File Via Console Port Step 3. Download the default configuration file from the Nortel Networks FTP site, unzip it and save it in a folder. Step 4. Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL again.
  • Page 42: Figure 2-4 The Main Menu Screen Of The Web Configurator

    Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view online help. The icon does not appear in the MAIN MENU screen. Click WIZARD for initial configuration including general setup, ISP Parameters for Internet Access and WAN IP/DNS/MAC Address Assignment.
  • Page 43 Table 2-1 Web Configurator Screens Summary LINK FUNCTION SYSTEM General Use this screen to configure general system settings. DDNS Use this screen to configure Dynamic Domain Name System settings. Password Use this screen to change your password. Time Setting Use this screen to change your ZyWALL’s time and date.
  • Page 44 Table 2-1 Web Configurator Screens Summary LINK FUNCTION CONTENT FILTER General This screen allows you to enable content filtering and block certain web features. Categories Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports.
  • Page 45 Table 2-1 Web Configurator Screens Summary LINK FUNCTION SNMP Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management. DNS Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL. Security Use this screen to set whether or not the ZyWALL responds to ICMP pings and/or requests for unauthorized services.
  • Page 47: Chapter 3 Wizard Setup

    Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. Wizard Setup Overview The web configurator’s setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encapsulation type you use.
  • Page 48: Internet Access

    Figure 3-1 Wizard 1 Internet Access The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. 3.3.1 Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet...
  • Page 49: Figure 3-2 Wizard 2: Ethernet Encapsulation

    Figure 3-2 Wizard 2: Ethernet Encapsulation The following table describes the labels in this screen. Table 3-1 Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 50: PPPoE Encapsulation

    Table 3-1 Ethernet Encapsulation LABEL DESCRIPTION Login Server IP Address Type the authentication server IP address here if your ISP gave you one. Login Server (Telia Login only) Type the domain name of the Telia login server, for example “login1.telia.com”. Alternatively, click the right mouse button to copy and/or paste the IP address.
  • Page 51: Figure 3-3 Wizard 2: PPPoE Encapsulation

    Figure 3-3 Wizard 2: PPPoE Encapsulation The following table describes the labels in this screen. Table 3-2 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPPoE forms a dial-up connection.
  • Page 52 Table 3-2 PPPoE Encapsulation LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. Next Click Next to continue. Back Click Back to return to the previous screen.
  • Page 53: Figure 3-4 Wizard 2: PPTP Encapsulation

    Figure 3-4 Wizard 2: PPTP Encapsulation The following table describes the labels in this screen. Table 3-3 PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. User Name Type the user name given to you by your ISP.
  • Page 54: WAN And DNS

    Table 3-3 PPTP Encapsulation LABEL DESCRIPTION My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP address of the PPTP server.
  • Page 55: IP Address And Subnet Mask

    Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 56: Table 3-5 Example Of Network Properties For LAN Servers With Fixed IP Addresses

    "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different "rom" file. ZyXEL recommends you clone the MAC address from a computer on your LAN even if your ISP does not require MAC address authentication.
  • Page 57: Figure 3-5 Wizard 3

    Figure 3-5 Wizard 3 The following table describes the labels in this screen. Table 3-6 Wizard 3 LABEL DESCRIPTION WAN IP Address Assignment Get automatically from Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
  • Page 58: Basic Setup Complete

    Table 3-6 Wizard 3 LABEL DESCRIPTION Remote IP Subnet Mask Enter the gateway IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address. This field is only available when you select PPTP encapsulation in the previous wizard screen.
  • Page 59: Figure 3-6 Internet Access Wizard Setup Complete

    Figure 3-6 Internet Access Wizard Setup Complete
  • Page 61: System And LAN

    System and LAN Part II: System and LAN This part covers configuration of the System and LAN screens.
  • Page 63: Chapter 4 System Screens

    Chapter 4 System Screens This chapter provides information on the System screens. System Overview See the Wizard Setup chapter for more information on the next few screens. Configuring General Setup Click SYSTEM to open the General screen. Figure 4-1 System General Setup The following table describes the fields in this screen.
  • Page 64: Table 4-1 System General Setup

    Table 4-1 System General Setup LABEL DESCRIPTION System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field (see the Wizard Setup chapter for how to find your computer’s name).
  • Page 65: Dynamic DNS

    Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 66: Figure 4-2 DDNS

    Figure 4-2 DDNS The following table describes the fields in this screen. Table 4-2 DDNS LABEL DESCRIPTION Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider.
  • Page 67: Configuring Password

    Table 4-2 DDNS LABEL DESCRIPTION Host Names 1~3 Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (","). User Enter your user name. Password Enter the password assigned to you.
  • Page 68: Pre-Defined NTP Time Servers List

    Figure 4-3 Password The following table describes the fields in this screen. Table 4-3 Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field. New Password Type the new password in this field.
  • Page 69: Configuring Time Setting

    Table 4-4 Default Time Servers ntp1.cs.wisc.edu ntp1.gbg.netnod.se ntp2.cs.wisc.edu tock.usno.navy.mil ntp3.cs.wisc.edu ntp.cs.strath.ac.uk ntp1.sp.se time1.stupi.se tick.stdtime.gov.tw tock.stdtime.gov.tw time.stdtime.gov.tw Configuring Time Setting To change your ZyWALL’s time and date, click SYSTEM, then the Time Setting tab. The screen appears as shown.
  • Page 70: Figure 4-4 Time Setting

    Figure 4-4 Time Setting The following table describes the fields in this screen. Table 4-5 Time Setting LABEL DESCRIPTION Time Protocol Select the time service protocol that your time server sends when you turn on the ZyWALL.
  • Page 71 Table 4-5 Time Setting LABEL DESCRIPTION Time Server Address Enter the address of your time server. Check with your ISP/network administrator if you are unsure of this information (the default is tick.stdtime.gov.tw). Synchronize Now Click this button to get the time and date from the time server you specified above. Current Time This field displays the time of your ZyWALL.
  • Page 73: Chapter 5 LAN Screens

    Chapter 5 LAN Screens This chapter describes how to configure LAN settings. LAN Overview A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.
  • Page 74: DNS Server Address Assignment

    three numbers specify the network number while the last number identifies an individual computer on that network. Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyWALL, but make sure that no other device on your network is using that IP address.
  • Page 75: Configuring IP

    RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send routing data in RIP-2 format;...
  • Page 76: Figure 5-1 IP

    Figure 5-1 IP The following table describes the fields in this screen. Table 5-1 IP LABEL DESCRIPTION DHCP Setup...
  • Page 77 Table 5-1 IP LABEL DESCRIPTION DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP Server check box selected.
  • Page 78: Configuring Static DHCP

    Table 5-1 IP LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 79: Configuring IP Alias

    Figure 5-2 Static DHCP The following table describes the fields in this screen. Table 5-2 Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address (with colons) of a computer on your LAN. IP Address Type the IP address to be assigned to the device with the MAC address entered above.
  • Page 80: Figure 5-3 Physical Network Figure 5-4 Partitioned Logical Networks

    When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). The following figure shows a LAN divided into subnets A, B, and C. Figure 5-3 Physical Network Figure 5-4 Partitioned Logical Networks.
  • Page 81: Table 5-3 IP Alias

    The following table describes the fields in this screen. Table 5-3 IP Alias LABEL DESCRIPTION IP Alias 1,2 Select the check box to configure another LAN for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 83: WAN And Wireless LAN

    WAN and Wireless LAN Part III: WAN and Wireless LAN This part covers configuration of the WAN and Wireless LAN screens.
  • Page 85: Chapter 6 Wan Screens

    ZyWALL 2 Series User’s Guide Chapter 6 WAN Screens This chapter describes how to configure WAN settings. WAN Overview See the LAN chapter for information about Primary and Secondary DNS Server, DNS Server Address Assignment and IP Address and Subnet Mask. TCP/IP Priority (Metric) The metric represents the "cost of transmission".
  • Page 86: Configuring Route

    ZyWALL 2 Series User’s Guide Table 6-1 Private IP Address Ranges 10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255 You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 87: Configuring Wan Isp

    ZyWALL 2 Series User’s Guide Figure 6-1 WAN Setup: Route The following table describes the fields in this screen. Table 6-3 WAN Setup: Route LABEL DESCRIPTION The default WAN connection is "1” as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
  • Page 88: Figure 6-2 Ethernet Encapsulation

    ZyWALL 2 Series User’s Guide Figure 6-2 Ethernet Encapsulation The following table describes the fields in this screen. Table 6-4 Ethernet Encapsulation LABEL DESCRIPTION Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 89

    Table 6-4 Ethernet Encapsulation (continued)
    Reset: Click Reset to begin configuring this screen afresh.
    6.5.2 PPPoE Encapsulation
    The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection.
  • Page 90: Figure 6-3 Pppoe Encapsulation

    Figure 6-3 PPPoE Encapsulation
    The following table describes the fields in this screen.
    Table 6-5 PPPoE Encapsulation
    ISP Parameters for Internet Access
    Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet).
  • Page 91

    Table 6-5 PPPoE Encapsulation (continued)
    Password: Type the password associated with the User Name above.
    Retype to Confirm: Type your password again to make sure that you have entered it correctly.
    Nailed-Up Connection: Select Nailed-Up Connection if you do not want the connection to time out.
    Idle Timeout: This value specifies the time in seconds that elapses before the router automatically...
  • Page 92: Figure 6-4 Pptp Encapsulation

    Figure 6-4 PPTP Encapsulation
    The following table describes the fields in this screen.
    Table 6-6 PPTP Encapsulation
    ISP Parameters for Internet Access
    Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 93: Configuring Wan Ip

    Table 6-6 PPTP Encapsulation (continued)
    User Name: Type the user name given to you by your ISP.
    Password: Type the password associated with the User Name above.
    Retype to Confirm: Type your password again to make sure that you have entered it correctly.
    Nailed-Up Connection: Select Nailed-Up Connection if you do not want the connection to time out.
  • Page 94: Figure 6-5 Ip Setup

    Figure 6-5 IP Setup
    The following table describes the fields in this screen.
    Table 6-7 IP Setup
    WAN IP Address Assignment
    Get automatically from: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
  • Page 95

    Table 6-7 IP Setup (continued)
    My WAN IP Address (or IP Address): Enter your WAN IP address in this field if you selected Use Fixed IP Address.
    My WAN IP Subnet Mask (Ethernet encapsulation only): Type your network's IP subnet mask.
    Remote IP Address (or...
  • Page 96

    Table 6-7 IP Setup (continued)
    Private (PPPoE and PPTP only): This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast.
  • Page 97: Configuring Wan Mac

    Table 6-7 IP Setup (continued)
    Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
  • Page 98: Traffic Redirect

    The MAC address screen allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a computer on your LAN. Choose Factory Default to select the factory assigned default MAC Address.
  • Page 99: Configuring Traffic Redirect

    Figure 6-8 Traffic Redirect LAN Setup
    Configuring Traffic Redirect
    To change your ZyWALL’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown.
  • Page 100: Figure 6-9 Traffic Redirect

    Figure 6-9 Traffic Redirect
    The following table describes the fields in this screen.
    Table 6-8 Traffic Redirect
    Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
  • Page 101: Configuring Dial Backup

    Table 6-8 Traffic Redirect (continued)
    Check WAN IP Address: Configuration of this field is optional. If you do not enter an IP address here, the ZyWALL will use the default gateway IP address. Configure this field to test your ZyWALL's WAN accessibility.
  • Page 102: Figure 6-10 Dial Backup Setup

    Figure 6-10 Dial Backup Setup
  • Page 103: Table 6-9 Dial Backup Setup

    The following table describes the labels in this screen.
    Table 6-9 Dial Backup Setup
    Enable Dial Backup: Select this check box to turn on dial backup.
    Basic Settings
    Login Name: Type the login name assigned by your ISP.
    Password: Type the password assigned by your ISP.
  • Page 104

    Table 6-9 Dial Backup Setup (continued)
    Get IP Address Automatically from Remote Server: Type the login name assigned by your ISP for this remote node.
    Use Fixed IP Address: Select this check box if your ISP assigned you a fixed IP address, then enter the IP address in the following field.
  • Page 105

    Table 6-9 Dial Backup Setup (continued)
    RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported;...
  • Page 106: Advanced Modem Setup

    Table 6-9 Dial Backup Setup (continued)
    Configure Budget: Select this check box to have the dial backup connection on during the time that you select.
    Allocated Budget: Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period field.
  • Page 107: Configuring Advanced Modem Setup

    6.11.3 Response Strings
    The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags.
    6.12 Configuring Advanced Modem Setup
    Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown next.
  • Page 108: Figure 6-11 Advanced Setup

    Figure 6-11 Advanced Setup
    The following table describes the labels in this screen.
    Table 6-10 Advanced Setup
    AT Command Strings
    Dial: Type the AT Command string to make a call. Example: atdt
  • Page 109

    Table 6-10 Advanced Setup (continued)
    Drop: Type the AT Command string to drop a call. "~" represents a one second wait; for example, "~~~+++~~ath" can be used if your modem has a slow response time. Example: ~~+++~~ath
    Answer: Type the AT Command string to answer a call.
  • Page 111: Chapter 7 Wireless Lan Screens

    Chapter 7 Wireless LAN Screens
    This chapter discusses how to configure Wireless LAN on the ZyWALL 2WE.
    Wireless LAN Overview
    This section introduces the wireless LAN (WLAN) and some basic scenarios.
    7.1.1 Additional Installation Requirements for Using 802.1x
    A computer with an IEEE 802.11b wireless LAN card.
  • Page 112: Figure 7-1 Rts Threshold

    is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. A and B do not hear each other. They can hear the AP.
    Figure 7-1 RTS Threshold
    When station A sends data to the ZyWALL, it might not know that the station B is already using the channel.
  • Page 113: Wireless Security

    A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS Threshold size.
  • Page 114: Configuring Wireless Lan

    Configuring Wireless LAN
    If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyWALL’s new settings.
  • Page 115: Table 7-1 Wireless

    Table 7-1 Wireless
    Enable Wireless: The wireless LAN is turned off by default. Before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN.
  • Page 116: Configuring Mac Filter

    Configuring MAC Filter
    The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 117: Overview

    Table 7-2 MAC Address Filter
    Active: Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses.
  • Page 118: Eap Authentication Overview

    • Access-Request: Sent by the ZyWALL requesting authentication.
    • Access-Reject: Sent by a RADIUS server rejecting access.
    • Access-Accept: Sent by a RADIUS server allowing access.
    • Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
  • Page 119: Local User Database

    Figure 7-5 EAP Authentication
    The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x chapter in the Appendices.
    • The wireless station sends a “start”...
  • Page 120: Figure 7-6 802.1X Authentication

    Figure 7-6 802.1X Authentication
    The following table describes the fields in this screen.
    Table 7-3 802.1X Authentication
    Authentication Type: Select Authentication Required, No Access or No Authentication Required from the drop-down list box. Select Authentication Required to authenticate all wireless stations before they can access the wired network.
  • Page 121: Nat And Static Route

    Part IV: NAT and Static Route
    This part covers Network Address Translation and setting up static routes.
  • Page 123: Chapter 8 Network Address Translation (Nat)

    Chapter 8 Network Address Translation (NAT)
    This chapter discusses how to configure NAT on the ZyWALL.
    NAT Overview
    NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 124: Figure 8-1 How Nat Works

    local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example a web server and a telnet server) on your local network and make them accessible to the outside world.
  • Page 125: Figure 8-2 Nat Application With Ip Alias

    8.1.4 NAT Application
    The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
    Figure 8-2 NAT Application With IP Alias
    8.1.5 NAT Mapping Types
    NAT supports five types of IP/port mapping.
  • Page 126: Using Nat

    Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), the Single User Account feature (the SUA Only option).
    Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
  • Page 127: Sua Server

    8.2.1 SUA (Single User Account) Versus NAT
    SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types.
  • Page 128: Figure 8-3 Multiple Servers Behind Nat Example

    Table 8-3 Services and Port Numbers
    DNS (Domain Name System): 53
    Finger: 79
    HTTP (Hyper Text Transfer protocol or WWW, Web): 80
    POP3 (Post Office Protocol): 110
    NNTP (Network News Transport Protocol): 119
    SNMP (Simple Network Management Protocol): 161
    SNMP trap: 162
    PPTP (Point-to-Point Tunneling Protocol): 1723...
  • Page 129: Configuring Sua Server

    Configuring SUA Server
    If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Click SUA/NAT to open the SUA Server screen. Refer to the firewall chapters for port numbers commonly used for particular services.
  • Page 130: Configuring Address Mapping

    Table 8-4 SUA Server
    Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not specified in this screen will be discarded.
  • Page 131: Figure 8-5 Address Mapping

    Figure 8-5 Address Mapping
    The following table describes the fields in this screen.
    Table 8-5 Address Mapping
    Local Start IP: This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping.
  • Page 132: Figure 8-6 Address Mapping Rule

    Table 8-5 Address Mapping (continued)
    Type:
    1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type.
    2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), the Single User Account feature.
  • Page 133: Configuring Trigger Port

    Table 8-6 Address Mapping Rule
    Type: Choose the port mapping type from one of the following.
    1. One-to-One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type.
    2.
  • Page 134: Figure 8-7 Trigger Port Forwarding Example

    receives a response with a specific port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer’s connection for that service closes, another computer on the LAN can use the service in the same manner.
  • Page 135: Figure 8-8 Trigger Port

    Figure 8-8 Trigger Port
    The following table describes the fields in this screen.
    Table 8-7 Trigger Port
    This is the rule index number (read-only).
    Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces.
  • Page 136

    Table 8-7 Trigger Port (continued)
    Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
  • Page 137: Chapter 9 Static Route Screens

    Chapter 9 Static Route Screens
    This chapter shows you how to configure static routes for your ZyWALL.
    Static Route Overview
    Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 138: Figure 9-2 Static Route Screen

    Figure 9-2 Static Route Screen
    The following table describes the fields in this screen.
    Table 9-1 IP Static Route Summary
    Number of an individual static route.
    Name: Name that describes or identifies this route.
    This field shows whether this static route is active (Yes) or not (No).
  • Page 139: Figure 9-3 Edit Ip Static Route

    Table 9-1 IP Static Route Summary (continued)
    Gateway: This is the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL;...
  • Page 140

    Table 9-2 Edit IP Static Route
    Active: This field allows you to activate/deactivate this static route.
    Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
  • Page 141: Firewall And Content Filters

    Part V: Firewall and Content Filters
    This part introduces firewalls in general and the ZyWALL firewall. It also explains how to configure the ZyWALL firewall and content filtering.
  • Page 143: Chapter 10 Firewalls

    Chapter 10 Firewalls
    This chapter gives some background information on firewalls and introduces the ZyWALL firewall.
    10.1 Firewall Overview
    Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 144: Introduction To Nortel Networks Firewall

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 145: Denial Of Service

    Figure 10-1 ZyWALL Firewall Application
    10.4 Denial of Service
    Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 146: Table 10-1 Common Ip Ports

    Table 10-1 Common IP Ports
    Telnet: 23
    HTTP: 80
    SMTP: 25
    POP3: 110
    10.4.2 Types of DoS Attacks
    There are four types of DoS attacks:
    1. Those that exploit bugs in a TCP/IP implementation.
    2. Those that exploit weaknesses in the TCP/IP specification.
    3.
  • Page 147: Figure 10-2 Three-Way Handshake

    Figure 10-2 Three-Way Handshake
    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
  • Page 148: Figure 10-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 149: Stateful Inspection

    Illegal Commands (NetBIOS and SMTP)
    The only legal NetBIOS commands are the following - all others are illegal.
    Table 10-3 Legal NetBIOS Commands
    MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE
    All SMTP commands are illegal except for those displayed in the following tables.
    Table 10-4 Legal SMTP Commands
    AUTH, DATA...
  • Page 150: Figure 10-5 Stateful Inspection

    all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection:
    Allows all sessions originating from the LAN (local network) to the WAN (Internet).
    Denies all sessions originating from the WAN to the LAN.
  • Page 151: Stateful Inspection And The Zywall

    4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.
  • Page 152: Tcp Security

    Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyWALL itself (as with the "virtual connections" created for UDP and ICMP).
    10.5.3 TCP Security
    The ZyWALL uses state information embedded in TCP packets.
  • Page 153: Guidelines For Enhancing Security With Your Firewall

    10.5.5 Upper Layer Protocols
    Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information. Consider the FTP protocol.
  • Page 154: When To Use Filtering

    10.7.1 Packet Filtering
    The router filters packets as they pass through the router’s interface according to the filter rules you designed. Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
  • Page 155

    3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
    4. The firewall performs better than filtering if you need to check many rules.
    5.
  • Page 157: Chapter 11 Firewall Screens

    Chapter 11 Firewall Screens
    This chapter shows you how to configure your ZyWALL firewall.
    11.1 Access Methods
    The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall.
  • Page 158: Rule Logic Overview

    If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them. For example, you may create rules to: ♦...
  • Page 159: Connection Direction Examples

    1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
    2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
    3.
  • Page 160: Figure 11-1 Lan To Wan Traffic

    policies for managing the ZyWALL through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ZyWALL policies apply in the same way to the WAN ports.
    11.4.1 LAN to WAN Rules
    The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN.
  • Page 161: Alerts

    Figure 11-2 WAN to LAN Traffic
    11.5 Alerts
    Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 11-12 - check the Generate alert when attack detected checkbox) or when a rule is matched in the Edit Rule screen (see Figure 11-4). Configure the Log Settings screen to have the ZyWALL send an immediate e-mail message to you when an event generates an alert.
  • Page 162: Figure 11-3 Enabling The Firewall

    Select this check box to enable the firewall.
    Figure 11-3 Enabling the Firewall
    The following table describes the fields in this screen.
  • Page 163: Table 11-1 Firewall Rules Summary: First Screen

    Table 11-1 Firewall Rules Summary: First Screen
    Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
    Bypass Triangle Route: Select this check box to have the ZyWALL firewall ignore the use of triangle route...
  • Page 164: Configuring Firewall Rules

    Table 11-1 Firewall Rules Summary: First Screen (continued)
    This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None).
    Alert: This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
  • Page 165: Figure 11-4 Creating/Editing A Firewall Rule

    Figure 11-4 Creating/Editing A Firewall Rule
  • Page 166: Table 11-2 Creating/Editing A Firewall Rule

    The following table describes the fields in this screen.
    Table 11-2 Creating/Editing A Firewall Rule
    Active: Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it.
    Packet Direction: Use the drop-down list box to select the direction of packet travel to which you want...
  • Page 167: Figure 11-5 Adding/Editing Source And Destination Addresses

    Table 11-2 Creating/Editing A Firewall Rule (continued)
    This field determines if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Go to the Log Settings page and select the Access Control logs category to have the ZyWALL record these logs.
  • Page 168: Figure 11-6 Creating/Editing A Custom Port

    Table 11-3 Adding/Editing Source and Destination Addresses
    Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
  • Page 169: Example Firewall Rule

    Table 11-4 Creating/Editing A Custom Port
    Service Name: Enter a unique name for your custom port.
    Service Type: Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop-down list box.
  • Page 170: Figure 11-7 Firewall Ip Config Screen

    Select WAN to LAN from the drop-down list box.
    Figure 11-7 Firewall IP Config Screen
    Step 4. Select Any in the Destination Address box and then click DestDelete.
  • Page 171: Figure 11-8 Firewall Rule Edit Ip Example

    Step 5. Click DestAdd under the Source Address box.
    Step 6. Configure the Firewall Rule Edit IP screen as follows and click Apply.
    Figure 11-8 Firewall Rule Edit IP Example
    Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen.
  • Page 172: Figure 11-10 Myservice Rule Configuration

    Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. This is the address range of servers.
  • Page 173: Figure 11-11 My Service Example Rule Summary

    On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Rule 1: Allows a “My Service”...
  • Page 174: Predefined Services

    11.8 Predefined Services
    The Available Services list box in the Rule Config(uration) screen (see Figure 11-4) displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP).
  • Page 175

    Table 11-5 Predefined Services
    IPSEC_TUNNEL(ESP:0): The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
    IRC(TCP/UDP:6667): This is another popular Internet chat program.
    Messenger(TCP:1863): Microsoft Networks’ messenger service uses this protocol.
    MULTICAST(IGMP:0): Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.
  • Page 176: Configuring Attack Alert

    Table 11-5 Predefined Services (continued)
    SMTP(TCP:25): Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
    SNMP(TCP/UDP:161): Simple Network Management Program.
    SNMP- Traps for use with the SNMP (RFC:1215).
  • Page 177: Threshold Values

    11.9.1 Threshold Values
    Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are:
    1.
  • Page 178: Figure 11-12 Attack Alert

    Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to one of the following methods:
    1. If the Blocking Period timeout is 0 (the default), then the ZyWALL deletes the oldest existing half-open session for the host for every new connection request to the host.
  • Page 179: Table 11-6 Attack Alert

    ZyWALL 2 Series User’s Guide Table 11-6 Attack Alert LABEL DESCRIPTION DEFAULT VALUES Generate alert when A detected attack automatically generates a attack detected log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected.
  • Page 180 ZyWALL 2 Series User’s Guide Table 11-6 Attack Alert LABEL DESCRIPTION DEFAULT VALUES Maximum Incomplete This is the number of existing half-open 100 existing half-open sessions. High sessions that causes the firewall to start The above values causes the deleting half-open sessions. When the ZyWALL to start deleting half- number of existing half-open sessions rises open sessions when the number...
  • Page 181: Chapter 12 Content Filtering Screens

    Chapter 12 Content Filtering Screens This chapter provides a brief overview of content filtering using the web embedded configurator. 12.1 Introduction to Content Filtering Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords and should not be confused with packet filtering via SMT menu 21.1.
  • Page 182: Figure 12-1 Content Filter : General

    Figure 12-1 Content Filter : General The following table describes the labels in this screen.
  • Page 183: Table 12-1 Content Filter : General

    Table 12-1 Content Filter : General. Enable Content Filter: Select this check box to enable the content filter. Restrict Web Features: Select the check box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
  • Page 184: Content Filtering With An External Server

    Table 12-1 Content Filter : General (continued). Exclude specified address ranges from the content filter enforcement: Select this check box to exempt a specific range of users on your LAN from content filter policies. Add Address Ranges, From: Type the beginning IP address (in dotted decimal notation) of the specific range of users on your LAN.
  • Page 185: Checking Content Filtering Activation

    Step 1. A computer sends an HTTP request to a web server. Step 2. The ZyWALL looks up the web site in its local database. If an attempt to access the web site was made in the past, a record of that web site’s rating will be in the ZyWALL’s cache. The ZyWALL will either block or forward the request based on the rating policy you configure.
  • Page 186: Figure 12-3 Content Filter : Categories

    Figure 12-3 Content Filter : Categories
  • Page 187: Table 12-2 Content Filter : Categories

    The following table describes the labels in this screen. Table 12-2 Content Filter : Categories. Enable Web Site Auto Categorization: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
  • Page 188 Table 12-2 Content Filter : Categories (continued). Select Categories. Select All Categories: Select this check box to restrict access to all site categories listed below. Clear All Categories: Select this check box to clear the selected categories below. Adult/Mature Content: Selecting this category excludes pages that contain material of adult nature that does not necessarily contain excessive violence, sexual content, or...
  • Page 189 Table 12-2 Content Filter : Categories (continued). Gambling: Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assistance, recommendations, or training on placing bets or participating in games of chance.
  • Page 190 Table 12-2 Content Filter : Categories (continued). Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
  • Page 191 Table 12-2 Content Filter : Categories (continued). Computers/Internet: Selecting this category excludes pages that sponsor or provide information on computers, technology, the Internet and technology-related organizations and companies. Hacking/Proxy Avoidance: Pages providing information on illegal or questionable access to or the use of communications equipment/software, or that provide information on how to bypass proxy server features or gain access to URLs in any way that bypasses the proxy server.
  • Page 192 Table 12-2 Content Filter : Categories (continued). Shopping: Selecting this category excludes pages that provide or advertise the means to obtain goods or services. It does not include pages that can be classified in other categories (such as vehicles or weapons).
  • Page 193 Table 12-2 Content Filter : Categories (continued). Software Downloads: Selecting this category excludes pages that are dedicated to the electronic download of software packages, whether for payment or at no charge. Pay to Surf: Selecting this category excludes pages that pay users in the form of cash or prizes, for clicking on or reading specific links, email, or web pages.
  • Page 194: Configuring Customization

    Table 12-2 Content Filter : Categories (continued). Register: Click Register to go to a web site where you can register for category-based content filtering (using an external database). You can use a trial application or register your iCard’s PIN.
  • Page 195: Figure 12-4 Content Filter : Customization

    Figure 12-4 Content Filter : Customization
    Enter host names such as “www.good-site.com” into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc.
  • Page 197 Table 12-3 Content Filter : Customization (continued). Delete: Select a web site name from the Forbidden Web Site List, and then click this button to delete it from that list. Keyword Blocking: Keyword Blocking allows you to block websites that contain certain keywords.
  • Page 199: Vpn/Ipsec

    Part VI: VPN/IPSec This part provides information on how to configure VPN/IPSec.
  • Page 201: Chapter 13 Introduction To Ipsec

    Chapter 13 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 202: Figure 13-1 Encryption And Decryption

    Figure 13-1 Encryption and Decryption. Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 203: Ipsec Architecture

    13.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 13-2 IPSec Architecture 13.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 204: Encapsulation

    13.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 13-3 Transport and Tunnel Mode IPSec Encapsulation 13.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 205: Ipsec And Nat

    13.4 IPSec and NAT Read this section if you are running IPSec on a host computer behind the ZyWALL. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet.
  • Page 207: Chapter 14 Vpn Screens

    Chapter 14 VPN Screens This chapter introduces the VPN Web configurator. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions. 14.1 VPN/IPSec Overview Use the screens documented in this chapter to configure and manage a VPN connection. 14.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
  • Page 208: My Ip Address

    Table 14-1 AH and ESP. DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
  • Page 209: Summary Screen

    You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
  • Page 210: Figure 14-2 Vpn Rules

    Figure 14-2 VPN Rules The following table describes the fields in this screen. Table 14-2 VPN Rules. The first field displays the VPN rule number. Name: This field displays the identification name for this VPN policy. Active: Y signifies that this VPN rule is active.
  • Page 211: Keep Alive

    Table 14-2 VPN Rules (continued). Remote IP Address: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
  • Page 212: Nat Traversal

    When there is outbound traffic with no inbound traffic, the ZyWALL automatically drops the tunnel after two minutes. 14.7 NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A and B.
  • Page 213: Figure 14-4 Vpn Host Using Intranet Dns Server Example

    14.7.2 X-Auth (Extended Authentication) Extended authentication provides added security by allowing you to use usernames and passwords for VPN connections. This is especially helpful when multiple ZyWALLs use one VPN rule to connect to a single ZyWALL.
  • Page 214: Id Type And Content

    If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network. 14.8 ID Type and Content With aggressive negotiation mode (see section 14.12.1), the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted.
  • Page 215: Table 14-4 Peer Id Type And Content Fields

    Table 14-4 Peer ID Type and Content Fields. Peer ID Type / Content: Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Secure Gateway field.
  • Page 216: Pre-Shared Key

    Table 14-6 Mismatching ID Type and Content Configuration Example. ZyWALL A: Peer ID type: E-mail; Peer ID content: aa@yahoo.com. ZyWALL B: Peer ID type: IP; Peer ID content: N/A. 14.9 Pre-Shared Key A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see section 14.10 for more on IKE phases).
  • Page 217: Configuring Basic Ike Vpn Rule Setup

    Figure 14-6 Site-to-Site VPN Example 14.11 Configuring Basic IKE VPN Rule Setup Select one of the VPN rules in the VPN Rules screen and click Edit or click the Rule Setup tab on the ZyWALL 2WE to configure the rule’s settings. The basic IKE rule setup screen is shown next.
  • Page 218: Figure 14-7 Basic Ike Vpn Rule Edit

    Figure 14-7 Basic IKE VPN Rule Edit
  • Page 219: Table 14-7 Basic Ike Vpn Rule Edit

    The following table describes the fields in this screen. Table 14-7 Basic IKE VPN Rule Edit. Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive: Select this check box to turn on the keep alive feature for this SA.
  • Page 220 Table 14-7 Basic IKE VPN Rule Edit (continued). Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the auth server’s local user database or a RADIUS server (see the Authentication Server section).
  • Page 221 Table 14-7 Basic IKE VPN Rule Edit (continued). Local IP Address: Enter a static local IP address. The local IP address must correspond to the remote IPSec router's configured remote IP addresses. Site to Site: Select this radio button to establish a VPN between two sites (groups of IP addresses).
  • Page 222 Table 14-7 Basic IKE VPN Rule Edit (continued). Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router.
  • Page 223 Table 14-7 Basic IKE VPN Rule Edit (continued). Local ID Type: Select IP to identify this ZyWALL by its IP address. Select DNS to identify this ZyWALL by a domain name. Select E-mail to identify this ZyWALL by an e-mail address. You do not configure the local ID type and content when you set Authentication Method to Certificate.
  • Page 224 Table 14-7 Basic IKE VPN Rule Edit (continued). Peer ID Type: Select from the following when you set Authentication Method to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name.
  • Page 225 Table 14-7 Basic IKE VPN Rule Edit (continued). Content: The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Method to Pre-shared Key. For IP, type the IP address of the computer with which you will make the VPN connection.
  • Page 226 Table 14-7 Basic IKE VPN Rule Edit (continued). My IP Address: Enter the WAN IP address of your ZyWALL. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: The ZyWALL uses the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 227: Ike Phases

    Table 14-7 Basic IKE VPN Rule Edit (continued). Encryption Algorithm: Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 228: Figure 14-8 Two Phases To Set Up The Ipsec Sa

    Figure 14-8 Two Phases to Set Up the IPSec SA In phase 1 you must: Choose a negotiation mode. Authenticate the connection by entering a pre-shared key. Choose an encryption algorithm. Choose an authentication algorithm. Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
  • Page 229: Negotiation Mode

    ...IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.
  • Page 230: Configuring Advanced Ike Setup

    14.12.5 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
  • Page 231: Figure 14-9 Advanced Ike Vpn Rule Setup

    Figure 14-9 Advanced IKE VPN Rule Setup The following table describes the fields in this screen. Table 14-8 Advanced IKE VPN Rule Setup. Protocol: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
  • Page 232: Table 14-8 Advanced Ike Vpn Rule Setup

    Table 14-8 Advanced IKE VPN Rule Setup (continued). Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.
  • Page 233 Table 14-8 Advanced IKE VPN Rule Setup (continued). Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
  • Page 234: Manual Key Setup

    Table 14-8 Advanced IKE VPN Rule Setup (continued). SA Life Time (seconds): Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 235: Figure 14-10 Manual Vpn Rule Setup

    Select Manual Key (or Manual) in the Key Management (or IPSec Keying Mode) field to display the manual VPN rule setup screen. Figure 14-10 Manual VPN Rule Setup
  • Page 236: Table 14-9 Vpn Manual Setup

    The following table describes the labels in this screen. Table 14-9 VPN Manual Setup. Active: Select this check box to activate this VPN policy. Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 237 Table 14-9 VPN Manual Setup (continued). Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
  • Page 238 Table 14-9 VPN Manual Setup (continued). Secure Gateway Addr: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. SPI: Type a unique SPI (Security Parameter Index) from one to four characters long. Valid characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9".
  • Page 239: Sa Monitor

    Table 14-9 VPN Manual Setup (continued). Authentication: Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for MD5 authentication or 20 characters for SHA-1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated. Click Apply to save your changes back to the ZyWALL.
  • Page 240: Global Settings

    The following table describes the fields in this screen. Table 14-10 VPN SA Monitor. The first field is the security association index number. Name: This field displays the identification name for this VPN policy. Encapsulation: This field displays Tunnel or Transport mode.
  • Page 241: Telecommuter Vpn/Ipsec Examples

    Table 14-11 VPN Global Setting. Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
  • Page 242: Figure 14-13 Telecommuters Sharing One Vpn Rule Example

    Figure 14-13 Telecommuters Sharing One VPN Rule Example. Table 14-12 Telecommuters Sharing One VPN Rule Example. My IP Address: telecommuters: 0.0.0.0 (dynamic IP address assigned by the ISP); headquarters: public static IP address. Secure Gateway: telecommuters: public static IP address; headquarters: 0.0.0.0 (with this IP address only the...
  • Page 243: Figure 14-14 Telecommuters Using Unique Vpn Rules Example

    See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.
  • Page 244: Vpn And Remote Management

    Table 14-13 Telecommuters Using Unique VPN Rules Example (continued). Telecommuters: Local IP Address: 192.168.2.12. Headquarters: Secure Gateway Address: telecommuter1.com; Remote Address: 192.168.2.12. Telecommuter B (telecommuterb.dydns.org): Local ID Type: DNS; Local ID Content: telecommuterb.com; Local IP Address: 192.168.3.2... Headquarters ZyWALL Rule 2: Peer ID Type: DNS; Peer ID Content: telecommuterb.com.
  • Page 245: Certificates

    Part VII: Certificates This part provides information and configuration instructions for public-key certificates.
  • Page 247: Chapter 15 Certificates

    Chapter 15 Certificates This chapter gives background information about public-key certificates and explains how to use them. This chapter is only applicable to the ZyWALL 2. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 248: Self-Signed Certificates

    Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 249: My Certificates

    15.4 My Certificates Click CERTIFICATES, My Certificates to open the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. See the following figure. Figure 15-2 My Certificates The following table describes the labels in this screen.
    Replace This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address.
  • Page 251: Certificate File Formats

    Table 15-1 My Certificates (continued). Details: Select the radio button next to a certificate’s index number and then click Details to open a screen with an in-depth list of information about that certificate. Refresh: Click this button to display the current validity status of the certificates.
  • Page 252: Importing A Certificate

    15.6 Importing a Certificate Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL; see the following figure. 1.
  • Page 253: Creating A Certificate

    Table 15-2 My Certificate Import. Apply: Click Apply to save the certificate on the ZyWALL. Cancel: Click Cancel to quit and return to the My Certificates screen. 15.7 Creating a Certificate Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request; see the following figure.
  • Page 254: Table 15-3 My Certificate Create

    The following table describes the labels in this screen. Table 15-3 My Certificate Create. Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory.
  • Page 255 Table 15-3 My Certificate Create (continued). Create a certification request and enroll for a certificate: Select Create a certification request and enroll for a certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate.
  • Page 256: My Certificate Details

    After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen.
  • Page 257: Figure 15-5 My Certificate Details

    Figure 15-5 My Certificate Details
  • Page 258: Table 15-4 My Certificate Details

    The following table describes the labels in this screen. Table 15-4 My Certificate Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
  • Page 259 Table 15-4 My Certificate Details (continued). Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The ZyWALL uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
  • Page 260: Trusted Cas

    Table 15-4 My Certificate Details (continued). Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
  • Page 261: Figure 15-6 Trusted Cas

    Figure 15-6 Trusted CAs The following table describes the labels in this screen. Table 15-5 Trusted CAs. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 262: Importing A Trusted Ca's Certificate

    Table 15-5 Trusted CAs (continued). Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
  • Page 263: Trusted Ca Certificate Details

    You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 15-7 Trusted CA Import The following table describes the labels in this screen. Table 15-6 Trusted CA Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 264: Figure 15-8 Trusted Ca Details

    Figure 15-8 Trusted CA Details
  • Page 265: Table 15-7 Trusted Ca Details

    The following table describes the labels in this screen. Table 15-7 Trusted CA Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
  • Page 266 Table 15-7 Trusted CA Details (continued). Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
  • Page 267: Trusted Remote Hosts

    Table 15-7 Trusted CA Details (continued). Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
  • Page 268: Figure 15-9 Trusted Remote Hosts

    ZyWALL 2 Series User’s Guide Figure 15-9 Trusted Remote Hosts The following table describes the labels in this screen. Table 15-8 Trusted Remote Hosts LABEL DESCRIPTION PKI Storage This bar displays the percentage of the ZyWALL’s PKI storage space that is currently Space in Use in use.
  • Page 269: Verifying a Trusted Remote Host's Certificate

    Table 15-8 Trusted Remote Hosts. Subject: This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
  • Page 270: Importing a Trusted Remote Host's Certificate

    Table 15-9 Remote Host Certificates. Step 3. Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Verify over an independent channel (by telephone, for example) that the remote host shows the same values in its Thumbprint Algorithm and Thumbprint fields; a self-signed certificate whose thumbprint you have not checked this way could have been substituted on the way to you.
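
    The thumbprint check above (and the PEM format described for the certificate details screen) can be reproduced off the device. The following is an added example written for this page, not ZyXEL code: it strips the PEM armour, decodes the Base64 body to the binary DER certificate, hashes it the way the browser's Thumbprint field does, and compares the result with a value read out over the phone, tolerating colons, spaces and letter case. The embedded PEM body is a constructed placeholder wrapping the bytes "abc" (so that the well-known SHA-1 of "abc" can be checked), not a real certificate; any real PEM certificate file works the same way.

```python
"""Compute a certificate thumbprint from PEM and compare it with a value
obtained out of band.

Added example; not ZyXEL code and it does not talk to a ZyWALL. SAMPLE_PEM
is a constructed placeholder wrapping b"abc", not a real certificate.
"""
import base64
import hashlib
import hmac
import re

# Constructed sample: PEM armour around the three bytes b"abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the BEGIN/END lines and decode the Base64 body to DER bytes.

    PEM is only the binary DER certificate in the 64-character Base64
    alphabet; the thumbprint the browser (or the ZyWALL) shows is a hash
    over these DER bytes, never over the PEM text.
    """
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())          # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint as colon-separated upper-case hex pairs, the layout
    Windows and the ZyWALL use (e.g. 21:6C:07:...)."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("thumbprint algorithm must be sha1 or sha256")
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Accept the forms a fingerprint gets read out or pasted in:
    with or without colons or spaces, in either letter case."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def thumbprints_match(pem_text: str, spoken_value: str, algorithm: str = "sha1") -> bool:
    """True when the certificate's thumbprint equals the out-of-band value.
    Both parties must read the same Thumbprint Algorithm; a SHA-1 value
    can never match a SHA-256 one, and the compare says so rather than
    guessing."""
    computed = normalize(thumbprint(pem_to_der(pem_text), algorithm))
    return hmac.compare_digest(computed, normalize(spoken_value))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1  :", thumbprint(der))
    print("SHA-256:", thumbprint(der, "sha256"))
```

    Run it against the PEM exported from the remote host; if the printed SHA-1 line does not equal what the remote administrator reads out, do not import the certificate.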
  • Page 271: Trusted Remote Host Certificate Details

    The trusted remote host certificate must be a self-signed certificate, and you must remove any spaces from its filename before you can import it. Figure 15-10 Trusted Remote Host Import. The following table describes the labels in this screen. Table 15-11 Trusted Remote Host Import...
  • Page 272: Figure 15-11 Trusted Remote Host Details

    Figure 15-11 Trusted Remote Host Details
  • Page 273: Table 15-12 Trusted Remote Host Details

    The following table describes the labels in this screen. Table 15-12 Trusted Remote Host Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character except spaces.
  • Page 274 Table 15-12 Trusted Remote Host Details. Key Algorithm: This field displays the algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA) and the length of the key in bits (1024 bits, for example). Note that 1024-bit RSA keys are no longer considered adequate; where the remote host allows it, use 2048 bits or more.
  • Page 275: Directory Servers

    15.16 Directory Servers. Click CERTIFICATES, Directory Servers to open the Directory Servers screen. This screen displays a summary list of the directory servers (which hold lists of valid and revoked certificates) that have been saved on the ZyWALL. If you decide to have the ZyWALL check incoming certificates against the issuing certification authority’s list of revoked certificates (CRL), the ZyWALL first checks the server(s) listed in the CRL Distribution Points field of the incoming certificate.
  • Page 276: Add or Edit a Directory Server

    Table 15-13 Directory Servers. Port: This field displays the port number that the directory server uses. Protocol: This field displays the protocol that the directory server uses. Click Add to open a screen where you can configure information about a directory server so that the ZyWALL can access it.
  • Page 277: Table 15-14 Directory Server Add

    Table 15-14 Directory Server Add. Directory Service Setting: Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol: Use the drop-down list box to select the access protocol used by the directory server. LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates.
  • Page 279: Authentication Server, Remote Management and UPnP

    Part VIII: Authentication Server, Remote Management and UPnP. This part provides information and configuration instructions for the authentication server screens, remote management and Universal Plug and Play.
  • Page 281: Chapter 16 Authentication Server

    Chapter 16 Authentication Server. This chapter discusses how to configure the authentication server on the ZyWALL. 16.1 Authentication Server Overview. A ZyWALL set up as a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
  • Page 282: Figure 16-1 Local User Database

    Figure 16-1 Local User Database
  • Page 283: Configuring RADIUS

    The following table describes the fields in this screen. Table 16-1 Local User Database. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile. Password: Enter a password up to 31 characters long for this user profile.
  • Page 284: Figure 16-2 RADIUS

    Figure 16-2 RADIUS. The following table describes the fields in this screen. Table 16-2 RADIUS. Authentication Server: Active: Enable this feature to have the ZyWALL use an external authentication server to perform user authentication. Disable this feature if you will not use an external authentication server.
  • Page 285 Table 16-2 RADIUS. Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Enter a password (up to 31 alphanumeric characters) as the key to be shared between the ZyWALL and the external authentication server. RADIUS protects the users’ passwords with this secret alone (an MD5-based scheme), so use a long, random value and keep the path between the ZyWALL and the RADIUS server on a trusted network.
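
    What the shared secret and port 1812 are used for can be seen in the datagram itself. The following is an added example written for this page, not ZyXEL code: it builds an RFC 2865 Access-Request the way a RADIUS client such as the ZyWALL would, hiding the user's PAP password with MD5(secret + Request Authenticator) block by block, and then verifies the Response Authenticator on the server's reply, the check that stops a forged Access-Accept on the LAN from being believed. Nothing is sent; the secret, user name, password and NAS address are constructed sample values, and reveal_password shows why a weak secret exposes every password that crosses the wire.

```python
"""RADIUS Access-Request with a PAP User-Password (RFC 2865 sections 3 and
5.2) plus the Response Authenticator check a client must apply.

Added example written for this page; not ZyXEL code, sends no packets.
Secret, user, password and addresses are constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the 16-byte Request
    Authenticator. Anyone who knows the secret and sees the datagram can undo
    this, which is why the secret must be long and random."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server (or an eavesdropper who has
    guessed the secret) performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str = "192.168.1.1", authenticator: bytes = b"") -> bytes:
    """Complete Access-Request datagram. The Request Authenticator must be
    fresh random bytes for every request; a caller-supplied one is accepted
    only so that a fixed layout can be tested."""
    ra = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", 0)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side reply (used here to have something to verify):
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def response_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check of the reply. Without it, anyone on the path could
    inject an Access-Accept and be let in."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(1, "alice", "s3cret!", secret)
    print("Access-Request:", req.hex())
    print("reply verifies:", response_authentic(build_response(ACCESS_ACCEPT, req, secret), req, secret))
```

    The identifier and Request Authenticator tie each reply to one request, so a captured Access-Accept cannot be replayed against a later login; the MD5 construction itself is what makes a guessable shared secret fatal.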
  • Page 287: Chapter 17 Remote Management Screens

    Chapter 17 Remote Management Screens. This chapter provides information on the Remote Management screens. 17.1 Remote Management Overview. Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 288: Introduction to HTTPS

    17.1.1 Remote Management Limitations. Remote management over LAN or WAN will not work when: 1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
  • Page 289: Figure 17-1 HTTPS Implementation

    data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys (see the Certificates chapter for more information). HTTPS on the ZyWALL is used so that you may securely access the ZyWALL using the web configurator.
  • Page 290: Configuring WWW

    If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 17.3 Configuring WWW. To change your ZyWALL’s web settings, click REMOTE MGNT, then the WWW tab. The screen appears as shown.
  • Page 291: Table 17-1 WWW

    Table 17-1 WWW. HTTPS: This feature is not available on the ZyWALL 2WE. Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer that requests the HTTPS connection to the ZyWALL).
  • Page 292: HTTPS Example

    Table 17-1 WWW. Reset: Click Reset to begin configuring this screen afresh. 17.4 HTTPS Example. If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address, where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access.
  • Page 293: Figure 17-4 Security Certificate 1 (Netscape)

    17.4.2 Netscape Navigator Warning Messages. When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 294: Figure 17-5 Security Certificate 2 (Netscape)

    Figure 17-5 Security Certificate 2 (Netscape). 17.4.3 Avoiding the Browser Warning Messages. The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
  • Page 295: Login Screen

    Step 2. Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for the certificate’s common name (see Figure 17-9 for an example). Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL’s actual IP address.
  • Page 296: Figure 17-6 Login Screen (Internet Explorer)

    Figure 17-6 Login Screen (Internet Explorer)
  • Page 297: Figure 17-7 Login Screen (Netscape)

    Figure 17-7 Login Screen (Netscape). Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models. Because every unit ships with the same certificate and private key, it cannot prove that you are talking to your own device; replace it as described next.
  • Page 298: Figure 17-8 Replace Certificate

    Figure 17-8 Replace Certificate. Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.
  • Page 299: SSH Overview

    Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 17-10 Common ZyWALL Certificate. 17.5 SSH Overview. Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a protocol that combines host and user authentication with data encryption to provide a secure channel between two hosts over an untrusted network.
  • Page 300: How SSH Works

    Figure 17-11 SSH Communication Example. 17.6 How SSH works. The following table summarizes how a secure connection is established between two remote hosts. 1. Host Identification: The SSH client sends a connection request to the SSH server.
  • Page 301: SSH Implementation on the ZyWALL

    17.7 SSH Implementation on the ZyWALL. Your ZyWALL supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyWALL for remote SMT management and file transfer on port 22. Note that SSH protocol version 1 has known design weaknesses and single DES is no longer considered secure; current OpenSSH releases (7.6 and later) no longer include protocol 1 support, so the -1 examples in this chapter require an older client.
  • Page 302: Secure Telnet Using SSH Examples

    Table 17-2 SSH. Server Host Key: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see the Certificates part for details).
  • Page 303: Figure 17-14 SSH Example 1: Store Host Key

    Step 3. A window displays prompting you to store the host key on your computer. Compare the fingerprint it shows with one you obtained from the ZyWALL’s administrator through a trusted channel before you click Yes to continue; accepting an unverified key defeats host authentication. Figure 17-14 SSH Example 1: Store Host Key. Enter the password to log in to the ZyWALL. The SMT main menu displays next. 17.9.2 Example 2: Linux. This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
  • Page 304: Secure FTP Using SSH Example

    Step 2. Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
  • Page 305: Telnet

    Step 3. Use the “put” command to upload a new firmware to the ZyWALL.

      $ sftp -1 192.168.1.1
      Connecting to 192.168.1.1...
      The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
      RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 306: Configuring Telnet

    17.12 Configuring TELNET. Click REMOTE MGNT to open the TELNET screen. Figure 17-19 Telnet. The following table describes the labels in this screen. Table 17-3 Telnet. Server Port: You may change the server port number for a service if needed; however, you must then use the same port number in order to use that service for remote management.
  • Page 307: Configuring FTP

    17.13 Configuring FTP. You can upload and download the ZyWALL’s firmware and configuration files using FTP; see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.
  • Page 308: Configuring SNMP

    Table 17-4 FTP. Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to allow only the computer with the IP address that you specify to access the ZyWALL using this service.
  • Page 309: Figure 17-21 SNMP Management Model

    Figure 17-21 SNMP Management Model. An SNMP managed network consists of two main types of components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 310: Table 17-5 SNMP Traps

    • Get - Allows the manager to retrieve an object variable from the agent. • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Page 311 17.14.3 REMOTE MANAGEMENT: SNMP. To change your ZyWALL’s SNMP settings, click REMOTE MGNT, then the SNMP tab. The screen appears as shown. Figure 17-22 SNMP. The following table describes the fields in this screen.
  • Page 312: Configuring DNS

    Table 17-6 SNMP. SNMP Configuration: Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station. In SNMPv1 these community strings cross the network in clear text with every request, so change both defaults and restrict which hosts may reach UDP port 161 on the ZyWALL.
  • Page 313: Figure 17-23 Dns

    To change your ZyWALL’s DNS settings, click REMOTE MGNT, then the DNS tab. The screen appears as shown. Figure 17-23 DNS. The following table describes the fields in this screen. Table 17-7 DNS. Service Port: The DNS service port number is 53 and cannot be changed here.
  • Page 314: Configuring Security

    17.16 Configuring Security. To change your ZyWALL’s Security settings, click REMOTE MGNT, then the Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned, which confirms to a scanner that a device is present at that address.
  • Page 315 Table 17-8 Security. Respond to Ping: The ZyWALL will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests.
  • Page 317: Chapter 18 UPnP

    Chapter 18 UPnP. This chapter introduces the Universal Plug and Play feature. 18.1 Universal Plug and Play Overview. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
  • Page 318: UPnP Implementation

    18.1.3 Cautions with UPnP. UPnP performs no authentication: NAT traversal applications establish their own services and open firewall ports on their own, which may present network security issues, since any host or program on the LAN can create an inbound mapping. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 319: Figure 18-1 Configuring Upnp

    Figure 18-1 Configuring UPnP. The following table describes the fields in this screen. Table 18-1 Configuring UPnP. Device Name: This identifies the device in UPnP applications. Enable the Universal Plug and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although you must still enter the...
  • Page 320: Displaying UPnP Port Mapping

    Table 18-1 Configuring UPnP. Reset: Click Reset to begin configuring this screen afresh. 18.4 Displaying UPnP Port Mapping. Click UPnP and then Ports to display the screen as shown next. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
  • Page 321: Installing UPnP in Windows Example

    Table 18-2 UPnP Ports. The first column is the index number of the UPnP-created NAT mapping rule entry. Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank.
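
    The rows in the UPnP Ports screen are the gateway's answers to the IGD GetGenericPortMappingEntry action, and the cautions in 18.1.3 follow from the fact that any LAN host may call the companion AddPortMapping action without credentials. The following is an added example written for this page, not ZyXEL code: it builds the WANIPConnection:1 SOAP request that enumerates mapping number n, parses the kind of response a gateway returns into the same fields the screen shows (remote host, external port, protocol, internal port and client, description, lease), and flags the mappings an administrator should question, such as a wildcard remote host, a permanent lease, or a forward to an administrative port. The control URL and the response body are constructed sample values; a real device's control URL is read from its description document.

```python
"""Enumerate and audit UPnP IGD port mappings (WANIPConnection:1,
GetGenericPortMappingEntry).

Added example written for this page; not ZyXEL code, sends nothing.
CONTROL_URL and SAMPLE_RESPONSE are constructed sample values.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_URL = "/upnp/control/WANIPConn1"   # assumed; take it from the device description


def soap_request(index: int, host: str = "192.168.1.1:80") -> bytes:
    """HTTP/SOAP request for mapping number `index`. No credentials exist
    in this protocol: any LAN host can send it (or AddPortMapping)."""
    body = (f'<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    headers = (f"POST {CONTROL_URL} HTTP/1.1\r\nHOST: {host}\r\n"
               f'SOAPACTION: "{SERVICE}#GetGenericPortMappingEntry"\r\n'
               f'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
               f"CONTENT-LENGTH: {len(body.encode())}\r\n\r\n")
    return (headers + body).encode()


@dataclass
class PortMapping:
    remote_host: str
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int


def parse_mapping(response_xml: str) -> PortMapping:
    """Read one GetGenericPortMappingEntryResponse. Elements are matched by
    local name, so whatever namespace prefixes the device chose are fine."""
    root = ET.fromstring(response_xml)
    vals = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}
    return PortMapping(
        remote_host=vals.get("NewRemoteHost", ""),
        external_port=int(vals["NewExternalPort"]),
        protocol=vals["NewProtocol"].upper(),
        internal_port=int(vals["NewInternalPort"]),
        internal_client=vals["NewInternalClient"],
        enabled=vals.get("NewEnabled", "1") == "1",
        description=vals.get("NewPortMappingDescription", ""),
        lease_seconds=int(vals.get("NewLeaseDuration", "0") or 0),
    )


def audit(m: PortMapping) -> list:
    """Reasons this mapping deserves a look; an empty list means none."""
    reasons = []
    if m.remote_host in ("", "0.0.0.0"):
        reasons.append("open to any Internet host (wildcard remote host)")
    if m.lease_seconds == 0:
        reasons.append("permanent lease, stays until explicitly deleted")
    if m.external_port < 1024:
        reasons.append("privileged external port, looks like an official service")
    if m.internal_port in (22, 23, 80, 443, 445, 3389):
        reasons.append(f"forwards to an administrative port ({m.internal_port})")
    return reasons


# Constructed sample reply, shaped like a WANIPConnection:1 response.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>3389</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>3389</NewInternalPort>
   <NewInternalClient>192.168.1.33</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>Remote Desktop</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    m = parse_mapping(SAMPLE_RESPONSE)
    print(m)
    for reason in audit(m):
        print(" -", reason)
```

    Against a live gateway you would POST soap_request(i) for i = 0, 1, 2, ... until the device returns a SOAP fault, feeding each reply to parse_mapping; anything audit flags that you did not create yourself is worth deleting from the UPnP Ports screen.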
  • Page 322: Installing UPnP in Windows XP

    18.5.1 Installing UPnP in Windows Me. Follow the steps below to install UPnP in Windows Me. Click Start and Control Panel. Double-click Add/Remove Programs. Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 323 Step 1. Click Start and Control Panel. Step 2. Double-click Network Connections. Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
  • Page 324: Using UPnP in Windows XP Example

    18.6 Using UPnP in Windows XP Example. This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device.
  • Page 325 Step 4. You may edit or delete the port mappings or click Add to manually add port mappings. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Step 5. Select the Show icon in notification area when connected check box and click OK.
  • Page 326: Web Configurator Easy Access

    18.6.2 Web Configurator Easy Access. With UPnP, you can access the web-based configurator without first finding out its IP address. This is helpful if you do not know the IP address of your ZyWALL. Follow the steps below to access the web configurator. Step 1.
  • Page 327: Logs

    Part IX: Logs. This part provides information and instructions for the logs and reports.
  • Page 329: Chapter 19 Logs Screens

    Chapter 19 Logs Screens. This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to the appendices for example log message explanations. 19.1 Configuring View Log. The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen.
  • Page 330: Figure 19-1 View Log

    Figure 19-1 View Log. The following table describes the labels in this screen. Table 19-1 View Log. Display: The categories that you select in the Log Settings page (see section 19.2) display in the drop-down list box.
  • Page 331: Configuring Log Settings

    Table 19-1 View Log. Note: This field displays additional information about the log entry. Email Log Now: Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the Address Info fields in Log Settings; see section 19.2).
  • Page 332: Figure 19-2 Log Settings

    Figure 19-2 Log Settings
  • Page 333: Table 19-2 Log Settings

    The following table describes the labels in this screen. Table 19-2 Log Settings. Address Info: Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 334: Configuring Reports

    Table 19-2 Log Settings. Time for Sending: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Select the categories of logs that you want to record. Logs include alerts. Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail...
  • Page 335: Figure 19-3 Reports

    The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not (yet) 100% accurate.
  • Page 336: Figure 19-4 Web Site Hits Report Example

    Table 19-3 Reports. Refresh: Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen. All of the recorded reports data is erased when you turn off the ZyWALL. 19.3.1 Viewing Web Site Hits. In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been...
  • Page 337: Figure 19-5 Protocol/Port Report Example

    Table 19-4 Web Site Hits Report. Web Site: This column lists the domain names of the web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first.
  • Page 338: Figure 19-6 Lan Ip Address Report Example

    Table 19-5 Protocol/Port Report. Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
  • Page 339: Table 19-6 LAN IP Address Report

    The following table describes the labels in this screen. Table 19-6 LAN IP Address Report. IP Address: This column lists the LAN IP addresses to and/or from which the most traffic has been sent.
  • Page 341: Maintenance

    Part X: Maintenance. This part covers the maintenance screens.
  • Page 343: Chapter 20 Maintenance

    Chapter 20 Maintenance. This chapter displays system information such as firmware, port IP addresses and port traffic statistics. 20.1 Maintenance Overview. The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
  • Page 344: Table 20-1 System Status

    The following table describes the labels in this screen. Table 20-1 System Status. System Name: This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes. Model Name: The model name identifies your device type.
  • Page 345: Figure 20-2 System Status: Show Statistics

    Figure 20-2 System Status: Show Statistics. The following table describes the labels in this screen. Table 20-2 System Status: Show Statistics. Port: This is the WAN or LAN port. Status: This displays the port speed and duplex setting if you're using Ethernet encapsulation, and down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) or drop (dropping a call) if you're using PPPoE encapsulation.
  • Page 346: DHCP Table Screen

    Table 20-2 System Status: Show Statistics. Stop: Click Stop to stop refreshing the statistics. 20.3 DHCP Table Screen. DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server.
  • Page 347: F/W Upload Screen

    Click Refresh to renew the screen. 20.4 F/W Upload Screen Find firmware at www.ZyXEL.com in a file that (usually) uses the system model name with a "*.bin" extension, e.g., "ZyWALL.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
  • Page 348: Figure 20-5 Firmware Upload

    The following table describes the fields in this screen. Figure 20-5 Firmware Upload. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse...
  • Page 349: Configuration Screen

    Figure 20-7 Network Temporarily Disconnected. After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
  • Page 350: Figure 20-9 Configuration

    Figure 20-9 Configuration. 20.5.1 Backup Configuration. Backup Configuration allows you to back up (save) the current system (ZyWALL) configuration to your computer. Backup is highly recommended once your ZyWALL is functioning properly. Click Backup to save your current ZyWALL configuration to your computer. The backup file holds the device's full configuration, including its passwords and VPN keys, so store it as carefully as the credentials themselves.
  • Page 351: Figure 20-10 Configuration Upload Successful

    20.5.2 Restore Configuration. Restore Configuration allows you to restore a previously saved configuration file from your computer to your ZyWALL. Table 20-4 Restore Configuration. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the file you want to upload.
  • Page 352: Figure 20-12 Configuration Upload Error

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer’s IP address.
  • Page 353: Restart Screen

    You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer to the section on resetting the ZyWALL for more information on the RESET button. 20.6 Restart Screen. System restart allows you to reboot the ZyWALL without turning the power off.
  • Page 355: SMT General Configuration

    Part XI: SMT General Configuration. This part introduces the System Management Terminal and covers the General setup menu, WAN, LAN and wireless LAN setup, and Internet access. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 357: Chapter 21 Introducing the SMT

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next.

      Copyright (c) 1994 - 2003 ZyXEL Communications Corp.
      initialize ch =0, ethernet address: 00:A0:C5:00:00:01
      initialize ch =1, ethernet address: 00:A0:C5:00:00:02
      Press ENTER to continue...
  • Page 358: Navigating the SMT Interface

    21.2.2 Entering the Password. The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. As you type the password, the screen displays an “X” for each character you type. Change this well-known default as soon as you have logged in (see section 21.4).
  • Page 359: Figure 21-3 Main Menu

    21.3.1 Main Menu. After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next.

      Copyright (c) 1994 - 2003 ZyXEL Communications Corp.
      ZyWALL 2 Main Menu
      Getting Started                  Advanced Management
      1. General Setup                 21. ...
  • Page 360: Table 21-2 Main Menu Summary

    Table 21-2 Main Menu Summary. General Setup: Use this menu to set up dynamic DNS and administrative information. WAN Setup: Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection.
  • Page 361: Figure 21-4 ZyWALL 2 SMT Menu Overview Example

    Figure 21-4 ZyWALL 2 SMT Menu Overview Example (diagram): the ZyWALL Main Menu branches to Menu 1 General Setup, Menu 2 WAN Setup, Menu 3 LAN Setup, Menu 4 Internet Access Setup, Menu 11 Remote Node Setup, Menu 12 Static Routing Setup and Menu 15 NAT Setup, with submenus such as Menu 1.1, Menu 2.1, Menu 3.1 and Menu 12.1...
  • Page 362: Changing the System Password

    21.4 Changing the System Password. Change the system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next.

      Menu 23 - System Password
      Old Password= ?
      New Password= ?
      Retype to confirm= ?
  • Page 363: Chapter 22 Smt Menu 1 - General Setup

    Chapter 22 SMT Menu 1 - General Setup. Menu 1 - General Setup contains administrative and system-related information. 22.1 Introduction to General Setup. Menu 1 - General Setup contains administrative and system-related information. 22.2 Configuring General Setup. Step 1.
  • Page 364 Table 22-1 Menu 1: General Setup. Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name"...
  • Page 365: Figure 22-2 Configure Dynamic Dns

    Menu 1.1 - Configure Dynamic DNS
      Service Provider= WWW.DynDNS.ORG
      Active= No
      DDNSType= DynamicDNS
      Host1=
      Host2=
      Host3=
      USER=
      Password= ********
      Enable Wildcard= No
      Offline= N/A
      Edit Update IP Address:
        Use Server Detected IP= No
        User Specified IP Address= No
        IP Address= N/A
      Press ENTER to Confirm or ESC to Cancel:
    Figure 22-2 Configure Dynamic DNS...
  • Page 366 Table 22-2 Configure Dynamic DNS. Offline: This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, traffic is redirected to a URL that you have previously specified (example: http://www.dyndns.org/; see www.dyndns.org...
  • Page 367: Chapter 23 WAN and Dial Backup Setup

    Chapter 23 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 23.1 Introduction to WAN This chapter explains how to configure settings for your WAN port. From the main menu, enter 2 to open menu 2.
  • Page 368: Dial Backup

    Table 23-1 MAC Address Cloning in WAN Setup FIELD DESCRIPTION EXAMPLE IP Address [example: 192.168.1.35]: This field is applicable only if you choose the IP address attached on LAN method in the Assigned By field. Enter the IP address of the computer on the LAN whose MAC you are cloning.
  • Page 369: Advanced WAN Setup

    The following table describes the fields in this menu. Table 23-2 Menu 2: Dial Backup Setup FIELD DESCRIPTION EXAMPLE Dial-Backup: Active – Use this field to turn the dial-backup feature on (Yes) or off (No). Phone Number [example: 1234567]: Enter the telephone number assigned to your line by your telephone...
  • Page 370: Figure 23-3 Menu 2.1 Advanced WAN Setup

    Menu 2.1 - Advanced WAN Setup AT Command Strings: Dial= Drop= Answer= Drop DTR When Hang Up= No AT Response Strings: CLID= Called Id= Call Control: Dial Timeout(sec)= 0 Retry Count= 0 Retry Interval(sec)= N/A Drop Timeout(sec)= 0 Call Back Delay(sec)= 0...
  • Page 371: Remote Node Profile (Backup ISP)

    Table 23-4 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION DEFAULT Call Control Dial Timeout (sec) [default: 60 seconds]: Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 372: Figure 23-4 Menu 11.1 Remote Node Profile (Backup ISP)

    Menu 11.1 - Remote Node Profile (Backup ISP) Rem Node Name= ? Active= Yes Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Edit PPP Options= No Rem IP Addr= ? Edit IP= No Edit Script Options= No Telco Option: Allocated Budget(min)= 0...
  • Page 373 Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Pri Phone # / Sec Phone #: Enter the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your ZyWALL dials the Secondary Phone number if available.
  • Page 374: Editing PPP Options

    Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Idle Timeout [example: 100 seconds (default)]: Enter the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) that can elapse before the ZyWALL automatically disconnects the PPP connection.
  • Page 375: Editing TCP/IP Options

    23.7 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Remote Node Network Layer Options. Menu 11.3 - Remote Node Network Layer Options Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0...
  • Page 376 Table 23-6 Menu 11.3: Remote Node Network Layer Options FIELD DESCRIPTION EXAMPLE Network Address Translation [example: None (default)]: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within...
  • Page 377: Editing Login Script

    23.8 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send’...
  • Page 378: Remote Node Filter

    Menu 11.4 - Remote Node Script Active= No Set 1: Expect= Send= Set 2: Expect= Send= Set 3: Expect= Send= Set 4: Expect= Send= Set 5: Expect= Send= Set 6: Expect= Send= Enter here to CONFIRM or ESC to CANCEL: Figure 23-8 Menu 11.4: Remote Node Script The following table describes the fields in this menu.
  • Page 379: Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter

    Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter
  • Page 381: Chapter 24 LAN Setup

    Chapter 24 LAN Setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. 24.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN connections. 24.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 –...
  • Page 382: TCP/IP and DHCP Ethernet Setup Menu

    Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 24-2 Menu 3.1: LAN Port Filter Setup 24.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
  • Page 383: Figure 24-4 Menu 3.2: TCP/IP and DHCP Ethernet Setup

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Client IP Pool: Starting Address= 192.168.1.33 (callout: first address in the IP Pool) Size of Client IP Pool= 32 (callout: size of the IP Pool) First DNS Server= From ISP TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.0 RIP Direction= Both...
  • Page 384: Table 24-2 LAN TCP/IP Setup Menu Fields

    Table 24-2 LAN TCP/IP Setup Menu Fields FIELD DESCRIPTION EXAMPLE TCP/IP Setup: IP Address [example: 192.168.1.1 (default)]: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask [example: 255.255.255.0]: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 385: Figure 24-7 Menu 3.2.1: IP Alias Setup

    Figure 24-5 Physical Network Figure 24-6 Partitioned Logical Network You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown next.
  • Page 386: Wireless LAN Setup

    Table 24-3 Menu 3.2.1: IP Alias Setup FIELD DESCRIPTION DEFAULT IP Address [default: 192.168.2.1]: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask [default: 255.255.255.0]: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 387: Figure 24-8 Menu 3.5: Wireless LAN Setup

    Menu 3.5 - Wireless LAN Setup Enable Wireless LAN= No ESSID= Wireless Hide ESSID= No Channel ID= CH01 2412MHz RTS Threshold= 2432 Frag. Threshold= 2432 WEP= Disable Default Key= N/A Key1= N/A Key2= N/A Key3= N/A Key4= N/A Edit MAC Address Filter= No Press ENTER to Confirm or ESC to Cancel:...
  • Page 388 Table 24-4 Menu 3.5: Wireless LAN Setup FIELD DESCRIPTION EXAMPLE Frag. Threshold [example: 2432 (default)]: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent.
  • Page 389: Figure 24-9 Menu 3.5.1: WLAN MAC Address Filter

    Step 3. In the Edit MAC Address Filter field, press [SPACE BAR] to select Yes and press [ENTER]. Menu 3.5.1 – WLAN MAC Address Filter displays as shown next. Menu 3.5.1 - WLAN MAC Address Filter Active= No Filter Action= Allowed Association MAC Address Filter...
  • Page 391: Chapter 25 Internet Access

    Chapter 25 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 25.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 392 Table 25-1 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method), RR-Telstra or Telia Login.
  • Page 393: PPTP Encapsulation

    25.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.
  • Page 394: PPPoE Encapsulation

    Table 25-2 New Fields in Menu 4 (PPTP) Screen FIELD DESCRIPTION EXAMPLE Encapsulation [example: PPTP]: Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field. Idle Timeout: This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPTP server.
  • Page 395: Basic Setup Complete

    Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel:...
  • Page 397: SMT Advanced Applications

    Part XII: SMT Advanced Applications This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters, SNMP, schedules and VPN setup. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 399: Chapter 26 Remote Node Setup

    Chapter 26 Remote Node Setup This chapter shows you how to configure a remote node. 26.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 400: Figure 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A Route= IP Edit IP= No Session Options: Edit Filter Sets= No Edit Traffic Redirect= No...
  • Page 401 Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION EXAMPLE My Password [example: *****]: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. Retype to Confirm [example: *****]: Type your password again to make sure that you have entered it...
  • Page 402: Figure 26-2 Menu 11.1: Remote Node Profile for PPPoE Encapsulation

    Encapsulation to PPPoE, then you will see the next screen. Please see the appendix for more information on PPPoE. Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Route= IP Edit IP= No Telco Option:...
  • Page 403: Table 26-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific)

    Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. The following table describes the fields not already described in Table 26-1. Metric See the Metric section in the WAN and Dial Backup Setup chapter for details on the Metric field.
  • Page 404: Figure 26-3 Menu 11.1: Remote Node Profile for PPTP Encapsulation

    26.2.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Please see the appendix for information on PPTP. Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Route= IP...
  • Page 405: Edit IP

    26.3 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A...
  • Page 406 Table 26-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE My WAN Addr This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number.
  • Page 407: Remote Node Filter

    Table 26-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Multicast [example: None (default)]: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2).
  • Page 408: Traffic Redirect

    Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 26-6 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) 26.5 Traffic Redirect To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1—...
  • Page 409: Figure 26-8 Menu 11.6: Traffic Redirect Setup

    Table 26-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) FIELD DESCRIPTION EXAMPLE Edit Traffic Redirect: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 —...
  • Page 410: Table 26-6 Menu 11.6: Traffic Redirect Setup

    Table 26-6 Menu 11.6: Traffic Redirect Setup FIELD DESCRIPTION EXAMPLE Active Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No. When the Active field is Yes, you must configure every field in this screen unless you are using PPPoE or PPTP encapsulation (except Check WAN IP Address and Timeout).
  • Page 411 Table 26-6 Menu 11.6: Traffic Redirect Setup FIELD DESCRIPTION EXAMPLE When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
  • Page 413: Chapter 27 IP Static Route Setup

    Chapter 27 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 27.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
  • Page 414: Figure 27-2 Menu 12.1: Edit IP Static Route

    Menu 12.1 - Edit IP Static Route Route #: 1 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to Confirm or ESC to Cancel: Figure 27-2 Menu 12.
  • Page 415: Chapter 28 Network Address Translation (NAT)

    Chapter 28 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 28.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 28.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 416: Figure 28-1 Menu 4: Applying NAT for Internet Access

    Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
  • Page 417: NAT Setup

    Table 28-1 Applying NAT in Menus 4 & 11.3 FIELD DESCRIPTION OPTIONS Network Address Translation [option: Full Feature]: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see section 28.2.1 for further discussion). You can configure any of the mapping types described in the Web Configurator User’s Guide.
  • Page 418: Figure 28-4 Menu 15.1: Address Mapping Sets

    Configure LAN IP addresses in NAT menus 15.1 and 15.2. 28.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 — Address Mapping Sets. Menu 15.1 - Address Mapping Sets 255. SUA (read only) Enter Menu Selection Number: Figure 28-4 Menu 15.1: Address Mapping Sets SUA Address Mapping Set...
  • Page 419: Table 28-2 SUA Address Mapping Rules

    Table 28-2 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. This is the index or rule number.
  • Page 420: Figure 28-6 Menu 15.1.1: First Set

    Menu 15.1.1 - Address Mapping Rules Set Name= ? Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ Action= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: Figure 28-6 Menu 15.1.1: First Set The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.
  • Page 421: Figure 28-7 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Table 28-3 Fields in Menu 15.1.1 FIELD DESCRIPTION EXAMPLE Set Name [example: NAT_SET]: Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted. Action: The default is Edit.
  • Page 422: Configuring a Server Behind NAT

    The following table describes the fields in this screen. Table 28-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION EXAMPLE Type [example: One-to-One]: Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in the Web Configurator User’s Guide.
  • Page 423: General NAT Examples

    Step 5. Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel. Menu 15.2 - NAT Server Setup Rule Start Port No.
  • Page 424: Figure 28-10 NAT Example 1

    28.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 28-10 NAT Example 1 Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet...
  • Page 425: Figure 28-12 NAT Example 2

    28.4.2 Example 2: Internet Access with an Inside Server Figure 28-12 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure. Menu 15.2 - NAT Server Setup Rule Start Port No.
  • Page 426: Figure 28-14 NAT Example 3

    other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional as follows. Rule 1. Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
  • Page 427: Figure 28-15 Example 3: Menu 11.3

    Step 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA).
  • Page 428: Figure 28-17 Example 3: Final Menu 15.1.1

    Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ 1. 192.168.1.10 10.132.50.1 2. 192.168.1.11 10.132.50.2 3. 0.0.0.0 255.255.255.255 10.132.50.3 10.132.50.3...
  • Page 429: Figure 28-19 NAT Example 4

    28.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 430: Trigger Port Forwarding

    Menu 15.1.1.4 Address Mapping Rule Type= Many-One-to-One Local IP: 192.168.1.10 Start= 192.168.1.12 Global IP: 10.132.50.1 Start= 10.132.20.3 Press ENTER to Confirm or ESC to Cancel: Figure 28-20 Example 4: Menu 15.1.1.1: Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Local Start IP...
  • Page 431: Figure 28-22 Trigger Port Forwarding Process: Example

    LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service.
  • Page 432: Figure 28-23 Menu 15.3: Trigger Port Setup

    5. Only A can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).
  • Page 433: Table 28-5 Menu 15.3: Trigger Port Setup

    Table 28-5 Menu 15.3: Trigger Port Setup FIELD DESCRIPTION EXAMPLE Rule This is the rule index number. Name [example: Real Audio]: Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces. Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
  • Page 435: Chapter 29 Introducing The Firewall

    Chapter 29 Introducing the Firewall This chapter shows you how to get started with the firewall. 29.1 Using SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 436: Figure 29-2 Menu 21.2: Firewall Setup

    Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies.
  • Page 437: Chapter 30 Filter Configuration

    Chapter 30 Filter Configuration This chapter shows you how to create and apply filters. 30.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 438: Figure 30-1 Outgoing Packet Filtering Process

    [Figure 30-1 Outgoing Packet Filtering Process (flow chart): an outgoing data packet is checked against the active data filters and then, under call filtering, against the built-in default call filters and the user-defined call filters (if applicable). A match at any stage drops the packet; otherwise the ZyWALL initiates the call if the line is not up, sends the packet and resets the idle timer.]...
  • Page 439: Figure 30-2 Filter Rule Process

    [Figure 30-2 Filter Rule Process (flow chart): a packet enters the filter; the ZyWALL fetches the first filter set and its first filter rule, executes each active rule and checks the next rule while a next rule is available, fetches the next filter set while one is available, and finally forwards...]
  • Page 440: Configuring A Filter Set

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 30.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default.
  • Page 441: Table 30-1 Abbreviations Used In The Filter Rules Summary Menu

    Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary. This screen shows the summary of the existing rules in the filter set.
  • Page 442: Table 30-2 Rule Abbreviations Used

    Table 30-2 Rule Abbreviations Used ABBREVIATION DESCRIPTION Protocol Source Address Source Port number Destination Address Destination Port number Offset Length Refer to the next section for information on configuring the filter rules. 30.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule.
  • Page 443: Figure 30-5 Menu 21.1.1.1: TCP/IP Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0...
  • Page 444 Table 30-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Port # [options: 0-65535]: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is... Port # Comp [options: None]: Press [SPACE BAR] and then [ENTER] to select the...
  • Page 445 Table 30-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS [options: None, Action Matched, Action Not...]: Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged.
  • Page 446: Figure 30-6 Executing an IP Filter

    [Figure 30-6 Executing an IP Filter (flow chart): if the filter is active, the ZyWALL applies SrcAddrMask to the source address and checks the source IP address, applies DestAddrMask to the destination address and checks the destination IP address, checks the IP protocol, and then checks the source &... A Not Matched result at any step ends the rule; a Matched result continues to the next check.]
  • Page 447: Figure 30-7 Menu 21.1.1.1: Generic Filter Rule

    30.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 448 Table 30-4 Menu 21.1.1.1: Generic Filter Rule FIELD DESCRIPTION OPTIONS Filter Type [options: Generic Filter Rule]: Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets.
  • Page 449: Example Filter

    30.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Figure 30-8 Telnet Filter Example Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. Step 2.
  • Page 450: Figure 30-9 Example Filter: Menu 21.1.3.1

    Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No (callout: Press [SPACE BAR] and then [ENTER] to choose this filter rule type. The first filter rule type determines all subsequent filter types within a set.)
  • Page 451: Figure 30-10 Example Filter Rules Summary: Menu 21.1.3

    Menu 21.1.3 - Filter Rules Summary # A Type Filter Rules M m n - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F (callouts: “This shows you that you have...”; “M = N means an action can be taken immediately.”)
  • Page 452: Filter Types and NAT

    30.4 Filter Types and NAT There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section.
  • Page 453: Applying A Filter

    30.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
  • Page 454: Figure 30-13 Filtering Remote Node Traffic

    Menu 11.5 – Remote Node Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 30-13 Filtering Remote Node Traffic
  • Page 455: Chapter 31 SNMP Configuration

    Chapter 31 SNMP Configuration This chapter explains SNMP configuration menu 22. 31.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password. Menu 22 - SNMP Configuration SNMP: Get Community= public...
  • Page 456: SNMP Traps

    Table 31-1 Menu 22: SNMP Configuration FIELD DESCRIPTION EXAMPLE Trap Community [example: Public]: Type the Trap community, which is the password sent with each trap to the SNMP manager. Destination [example: 0.0.0.0]: Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
  • Page 457: SMT System Maintenance

    Part XIII: SMT System Maintenance This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management and VPN. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 459: Chapter 32 System Information & Diagnosis

    ZyWALL 2 Series User’s Guide Chapter 32 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 32.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
  • Page 460: Figure 32-2 Menu 24.1: System Maintenance: Status

    ZyWALL 2 Series User’s Guide Status is a tool that can be used to monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Step 1.
  • Page 461: System Information And Console Port Speed

    Routing            Refers to the routing protocol used.
    ZyNOS F/W Version  Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation.
    You may enter 1 to drop the WAN connection, 9 to reset the counters or [ESC] to return to menu 24.
  • Page 462: Figure 32-3 Menu 24.2: System Information And Console Port Speed

    ZyWALL 2 Series User’s Guide Step 2. Enter 2 to open Menu 24.2 - System Information and Console Port Speed. Step 3. From this menu you have two choices as shown in the next figure: Menu 24.2 - System Information and Console Port Speed 1.
  • Page 463: Log And Trace

    Table 32-2 Fields in System Maintenance: Information
      FIELD              DESCRIPTION
      ZyNOS F/W Version  Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation.
      Ethernet Address   Refers to the Ethernet MAC (Media Access Control) address of your ZyWALL.
  • Page 464: Figure 32-6 Menu 24.3: System Maintenance: Log And Trace

    Menu 24.3 - System Maintenance - Log and Trace
      2. UNIX Syslog
      4. Call-Triggering Packet
      Press ENTER to Confirm or ESC to Cancel
    Figure 32-6 Menu 24.3: System Maintenance: Log and Trace
    32.4.1 UNIX Syslog The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog messages are sent as unauthenticated cleartext UDP, so keep the syslog server on a trusted network segment rather than sending logs across the WAN.
  • Page 465: Filter Log

    Table 32-3 System Maintenance Menu Syslog Parameters
      PARAMETER     DESCRIPTION
      Log Facility  Press [SPACE BAR] and then [ENTER] to select a location. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.
    When finished configuring this screen, press [ENTER] to confirm or [ESC] to cancel.
  • Page 466: Firewall Log

    Filter Log Message Format
      SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String);
      String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
    IP[…] is the packet header (source and destination address, protocol, source port and destination port), and S04>R01mD means filter set 4 (S), rule 1 (R), matched (m) and dropped (D).
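    The filter-log string above is compact enough to be parsed by hand once, but an analyst collecting these lines on a syslog server wants them decoded in bulk. The following Python is an added example written for this page, not ZyXEL code: it decodes the documented string format and tallies dropped packets per source. The "m" flag and the "D" action are documented above; the other action letters and the syslog prefix in the constructed sample lines are assumptions.

```python
"""Decode ZyNOS filter-log strings (IP[...] S04>R01mD) from syslog lines.

Added example, not ZyXEL code. The sample lines below are constructed; the
syslog prefix is an assumption and is skipped by the parser anyway."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# "m" = matched and "D" = drop are documented in the manual. The "F" (forward)
# and "N" (next rule) codes are assumptions for this example; check them
# against a real device before relying on them.
ACTIONS = {"D": "drop", "F": "forward", "N": "next-rule"}

FILTER_LOG = re.compile(
    r"IP\[Src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<prot>\S+)\s+spo=(?P<spo>\d+)\s+dpo=(?P<dpo>\d+)\]\s+"
    r"S(?P<fset>\d+)>R(?P<rule>\d+)(?P<flag>[a-z])(?P<action>[A-Z])"
)


def parse_filter_log(line: str) -> Optional[Dict[str, object]]:
    """Return the decoded fields of one filter-log line, or None when the
    line carries no filter-log string (e.g. an unrelated system message)."""
    m = FILTER_LOG.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["prot"],
        "sport": int(m["spo"]),
        "dport": int(m["dpo"]),
        "filter_set": int(m["fset"]),
        "rule": int(m["rule"]),
        "matched": m["flag"] == "m",
        "action": ACTIONS.get(m["action"], "unknown:" + m["action"]),
    }


def top_dropped_sources(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Count matched-and-dropped packets per source address: the first
    question an analyst asks of a filter log when hunting a scanner."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["matched"] and rec["action"] == "drop":
            counts[rec["src"]] += 1
    return counts.most_common(n)


# Constructed sample: a syslog-style prefix followed by the documented string.
SAMPLE_LINES = [
    "Jul 19 11:28:39 192.168.1.1 zywall: IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=40211 dpo=23] S04>R01mD",
    "Jul 19 11:28:40 192.168.1.1 zywall: IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=40212 dpo=21] S04>R01mD",
    "Jul 19 11:28:41 192.168.1.1 zywall: IP[Src=198.51.100.9 Dst=192.168.1.1 TCP spo=51000 dpo=80] S04>R02mD",
    "Jul 19 11:28:42 192.168.1.1 zywall: IP[Src=192.168.1.33 Dst=198.51.100.1 UDP spo=1025 dpo=53] S01>R01mF",
    "Jul 19 11:28:43 192.168.1.1 zywall: unrelated system message",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_filter_log(sample))
    print(top_dropped_sources(SAMPLE_LINES))
```

    Feed the real syslog file to top_dropped_sources() line by line; the two drops of the same WAN address against ports 23 and 21 in the sample are exactly the pattern the built-in telnet/FTP blocking filters described in section 30.6 produce when an outside host probes the gateway.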
  • Page 467: Figure 32-8 Call-Triggering Packet Example

    32.4.2 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
      IP Frame: ENET0-RECV    Size:    Time: 17:02:44.262
      Frame Type:...
  • Page 468: Figure 32-9 Menu 24.4: System Maintenance: Diagnostic

    ZyWALL 2 Series User’s Guide Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
  • Page 469: Figure 32-10 Wan & Lan Dhcp

    ZyWALL 2 Series User’s Guide Figure 32-10 WAN & LAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 32-4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.
  • Page 471: Chapter 33 Firmware And Configuration File Maintenance

    ZyWALL 2 User’s Guide Chapter 33 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 33.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware. After you configure your ZyWALL, you can backup the configuration file to a computer.
  • Page 472: Backup Configuration

    ZyWALL 2 User’s Guide ftp> get rom-0 config.cfg This is a sample FTP session saving the current configuration to the computer file “config.cfg”. If your (T)FTP client does not allow you to have a destination filename different than the source, you will need to rename them as the ZyWALL only recognizes “rom-0”...
  • Page 473: Figure 33-1 Telnet Into Menu 24.5

    ZyWALL 2 User’s Guide preferred method for backing up your current configuration to your computer since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protocol to perform the download/upload and you don’t have to rename the files.
  • Page 474: Figure 33-2 Ftp Session Example

    ZyWALL 2 User’s Guide Step 6. Use “get” to transfer files from the ZyWALL to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions. Step 7.
  • Page 475: File Maintenance Over Wan

    33.3.5 File Maintenance Over WAN TFTP, FTP and Telnet over the WAN will not work when: 1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN). Note that TFTP, FTP and Telnet carry the password and the configuration file (which contains the device’s credentials) in cleartext; if you must use them over the WAN, prefer a firewall rule restricted to the administrator’s source address over turning the firewall off.
  • Page 476: Table 33-3 General Commands For Gui-Based Tftp Clients

    ZyWALL 2 User’s Guide TFTP client program. For UNIX, use “get” to transfer from the ZyWALL to the computer and “binary” to set binary transfer mode. 33.3.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom Where “i”...
  • Page 477: Figure 33-3 System Maintenance: Backup Configuration

    ZyWALL 2 User’s Guide Step 1. Display menu 24.5 and enter “y” at the following screen. Ready to backup Configuration via Xmodem. Do you want to continue (y/n): Figure 33-3 System Maintenance: Backup Configuration Step 2. The following screen indicates that the Xmodem download has started. You can enter ctrl-x to terminate operation any time.
  • Page 478: Restore Configuration

    33.4 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup configuration file stored on disk. FTP is the preferred method for restoring a configuration from your computer to your ZyWALL since FTP is faster.
  • Page 479: Figure 33-8 Restore Using Ftp Session Example

    Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your ZyWALL. Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the factory default is “1234”; if the device still uses it, change it before exposing any management service). Step 5.
  • Page 480: Figure 33-9 System Maintenance: Restore Configuration

    ZyWALL 2 User’s Guide Step 1. Display menu 24.6 and enter “y” at the following screen. Ready to restore Configuration via Xmodem. Do you want to continue (y/n): Figure 33-9 System Maintenance: Restore Configuration Step 2. The following screen indicates that the Xmodem download has started. Starting XMODEM download (CRC mode) ...
  • Page 481: Uploading Firmware And Configuration Files

    ZyWALL 2 User’s Guide 33.5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in the previous Restore Configuration section or by following the instructions in Menu 24.7.2 - System Maintenance - Upload System Configuration File (for console port).
  • Page 482: Figure 33-14 Telnet Into Menu 24.7.2: System Maintenance

    ZyWALL 2 User’s Guide 33.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 483: Figure 33-15 Ftp Session Example Of Firmware File Upload

    ZyWALL 2 User’s Guide transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt. 33.5.4 FTP Session Example of Firmware File Upload 331 Enter PASS command Password: 230 Logged in...
  • Page 484: Tftp Upload Command Example

    Step 3. Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete. Step 4.
  • Page 485: Figure 33-16 Menu 24.7.1 As Seen Using The Console Port

    ZyWALL 2 User’s Guide 33.5.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
  • Page 486: Figure 33-17 Example Xmodem Upload

    ZyWALL 2 User’s Guide Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. Figure 33-17 Example Xmodem Upload After the firmware upload process has completed, the ZyWALL will automatically restart. 33.5.10 Uploading Configuration File Via Console Port Step 1.
  • Page 487: Figure 33-18 Menu 24.7.2 As Seen Using The Console Port

    Menu 24.7.2 - System Maintenance - Upload System Configuration File
      To upload system configuration file:
      1. Enter "y" at the prompt below to go into debug mode.
      2. Enter "atlc" after "Enter Debug Mode" message.
      3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
  • Page 488: Figure 33-19 Example Xmodem Upload

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 33-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
  • Page 489: Chapter 34 System Maintenance Menus 8 To 10

    ZyWALL 2 User’s Guide Chapter 34 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 34.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 490: Figure 34-2 Valid Commands

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ?
  • Page 491: Call Control Support

    ZyWALL 2 User’s Guide Table 34-1 Valid Commands ether These commands display Ethernet information and configure Ethernet settings. These commands display dial backup information and control dial backup connections. These commands display IP information and configure IP settings. ipsec These commands display IPSec information and configure IPSec settings. 34.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history.
  • Page 492: Figure 34-4 Budget Management

    Menu 24.9.3 - Budget Management
      Remote Node    Connection Time/Total Budget    Elapsed Time/Total Period
      1.ChangeMe     No Budget                       No Budget
      2.--------
      Reset Node (0 to update screen):
    Figure 34-4 Budget Management
    The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
  • Page 493: Time And Date Setting

    ZyWALL 2 User’s Guide Menu 24.9.4 - Call History Phone Number Rate #call Total Enter Entry to Delete(0 to exit): Figure 34-5 Call History The following table describes the fields in this screen. Table 34-3 Call History Fields FIELD DESCRIPTION Phone Number The PPPoE service names are shown here.
  • Page 494: Figure 34-6 Menu 24: System Maintenance

    Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next.
    Menu 24 - System Maintenance
      System Status
      System Information and Console Port Speed
      Log and Trace
      Diagnostic
      Backup Configuration
      Restore Configuration
      Upload Firmware
      Command Interpreter Mode...
  • Page 495: Table 34-4 Menu 24.10 System Maintenance: Time And Date Setting

    ZyWALL 2 User’s Guide Table 34-4 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 496 When the ZyWALL starts up, if there is a timeserver configured in menu 24.10. iii. At 24-hour intervals after starting.
  • Page 497: Chapter 35 Remote Management

    Chapter 35 Remote Management This chapter covers remote management found in SMT menu 24.11. 35.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via:
      Internet (WAN only)
      ALL (LAN and WAN)
      LAN only,...
  • Page 498: Figure 35-1 Menu 24.11 - Remote Management Control

    Menu 24.11 - Remote Management Control
      TELNET Server:
        Port = 23    Access = ALL    Secure Client IP = 0.0.0.0
      FTP Server:
        Port = 21    Access = ALL    Secure Client IP = 0.0.0.0
      SSH Server:
        Certificate = auto_generated_self_signed_cert
        Port = 0     Access = ALL    Secure Client IP = 0.0.0.0...
  • Page 499: Remote Management Limitations

    ZyWALL 2 User’s Guide Table 35-1 Menu 24.11 – Remote Management Control FIELD DESCRIPTION EXAMPLE Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel" to save your configuration, or press [ESC] to cancel. 35.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1.
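    The two menus that decide who can talk to the ZyWALL itself are Menu 22 (SNMP, chapter 31) and Menu 24.11 above, and both ship with permissive defaults: community "public" and Access = ALL with a Secure Client IP of 0.0.0.0. The following Python is an added example, not ZyXEL code, that parses dumps of both menus and flags management-plane exposure. It assumes that Access = ALL or WAN means the service is reachable from the Internet, that Secure Client IP = 0.0.0.0 means any client address, and that Port = 0 means the service is disabled; the sample menus are constructed from the values shown in this chapter and in chapter 31, with a Set Community line added because the excerpt does not show one.

```python
"""Flag management-plane exposure in SMT Menu 22 (SNMP) and Menu 24.11
(Remote Management Control) dumps.

Added example, not ZyXEL code. Assumptions: Access = ALL/WAN means reachable
from the Internet; Secure Client IP = 0.0.0.0 means any client; Port = 0
means the service is disabled. Sample menus below are constructed."""
import re
from typing import Dict, List

DEFAULT_COMMUNITIES = {"public", "private"}
CLEARTEXT = {"TELNET", "FTP", "WWW"}        # send the password unencrypted


def parse_remote_mgmt(text: str) -> Dict[str, Dict[str, str]]:
    """Menu 24.11 has one 'NAME Server:' block per service followed by
    'Field = value' pairs, one or several per line -> {service: {field: value}}."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"(\w+) Server:\s*(.*)", line)
        if head:
            current = head.group(1)
            services[current] = {}
            line = head.group(2)                  # pairs may follow on the same line
        if current is None:
            continue
        for key, value in re.findall(r"([A-Za-z ]+?)\s*=\s*(\S+)", line):
            services[current][key.strip()] = value
    return services


def parse_snmp(text: str) -> Dict[str, str]:
    """Menu 22 is flat 'Field= value' lines under 'SNMP:' and 'Trap:' headings;
    the 'Trap' heading is prefixed to its keys so 'Trap Community' stays distinct."""
    fields: Dict[str, str] = {}
    prefix = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "=" not in line:
            prefix = "" if line == "SNMP:" else line[:-1] + " "
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            fields[prefix + key] = value
    return fields


def audit_management(rm: Dict[str, Dict[str, str]], snmp: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means nothing in this example's checks fired."""
    findings: List[str] = []
    for svc, f in rm.items():
        if f.get("Port", "0") == "0":
            continue                              # assumed: Port = 0 means disabled
        access = f.get("Access", "")
        client = f.get("Secure Client IP", "0.0.0.0")
        wan = access in ("ALL", "WAN")
        if wan and client == "0.0.0.0":
            findings.append(f"{svc}: reachable from the WAN by any client (Access = {access}, Secure Client IP = {client})")
        elif wan:
            findings.append(f"{svc}: reachable from the WAN, restricted to {client}")
        if wan and svc in CLEARTEXT:
            findings.append(f"{svc}: cleartext protocol exposed beyond the LAN; the password can be sniffed")
    if rm.get("SSH", {}).get("Port", "0") == "0" and rm.get("TELNET", {}).get("Port", "0") != "0":
        findings.append("SSH disabled (Port = 0) while TELNET is enabled; move CLI access to SSH")
    for key, value in snmp.items():
        if key.endswith("Community") and value.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP {key} is the default '{value}'; it is the only SNMPv1/v2c credential and travels in cleartext")
    return findings


SAMPLE_MENU_24_11 = """Menu 24.11 - Remote Management Control
TELNET Server:
  Port = 23  Access = ALL  Secure Client IP = 0.0.0.0
FTP Server:
  Port = 21  Access = ALL  Secure Client IP = 0.0.0.0
SSH Server:
  Certificate = auto_generated_self_signed_cert
  Port = 0  Access = ALL  Secure Client IP = 0.0.0.0
"""

SAMPLE_MENU_22 = """Menu 22 - SNMP Configuration
SNMP:
  Get Community= public
  Set Community= public
  Trap:
    Community= public
    Destination= 0.0.0.0
"""

# Constructed hardened counterparts: TELNET off, FTP and SSH pinned to one LAN
# host, non-default community strings.
HARDENED_24_11 = """TELNET Server:
  Port = 0  Access = LAN  Secure Client IP = 192.168.1.10
FTP Server:
  Port = 21  Access = LAN  Secure Client IP = 192.168.1.10
SSH Server:
  Port = 22  Access = LAN  Secure Client IP = 192.168.1.10
"""

HARDENED_22 = """SNMP:
  Get Community= mon-Rz7Kq2vP
  Set Community= set-Hd4Xw9Lt
  Trap:
    Community= trap-Nb3Yf8Qs
    Destination= 192.168.1.10
"""

if __name__ == "__main__":
    for finding in audit_management(parse_remote_mgmt(SAMPLE_MENU_24_11), parse_snmp(SAMPLE_MENU_22)):
        print("-", finding)
```

    Paste the text of the two menus as captured from the SMT into the two strings and run the script; the hardened strings show the shape of a configuration that produces no findings under these assumptions.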
  • Page 501: Smt Advanced Management

    SMT Advanced Management Part XIV: SMT Advanced Management This part provides information on how to configure call scheduling, and VPN/IPSec. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 503: Chapter 36 Call Scheduling

    ZyWALL 2 Series User’s Guide Chapter 36 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 36.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 504: Figure 36-2 Schedule Set Setup

    ZyWALL 2 Series User’s Guide To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Menu 26.1 - Schedule Set Setup Active= Yes Start Date(yyyy/mm/dd) = 2000 –...
  • Page 505 ZyWALL 2 Series User’s Guide Table 36-1 Schedule Set Setup FIELD DESCRIPTION OPTIONS If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
  • Page 506: Figure 36-3 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Menu 11.1 - Remote Node Profile
      Rem Node Name= ChangeMe           Route= IP
      Active= Yes
      Encapsulation= PPPoE              Edit IP= No
      Service Type= Standard            Telco Option:
      Service Name=                       Allocated Budget(min)= 0
      Outgoing=                           Period(hr)= 0
        My Login=                         Schedules= 1,2,3,4
        My Password= ********             Nailed-Up Connection= No
        Authen= CHAP/PAP...
  • Page 507: Chapter 37 Vpn/Ipsec Setup

    ZyWALL 2 Series User’s Guide Chapter 37 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 37.1 Introduction The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
  • Page 508: Ipsec Summary Screen

    002 zw2 1.1.1.1 1.1.1.1 Tunnel AH SHA1 4.4.4.4 255.255.0.0 zw2test.zyxel Select Command= None Select Rule= Press ENTER to Confirm or ESC to Cancel: Figure 37-3 Menu 27.1: IPSec Summary The following table describes the fields in this screen. Table 37-1 Menu 27.1: IPSec Summary...
  • Page 509 ZyWALL 2 Series User’s Guide Table 37-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Name This field displays the unique identification name for this VPN rule. The Taiwan name may be up to 32 characters long but only 10 characters will be displayed here.
  • Page 510 ZyWALL 2 Series User’s Guide Table 37-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Key Mgt This field displays the SA’s type of key management, (IKE or Manual). Remote When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to 172.16.2.40 Addr Start Single, this is a static IP address on the network behind the remote IPSec...
  • Page 511: Ipsec Setup

    ZyWALL 2 Series User’s Guide Table 37-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Select Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, None Command Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands.
  • Page 512: Figure 37-4 Menu 27.1.1: Ipsec Setup

      Keep Alive= No
      Nat Traversal= No
      Local ID type= IP         Content=
      My IP Addr= 0.0.0.0
      Peer ID type= IP          Content=
      Secure Gateway Address= zw2test.zyxel
      Protocol= 0
      DNS Server= 0.0.0.0
      Local:  Addr Type= SINGLE
              IP Addr Start= 1.1.1.1        End/Subnet Mask= N/A...
  • Page 513 ZyWALL 2 Series User’s Guide Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE NAT Traversal Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
  • Page 514 ZyWALL 2 Series User’s Guide Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Peer ID type Press [SPACE BAR] to choose IP, DNS, or E-mail and press [ENTER]. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name.
  • Page 515 ZyWALL 2 Series User’s Guide Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Local Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both.
  • Page 516 ZyWALL 2 Series User’s Guide Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field.
  • Page 517: Ike Setup

    ZyWALL 2 Series User’s Guide Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535. Someone behind the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match this port number or range of port numbers.
  • Page 518: Figure 37-5 Menu 27.1.1.1: Ike Setup

    Menu 27.1.1.1 - IKE Setup
      Phase 1
        Negotiation Mode= Main
        Authentication Method= PreShare Key
        PSK= qwer1234
        Certificate= N/A
        Encryption Algorithm= DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 300
        Key Group= DH1
      Phase 2
        Active Protocol= ESP
        Encryption Algorithm= DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 2880...
    The values shown are illustrative defaults, not a recommendation: single DES, MD5 and DH group 1 are all weak by current standards, and an eight-character dictionary-style pre-shared key such as “qwer1234” is guessable. Choose the strongest cipher, hash and key group the peer supports and use a long random PSK.
  • Page 519 ZyWALL 2 Series User’s Guide Table 37-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE Encryption When DES is used for data communications, both sender and receiver must Algorithm know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 520: Manual Setup

    ZyWALL 2 Series User’s Guide Table 37-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE Encapsulation Press [SPACE BAR] to choose from Tunnel mode or Transport mode and Tunnel then press [ENTER]. See earlier for a discussion of these. Perfect Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 None Forward IPSec SA setup.
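    Figure 37-5 and Table 37-3 together define the fields that make up a phase 1 and phase 2 proposal. The following Python is an added example, not ZyXEL code: it parses a Menu 27.1.1.1 dump (the field names repeat in both phases, so the parser tracks the phase heading) and checks the proposal against a minimum-strength baseline. The baseline classes and thresholds are this example's choices, not the manual's; the PFS field name is taken from Table 37-3, and the hardened sample assumes AES and PFS groups are selectable on the device, which the excerpt does not confirm.

```python
"""Audit the IKE phase 1 / phase 2 proposal in a Menu 27.1.1.1 dump.

Added example, not ZyXEL code. Parser follows the menu's field names; the
strength classes and thresholds are this example's own baseline."""
import re
from typing import Dict, List

WEAK_ENC = {"DES"}            # 56-bit key, brute-forceable
LEGACY_ENC = {"3DES"}         # 64-bit block, slow; prefer AES
WEAK_HASH = {"MD5"}
WEAK_DH = {"DH1"}             # 768-bit MODP group
MIN_PSK_LEN = 20              # example threshold
GUESSABLE_PSKS = {"qwer1234", "1234", "12345678", "password", "admin"}


def parse_ike_menu(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'Phase 1': {...}, 'Phase 2': {...}} from the menu text.

    Field names repeat in both phases, so the current 'Phase N' heading is
    tracked while scanning; fields before any heading land under 'General'."""
    phases: Dict[str, Dict[str, str]] = {}
    current = "General"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Menu "):
            continue
        if re.fullmatch(r"Phase [12]", line):
            current = line
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            phases.setdefault(current, {})[key] = value
    return phases


def audit_ike(phases: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings; an empty list means the proposal meets this baseline."""
    findings: List[str] = []
    for phase in ("Phase 1", "Phase 2"):
        p = phases.get(phase, {})
        enc = p.get("Encryption Algorithm", "")
        auth = p.get("Authentication Algorithm", "")
        if enc in WEAK_ENC:
            findings.append(f"{phase}: {enc} is a weak cipher; use AES")
        elif enc in LEGACY_ENC:
            findings.append(f"{phase}: {enc} is legacy; prefer AES")
        if auth in WEAK_HASH:
            findings.append(f"{phase}: {auth} is a weak hash; use SHA1 or stronger")
    p1 = phases.get("Phase 1", {})
    if p1.get("Key Group") in WEAK_DH:
        findings.append("Phase 1: DH1 (768-bit group) is too small; use DH2 or larger")
    psk_auth = p1.get("Authentication Method", "").startswith("PreShare")
    if psk_auth:
        psk = p1.get("PSK", "")
        if psk.lower() in GUESSABLE_PSKS:
            findings.append("Phase 1: PSK is a common, guessable string")
        elif len(psk) < MIN_PSK_LEN:
            findings.append(f"Phase 1: PSK shorter than {MIN_PSK_LEN} characters")
    if psk_auth and p1.get("Negotiation Mode") == "Aggressive":
        findings.append("Phase 1: aggressive mode with a PSK exposes the identity hash to offline cracking")
    p2 = phases.get("Phase 2", {})
    # Field name taken from Table 37-3; PFS is "None" by default there.
    if p2.get("Perfect Forward Secrecy (PFS)", "None") == "None":
        findings.append("Phase 2: PFS disabled; a recovered phase 1 key exposes all phase 2 keys")
    return findings


# Constructed from the values in Figure 37-5, in the figure's layout.
SAMPLE_MENU = """Menu 27.1.1.1 - IKE Setup
Phase 1
  Negotiation Mode= Main
  Authentication Method= PreShare Key
  PSK= qwer1234
  Certificate= N/A
  Encryption Algorithm= DES
  Authentication Algorithm= MD5
  SA Life Time (Seconds)= 300
  Key Group= DH1
Phase 2
  Active Protocol= ESP
  Encryption Algorithm= DES
  Authentication Algorithm= MD5
  SA Life Time (Seconds)= 2880
  Encapsulation= Tunnel
  Perfect Forward Secrecy (PFS)= None
"""

# Constructed hardened counterpart; AES and PFS group availability is assumed.
HARDENED_MENU = """Phase 1
  Negotiation Mode= Main
  Authentication Method= PreShare Key
  PSK= 7Vq!pR2x#Lm9zT4wBn8sK1dF
  Encryption Algorithm= AES
  Authentication Algorithm= SHA1
  Key Group= DH2
Phase 2
  Active Protocol= ESP
  Encryption Algorithm= AES
  Authentication Algorithm= SHA1
  Perfect Forward Secrecy (PFS)= DH2
"""

if __name__ == "__main__":
    for name, menu in (("manual example", SAMPLE_MENU), ("hardened", HARDENED_MENU)):
        print(name)
        for finding in audit_ike(parse_ike_menu(menu)) or ["no findings"]:
            print("  -", finding)
```

    Run against the figure's values the audit reports seven findings (both phases' cipher and hash, the DH group, the PSK and the missing PFS); the hardened sample reports none.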
  • Page 521: Figure 37-6 Menu 27.1.1.2: Manual Setup

    ZyWALL 2 Series User’s Guide To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup. Menu 27.1.1.2 –...
  • Page 522 ZyWALL 2 Series User’s Guide Table 37-5 Menu 27.1.1.2: Manual Setup FIELD DESCRIPTION EXAMPLE Key3 Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated). Authentication Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. Algorithm Key Enter the authentication key to be used by IPSec if applicable.
  • Page 523: Chapter 38 Sa Monitor

    ZyWALL 2 Series User’s Guide Chapter 38 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 38.1 Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
  • Page 524: Table 38-1 Menu 27.2: Sa Monitor

    ZyWALL 2 Series User’s Guide Table 38-1 Menu 27.2: SA Monitor FIELD DESCRIPTION EXAMPLE This is the security association index number. Name This field displays the identification name for this VPN policy. This name is Taiwan unique for each connection where the secure gateway IP address is a public static IP address.
  • Page 525: General Appendices

    General Appendices Part XV: General Appendices This part provides background information about troubleshooting, setting up your computer’s IP address, triangle route, how functions are related, PPPoE, PPTP, wireless LAN, 802.1x, EAP authentication, IP subnetting and safety warnings.
  • Page 527: Appendix A Troubleshooting

    ZyWALL 2 Series User’s Guide Appendix A Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information. Problems Starting Up the ZyWALL Chart 1 Troubleshooting the Start-Up of Your ZyWALL PROBLEM...
  • Page 528 ZyWALL 2 Series User’s Guide Problems with the LAN Interface Chart 3 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION Cannot access Check your Ethernet cable type and connections. Refer to the Quick Start Guide for LAN the ZyWALL connection instructions. from the LAN.
  • Page 529 ZyWALL 2 Series User’s Guide Problems with Internet Access Chart 5 Troubleshooting Internet Access PROBLEM CORRECTIVE ACTION Cannot Connect your cable/DSL modem with the ZyWALL using the appropriate cable. access the Check with the manufacturer of your cable/DSL device about your cable requirement Internet.
  • Page 531: Appendix B Setting Up Your Computer's Ip Address

    ZyWALL 2 Series User’s Guide Appendix B Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 532 ZyWALL 2 Series User’s Guide The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add.
  • Page 533 ZyWALL 2 Series User’s Guide Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Click the DNS Configuration tab.
  • Page 534 ZyWALL 2 Series User’s Guide Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
  • Page 535 ZyWALL 2 Series User’s Guide For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Right-click Local Area Connection and Connections. For Windows 2000/NT, click then click Properties. Network and Dial-up Connections. Setting Up Your Computer’s IP Address...
  • Page 536 ZyWALL 2 Series User’s Guide Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically.
  • Page 537 ZyWALL 2 Series User’s Guide -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 538 ZyWALL 2 Series User’s Guide In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 539 ZyWALL 2 Series User’s Guide Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list. Setting Up Your Computer’s IP Address...
  • Page 540 ZyWALL 2 Series User’s Guide For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. Close the TCP/IP Control Panel.
  • Page 541 ZyWALL 2 Series User’s Guide Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. For statically assigned settings, do the following: -From the Configure box, select Manually.
  • Page 543: Appendix C Triangle Route

    ZyWALL 2 Series User’s Guide Appendix C Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
  • Page 544 ZyWALL 2 Series User’s Guide Diagram 2 “Triangle Route” Problem The “Triangle Route” Solutions This section presents you two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces with the ZyWALL being the gateway for each logical network.
  • Page 545 ZyWALL 2 Series User’s Guide Diagram 3 IP Alias Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 546 ZyWALL 2 Series User’s Guide Step 3. Use the following commands to allow/disallow triangle route. sys firewall ignore triangle all off This command allows triangle route. sys firewall ignore triangle all on This command disallows triangle route. Triangle Route...
  • Page 547 ZyWALL 2 Series User’s Guide Appendix D Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
  • Page 548: Infrastructure Wireless Lan Configuration

    ZyWALL 2 Series User’s Guide Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spectrum to carry data. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless nodes or stations (STA), which is called a Basic Service Set (BSS).
  • Page 549 ZyWALL 2 Series User’s Guide could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram D-2 ESS Provides Campus-Wide Coverage Wireless LAN and IEEE 802.11...
  • Page 551: Appendix E Wireless Lan With Ieee 802.1X

    Appendix E Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for security. The IEEE 802.11b wireless access standard, first published in 1999, based access control on the client’s MAC address.
  • Page 552: Radius Server Authentication Sequence

    RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Client computer access authorized. Client computer access not authorized. Diagram E-1 Sequences for EAP MD5–Challenge Authentication
  • Page 553: Appendix F Types Of Eap Authentication

    ZyWALL 2 Series User’s Guide Appendix F Types of EAP Authentication This appendix discusses three popular EAP authentication types: EAP-MD5, EAP-TLS and EAP-TTLS. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
  • Page 554 ZyWALL 2 Series User’s Guide TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. Comparison chart (columns: EAP-MD5, EAP-TLS, EAP-TTLS; rows: Mutual Authentication, Certificate – Client (Optional), Certificate – Server, Dynamic Key Exchange, Credential Security: None / Strong / Strong, Deployment...)
  • Page 555: Appendix G PPPoE

    ZyWALL 2 Series User’s Guide Appendix G PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure).
  • Page 556 ZyWALL 2 Series User’s Guide The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 557: Appendix H PPTP

    ZyWALL 2 Series User’s Guide Appendix H PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 558 ZyWALL 2 Series User’s Guide PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
  • Page 559 ZyWALL 2 Series User’s Guide Diagram H-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header. PPTP...
  • Page 561 ZyWALL 2 Series User’s Guide Appendix I IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 562: Appendix I IP Subnetting

    ZyWALL 2 Series User’s Guide A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
  • Page 563 ZyWALL 2 Series User’s Guide of ones beginning from the left most bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet.
  • Page 564 ZyWALL 2 Series User’s Guide Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1” thus giving two subnets;...
  • Page 565 ZyWALL 2 Series User’s Guide actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254. Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets.
  • Page 566 ZyWALL 2 Series User’s Guide Chart I-10 Subnet 4
    NETWORK NUMBER | LAST OCTET BIT VALUE
    IP Address: 192.168.1.
    IP Address (Binary): 11000000.10101000.00000001. | 11000000
    Subnet Mask (Binary): 11111111.11111111.11111111. | 11000000
    Subnet Address: 192.168.1.192   Lowest Host ID: 192.168.1.193
    Broadcast Address: 192.168.1.255   Highest Host ID: 192.168.1.254
    Example Eight Subnets Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110).
  • Page 567 ZyWALL 2 Series User’s Guide 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
  • Page 568 ZyWALL 2 Series User’s Guide Chart I-13 Class B Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET (/29) 255.255.255.252 16384 (/30) 255.255.255.254 32768 (/31) IP Subnetting...
  • Page 569: Appendix J Safety Warnings And Instructions

    ZyWALL 2 Series User’s Guide Appendix J Safety Warnings and Instructions 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40° Celsius (104° Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 571: Command, Log Appendices And Index

    Command, Log Appendices and Index Part XVI: Command, Log Appendices and Index This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection. There is also an index of key terms.
  • Page 573: Appendix K Command Interpreter

    The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
  • Page 575: Appendix L Firewall Commands

    ZyWALL 2 Series User’s Guide Appendix L Firewall Commands The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart L-1 Firewall Commands (FUNCTION / COMMAND / DESCRIPTION)
    config edit firewall active <yes | no> - This command turns the firewall on or off.
    ...
  • Page 576 ZyWALL 2 User’s Guide Chart L-1 Firewall Commands (FUNCTION / COMMAND / DESCRIPTION)
    config display firewall e-mail - This command shows all of the e-mail settings.
    config display firewall ? - This command shows all of the available firewall sub commands.
    config edit firewall e-mail mail-server <ip address of mail server> - This command sets the IP address to which the e-mail...
  • Page 577: Firewall Commands

    ZyWALL 2 Series User’s Guide Chart L-1 Firewall Commands (FUNCTION / COMMAND / DESCRIPTION)
    config edit firewall attack block <yes | no> - Set this command to yes to block new traffic after the tcp-max-incomplete threshold is exceeded. Set it to no to delete the oldest half-open session when traffic exceeds the tcp-max-incomplete threshold.
  • Page 578 ZyWALL 2 User’s Guide Chart L-1 Firewall Commands (FUNCTION / COMMAND / DESCRIPTION)
    config edit firewall set <set #> default-permit <forward | block> - This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set.
  • Page 579 ZyWALL 2 Series User’s Guide Chart L-1 Firewall Commands (FUNCTION / COMMAND / DESCRIPTION)
    config edit firewall set <set #> rule <rule #> protocol <integer protocol value> - This command sets the protocol specification number made in this rule for ICMP.
    config edit firewall set <set #> rule <rule #> ... - This command sets the ZyWALL to log traffic that...
  • Page 580 ZyWALL 2 User’s Guide Chart L-1 Firewall Commands (FUNCTION / COMMAND / DESCRIPTION)
    config edit firewall set <set #> rule <rule #> TCP destport-single <port #> - This command sets a rule to have the ZyWALL check for TCP traffic with this destination port. You may repeat this command to enter various, non-consecutive port numbers.
  • Page 581: Appendix M NetBIOS Filter Commands

    ZyWALL 2 Series User’s Guide Appendix M NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
  • Page 582 ZyWALL 2 User’s Guide Chart M-1 NetBIOS Filter Default Settings (NAME / DESCRIPTION / EXAMPLE)
    Between LAN and WAN - This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. Example: Forward
    IPSec Packets - This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded. Example: Forward
  • Page 583 ZyWALL 2 Series User’s Guide Command: sys filter netbios config 4 off - This command stops NetBIOS commands from initiating calls. NetBIOS Filter Commands...
  • Page 585: Appendix N Boot Commands

    ZyWALL 2 Series User’s Guide Appendix N Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
  • Page 586 ZyWALL 2 User’s Guide (continued) just answer OK
    ATHE - print help
    ATBAx - change baudrate. 1:38.4k, 2:19.2k, 3:9.6k, 4:57.6k, 5:115.2k
    ATENx,(y) - set BootExtension Debug Flag (y=password)
    ATSE - show the seed of password generator
    ATTI(h,m,s) - change system time to hour:min:sec or show current time
    ATDA(y,m,d) - change system date to year/month/day or show current date
    ATDS...
  • Page 587: Appendix O Log Descriptions

    ZyWALL 2 Series User’s Guide Appendix O Log Descriptions Chart O-1 System Error Logs (LOG MESSAGE / DESCRIPTION)
    %s exceeds the max. number of session per host - This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host.
  • Page 588 ZyWALL 2 User’s Guide Chart O-2 System Maintenance Logs
    TELNET Login Fail - Someone has failed to log on to the router via telnet.
    FTP Login Successfully - Someone has logged on to the router via ftp.
    FTP Login Fail - Someone has failed to log on to the router via ftp.
    NAT Session Table is Full - The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
  • Page 589 ZyWALL 2 Series User’s Guide Chart O-5 Attack Logs (LOG MESSAGE / DESCRIPTION)
    attack IGMP - The firewall detected an IGMP attack.
    attack ESP - The firewall detected an ESP attack.
    attack GRE - The firewall detected a GRE attack.
    attack OSPF - The firewall detected an OSPF attack.
    attack ICMP (type:%d, ... - The firewall detected an ICMP attack;...
  • Page 590 ZyWALL 2 User’s Guide Chart O-5 Attack Logs (LOG MESSAGE / DESCRIPTION)
    syn flood TCP - The firewall detected a TCP syn flood attack.
    ports scan TCP - The firewall detected a TCP port scan attack.
    teardrop TCP - The firewall detected a TCP teardrop attack.
    teardrop UDP - The firewall detected a UDP teardrop attack.
  • Page 591 ZyWALL 2 Series User’s Guide Chart O-6 Access Logs (LOG MESSAGE / DESCRIPTION)
    Firewall default policy: TCP (set:%d) - TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration.
  • Page 592 ZyWALL 2 User’s Guide Chart O-6 Access Logs (LOG MESSAGE / DESCRIPTION)
    Firewall rule match: ESP (set:%d, rule:%d) - ESP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
    Firewall rule match: GRE ... - GRE access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
  • Page 593 ZyWALL 2 Series User’s Guide Chart O-6 Access Logs (LOG MESSAGE / DESCRIPTION)
    Firewall rule NOT match: (set:%d, rule:%d) - Access did not match the listed firewall rule and the ZyWALL logged ...
    Filter default policy - TCP access matched a default filter policy and the ZyWALL dropped the packet to block access.
  • Page 594 ZyWALL 2 User’s Guide Chart O-6 Access Logs (LOG MESSAGE / DESCRIPTION)
    Filter match DROP <set %d/rule %d> - Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
    Filter match DROP <set ... - Access matched the listed filter rule (denied LAN IP) and the ZyWALL dropped the packet to block access.
  • Page 595 ZyWALL 2 Series User’s Guide Chart O-6 Access Logs (LOG MESSAGE / DESCRIPTION)
    Packet without a NAT table entry blocked - The router blocked a packet that did not have a corresponding SUA/NAT table entry.
    Out of order TCP handshake packet blocked - The router blocked a TCP handshake packet that came out of the proper order...
  • Page 596 ZyWALL 2 User’s Guide Chart O-8 ICMP Notes (TYPE / CODE / DESCRIPTION)
    Destination Unreachable: Net unreachable; Host unreachable; Protocol unreachable; Port unreachable; A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF); Source route failed.
    Source Quench: A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
  • Page 597 ZyWALL 2 Series User’s Guide Chart O-8 ICMP Notes (TYPE / CODE / DESCRIPTION)
    Timestamp Reply - Timestamp reply message
    Information Request - Information request message
    Information Reply - Information reply message
    Chart O-9 Sys log (LOG MESSAGE / DESCRIPTION)
    Mon dd hr:mm:ss hostname - This message is sent by the "RAS" when this syslog is generated.
  • Page 598: VPN Responder IPSec Log

    ZyWALL 2 User’s Guide
    Index: Date/Time: Log:
    ------------------------------------------------------------
    01 Jan 08:02:22 Send Main Mode request to <192.168.200.101>
    01 Jan 08:02:22 Send:<SA>
    01 Jan 08:02:22 Recv:<SA>
    01 Jan 08:02:24 Send:<KE><NONCE>
    01 Jan 08:02:24 Recv:<KE><NONCE>
    01 Jan 08:02:26 Send:<ID><HASH>
    01 Jan 08:02:26 Recv:<ID><HASH>...
  • Page 599 ZyWALL 2 Series User’s Guide A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-shared key. Chart O-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION Send <Symbol> Mode request to <IP> The ZyWALL has started negotiation with the peer.
  • Page 600 ZyWALL 2 User’s Guide Chart O-10 Sample IKE Key Exchange Logs (LOG MESSAGE / DESCRIPTION)
    !! Invalid IP <IP start>/<IP end> - The peer’s “Local IP Addr” range is invalid.
    !! Remote IP <IP start> / <IP end> conflicts - If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr”...
  • Page 601 ZyWALL 2 Series User’s Guide Chart O-10 Sample IKE Key Exchange Logs (LOG MESSAGE / DESCRIPTION)
    ... vs. My Local <IP address> - The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router.
  • Page 602 ZyWALL 2 User’s Guide The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Chart O-12 RFC-2408 ISAKMP Payload Types (LOG DISPLAY / PAYLOAD TYPE)
    SA - Security Association
    PROP - Proposal
    TRANS - Transform...
  • Page 603 ZyWALL 2 Series User’s Guide Chart O-13 Log Categories and Available Settings (LOG CATEGORIES / AVAILABLE PARAMETERS)
    attack - 0, 1, 2, 3
    error - 0, 1, 2, 3
    (category name cut off in this snippet) - 0, 1, 2, 3
    ipsec - 0, 1, 2, 3
    javablocked - 0, 1, 2, 3
    mten - 0, 1
    upnp...
  • Page 604 ZyWALL 2 User’s Guide
    ras> sys logs display access
    .time source destination notes message
    0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    2|11/11/2002 15:10:11 |172.17.2.1 |224.0.1.60 |ACCESS BLOCK Firewall default policy: IGMP(set:8)
    3|11/11/2002 15:10:11 |172.22.3.80:137 |172.22.255.255:137...
  • Page 605: Appendix P Brute-Force Password Guessing Protection

    ZyWALL 2 Series User’s Guide Appendix P Brute-Force Password Guessing Protection The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure. Chart P-1 Brute-Force Password Guessing Protection Commands COMMAND DESCRIPTION...
  • Page 607: Appendix Q Index


This manual is also suitable for:

ZyWALL 2, ZyWALL 2WE
