ZyXEL Communications ZyWALL 10W User Manual

Internet security gateway

ZyWALL 10W/30W/50/100
Internet Security Gateway
User's Guide
Version 3.62
February 2004

Summary of Contents for ZyXEL Communications ZyWALL 10W

  • Page 1 ZyWALL 10W/30W/50/100 Internet Security Gateway User’s Guide Version 3.62 February 2004...
  • Page 2 ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 ZyWALL Series Internet Security Gateway Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Information For Canadian Users

    Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Zyxel Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to...
  • Page 6: Customer Support

    Customer Support Please have the following information ready when you contact customer support (see the next page for contact information). • Product model and serial number. •...
  • Page 7 METHOD SUPPORT E-MAIL TELEPHONE WEB SITE REGULAR MAIL SALES E-MAIL FTP SITE LOCATION WORLDWIDE support@zyxel.com.tw +886-3-578-3942 www.zyxel.com ZyXEL Communications Corp. 6 Innovation Road II www.europe.zyxel.com Science Park ftp.zyxel.com Hsinchu 300 Taiwan sales@zyxel.com.tw +886-3-578-2439 ftp.europe.zyxel.com NORTH support@zyxel.com +1-800-255-4101 www.us.zyxel.com...
  • Page 9: Table Of Contents

    Table of Contents Copyright..............................ii Federal Communications Commission (FCC) Interference Statement..........iii Information for Canadian Users .......................iv ZyXEL Limited Warranty ..........................v Customer Support ............................vi List of Figures ............................xxi List of Tables ............................xxxiii Preface ..............................xxxix Getting Started ..............................I Chapter 1 Getting to Know Your ZyWALL ..................
  • Page 10 Chapter 4 System Screens........................4-1 System Overview ........................4-1 DNS Overview..........................4-1 Configuring General Setup ......................4-1 Dynamic DNS..........................4-3 Configuring Dynamic DNS ......................4-3 Configuring Password.........................4-5 Pre-defined NTP Time Servers List....................4-6 Configuring Time Setting ......................4-7 Chapter 5 LAN Screens ...........................5-1 LAN Overview ...........................5-1 DHCP Setup..........................5-1 LAN TCP/IP ..........................5-1...
  • Page 11 Configuring DMZ ........................7-1 Chapter 8 WAN Screens.......................... 8-1 WAN Overview ......................... 8-1 TCP/IP Priority (Metric) ......................8-1 Configuring Route........................8-1 Configuring WAN ISP ....................... 8-2 Configuring WAN IP ......................... 8-8 Configuring WAN MAC......................8-11 Traffic Redirect ........................
  • Page 12 11.2 Types of Firewalls.........................11-1 11.3 Introduction to ZyXEL’s Firewall ..................11-2 11.4 Denial of Service........................11-3 11.5 Stateful Inspection ........................11-7 11.6 Guidelines For Enhancing Security With Your Firewall ............11-11 11.7 Packet Filtering Vs Firewall ....................11-12 Chapter 12 Firewall Screens........................12-1 12.1 Access Methods ........................12-1 12.2...
  • Page 13 14.1 VPN Overview ........................14-1 14.2 IPSec Architecture ....................... 14-2 14.3 Encapsulation ........................14-3 14.4 IPSec and NAT ........................14-4 Chapter 15 VPN Screens ........................15-1 15.1 VPN/IPSec Overview......................15-1 15.2 IPSec Algorithms ......................... 15-1 15.3 My IP Address........................
  • Page 14 16.3 Configuration Summary......................16-2 16.4 My Certificates ........................16-3 16.5 Certificate File Formats ......................16-6 16.6 Importing a Certificate ......................16-7 16.7 Creating a Certificate ......................16-8 16.8 My Certificate Details......................16-12 16.9 Trusted CAs ........................16-16 16.10 Importing a Trusted CA’s Certificate .................16-18 16.11 Trusted CA Certificate Details....................16-19 16.12...
  • Page 15 18.7 SSH Implementation on the ZyWALL ................18-16 18.8 Configuring SSH........................ 18-16 18.9 Secure Telnet Using SSH Examples .................. 18-17 18.10 Secure FTP Using SSH Example ..................18-19 18.11 Telnet ..........................18-20 18.12 Configuring TELNET ......................18-21 18.13 Configuring FTP ........................
  • Page 16 21.5 Configuration Screen ......................21-7 21.6 Restart Screen ........................21-11 SMT General Configuration.........................XI Chapter 22 Introducing the SMT......................22-1 22.1 Introduction to the SMT......................22-1 22.2 Accessing the SMT via the Console Port................22-1 22.3 Navigating the SMT Interface....................22-2 22.4 Changing the System Password ....................22-7 22.5 Resetting the ZyWALL......................22-8...
  • Page 17 25.5 Wireless LAN Setup ......................25-7 Chapter 26 DMZ Setup ......................... 26-1 26.1 Configuring DMZ Setup ...................... 26-1 26.2 DMZ Port Filter Setup......................26-1 26.3 TCP/IP Setup........................26-2 Chapter 27 Internet Access ........................27-1 27.1 Introduction to Internet Access Setup ..................
  • Page 18 Chapter 32 Filter Configuration ......................32-1 32.1 Introduction to Filters ......................32-1 32.2 Configuring a Filter Set ......................32-4 32.3 Example Filter........................32-13 32.4 Filter Types and NAT ......................32-15 32.5 Firewall Versus Filters......................32-16 32.6 Applying a Filter .........................32-16 Chapter 33 SNMP Configuration......................33-1 33.1 SNMP Configuration ......................33-1 33.2...
  • Page 19 37.1 Remote Management......................37-1 SMT Advanced Management........................XIV Chapter 38 IP Policy Routing ....................... 38-1 38.1 Introduction to IP Policy Routing ..................38-1 38.2 Benefits ..........................38-1 38.3 Routing Policy........................38-1 38.4 IP Routing Policy Setup ....................... 38-2 38.5 Applying an IP Policy ......................
  • Page 20 Appendix G The Big Picture........................G-1 Appendix H Wireless LAN and IEEE 802.11..................H-1 Appendix I Wireless LAN With IEEE 802.1x ..................I-1 Appendix J Types of EAP Authentication ....................J-1 Appendix K PPPoE ..........................K-1 Appendix L PPTP............................ L-1 Appendix M IP Subnetting ........................
  • Page 21: List Of Figures

    List of Figures Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem............1-9 Figure 1-2 VPN Application ........................1-10 Figure 2-1 Change Password Screen......................2-1 Figure 2-2 Replace Certificate Screen ......................2-2 Figure 2-3 Example Xmodem Upload ......................2-3 Figure 2-4 Web Configurator MAIN MENU Screen ..................
  • Page 22 Figure 8-1 WAN Setup: Route........................8-2 Figure 8-2 Ethernet Encapsulation........................8-3 Figure 8-3 PPPoE Encapsulation ........................8-5 Figure 8-4 PPTP Encapsulation ........................8-7 Figure 8-5 IP Setup ............................8-9 Figure 8-6 MAC Setup ..........................8-12 Figure 8-7 Traffic Redirect WAN Setup .......................8-12 Figure 8-8 Traffic Redirect LAN Setup ......................8-13 Figure 8-9 Traffic Redirect ...........................8-14 Figure 8-10 Dial Backup Setup ........................8-16...
  • Page 23 Figure 12-2 WAN to LAN Traffic........................ 12-5 Figure 12-3 Application-based Bandwidth Management Example.............. 12-6 Figure 12-4 Subnet-based Bandwidth Management Example ..............12-6 Figure 12-5 Application and Subnet-based Bandwidth Management Example ........... 12-7 Figure 12-6 Firewall Summary ........................12-8 Figure 12-7 Firewall Edit Rule ........................12-11 Figure 12-8 Source and Destination Addresses Add/Edit ................
  • Page 24 Figure 15-7 VPN IKE: Advanced .......................15-22 Figure 15-8 VPN Manual Key........................15-26 Figure 15-9 SA Monitor (ZyWALL 100)....................15-30 Figure 15-10 Global Setting ........................15-31 Figure 15-11 Telecommuters Sharing One VPN Rule Example..............15-32 Figure 15-12 Telecommuters Using Unique VPN Rules Example .............15-33 Figure 16-1 Certificate Configuration Overview..................16-3 Figure 16-2 My Certificates..........................16-4 Figure 16-3 My Certificate Import .......................16-7...
  • Page 25 Figure 18-4 Security Certificate Example (Netscape) ................. 18-7 Figure 18-5 Security Certificate 2 Example (Netscape)................18-8 Figure 18-6 Login Screen Example (Internet Explorer)................18-10 Figure 18-7 Login Screen Example (Netscape) ..................18-11 Figure 18-8 Replace Certificate ......................... 18-12 Figure 18-9 Device-specific Certificate .....................
  • Page 26 Figure 22-5 Advanced Management SMT Menus ..................22-6 Figure 22-6 Schedule Setup and IPSec VPN Configuration SMT Menus............22-7 Figure 22-7 Menu 23: System Password ......................22-7 Figure 23-1 Menu 1: General Setup (ZyWALL 10W)..................23-1 Figure 23-2 Configure Dynamic DNS......................23-3 Figure 24-1 MAC Address Cloning in WAN Setup..................24-1 Figure 24-2 Menu 2: Dial Backup Setup .....................24-3...
  • Page 27 Figure 24-5 Menu 11.2: Remote Node PPP Options..................24-9 Figure 24-6 Menu 11.3: Remote Node Network Layer Options ..............24-9 Figure 24-7 Menu 11.4: Remote Node Setup Script .................. 24-12 Figure 24-8 Menu 11.5: Dial Backup Remote Node Filter ................ 24-13 Figure 25-1 Menu 3: LAN Setup .........................
  • Page 28 Figure 30-5 Menu 15.1.255: SUA Address Mapping Rules .................30-5 Figure 30-6 Menu 15.1.1: First Set.......................30-7 Figure 30-7 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set..........30-8 Figure 30-8 Menu 15.2: NAT Server Setup (ZyWALL 10W)..............30-10 Figure 30-9 Server Behind NAT Example ....................30-10 Figure 30-10 NAT Example 1........................30-11 Figure 30-11 Menu 4: Internet Access &...
  • Page 29 Figure 34-2 Menu 24.1: System Maintenance: Status (ZyWALL 100)............34-2 Figure 34-3 Menu 24.2: System Information and Console Port Speed............34-4 Figure 34-4 Menu 24.2.1: System Maintenance: Information (ZyWALL 10W).......... 34-4 Figure 34-5 Menu 24.2.2: System Maintenance: Change Console Port Speed..........34-5 Figure 34-6 Menu 24.3: System Maintenance: Log and Trace ..............
  • Page 30 Figure 35-5 Backup Configuration Example ....................35-7 Figure 35-6 Successful Backup Confirmation Screen ..................35-8 Figure 35-7 Telnet into Menu 24.6 .......................35-9 Figure 35-8 Restore Using FTP Session Example ..................35-10 Figure 35-9 System Maintenance: Restore Configuration................35-10 Figure 35-10 System Maintenance: Starting Xmodem Download Screen..........35-10 Figure 35-11 Restore Configuration Example ....................35-11 Figure 35-12 Successful Restoration Confirmation Screen ................35-11 Figure 35-13 Telnet Into Menu 24.7.1: Upload System Firmware .............35-12...
  • Page 31 Figure 38-7 IP Routing Policy Example ...................... 38-8 Figure 38-8 IP Routing Policy ........................38-9 Figure 38-9 Applying IP Policies ....................... 38-10 Figure 39-1 Schedule Setup ......................... 39-1 Figure 39-2 Schedule Set Setup ........................39-2 Figure 39-3 Applying Schedule Set(s) to a Remote Node (PPPoE).............
  • Page 33: List Of Tables

    List of Tables Table 1-1 Model Specific Features......................... 1-7 Table 2-1 Web Configurator Screens Summary....................2-4 Table 3-1 Ethernet Encapsulation ........................3-3 Table 3-2 PPPoE Encapsulation........................3-5 Table 3-3 PPTP Encapsulation ........................3-7 Table 3-4 Private IP Address Ranges ......................3-8 Table 3-5 Example of Network Properties for LAN Servers with Fixed IP Addresses........
  • Page 34 Table 8-6 Traffic Redirect..........................8-14 Table 8-7 Dial Backup Setup .........................8-17 Table 8-8 Advanced Setup ..........................8-22 Table 9-1 NAT Definitions..........................9-1 Table 9-2 NAT Table Example........................9-2 Table 9-3 NAT Mapping Types........................9-5 Table 9-4 Services and Port Numbers......................9-6 Table 9-5 SUA Server .............................9-9 Table 9-6 Address Mapping ..........................9-11 Table 9-7 Address Mapping Edit ........................9-12 Table 9-8 Trigger Port...........................9-15...
  • Page 35 Table 14-1 VPN and NAT ..........................14-5 Table 15-1 AH and ESP ..........................15-2 Table 15-2 VPN Rules ..........................15-4 Table 15-3 Local ID Type and Content Fields ..................... 15-9 Table 15-4 Peer ID Type and Content Fields ....................15-9 Table 15-5 Matching ID Type and Content Configuration Example............
  • Page 36 Table 18-2 SSH............................18-17 Table 18-3 Telnet ............................18-22 Table 18-4 FTP ............................18-23 Table 18-5 SNMP Traps..........................18-25 Table 18-6 SNMP ............................18-26 Table 18-7 DNS ............................18-28 Table 18-8 Security.............................18-29 Table 19-1 Configuring UPnP ........................19-3 Table 19-2 UPnP Ports..........................19-4 Table 20-1 View Log ............................20-2 Table 20-2 Log Settings Screen ........................20-5 Table 20-3 Reports............................20-7...
  • Page 37 Table 24-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) ............24-6 Table 24-6 Remote Node PPP Options Menu Fields ................... 24-9 Table 24-7 Remote Node Network Layer Options Menu Fields..............24-10 Table 24-8 Menu 11.4: Remote Node Script Menu Fields................. 24-13 Table 25-1 DHCP Ethernet Setup Menu Fields....................
  • Page 38 Table 33-1 SNMP Configuration Menu Fields .....................33-1 Table 33-2 SNMP Traps..........................33-2 Table 34-1 System Maintenance: Status Menu Fields ..................34-2 Table 34-2 Fields in System Maintenance: Information ................34-4 Table 34-3 System Maintenance Menu Syslog Logging ................34-8 Table 34-4 System Maintenance Menu Diagnostic ..................34-13 Table 35-1 Filename Conventions ........................35-2 Table 35-2 General Commands for GUI-based FTP Clients ................35-4...
  • Page 39: Preface

    This manual may refer to the ZyWALL Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 10W, 30W, 50 and 100 models. Supported features, and the details of those features, vary from model to model. Not every feature applies to every model;...
  • Page 40: Syntax Conventions

    Help us help you. E-mail all User’s Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
  • Page 41: Getting Started

    Getting Started Part I: Getting Started This part helps you get to know your ZyWALL, introduces the web configurator and covers how to configure the Wizard Setup screens.
  • Page 43: Chapter 1 Getting To Know Your Zywall

    The embedded web configurator is easy to operate. 1.1.1 ZyWALL 10W Internet Security Gateway The ZyWALL 10W is wireless ready, giving you the option of adding a wireless LAN to your home or small business network. 1.1.2 ZyWALL 30W Internet Security Gateway The ZyWALL 30W adds more firewall protection and gives you the option of adding a wireless LAN to your small office or home office.
  • Page 44: Reset Button

    1.2.1 Physical Features Auto-negotiating 10/100 Mbps Ethernet LAN The LAN interface automatically detects if it’s on a 10 or a 100 Mbps Ethernet. Auto-crossover 10/100 Mbps Ethernet LAN The LAN interface automatically adjusts to either a crossover or straight-through Ethernet cable. This feature is not available on all models.
  • Page 45 1.2.2 Non-Physical Features Bandwidth Management Lite Bandwidth management lite allows you to use firewall rules to perform basic bandwidth management. Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP).
  • Page 46: Wep Encryption

    You can also subscribe to category-based content filtering that allows your ZyWALL to check web sites against an external database of dynamically updated ratings of millions of web sites. RADIUS (RFC2138, 2139) A RADIUS (Remote Authentication Dial In User Service) server enables authentication, authorization and accounting for your wireless network.
  • Page 47: Pptp Encapsulation

    PPPoE PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks via a familiar "dial-up networking" user interface. PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
  • Page 48: Traffic Redirect

    Network Address Translation (NAT) Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 49: Figure 6-3 Wireless

    1.2.3 Model Specific Features This table lists the differences between models; it does not include features that are common to all of the ZyWALL models documented in this user’s guide. Table 1-1 Model Specific Features ZYWALL MODEL FEATURES Firmware Version Number...
  • Page 50 Table Key: An “O” in a model’s column shows that the model has the specified feature. * The ZyWALL 10W and 30W use the same port for console management and for an auxiliary (backup) WAN connection. ** The latest ZyWALL 100 hardware has an auto-crossover 10/100 Mbps Ethernet LAN port and no Uplink button.
  • Page 51: Applications For The Zywall

    DMZ port: Attach public servers (Web, FTP, etc.) to the DeMilitarized Zone (DMZ) port. Computers attached to this port are visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death) and can also be accessed from the secure LAN.
  • Page 52: Figure 1-2 Vpn Application

    Figure 1-2 VPN Application
  • Page 53: Chapter 2 Introducing The Web Configurator

    Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. Web Configurator Overview The embedded web configurator allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator.
  • Page 54: Resetting The Zywall

    Step 6. Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Figure 2-2 Replace Certificate Screen Step 7. You should now see the MAIN MENU screen (see Figure 2-4). The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes).
  • Page 55: Figure 2-3 Example Xmodem Upload

    Step 2. Turn the ZyWALL off. Step 3. While pressing the RESET button, turn the ZyWALL on. Step 4. Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly after about 10 or 15 seconds.
  • Page 56: Navigating The Zywall Web Configurator

    Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the MAIN MENU screen. Follow the instructions you see in the MAIN MENU screen or click the help icon (located in the top right corner of most screens) to view online help. This icon does not appear in the MAIN MENU screen.
  • Page 57 Table 2-1 Web Configurator Screens Summary LINK FUNCTION DDNS Use this screen to configure Dynamic Domain Name System settings. Password Use this screen to change your password. Time Setting Use this screen to change your ZyWALL’s time and date. Use this screen to configure LAN DHCP and TCP/IP settings.
  • Page 58 Table 2-1 Web Configurator Screens Summary LINK FUNCTION BM Global Setting Use this screen to enable bandwidth management (lite) and set a speed for the WAN port. CONTENT FILTER General This screen allows you to enable content filtering and block certain web features.
  • Page 59 Table 2-1 Web Configurator Screens Summary LINK FUNCTION Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL. SNMP Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
  • Page 61: Chapter 3 Wizard Setup

    Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. Wizard Setup Overview The web configurator’s setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encapsulation type you use.
  • Page 62: Wizard Setup: Screen 2

    Figure 3-1 Wizard 1 Wizard Setup: Screen 2 The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. 3.3.1 Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet.
  • Page 63: Figure 3-2 Wizard 2: Ethernet Encapsulation

    Figure 3-2 Wizard 2: Ethernet Encapsulation The following table describes the fields in this screen. Table 3-1 Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 64: Pppoe Encapsulation

    Table 3-1 Ethernet Encapsulation LABEL DESCRIPTION Login Server This field only applies when you select Telia Login in the Service Type field. Type the domain name of the Telia login server, for example “login1.telia.com”. Relogin Period This field only applies when you select Telia Login in the Service Type field.
  • Page 65: Figure 3-3 Wizard2: Pppoe Encapsulation

    Figure 3-3 Wizard 2: PPPoE Encapsulation The following table describes the fields in this screen. Table 3-2 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPPoE forms a dial-up connection.
  • Page 66 Table 3-2 PPPoE Encapsulation LABEL DESCRIPTION Next Click Next to continue. Back Click Back to return to the previous screen. 3.3.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 67: Figure 3-4 Wizard 2: Pptp Encapsulation

    Figure 3-4 Wizard 2: PPTP Encapsulation The following table describes the fields in this screen. Table 3-3 PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. User Name Type the user name given to you by your ISP.
  • Page 68: Table 3-4 Private Ip Address Ranges

    Table 3-3 PPTP Encapsulation LABEL DESCRIPTION My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP address of the PPTP server.
  • Page 69: Ip Address And Subnet Mask

    Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
  • Page 70: Table 3-5 Example Of Network Properties For Lan Servers With Fixed Ip Addresses

    You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom"...
  • Page 71: Table 3-6 Wan Setup

    Table 3-6 WAN Setup LABEL DESCRIPTION WAN IP Address Assignment Get automatically from Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP address Select this option if the ISP assigned a fixed IP address.
  • Page 72: Basic Setup Complete

    Table 3-6 WAN Setup LABEL DESCRIPTION WAN MAC Address The MAC address field allows you to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a computer on your LAN.
  • Page 73: System, Lan And Wireless Lan

    System, LAN and Wireless LAN Part II: System, LAN and Wireless LAN This part covers configuration of the system, LAN, and wireless LAN screens.
  • Page 75: Chapter 4 System Screens

    Chapter 4 System Screens This chapter provides information on the System screens. System Overview See the Wizard Setup chapter for more information on the next few screens. DNS Overview There are three places where you can configure DNS (Domain Name System) setup on the ZyWALL. 1.
  • Page 76: Table 4-1 System General Setup

    The following table describes the labels in this screen. Table 4-1 System General Setup LABEL DESCRIPTION System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field (see the Wizard Setup chapter for how to find your computer’s name).
  • Page 77: Dynamic Dns

    Dynamic DNS Dynamic DNS (Domain Name System) allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe or other services). This is for people with a dynamic IP address from their ISP or DHCP server that would still like to have a domain name.
  • Page 78: Figure 4-2 Ddns

    Figure 4-2 DDNS The following table describes the labels in this screen. Table 4-2 DDNS LABEL DESCRIPTION Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider.
  • Page 79: Configuring Password

    Table 4-2 DDNS LABEL DESCRIPTION Off Line This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line. Edit Update IP Address: Server Auto Detect Select this option to update the IP address of the host name(s) automatically by...
  • Page 80: Pre-Defined NTP Time Servers List

    Table 4-3 Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field. New Password Type the new password in this field. Retype to Confirm Type the new password again in this field.
  • Page 81: Configuring Time Setting

    Configuring Time Setting To change your ZyWALL’s time and date, click SYSTEM, then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyWALL’s time based on your local time zone. Figure 4-4 Time Setting The following table describes the labels in this screen.
  • Page 82: Table 4-5 Time Setting

    Table 4-5 Time Setting LABEL DESCRIPTION Time Protocol Select the time service protocol that your time server sends when you turn on the ZyWALL. Not all time servers support all protocols, so you may have to check with (or Use Time your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 83: Chapter 5 LAN Screens

    Chapter 5 LAN Screens This chapter describes how to configure LAN settings. LAN Overview Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.
  • Page 84: RIP Setup

    These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured. 5.3.2 IP Address and Subnet Mask Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.
  • Page 85: Configuring IP

    Configuring IP Click LAN to open the IP screen. Figure 5-1 IP The following table describes the labels in this screen. Table 5-1 IP LABEL DESCRIPTION DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server.
  • Page 86 Table 5-1 IP LABEL DESCRIPTION Pool Size This field specifies the size, or count of the IP address pool. DNS Servers Assigned by DHCP Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients.
  • Page 87 Table 5-1 IP LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None.
  • Page 88: Configuring Static DHCP

    Configuring Static DHCP This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 89: Configuring IP Alias

    Configuring IP Alias IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network.
  • Page 90: Figure 5-5 IP Alias

    Figure 5-5 IP Alias The following table describes the labels in this screen. Table 5-3 IP Alias LABEL DESCRIPTION IP Alias 1,2 Select the check box to configure another LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation.
  • Page 91 Table 5-3 IP Alias LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 93: Chapter 6 Wireless LAN Screens

    Chapter 6 Wireless LAN Screens This chapter discusses how to configure Wireless LAN on the ZyWALL. See the chapter on Authentication Server for the Local User Database and RADIUS screens. Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios. 6.1.1 Additional Installation Requirements for Using 802.1x A computer with an IEEE 802.11b wireless LAN card.
  • Page 94: Figure 6-1 RTS Threshold

    6.2.3 RTS/CTS A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear”...
  • Page 95: Wireless Security

    If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.
  • Page 96: Configuring Wireless LAN

    Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on using the ZyWALL web configurator to see how to access the web configurator. 6.3.1 WEP WEP provides a mechanism for encrypting data using encryption keys.
  • Page 97 Table 6-1 Wireless LABEL DESCRIPTION Enable Wireless The wireless LAN is turned off (No) by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it.
  • Page 98: Configuring MAC Filter

    Table 6-1 Wireless LABEL DESCRIPTION Key 1 to Key 4 If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
  • Page 99: Figure 6-4 MAC Address Filter

    Figure 6-4 MAC Address Filter The following table describes the labels in this menu. Table 6-2 MAC Address Filter LABEL DESCRIPTION Active Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses.
  • Page 100: Overview

    802.1x Overview The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users. Configuring 802.1X To change your ZyWALL’s Authentication settings, click WIRELESS LAN, then the 802.1X tab.
  • Page 101 Table 6-3 802.1X Authentication LABEL DESCRIPTION Reset Click Reset to begin configuring this screen afresh...
  • Page 103: DMZ and WAN

    DMZ and WAN Part III: DMZ and WAN This part covers configuration of the DMZ and WAN screens.
  • Page 105: Chapter 7 DMZ Screens

    Chapter 7 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. DMZ Overview The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 106: Figure 7-1 DMZ (ZyWALL 100)

    Figure 7-1 DMZ (ZyWALL 100) The following table describes the labels in this screen. Table 7-1 DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation 192.168.1.1 (factory default).
  • Page 107: Table 7-1 DMZ

    Table 7-1 DMZ LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 109: Chapter 8 WAN Screens

    Chapter 8 WAN Screens This chapter describes how to configure WAN settings. WAN Overview See the Wizard Setup chapter for more information on the fields in the WAN screens. TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
  • Page 110: Configuring WAN ISP

    Figure 8-1 WAN Setup: Route The following table describes the labels in this screen. Table 8-1 WAN Setup: Route LABEL DESCRIPTION The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
  • Page 111: Figure 8-2 Ethernet Encapsulation

    Figure 8-2 Ethernet Encapsulation The following table describes the labels in this screen. Table 8-2 Ethernet Encapsulation LABEL DESCRIPTION Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 112 Table 8-2 Ethernet Encapsulation LABEL DESCRIPTION Relogin Every (min) This field only applies when you select Telia Login in the Service Type field. The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
  • Page 113: Figure 8-3 PPPoE Encapsulation

    Figure 8-3 PPPoE Encapsulation The following table describes the labels in this screen. Table 8-3 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet).
  • Page 114 Table 8-3 PPPoE Encapsulation LABEL DESCRIPTION Retype to Confirm Type your password again to make sure that you have entered it correctly. Nailed-Up Connection Select Nailed-Up Connection if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the router automatically...
  • Page 115: Figure 8-4 PPTP Encapsulation

    Figure 8-4 PPTP Encapsulation The following table describes the labels in this screen. Table 8-4 PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 116: Configuring WAN IP

    Table 8-4 PPTP Encapsulation LABEL DESCRIPTION Retype to Confirm Type your password again to make sure that you have entered it correctly. Nailed-up Connection Select Nailed-Up Connection if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL...
  • Page 117: Figure 8-5 IP Setup

    Figure 8-5 IP Setup The following table describes the labels in this screen. Table 8-5 IP Setup LABEL DESCRIPTION WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
  • Page 118 Table 8-5 IP Setup LABEL DESCRIPTION Gateway IP Address Enter the gateway IP address (if your ISP gave you one) in this field if you selected Use Fixed IP Address. Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a...
  • Page 119: Configuring WAN MAC

    Table 8-5 IP Setup LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported;...
  • Page 120: Traffic Redirect

    Figure 8-6 MAC Setup The MAC address screen allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a computer on your LAN. Choose Factory Default to select the factory assigned default MAC Address.
  • Page 121: Configuring Traffic Redirect

    The following network topology allows you to avoid triangle route security issues (see the Appendices) when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network.
  • Page 122: Figure 8-9 Traffic Redirect

    Figure 8-9 Traffic Redirect The following table describes the labels in this screen. Table 8-6 Traffic Redirect LABEL DESCRIPTION Active Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
  • Page 123: Configuring Dial Backup

    Table 8-6 Traffic Redirect LABEL DESCRIPTION Fail Tolerance Type the number of times your ZyWALL may attempt and fail to connect to the Internet before traffic is forwarded to the backup gateway. Period (sec) Type the number of seconds for the ZyWALL to wait between checks to see if it can connect to the WAN IP address (Check WAN IP Address field) or default gateway.
  • Page 124: Figure 8-10 Dial Backup Setup

    Figure 8-10 Dial Backup Setup...
  • Page 125: Table 8-7 Dial Backup Setup

    The following table describes the labels in this screen. Table 8-7 Dial Backup Setup LABEL DESCRIPTION Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP.
  • Page 126 Table 8-7 Dial Backup Setup LABEL DESCRIPTION Get IP Address Automatically from Remote Server Type the login name assigned by your ISP for this remote node. Use Fixed IP Address Select this check box if your ISP assigned you a fixed IP address, then enter the IP address in the following field.
  • Page 127 Table 8-7 Dial Backup Setup LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported;...
  • Page 128: Advanced Modem Setup

    Table 8-7 Dial Backup Setup LABEL DESCRIPTION Configure Budget Select this check box to have the dial backup connection on during the time that you select. Allocated Budget Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period field.
  • Page 129: Configuring Advanced Modem Setup

    8.10.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags. 8.11 Configuring Advanced Modem Setup Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown next.
  • Page 130: Table 8-8 Advanced Setup

    Table 8-8 Advanced Setup LABEL DESCRIPTION EXAMPLE AT Command Strings Dial Type the AT Command string to make a call. atdt Drop Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath"... ~~+++~~ath
  • Page 131 Table 8-8 Advanced Setup LABEL DESCRIPTION EXAMPLE Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh...
  • Page 133: NAT and Static Route

    NAT and Static Route Part IV: NAT and Static Route This part covers Network Address Translation and setting up static routes.
  • Page 135: NAT Overview

    Chapter 9 Network Address Translation (NAT) Screens This chapter discusses how to configure NAT on the ZyWALL. NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 136: Table 9-2 NAT Table Example

    NAT never changes the IP address (either local or global) of an outside host. 9.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 137: Figure 9-1 How NAT Works

    Figure 9-1 How NAT Works (figure labels: Inside Local Address (ILA), Inside Global IP Address (IGA)) 9.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
  • Page 138: Figure 9-2 NAT Application With IP Alias

    Figure 9-2 NAT Application With IP Alias 9.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address.
  • Page 139: Using NAT

    Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead. Port numbers do not change for One-to-One and Many One-to-One NAT mapping types.
  • Page 140: SUA Server

    IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA Only or Full Feature in WAN IP. Selecting SUA Only means (latent) multiple WAN-to-LAN and WAN-to-DMZ multiple address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you’re using SUA Only NAT mapping.
  • Page 141 Table 9-4 Services and Port Numbers SERVICES PORT NUMBER FTP (File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) DNS (Domain Name System) Finger HTTP (Hyper Text Transfer Protocol or WWW, Web) POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap...
  • Page 142: Configuring SUA Server

    IP address assigned by ISP. Figure 9-3 Multiple Servers Behind NAT Example Configuring SUA Server If you do not assign a Default Server IP Address, the ZyWALL discards all packets received for ports that are not specified in this screen or remote management. Click SUA/NAT to open the SUA Server screen.
  • Page 143: Figure 9-4 SUA Server

    Figure 9-4 SUA Server The following table describes the labels in this screen. Table 9-5 SUA Server LABEL DESCRIPTION Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
  • Page 144: Configuring Address Mapping

    Table 9-5 SUA Server LABEL DESCRIPTION Server IP Address Enter the inside IP address of the server here. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. Configuring Address Mapping Ordering your rules is important because the ZyWALL applies the rules in the order that you specify.
  • Page 145: Table 9-6 Address Mapping

    The following table describes the labels in this screen. Table 9-6 Address Mapping LABEL DESCRIPTION Local Start IP This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address.
  • Page 146: Figure 9-6 Address Mapping Edit

    Figure 9-6 Address Mapping Edit The following table describes the labels in this screen. Table 9-7 Address Mapping Edit LABEL DESCRIPTION Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-one mode maps one local IP address to one global IP address.
  • Page 147: Trigger Port Forwarding

    Table 9-7 Address Mapping Edit LABEL DESCRIPTION Global End IP This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 148: Configuring Trigger Port Forwarding

    Figure 9-7 Trigger Port Forwarding Process: Example 1. Jane (A) requests a file from the Real Audio server (port 7070). 2. Port 7070 is a “trigger” port and causes the ZyWALL to record Jane’s computer IP address. The ZyWALL associates Jane's computer IP address with the "incoming"...
  • Page 149: Figure 9-8 Trigger Port

    Figure 9-8 Trigger Port The following table describes the labels in this screen. Table 9-8 Trigger Port LABEL DESCRIPTION This is the rule index number (read-only). Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces.
  • Page 150 Table 9-8 Trigger Port LABEL DESCRIPTION Start Port Type a port number or the starting port number in a range of port numbers. End Port Type a port number or the ending port number in a range of port numbers. Apply Click Apply to save your changes back to the ZyWALL.
  • Page 151: Chapter 10 Static Route Screens

    Chapter 10 Static Route Screens This chapter shows you how to configure static routes for your ZyWALL. 10.1 Static Route Overview Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 152: Figure 10-2 IP Static Route

    Figure 10-2 IP Static Route The following table describes the labels in this screen. Table 10-1 IP Static Route LABEL DESCRIPTION Number of an individual static route. Name Name that describes or identifies this route. Active This field shows whether this static route is active (Yes) or not (No).
  • Page 153: Figure 10-3 Edit IP Static Route

    10.2.1 Configuring a Static Route Entry Select a static route index number and click Edit. The screen shown next appears. Fill in the required information for each static route. Figure 10-3 Edit IP Static Route The following table describes the labels in this screen.
  • Page 154 Table 10-2 Edit IP Static Route LABEL DESCRIPTION Metric Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.
  • Page 155: Firewall And Content Filtering

    Firewall and Content Filtering Part V: Firewall and Content Filtering This part introduces firewalls in general and the ZyWALL firewall. It also explains how to configure the ZyWALL firewall and content filtering.
  • Page 157: Chapter 11 Firewalls

    Chapter 11 Firewalls This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 11.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 158: Introduction to ZyXEL's Firewall

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 159: Denial Of Service

    Figure 11-1 ZyWALL Firewall Application 11.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 160: Figure 18-20 FTP

    Table 11-1 Common IP Ports Telnet HTTP SMTP POP3 11.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3.
  • Page 161: Figure 11-2 Three-Way Handshake

    Figure 11-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
  • Page 162: Figure 11-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 163: Stateful Inspection

    The only legal NetBIOS commands are the following - all others are illegal. Table 11-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 11-4 Legal SMTP Commands AUTH DATA...
  • Page 164: Figure 11-5 Stateful Inspection

    Allows all sessions originating from the LAN (local network) to the WAN (Internet). Denies all sessions originating from the WAN to the LAN. User A initiates a telnet session. Return traffic for User A’s telnet session is permitted.
  • Page 165: Stateful Inspection and the ZyWALL

    3. The packet is inspected by the firewall to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, then the Firewall Summary screen’s Action for packets that don’t match firewall rules field determines the action for this packet.
  • Page 166: TCP Security

    The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.
  • Page 167: Guidelines For Enhancing Security With Your Firewall

    little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. 11.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously.
  • Page 168: Packet Filtering vs Firewall

    11.7 Packet Filtering Vs Firewall Below are some comparisons between the ZyWALL’s filtering and firewall functions. 11.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 169 2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required. 3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks.
  • Page 171: Chapter 12 Firewall Screens

    Chapter 12 Firewall Screens This chapter shows you how to configure your ZyWALL firewall. 12.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall.
  • Page 172: Rule Logic Overview

    This prevents computers on the WAN from using the ZyWALL as a gateway to communicate with other computers on the WAN and/or managing the ZyWALL. • DMZ to LAN • DMZ to DMZ/ZyWALL This prevents computers on the DMZ from communicating between networks or subnets connected to the DMZ interface and/or managing the ZyWALL.
  • Page 173: Security Ramifications

    5. What computers on the LAN or DMZ are to be affected (if any)? 6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
  • Page 174: Connection Direction Examples

    Destination Address What is the connection’s destination address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet? 12.4 Connection Direction Examples This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN.
  • Page 175: Bandwidth Management - Lite

    Figure 12-2 WAN to LAN Traffic 12.5 Bandwidth Management - Lite Bandwidth management lite allows you to use firewall rules to perform basic bandwidth management. You can apply bandwidth management to firewall rules based on applications, IP addresses (including individual IP addresses, ranges or subnets) or a combination of the two.
  • Page 176: Figure 12-3 Application-Based Bandwidth Management Example

    Figure 12-3 Application-based Bandwidth Management Example 12.6.2 Subnet-based Bandwidth Management Example The following example uses bandwidth classes based solely on LAN subnets. Each bandwidth class (Subnet A and Subnet B) is allotted 320 Kbps. Figure 12-4 Subnet-based Bandwidth Management Example 12.6.3 Application and Subnet-based Bandwidth Management Example The following example uses bandwidth classes based on LAN subnets and applications (specific applications in each subnet are allotted bandwidth).
  • Page 177: Alerts

    Table 12-1 Application and Subnet-based Bandwidth Management Example
    TRAFFIC TYPE | FROM SUBNET A | FROM SUBNET B
    E-mail       | 64 Kbps       | 64 Kbps
    Video        | 64 Kbps       | 64 Kbps
    Figure 12-5 Application and Subnet-based Bandwidth Management Example 12.7 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away.
  • Page 178: Figure 12-6 Firewall Summary

    Select this check box to enable the firewall. Figure 12-6 Firewall Summary The following table describes the labels in this screen. Table 12-2 Firewall Summary LABEL DESCRIPTION Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 179

    Table 12-2 Firewall Summary LABEL DESCRIPTION Packet Direction: Use the drop-down list box to select a direction of travel of packets (LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, WAN to WAN/ZyWALL, WAN to LAN, WAN to DMZ, DMZ to DMZ/ZyWALL, DMZ to LAN or DMZ to WAN) for which you want to configure firewall rules.
  • Page 180: Configuring Firewall Rules

    Table 12-2 Firewall Summary LABEL DESCRIPTION Insert: Type the index number for where you want to put a rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 181: Figure 12-7 Firewall Edit Rule

    Figure 12-7 Firewall Edit Rule The following table describes the labels in this screen. Table 12-3 Firewall Edit Rule LABEL DESCRIPTION Active: Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it. Packet Direction...
  • Page 182

    Table 12-3 Firewall Edit Rule LABEL DESCRIPTION Destination Address: Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one. Please see the following section on adding and editing destination addresses.
  • Page 183

    Table 12-3 Firewall Edit Rule LABEL DESCRIPTION Bandwidth for This Rule: Enter the maximum amount of bandwidth (in Kbps) that you want to allocate for the traffic that matches this firewall rule. The traffic that matches this rule cannot use more bandwidth than you specify here.
  • Page 184: Figure 12-8 Source And Destination Addresses Add/Edit

    12.8.2 Configuring Source and Destination Addresses To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen.
  • Page 185: Figure 12-9 Custom Port Create/Edit

    Figure 12-9 Custom Port Create/Edit The following table describes the labels in this screen. Table 12-5 Custom Port Create/Edit LABEL DESCRIPTION Service Name: Enter a unique name for your custom port. Service Type: Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop-down list box.
  • Page 186: Figure 12-10 Bm Global Setting

    For firewall rules that apply to the WAN port (WAN to LAN, LAN to WAN, WAN to WAN / ZyWALL), you can configure the WAN port’s bandwidth management global setting in the following screen. b. For firewall rules that apply to the LAN port (LAN to WAN, WAN to LAN, LAN to LAN / ZyWALL), the LAN port’s bandwidth management global setting is fixed at 100,000 kbps.
  • Page 187: Example Firewall Rule

    Table 12-6 BM Global Setting LABEL DESCRIPTION WAN Port Speed: Enter the amount of bandwidth in kbps (2 to 100,000) that you want to allocate for traffic that matches LAN to WAN, WAN to LAN and WAN to WAN / ZyWALL firewall rules with bandwidth management enabled.
  • Page 188: Figure 12-11 Firewall Edit Rule Screen

    Select WAN to LAN from the drop-down list box. Figure 12-11 Firewall Edit Rule Screen Step 4. Select Any in the Destination Address box and then click DestEdit. Step 5. Configure the Firewall Rule Edit IP screen as follows and click Apply. Figure 12-12 Firewall Rule Edit IP Example
  • Page 189: Figure 12-13 Edit Custom Port Example

    Step 6. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as follows and click Apply. Figure 12-13 Edit Custom Port Example Step 8. The firewall rule configuration screen displays; use the arrows between Available Services and Selected Services to configure it as shown in the following screen.
  • Page 190: Figure 12-14 My Service Rule Configuration

    Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. This is the address range of the “MyService”...
  • Page 191: Predefined Services

    On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Rule 1: Allows a “My Service”...
  • Page 192: Table 12-7 Predefined Services

    defines the service. (Note that there may be more than one IP protocol type. For example, look at the default configuration labeled “(DNS)”. (UDP/TCP:53) means UDP port 53 and TCP port 53.) Custom services may also be configured using the Custom Ports function discussed later.
  • Page 193

    Table 12-7 Predefined Services SERVICE DESCRIPTION Messenger(TCP:1863): Microsoft Networks’ messenger service uses this protocol. MULTICAST(IGMP:0): Internet Group Multicast Protocol is used when sending packets to a specific group of hosts. NEW-ICQ(TCP:5190): An Internet chat program. NEWS(TCP:144): A protocol for news groups.
  • Page 194: Configuring Attack Alert

    Table 12-7 Predefined Services SERVICE DESCRIPTION SNMP-TRAPS(TCP/UDP:162): Traps for use with the SNMP (RFC:1215). SQL-NET(TCP:1521): Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
  • Page 195

    2. The minimum capacity of server backlog in your LAN network. 3. The CPU power of servers in your LAN network. 4. Network bandwidth. 5. Type of traffic for certain servers. If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced.
  • Page 196: Figure 12-16 Attack Alert

    2. If the Blocking Time timeout is greater than 0, then the ZyWALL blocks all new connection requests to the host, giving the server time to handle the present connections. The ZyWALL continues to block all new connection requests until the Blocking Time expires.
  • Page 197

    Table 12-8 Attack Alert LABEL DESCRIPTION DEFAULT VALUES One Minute Low: This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number. Default: 80 existing half-open sessions.
  • Page 198

    TCP Maximum Incomplete: This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Default: 10 existing half-open TCP sessions (30 in the ZyWALL 10W, 30W and 100).
  • Page 199: Chapter 13 Content Filtering Screens

    Chapter 13 Content Filtering Screens This chapter provides an overview of content filtering. 13.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or restrict specific websites. With content filtering, you can do the following: 13.1.1 Restrict Web Features The ZyWALL can block web features such as ActiveX controls, Java applets, cookies and disable web proxies.
  • Page 200: Figure 13-1 Content Filtering General

    Figure 13-1 Content Filtering General The following table describes the labels in this screen. Table 13-1 Content Filtering General LABEL DESCRIPTION Enable Content Filter: Select this check box to enable the content filter. Restricted Web: Select the check box(es) to restrict a feature.
  • Page 201

    Table 13-1 Content Filtering General LABEL DESCRIPTION Block ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 202: Content Filtering With An External Server

    Table 13-1 Content Filtering General LABEL DESCRIPTION Exclude specified address ranges from the content filter enforcement: Select this checkbox to exempt a specific range of users on your LAN from content filter policies. Add Address Ranges From: Type the beginning IP address (in dotted decimal notation) of the specific range of users on your LAN.
  • Page 203: A Procedure To Enable External Database Content Filtering

    Figure 13-2 Content Filtering Lookup Procedure Step 1. A computer sends an HTTP request to a web server. Step 2. The ZyWALL looks up the web site in its local database. If an attempt to access the web site was made in the past, a record of that web site’s rating will be in the ZyWALL’s cache.
  • Page 204: Checking Content Filtering Activation

    13.5 Checking Content Filtering Activation After you register for content filtering, the web site displays a registration successful web page. This does not mean the content filtering is active yet. You need to wait up to ten minutes for the content filtering to be activated.
  • Page 205: Figure 13-3 Content Filtering Categories

    Figure 13-3 Content Filtering Categories The following table describes the labels in this screen.
  • Page 206: Table 13-2 Content Filtering Categories

    Table 13-2 Content Filtering Categories LABEL DESCRIPTION Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
  • Page 207

    Table 13-2 Content Filtering Categories LABEL DESCRIPTION Select All Categories: Select this check box to restrict access to all site categories listed below. Clear All Categories: Select this check box to clear the selected categories below. Adult/Mature Content: Selecting this category excludes pages that contain material of adult nature that does not necessarily contain excessive violence, sexual content, or nudity.
  • Page 208

    Table 13-2 Content Filtering Categories LABEL DESCRIPTION Violence/Hate/Racism: Selecting this category excludes pages that depict extreme physical harm to people or property, or that advocate or provide instructions on how to cause such harm. It also includes pages that advocate, depict hostility or aggression toward, or denigrate an individual or group on the basis of race, religion, gender, nationality, ethnic origin, or other characteristics.
  • Page 209

    Table 13-2 Content Filtering Categories LABEL DESCRIPTION Financial Services: Selecting this category excludes pages that provide or advertise banking services (online or offline) or other types of financial information, such as loans. It does not include pages that offer market information, brokerage or trading services.
  • Page 210

    Table 13-2 Content Filtering Categories LABEL DESCRIPTION Search Engines/Portals: Selecting this category excludes pages that support searching the Internet, indices, and directories. Web Communications: Selecting this category excludes pages that allow or offer Web-based communication via e-mail, chat, instant messaging, message boards, etc. Job Search/Careers: Selecting this category excludes pages that provide assistance in finding employment, and tools for locating prospective employers.
  • Page 211

    Table 13-2 Content Filtering Categories LABEL DESCRIPTION Society/Lifestyle: Selecting this category excludes pages providing information on matters of daily life. This does not include pages relating to entertainment, sports, jobs, sex or pages promoting alternative lifestyles such as homosexuality. Personal homepages fall within this category if they cannot be classified in another category.
  • Page 212

    Table 13-2 Content Filtering Categories LABEL DESCRIPTION Web Hosting: Selecting this category excludes pages of organizations that provide top-level domain pages, as well as web communities or hosting services. Advanced/Basic: Click Advanced to see an expanded list of categories, or click Basic to see a smaller list.
  • Page 213: Configuring Customization

    Table 13-2 Content Filtering Categories LABEL DESCRIPTION Register: Click Register to go to a web site where you can register for category-based content filtering (using an external database). You can use a trial application or register your iCard’s PIN.
  • Page 214: Figure 13-4 Content Filtering Customization

    Figure 13-4 Content Filtering Customization The following table describes the labels in this screen. Table 13-3 Content Filtering Customization LABEL DESCRIPTION WEB Site List Customization
  • Page 215

    Table 13-3 Content Filtering Customization LABEL DESCRIPTION Enable WEB site customization: Select this check box to allow Trusted Domain web sites and block Forbidden Domain web sites. Content filter list customization may be enabled and disabled without re-entering the site names. Disable all web traffic except for trusted Web...: When this box is selected, the ZyWALL only allows Web access to sites on...
  • Page 216

    Table 13-3 Content Filtering Customization LABEL DESCRIPTION Keyword Blocking: Keyword Blocking allows you to block websites that contain certain keywords. Block Web sites which contain these keywords: Select this checkbox to enable keyword blocking. Add Keyword: Enter a keyword to block.
  • Page 217: Vpn/Ipsec

    Part VI: VPN/IPSec This part provides information on how to configure Virtual Private Networks.
  • Page 219: Chapter 14 Introduction To Ipsec

    Chapter 14 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 14.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 220: Ipsec Architecture

    Figure 14-1 Encryption and Decryption Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 221: Encapsulation

    Figure 14-2 IPSec Architecture 14.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard), AES (Advanced Encryption Standard) and Triple DES algorithms.
  • Page 222: Ipsec And Nat

    Figure 14-3 Transport and Tunnel Mode IPSec Encapsulation 14.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 223: Table 14-1 Vpn And Nat

    match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered. IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet.
  • Page 225: Chapter 15 Vpn Screens

    Chapter 15 VPN Screens This chapter introduces the VPN Web Configurator. See the Logs chapter for information on viewing logs and the Appendices for IPSec log descriptions. 15.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 226: My Ip Address

    Table 15-1 AH and ESP
    ESP: DES (default). Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit...
    AH: MD5 (default). MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
  • Page 227: Vpn Rules Screen

    You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
  • Page 228: Figure 15-2 Vpn Rules

    Figure 15-2 VPN Rules The following table describes the labels in this screen. Table 15-2 VPN Rules LABEL DESCRIPTION #: The VPN policy index number. Name: This field displays the identification name for this VPN policy. Active: This field displays whether the VPN policy is active or not.
  • Page 229

    Table 15-2 VPN Rules LABEL DESCRIPTION Local Address: This is the IP address(es) of computer(s) on your local network behind your ZyWALL. The same (static) IP address is displayed twice when the Local Address Type field in the Configure-IKE (or Manual) screen is configured to Single Address.
  • Page 230: Keep Alive

    15.6 Keep Alive When you initiate an IPSec tunnel with keep alive enabled, the ZyWALL automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see section 15.12 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on”...
  • Page 231

    Use IKE keying mode. Enable NAT traversal on both IPSec endpoints. In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A. 15.7.2 X-Auth (Extended Authentication) Extended authentication provides added security by allowing you to use usernames and passwords for VPN connections.
  • Page 232: Id Type And Content

    Figure 15-4 VPN Host using Intranet DNS Server Example If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network. 15.8 ID Type and Content With aggressive negotiation mode (see section 15.12.2), the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted.
  • Page 233: Table 15-3 Local Id Type And Content Fields

    The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address. Table 15-3 Local ID Type and Content Fields LOCAL ID TYPE CONTENT IP: Type the IP address of your computer or leave the field blank to have the ZyWALL...
  • Page 234: Pre-Shared Key

    Table 15-5 Matching ID Type and Content Configuration Example
    ZyWALL A: Peer ID type: IP; Peer ID content: 1.1.1.2
    ZyWALL B: Peer ID type: E-mail; Peer ID content: tom@yourcompany.com
    The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail.
  • Page 235: Figure 15-5 Vpn Ike

    Figure 15-5 VPN IKE
  • Page 236: Table 15-7 Vpn Ike

    The following table describes the labels in this screen. Table 15-7 VPN IKE LABEL DESCRIPTION Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive: Enable keep alive to have the ZyWALL automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 237

    Table 15-7 VPN IKE LABEL DESCRIPTION Client Mode: Select Client Mode to have your ZyWALL use a username and password when initiating this VPN connection to the extended authentication server ZyWALL. Only a VPN extended authentication client can initiate this VPN connection. User Name: Enter a user name for your ZyWALL to be authenticated by the external extended authentication server.
  • Page 238

    Table 15-7 VPN IKE LABEL DESCRIPTION Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
  • Page 239

    Table 15-7 VPN IKE LABEL DESCRIPTION Pre-shared Key: Type your pre-shared key in this field. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal (“0-9”, “A-F”) characters. You must precede a hexadecimal key with a “0x” (zero x), which is not counted as part of the 16 to 62 character range for the key.
  • Page 240

    Table 15-7 VPN IKE LABEL DESCRIPTION Peer ID Type: Select from the following when you set Authentication Method to Pre-Shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
  • Page 241

    Table 15-7 VPN IKE LABEL DESCRIPTION Peer ID Content: Peer ID Content when you set Authentication Method to Pre-Shared Key. For the corresponding Peer ID Type, type the IP address of the computer with which you will make the VPN connection.
  • Page 242

    Table 15-7 VPN IKE LABEL DESCRIPTION My IP Address: Enter the WAN IP address of your ZyWALL. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: The ZyWALL uses the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 243: Ike Phases

    Table 15-7 VPN IKE LABEL DESCRIPTION Encryption Algorithm: Select DES, 3DES, AES or NULL from the drop-down list box. The ZyWALL and the remote IPSec router generate an encryption key from the Diffie-Hellman key exchange. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key.
  • Page 244: Negotiation Mode

    In phase 1 you must:
    • Choose a negotiation mode.
    • Authenticate the connection by entering a pre-shared key.
    • Choose an encryption algorithm.
    • Choose an authentication algorithm.
    • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
    • Set the IKE SA lifetime.
  • Page 245: Configuring Advanced Ike Settings

    15.12.3 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys.
  • Page 246: Figure 15-7 Vpn Ike: Advanced

    Figure 15-7 VPN IKE: Advanced The following table describes the labels in this screen. Table 15-8 VPN IKE: Advanced LABEL DESCRIPTION Protocol: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
  • Page 247

    Table 15-8 VPN IKE: Advanced LABEL DESCRIPTION Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.
  • Page 248

    Table 15-8 VPN IKE: Advanced LABEL DESCRIPTION Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.
  • Page 249: Manual Key Setup

    15.14 Manual Key Setup Manual key management is useful if you have problems with IKE key management. 15.14.1 Security Parameter Index (SPI) An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol.
  • Page 250: Figure 15-8 Vpn Manual Key

    Figure 15-8 VPN Manual Key The following table describes the labels in this screen. Table 15-9 VPN Manual Key LABEL DESCRIPTION Active: Select this check box to activate this VPN policy. Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 251

    Table 15-9 VPN Manual Key LABEL DESCRIPTION Local: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
  • Page 252

    Table 15-9 VPN Manual Key LABEL DESCRIPTION Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 253: Viewing Sa Monitor

    Table 15-9 VPN Manual Key LABEL DESCRIPTION Authentication Algorithm: When you use SHA1 or MD5, both sender and receiver must know the Authentication Key, which can be used to generate and verify a message authentication code. Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
  • Page 254: Figure 15-9 Sa Monitor (Zywall 100)

    Figure 15-9 SA Monitor (ZyWALL 100) The following table describes the labels in this screen. Table 15-10 SA Monitor LABEL DESCRIPTION Go to page: Choose the range of rules from the drop-down list box to display the summary page for the selected rules.
  • Page 255: Configuring Global Setting

    Table 15-10 SA Monitor LABEL DESCRIPTION Disconnect: Select a security association index number that you want to disconnect and then click Disconnect. Next Page: Click Next Page to view more items in the summary (not all ZyWALL models have this feature).
  • Page 256: Telecommuter Vpn/Ipsec Examples

    15.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. 15.18.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B...
  • Page 257: Figure 15-12 Telecommuters Using Unique Vpn Rules Example

    Table 15-12 Telecommuters Sharing One VPN Rule Example
    FIELDS: Remote IP Address | HEADQUARTERS: 0.0.0.0 (N/A) | TELECOMMUTERS: 192.168.1.10
    15.18.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).
  • Page 258: Table 15-13 Telecommuters Using Unique Vpn Rules Example

    Table 15-13 Telecommuters Using Unique VPN Rules Example
    HEADQUARTERS (All Headquarters Rules): My IP Address: bigcompanyhq.com; Local IP Address: 192.168.1.10; Local ID Type: E-mail; Local ID Content: bob@bigcompanyhq.com
    TELECOMMUTERS (All Telecommuter Rules): My IP Address: 0.0.0.0; Secure Gateway Address: bigcompanyhq.com; Remote IP Address: 192.168.1.10; Peer ID Type: E-mail...
  • Page 259: Vpn And Remote Management

    15.19 VPN and Remote Management. If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure remote management (REMOTE MGNT) to allow access for that service.
  • Page 261: Certificates

    Part VII: Certificates. This part provides information and configuration instructions for public-key certificates.
  • Page 263: Chapter 16 Certificates

    Chapter 16 Certificates. This chapter gives background information about public-key certificates and explains how to use them. 16.1 Certificates Overview. The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 264: Advantages Of Certificates

    The ZyWALL uses certificates based on public-key cryptography to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
  • Page 265: My Certificates

    Use the My Certificates screens to generate and export self-signed certificates or certification requests and to import the ZyWALL’s CA-signed certificates. Use the Trusted CAs screens to save CA certificates to the ZyWALL. Use the Trusted Remote Hosts screens to import self-signed certificates.
  • Page 266: Figure 16-2 My Certificates

    Figure 16-2 My Certificates. The following table describes the labels in this screen. Table 16-1 My Certificates. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 267

    Table 16-1 My Certificates. Replace: This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL’s MAC address.
  • Page 268: Certificate File Formats

    Table 16-1 My Certificates. Details: Select the radio button next to a certificate’s index number and then click Details to open a screen with an in-depth list of information about that certificate. Refresh: Click this button to display the current validity status of the certificates.
  • Page 269: Importing A Certificate

    16.6 Importing a Certificate. Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL; see the following figure.
  • Page 270: Creating A Certificate

    Table 16-2 My Certificate Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload. Apply: Click Apply to save the certificate on the ZyWALL.
  • Page 271: Figure 16-4 My Certificate Create

    Figure 16-4 My Certificate Create. The following table describes the labels in this screen. Table 16-3 My Certificate Create. Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
  • Page 272

    Table 16-3 My Certificate Create. Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory.
  • Page 273

    Table 16-3 My Certificate Create. Create a certification request and enroll for a certificate: Select Create a certification request and enroll for a certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate.
  • Page 274: My Certificate Details

    After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen.
  • Page 275: Figure 16-5 My Certificate Details

    Figure 16-5 My Certificate Details. The following table describes the labels in this screen.
  • Page 276: Table 16-4 My Certificate Details

    Table 16-4 My Certificate Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
  • Page 277

    Table 16-4 My Certificate Details. Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate.
  • Page 278: Trusted CAs

    Table 16-4 My Certificate Details. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
  • Page 279: Figure 16-6 Trusted CAs

    Figure 16-6 Trusted CAs. The following table describes the labels in this screen. Table 16-5 Trusted CAs. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 280: Importing a Trusted CA's Certificate

    Table 16-5 Trusted CAs. Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
  • Page 281: Trusted CA Certificate Details

    Figure 16-7 Trusted CA Import. The following table describes the labels in this screen. Figure 16-8 Trusted CA Import. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Click Browse to find the certificate file you want to upload.
  • Page 282: Figure 16-9 Trusted CA Details

    Figure 16-9 Trusted CA Details.
  • Page 283: Table 16-6 Trusted CA Details

    The following table describes the labels in this screen. Table 16-6 Trusted CA Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
  • Page 284

    Table 16-6 Trusted CA Details. Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
  • Page 285: Trusted Remote Hosts

    Table 16-6 Trusted CA Details. SHA1 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy...
  • Page 286: Figure 16-10 Trusted Remote Hosts

    Figure 16-10 Trusted Remote Hosts. The following table describes the labels in this screen. Table 16-7 Trusted Remote Hosts. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 287: Verifying a Trusted Remote Host's Certificate

    Table 16-7 Trusted Remote Hosts. Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a “Not Yet Valid!” message if the certificate has not yet become applicable.
  • Page 288: Figure 16-11 Remote Host Certificates

    Figure 16-11 Remote Host Certificates. Step 3. Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
  • Page 289: Importing a Trusted Remote Host's Certificate

    16.14 Importing a Trusted Remote Host’s Certificate. Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host’s certificate to the ZyWALL; see the following figure.
  • Page 290: Trusted Remote Host Certificate Details

    16.15 Trusted Remote Host Certificate Details. Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen. Select a certificate’s radio button and click Details to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
  • Page 291: Figure 16-14 Trusted Remote Host Details

    Figure 16-14 Trusted Remote Host Details.
  • Page 292: Table 16-9 Trusted Remote Host Details

    The following table describes the labels in this screen. Table 16-9 Trusted Remote Host Details. Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
  • Page 293

    Table 16-9 Trusted Remote Host Details. Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example).
  • Page 294: Directory Servers

    Table 16-9 Trusted Remote Host Details. Apply: Click Apply to save your changes back to the ZyWALL. You can only change the name of the certificate. Cancel: Click Cancel to quit configuring this screen and return to the Trusted Remote Hosts screen.
  • Page 295: Add or Edit a Directory Server

    Table 16-10 Directory Servers. PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
  • Page 296: Figure 16-16 Directory Server Add

    Figure 16-16 Directory Server Add. The following table describes the labels in this screen. Table 16-11 Directory Server Add. Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
  • Page 297

    Table 16-11 Directory Server Add. Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You may change the server port number if needed; however, you must use the same server port number that the directory server uses.
  • Page 299: Authentication Server, Remote Management and UPnP

    Part VIII: Authentication Server, Remote Management and UPnP. This part provides information and configuration instructions for the authentication server screens, remote management and Universal Plug and Play.
  • Page 301: Chapter 17 Authentication Server

    Chapter 17 Authentication Server. This chapter discusses how to configure the authentication server on the ZyWALL. 17.1 Authentication Server Overview. A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
  • Page 302: Figure 17-1 Local User Database

    Figure 17-1 Local User Database.
  • Page 303: Table 17-1 Local User Database

    The following table describes the labels in this screen. Table 17-1 Local User Database. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile. Password: Enter a password up to 31 characters long for this user profile.
  • Page 304: EAP Authentication Overview

    • Access-Reject: Sent by a RADIUS server rejecting access. • Access-Accept: Sent by a RADIUS server allowing access. • Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
  • Page 305: Configuring RADIUS

    The following figure shows an overview of authentication when you specify a RADIUS server on your access point. Figure 17-2 EAP Authentication. The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x chapter in the Appendices.
  • Page 306: Figure 17-3 RADIUS

    Figure 17-3 RADIUS. The following table describes the labels in this screen. Table 17-2 RADIUS. Authentication Server Active: Enable this feature to have the ZyWALL use an external authentication server in performing user authentication. Disable this feature if you will not use an external authentication server.
  • Page 307

    Table 17-2 RADIUS. Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the access points.
  • Page 309: Chapter 18 Remote Management Screens

    Chapter 18 Remote Management Screens. This chapter provides information on the Remote Management screens. 18.1 Remote Management Overview. Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 310: Remote Management Limitations

    18.1.1 Remote Management Limitations. Remote management over LAN or WAN will not work when: 1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
  • Page 311: Figure 18-1 HTTPS Implementation

    data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys (see the Certificates chapter for more information). HTTPS on the ZyWALL is used so that you may securely access the ZyWALL using the web configurator.
  • Page 312: Configuring WWW

    If you disable HTTP Server Access (Disable) in the REMOTE MGNT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 18.3 Configuring WWW. To change your ZyWALL’s World Wide Web settings, click REMOTE MANAGEMENT, then the WWW tab.
  • Page 313

    Table 18-1 WWW. Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 314: HTTPS Login Example

    18.4 HTTPS Login Example. If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address, where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access.
  • Page 315: Figure 18-4 Security Certificate Example (Netscape)

    18.4.2 Netscape Navigator Warning Messages. When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 316: Figure 18-5 Security Certificate 2 Example (Netscape)

    Figure 18-5 Security Certificate 2 Example (Netscape). 18.4.3 Avoiding the Browser Warning Messages. The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
  • Page 317: Login Screen

    Step 1. Click REMOTE MGNT and then WWW. Write down the name of the certificate displayed in the Server Certificate field. Step 2. Click CERTIFICATES, My Certificates. Find the certificate and check its Subject column. CN stands for the certificate’s common name (see Figure 18-9 for an example). Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL’s actual IP address.
  • Page 318: Figure 18-6 Login Screen Example (Internet Explorer)

    Figure 18-6 Login Screen Example (Internet Explorer).
  • Page 319: Figure 18-7 Login Screen Example (Netscape)

    Figure 18-7 Login Screen Example (Netscape). Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
  • Page 320: Figure 18-8 Replace Certificate

    Figure 18-8 Replace Certificate. Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES, My Certificates to open the My Certificates screen.
  • Page 321: Figure 18-9 Device-Specific Certificate

    Figure 18-9 Device-specific Certificate. Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen.
  • Page 322: SSH Overview

    Figure 18-10 Common ZyWALL Certificate. 18.5 SSH Overview. Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 323: How SSH Works

    Figure 18-11 SSH Communication Example. 18.6 How SSH Works. The following table summarizes how a secure connection is established between two remote hosts. 1. Host Identification: The SSH client sends a connection request to the SSH server.
  • Page 324: SSH Implementation on the ZyWALL

    18.7 SSH Implementation on the ZyWALL. Your ZyWALL supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyWALL for remote SMT management and file transfer on port 22.
  • Page 325: Secure Telnet Using SSH Examples

    Table 18-2 SSH. Server Host Key: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see the Certificates part for details).
  • Page 326: Figure 18-14 SSH Example 1: Store Host Key

    Step 3. Launch the SSH client and specify the connection information (IP address, port number or device name) for the ZyWALL. Step 4. Configure the SSH client to accept connections using SSH version 1. Step 5. A window displays prompting you to store the host key on your computer.
  • Page 327: Secure FTP Using SSH Example

    Step 2. Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type “yes”...
  • Page 328: Telnet

    $ sftp -1 192.168.1.1
    Connecting to 192.168.1.1...
    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
    Administrator@192.168.1.1's password:
    sftp>...
  • Page 329: Configuring Telnet

    Figure 18-18 Telnet Configuration on a TCP/IP Network. 18.12 Configuring TELNET. Click REMOTE MANAGEMENT to open the TELNET screen. Figure 18-19 Telnet. The following table describes the labels in this screen.
  • Page 330: Configuring FTP

    Table 18-3 Telnet. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.
  • Page 331: Configuring SNMP

    Figure 18-20 FTP. The following table describes the labels in this screen. Table 18-4 FTP. Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.
  • Page 332: Figure 18-21 SNMP Management Model

    The ZyWALL supports SNMP version one (SNMPv1). The next figure illustrates an SNMP management operation. SNMP is only available if TCP/IP is configured. Figure 18-21 SNMP Management Model. An SNMP managed network consists of two main types of components: agents and a manager.
  • Page 333: Supported MIBs

    etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: •...
  • Page 334: Figure 18-22 SNMP

    Table 18-5 SNMP Traps. For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors. 18.14.3 REMOTE MANAGEMENT: SNMP. To change your ZyWALL’s SNMP settings, click REMOTE MANAGEMENT, then the SNMP tab.
  • Page 335: Configuring DNS

    Table 18-6 SNMP. Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station.
  • Page 336: Configuring Security

    Figure 18-23 DNS. The following table describes the labels in this screen. Table 18-7 DNS. Server Port: The DNS service port number is 53 and cannot be changed here. Server Access: Select the interface(s) through which a computer may send DNS queries to the ZyWALL.
  • Page 337: Figure 18-24 Security

    support anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyWALL when unsupported ports are probed. Figure 18-24 Security. The following table describes the labels in this screen. Table 18-8 Security...
  • Page 338

    Table 18-8 Security. Do not respond to requests for unauthorized…: Select this option to prevent hackers from finding the ZyWALL by probing for unused ports. If you select this option, the ZyWALL will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyWALL unseen.
  • Page 339: Chapter 19 UPnP

    Chapter 19 UPnP. This chapter introduces the Universal Plug and Play feature. 19.1 Universal Plug and Play Overview. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
  • Page 340: Cautions with UPnP

    19.1.3 Cautions with UPnP. The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 341: Figure 19-1 Configuring UPnP

    Figure 19-1 Configuring UPnP. The following table describes the labels in this screen. Table 19-1 Configuring UPnP. Device Name: This identifies this ZyXEL device in UPnP applications. Enable the Universal Plug and Play (UPnP) feature: Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although you must still enter the password to...
  • Page 342: Displaying UPnP Port Mapping

    19.4 Displaying UPnP Port Mapping. Click UPnP and then Ports to open the UPnP Ports screen. Use this screen to view the NAT port forwarding entries that UPnP creates on the ZyWALL. Figure 19-2 UPnP Ports. The following table describes the labels in this screen.
  • Page 343: Installing UPnP in Windows Example

    Table 19-2 UPnP Ports. External Port: This field displays the port number that the ZyWALL “listens” on (on the WAN port) for connection requests destined for the NAT port forwarding entry’s Internal Port and Internal Client.
  • Page 344: Installing UPnP in Windows XP

    Step 1. Click Start and Control Panel. Double-click Add/Remove Programs. Step 2. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.
  • Page 345: Using UPnP in Windows XP Example

    Step 4. Select Networking Service in the Components selection box and click Details. Step 5. In the Networking Services window, select the Universal Plug and Play check box. Step 6. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
  • Page 346

    19.6.1 Auto-discover Your UPnP-enabled Network Device. Step 1. Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. Step 2. Right-click the icon and select Properties. Step 3. In the Internet Connection Properties Step 4.
  • Page 347: Web Configurator Easy Access

    When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Step 5. Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray. Step 6.
  • Page 348

    Follow the steps below to access the web configurator. Step 1. Click Start and then Control Panel. Step 2. Double-click Network Connections. Step 3. Select My Network Places under Other Places. Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
  • Page 349

    Step 6. Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 351: Logs

    Part IX: Logs. This part provides information and instructions for the logs and reports.
  • Page 353: Chapter 20 Logs Screens

    Chapter 20 Logs Screens. This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to the Appendices for example log message explanations. 20.1 Configuring View Log. The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen.
  • Page 354: Figure 20-1 View Log

    ZyWALL Series Internet Security Gateway Figure 20-1 View Log The following table describes the labels in this screen. Table 20-1 View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see section 20.2) display in the drop-down list box.
  • Page 355: Configuring Log Settings

    ZyWALL Series Internet Security Gateway Table 20-1 View Log LABEL DESCRIPTION Time This field displays the time the log was recorded. See the chapter on system maintenance and information to configure the ZyWALL’s time and date. Message This field states the reason for the log. Source This field lists the source IP address and the port number of the incoming packet.
  • Page 356: Figure 20-2 Log Settings

    ZyWALL Series Internet Security Gateway Figure 20-2 Log Settings 20-4 Log Screens...
  • Page 357: Table 20-2 Log Settings Screen

    ZyWALL Series Internet Security Gateway The following table describes the labels in this screen. Table 20-2 Log Settings Screen LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 358: Configuring Reports

    ZyWALL Series Internet Security Gateway Table 20-2 Log Settings Screen LABEL DESCRIPTION Select the categories of logs that you want to record. Logs include alerts. Send Immediate Alert Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
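The View Log columns above (Time, Message, Source, Destination, Notes) are what an operator actually has to work with once the logs are exported or mailed. The following is an added example, not ZyXEL's code or an official export format: it parses rows laid out in those columns and flags any source whose blocked packets hit several different ports on the ZyWALL within a short window. The `|` separator, the message wording and every address in the sample rows are constructed for the example.

```python
"""Added example (not ZyXEL's code): parse View Log-style rows and flag sources
that probe several ports in a short window.

The row layout (#, Time, Message, Source, Destination, Notes) mirrors the
columns Table 20-1 describes; the '|' separator, the message wording and the
addresses below are constructed for this example, not a ZyWALL export format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample rows: one WAN host probes several ports on the ZyWALL,
# one LAN host browses out, one WAN host retries a single port.
SAMPLE_LOG = """\
1|2004/02/10 09:15:01|Firewall default policy: TCP (W to L)|203.0.113.7:44122|192.168.1.1:23|ACCESS BLOCK
2|2004/02/10 09:15:02|Firewall default policy: TCP (W to L)|203.0.113.7:44123|192.168.1.1:22|ACCESS BLOCK
3|2004/02/10 09:15:04|Firewall default policy: TCP (W to L)|203.0.113.7:44124|192.168.1.1:80|ACCESS BLOCK
4|2004/02/10 09:15:09|Firewall default policy: TCP (W to L)|203.0.113.7:44125|192.168.1.1:443|ACCESS BLOCK
5|2004/02/10 09:16:30|Firewall default policy: TCP (L to W)|192.168.1.33:1034|198.51.100.20:80|ACCESS FORWARD
6|2004/02/10 09:20:00|Firewall default policy: TCP (W to L)|198.51.100.9:5112|192.168.1.1:25|ACCESS BLOCK
7|2004/02/10 09:25:00|Firewall default policy: TCP (W to L)|198.51.100.9:5113|192.168.1.1:25|ACCESS BLOCK
"""


def split_endpoint(field):
    """'203.0.113.7:44122' -> ('203.0.113.7', 44122); tolerate a bare address."""
    host, sep, port = field.rpartition(":")
    if not sep:
        return field, None
    return host, int(port)


def parse_view_log(text):
    """Turn the '|'-separated rows into dicts with a typed time and endpoints."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        num, when, message, source, destination, note = line.split("|")
        src_ip, src_port = split_endpoint(source)
        dst_ip, dst_port = split_endpoint(destination)
        rows.append({
            "num": int(num),
            "time": datetime.strptime(when, "%Y/%m/%d %H:%M:%S"),
            "message": message,
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "note": note,
        })
    return rows


def find_port_probers(rows, min_ports=3, window_seconds=60):
    """Return {source IP: sorted ports} for sources whose blocked packets hit at
    least min_ports distinct destination ports within window_seconds."""
    blocked = defaultdict(list)
    for r in rows:
        if r["note"] == "ACCESS BLOCK" and r["dst_port"] is not None:
            blocked[r["src_ip"]].append((r["time"], r["dst_port"]))
    flagged = {}
    for src, events in blocked.items():
        events.sort()                      # (time, port) tuples, oldest first
        for i, (start, _) in enumerate(events):
            ports = set()
            for when, port in events[i:]:  # sliding window starting at event i
                if (when - start).total_seconds() > window_seconds:
                    break
                ports.add(port)
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_port_probers(parse_view_log(SAMPLE_LOG)).items():
        print(f"{src} probed ports {ports} within 60 s")
```

The repeated single-port retries from the second WAN host are deliberately not flagged: the threshold is on distinct ports, which is what separates a scan from a stuck client.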
  • Page 359: Figure 20-3 Reports

    Figure 20-3 Reports Enabling the ZyWALL's reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 20-3 Reports LABEL DESCRIPTION Report Type Use the drop-down list box to select the type of reports to display. Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited.
  • Page 360: Figure 20-4 Web Site Hits Report Example

    All of the recorded reports data is erased when you turn off the ZyWALL. 20.3.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 361: Figure 20-5 Protocol/Port Report Example

    20.3.2 Viewing Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 362: Figure 20-6 Lan Ip Address Report Example

    20.3.3 Viewing LAN IP Address In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
  • Page 363: Table 20-7 Report Specifications

    20.3.4 Reports Specifications The following table lists detailed specifications on the reports feature. Table 20-7 Report Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addresses listed: Hit count limit: Up to 2^32 hits can be counted per web site. The count starts over at 0 if it passes four billion.
  • Page 365: Maintenance

    Maintenance Part X: Maintenance This part covers the maintenance screens.
  • Page 367: Chapter 21 Maintenance

    Chapter 21 Maintenance This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics. 21.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
  • Page 368: System Statistics

    Table 21-1 System Status LABEL DESCRIPTION System Name This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes. Model Name The model name identifies your device type. The model name should also be on a sticker on your device.
  • Page 369: Figure 21-2 System Status: Show Statistics

    Figure 21-2 System Status: Show Statistics The following table describes the labels in this screen. Table 21-2 System Status: Show Statistics LABEL DESCRIPTION Port This is the WAN, LAN, DMZ or Wireless LAN port. Status This displays the port speed and duplex setting if you're using Ethernet encapsulation, and down (line is down), idle (line (PPP) idle), dial (starting to trigger a call) and drop (dropping a call) if you're using PPPoE encapsulation.
  • Page 370: Dhcp Table Screen

    Table 21-2 System Status: Show Statistics LABEL DESCRIPTION Stop Click Stop to stop refreshing the statistics. 21.3 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server.
  • Page 371: F/W Upload Screen

    Table 21-3 DHCP Table LABEL DESCRIPTION MAC Address This field shows the MAC address of the computer with the name in the Host Name field. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 372: Figure 21-5 Firmware Upload

    Figure 21-5 Firmware Upload The following table describes the labels in this screen. LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
  • Page 373: Configuration Screen

    After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
  • Page 374: Figure 21-9 Configuration

    Figure 21-9 Configuration 21.5.1 Backup Configuration Backup Configuration allows you to back up (save) the device's current configuration to a file on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup file contains the device's passwords and keys, so store it where only administrators can read it.
  • Page 375: Figure 21-10 Configuration Upload Successful

    21.5.2 Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyWALL. Table 21-4 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Click Browse...
  • Page 376: Figure 21-12 Configuration Upload Error

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer's IP address.
  • Page 377: Restart Screen

    Figure 21-13 Reset Warning Message You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer to the Introducing the Web Configurator chapter for more information on the RESET button. Anyone with physical access to the RESET button can return the ZyWALL to its factory defaults, including the default password, so keep the device physically secured. 21.6 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off.
  • Page 379: Smt General Configuration

    SMT General Configuration Part XI: SMT General Configuration This part introduces the System Management Terminal and covers the General setup menu, WAN and dial backup setup, LAN and wireless LAN setup, DMZ setup, and Internet access. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 381: Chapter 22 Introducing The Smt

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2002 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 382: Navigating The Smt Interface

    22.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password "1234". Change this default password as soon as you have logged in (see section 22.4), since anyone who can reach the SMT or the web configurator can otherwise log in with it. As you type the password, the screen displays an "X" for each character you type.
  • Page 383: Figure 22-3 Main Menu (Zywall 100)

    Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Not all models have all the features shown. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ZyWALL 100 Main Menu Getting Started Advanced Management 1.
  • Page 384: Table 22-2 Main Menu Summary

    Table 22-2 Main Menu Summary Menu Title FUNCTION General Setup Use this menu to set up dynamic DNS and administrative information. WAN Setup Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection.
  • Page 385: Figure 22-4 Getting Started And Advanced Applications Smt Menus

    22.3.2 SMT Menus at a Glance The available SMT screens vary by ZyWALL model. The following SMT overview applies to the ZyWALL 100. Figure 22-4 Getting Started and Advanced Applications SMT Menus
  • Page 386: Figure 22-5 Advanced Management Smt Menus

    Figure 22-5 Advanced Management SMT Menus
  • Page 387: Changing The System Password

    Figure 22-6 Schedule Setup and IPSec VPN Configuration SMT Menus 22.4 Changing the System Password Change the system password by following the steps shown next. Menu 23 - System Password Old Password= ? New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: Step 1.
  • Page 388: Resetting The Zywall

    Step 3. Type your new system password and press [ENTER]. Step 4. Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an "X" for each character you type. 22.5 Resetting the ZyWALL If you forget your password or cannot access the SMT menu, refer to the section on resetting the ZyWALL in the web configurator part of this guide.
  • Page 389: Chapter 23 Smt Menu 1 - General Setup

    Third System DNS Server= None IP Address= N/A Edit Dynamic DNS= No Press ENTER to Confirm or ESC to Cancel: Figure 23-1 Menu 1: General Setup (ZyWALL 10W) The following table describes the fields in this screen.
  • Page 390: Table 23-1 General Setup Menu Field

    Table 23-1 General Setup Menu Field FIELD DESCRIPTION EXAMPLE System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-"... Example: ZyWALL
  • Page 391: Figure 23-2 Configure Dynamic Dns

    23.2.1 Configuring Dynamic DNS To configure Dynamic DNS, go to Menu 1: General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 Configure Dynamic DNS (shown next). Not all models have every field shown.
  • Page 392 Table 23-2 Configure Dynamic DNS FIELD DESCRIPTION EXAMPLE USER Enter your user name. Password Enter the password assigned to you. Enable Wildcard Your ZyWALL supports DYNDNS Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No. This field is N/A when you choose DDNS client as your service provider.
  • Page 393: Chapter 24 Wan And Dial Backup Setup

    Chapter 24 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial backup using menus 2.1 and 11.1. 24.1 Introduction to WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.
  • Page 394: Dial Backup

    FIELD DESCRIPTION EXAMPLE MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC address. Choose Factory Default to use the factory-assigned default MAC address. Example: IP address attached on...
  • Page 395: Figure 24-2 Menu 2: Dial Backup Setup

    Menu 2 - WAN Setup MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Phone Number= Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel: Figure 24-2 Menu 2: Dial Backup Setup The following table describes the fields in this screen.
  • Page 396: Advanced Wan Setup

    Table 24-2 Menu 2: Dial Backup Setup FIELD DESCRIPTION EXAMPLE Edit Advanced Setup To edit the advanced setup for the Dial Backup port, move the cursor to this field; press the [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 2.1: Advanced Setup.
  • Page 397: Table 24-4 Advanced Wan Port Setup: Call Control Parameters

    Table 24-3 Advanced WAN Port Setup: AT Commands Fields FIELD DESCRIPTION DEFAULT Dial Enter the AT command string to make a call. Default: atdt. Drop Enter the AT command string to drop a call. "~" represents a one-second wait, e.g., "~~~+++~~ath". Default: +++ath...
  • Page 398: Remote Node Profile (Backup Isp)

    Table 24-4 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION DEFAULT Drop Timeout (sec) Enter the number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation. Default: 20 seconds.
  • Page 399 Table 24-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Active Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node. Outgoing My Login Enter the login name assigned by your ISP for this remote node.
  • Page 400: Editing Ppp Options

    Table 24-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Allocated Budget Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field. The default for this field is 0, meaning there is no budget control and no time limit for accessing this remote node. Example: 0 (default).
  • Page 401: Editing Tcp/Ip Options

    Menu 11.2 - Remote Node PPP Options Encapsulation= Standard PPP Compression= No Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle. Figure 24-5 Menu 11.2: Remote Node PPP Options This table describes the Remote Node PPP Options menu and contains instructions on how to configure the PPP options fields.
  • Page 402: Table 24-7 Remote Node Network Layer Options Menu Fields

    The following table describes the fields in this screen. Table 24-7 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Rem IP Address Leave this field set to 0.0.0.0 to have the ISP or other remote router dynamically (automatically) send its IP address if you do not know it. Example: 0.0.0.0
  • Page 403: Editing Login Script

    Table 24-7 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction from Both, None, In Only and Out Only. Example: Both (default). Version Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1, RIP-2B and RIP-2M. Example: RIP-1
  • Page 404: Figure 24-7 Menu 11.4: Remote Node Setup Script

    Please note that the ordering of the sets is significant, i.e., starting from set 1, the ZyWALL will wait until the 'Expect' string is matched before it proceeds to set 2, and so on for the rest of the script. When both the 'Expect'...
  • Page 405: Remote Node Filter

    Table 24-8 Menu 11.4: Remote Node Script Menu Fields FIELD DESCRIPTION EXAMPLE Active Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them. Example: No (default). Set 1-6: Enter an Expect string to match.
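Two of the dial backup strings above have their own small grammars: the AT strings of Table 24-3, where each "~" is a one-second wait, and the Menu 11.4 Expect/Send sets, which run strictly in order with each Expect matched before the next Send goes out. The following is an added example, not ZyXEL's code: it parses an AT string into timed steps and simulates the login script against a remote side that is a constructed transcript. It assumes, as the truncated sentence above implies and as ZyXEL manuals of this series state, that a set with both Expect and Send empty ends the script; the login name, password and modem output are made up for the example.

```python
"""Added example (not ZyXEL's code): a simulator for the dial backup strings in
Menus 2.1 and 11.4.

parse_at_string() turns an AT string such as the default Drop string
"~~~+++~~ath" into timed steps (each "~" is a one second wait, per Table 24-3).
run_login_script() walks Menu 11.4-style (Expect, Send) sets in order against
a remote side given as a constructed transcript, waiting for each Expect
before sending. Assumption: a set with both fields empty ends the script.
"""
import re


def parse_at_string(at_string):
    """'~~~+++~~ath' -> [('pause', 3), ('send', '+++'), ('pause', 2), ('send', 'ath')]"""
    steps = []
    for token in re.findall(r"~+|[^~]+", at_string):
        if token.startswith("~"):
            steps.append(("pause", len(token)))   # one second per "~"
        else:
            steps.append(("send", token))
    return steps


def total_delay(at_string):
    """Seconds of deliberate waiting in the string; compare with Drop Timeout."""
    return sum(n for kind, n in parse_at_string(at_string) if kind == "pause")


def run_login_script(sets, transcript, max_sets=6):
    """Run up to six (expect, send) sets in order.

    transcript: the chunks the remote side emits, in order (constructed, not a
    real modem session). Returns (strings sent, completed); completed is False
    when the remote output ran out before an Expect string appeared.
    """
    sent = []
    received = ""
    inbound = iter(transcript)
    for expect, send in sets[:max_sets]:
        if not expect and not send:
            break                                   # empty set ends the script
        while expect and expect not in received:    # wait for the Expect string
            chunk = next(inbound, None)
            if chunk is None:
                return sent, False                  # remote went quiet: script fails
            received += chunk
        if expect:                                  # consume through the match
            received = received[received.index(expect) + len(expect):]
        if send:
            sent.append(send)
    return sent, True


if __name__ == "__main__":
    # Constructed script and remote output for a backup ISP login.
    script = [("ogin:", "backup-user\r"), ("word:", "s3cret\r"), ("", "")]
    remote = ["CONNECT 33600\r\n", "Welcome.\r\nlogin:", " ", "password:", " \r\n"]
    print(parse_at_string("~~~+++~~ath"))
    print(run_login_script(script, remote))
```

Matching on the tail of a prompt ("ogin:" rather than "Login:") is the usual way to survive case differences in the remote banner; the simulation shows why a script that never sees its Expect string simply stalls rather than sending credentials blindly.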
  • Page 407: Chapter 25 Lan Setup

    Chapter 25 LAN Setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. 25.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. 25.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 –...
  • Page 408: Tcp/Ip And Dhcp Ethernet Setup Menu

    Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 25-2 Menu 3.1: LAN Port Filter Setup 25.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (IP is specified in RFC 791) and DHCP Ethernet setup.
  • Page 409: Figure 25-4 Menu 3.2: Tcp/Ip And Dhcp Ethernet Setup

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Client IP Pool: Starting Address= 192.168.2.33 (the first address in the IP pool) Size of Client IP Pool= 32 (the size of the IP pool) First DNS Server= From ISP TCP/IP Setup: IP Address= 192.168.2.1 IP Subnet Mask= 255.255.255.0 RIP Direction= Both...
  • Page 410: Table 25-2 Lan Tcp/Ip Setup Menu Fields

    Table 25-1 DHCP Ethernet Setup Menu Fields FIELD DESCRIPTION EXAMPLE First DNS Server, Second DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).
  • Page 411 Table 25-2 LAN TCP/IP Setup Menu Fields FIELD DESCRIPTION EXAMPLE IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. Example: 255.255.255.0. RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction. Example: Both.
  • Page 412: Figure 25-5 Menu 3.2.1: Ip Alias Setup

    Menu 3.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A...
  • Page 413: Wireless Lan Setup

    25.5 Wireless LAN Setup Use menu 3.5 to set up your ZyWALL as the wireless access point. See the web configurator parts of this User's Guide for instructions on WEP and configuring the MAC address filter. If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL's ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm.
  • Page 414 Table 25-4 Wireless LAN Setup Menu Fields FIELD DESCRIPTION EXAMPLE ESSID (Extended Service Set IDentification) The ESSID identifies the Service Set the wireless station is to connect to. Wireless clients associating to the Access Point must have the same ESSID. Example: Wireless
  • Page 415 Table 25-4 Wireless LAN Setup Menu Fields FIELD DESCRIPTION EXAMPLE Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyWALL and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). Example: 0x12345abcde. Note that WEP is cryptographically broken: an attacker who captures enough traffic can recover the key, so treat a WEP-protected wireless LAN as an untrusted network rather than relying on the key for confidentiality.
  • Page 416: Figure 25-7 Menu 3.5.1: Wlan Mac Address Filter

    Menu 3.5.1 - WLAN MAC Address Filter Active= No Filter Action= Allowed Association MAC Address Filter Address 1= 00:00:00:00:00:00 Address 2= 00:00:00:00:00:00 Address 3= 00:00:00:00:00:00 Address 4= 00:00:00:00:00:00 Address 5= 00:00:00:00:00:00 Address 6= 00:00:00:00:00:00 Address 7= 00:00:00:00:00:00 Address 8= 00:00:00:00:00:00... The filter only checks the address a client presents, and MAC addresses are trivially changed, so it limits casual association but is not an authentication mechanism.
  • Page 417: Chapter 26 Dmz Setup

    Chapter 26 DMZ Setup This chapter describes how to configure the ZyWALL's DMZ using Menu 5: DMZ Setup. 26.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Menu 5 - DMZ Setup 1.
  • Page 418: Tcp/Ip Setup

    26.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to the LAN chapter. 26.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (IP is specified in RFC 791). Menu 5 - DMZ Setup 1.
  • Page 419: Figure 26-5 Menu 5.2.1: Ip Alias Setup

    DMZ and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see the NAT chapter) in menus 15.1 and 15.2. 26.3.2 IP Alias Setup You must use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.
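The SMT accepts whatever is typed into Menu 3.2 and Menu 5, so two mistakes are easy to make: a DHCP pool that runs past the LAN subnet (or swallows the ZyWALL's own address), and DMZ, LAN or IP alias networks that overlap, which 26.3.1 above forbids. The following is an added example, not ZyXEL's code: it checks both conditions using the values from Figure 25-4 (LAN 192.168.2.1/255.255.255.0, pool of 32 addresses starting at 192.168.2.33). The DMZ and alias addresses in the demo are constructed.

```python
"""Added example (not ZyXEL's code): sanity checks for the Menu 3.2 / Menu 5
addressing values before they are typed in.

Uses the values shown in Figure 25-4 (LAN 192.168.2.1/255.255.255.0, DHCP pool
starting at 192.168.2.33 with 32 addresses) and the rule in 26.3.1 that DMZ and
LAN must be on separate subnets. The DMZ and IP alias addresses in the demo are
constructed for the example.
"""
import ipaddress
from itertools import combinations


def check_dhcp_pool(lan_ip, lan_mask, pool_start, pool_size):
    """Return a list of problems (empty when the pool is consistent with the LAN)."""
    problems = []
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")   # accepts a dotted mask
    net = lan.network
    first = ipaddress.ip_address(pool_start)
    last = first + (pool_size - 1)                         # address arithmetic
    if first not in net or last not in net:
        problems.append(f"pool {first}-{last} is not inside {net}")
    if first <= lan.ip <= last:
        problems.append(f"pool {first}-{last} includes the ZyWALL's own address {lan.ip}")
    if first == net.network_address or last == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


def check_separate_subnets(interfaces):
    """interfaces: {name: 'ip/mask'}. Return sorted name pairs whose subnets overlap."""
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in interfaces.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


if __name__ == "__main__":
    print(check_dhcp_pool("192.168.2.1", "255.255.255.0", "192.168.2.33", 32))   # []
    print(check_dhcp_pool("192.168.2.1", "255.255.255.0", "192.168.2.240", 32))  # runs past the subnet
    print(check_separate_subnets({
        "LAN": "192.168.2.1/255.255.255.0",
        "DMZ": "192.168.2.129/255.255.255.128",   # constructed: overlaps the LAN
        "DMZ alias 1": "10.0.5.1/255.255.255.0",
    }))
```

The overlap check uses `network.overlaps()`, so it also catches a DMZ that is a sub-range of the LAN, which a plain equality test on the network address would miss.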
  • Page 421: Chapter 27 Internet Access

    Chapter 27 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 27.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 422 Table 27-1 Menu 4: Internet Access Setup Menu Fields FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method) or RR-Telstra.
  • Page 423: Configuring The Pptp Client

    Table 27-1 Menu 4: Internet Access Setup Menu Fields FIELD DESCRIPTION Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 424: Configuring The Pppoe Client

    Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPTP Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel:...
  • Page 425: Basic Setup Complete

    Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel:...
  • Page 426 When the firewall is activated, the default policy allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. You may deactivate the firewall in menu 21.2 or via the ZyWALL embedded web configurator. You may also define additional firewall rules or modify existing ones, but please exercise extreme caution in doing so.
  • Page 427: Smt Advanced Applications

    SMT Advanced Applications Part XII: SMT Advanced Applications This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters and SNMP. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 429: Chapter 28 Remote Node Setup

    Chapter 28 Remote Node Setup This chapter shows you how to configure a remote node. 28.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 430: Remote Node Profile Setup

    Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. ________ Enter Node # to Edit: Figure 28-1 Menu 11 Remote Node Setup 28.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu. 28.3.1 Ethernet Encapsulation There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation.
  • Page 431: Figure 28-2 Menu 11.1: Remote Node Profile For Ethernet Encapsulation

    Menu 11.1 - Remote Node Profile (left column) Rem Node Name= ChangeMe Active= Yes Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A... (right column) Route= IP Edit IP= No Session Options: Edit Filter Sets= No Edit Traffic Redirect= No
  • Page 432 Table 28-1 Fields in Menu 11.1 FIELD DESCRIPTION EXAMPLE Retype to Confirm Type your password again to make sure that you have entered it correctly. Example: *****. Server This field is valid only when RoadRunner is selected in the Service Type field.
  • Page 433: Figure 28-3 Menu 11.1: Remote Node Profile For Pppoe Encapsulation

    Menu 11.1 - Remote Node Profile (left column) Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing: My Login= My Password= ******** Retype to Confirm= ********... (right column) Route= IP Edit IP= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Nailed-Up Connection= No
  • Page 434: Table 28-2 Fields In Menu 11.1 (Pppoe Encapsulation Specific)

    Metric See the Metric section in the WAN and Dial Backup Setup chapter for details on the Metric field. Table 28-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION EXAMPLE Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Example: poellc
  • Page 435: Figure 28-4 Menu 11.1: Remote Node Profile For Pptp Encapsulation

    Menu 11.1 - Remote Node Profile (left column) Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Service Type= Standard Service Name= N/A Outgoing= My Login= My Password= ******** Retype to Confirm= ********... (right column) Route= IP Edit IP= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Nailed-up Connections=
  • Page 436: Edit Ip

    Table 28-3 Fields in Menu 11.1 (PPTP Encapsulation) FIELD DESCRIPTION EXAMPLE Nailed-Up Connections Press [SPACE BAR] and then [ENTER] to select Yes if you want to make the connection to this remote node a nailed-up connection. 28.4 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes.
  • Page 437 Table 28-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE (Rem) IP Subnet Mask If you have a static IP assignment, enter the subnet mask assigned to you. Gateway IP Addr This field is applicable to Ethernet encapsulation only. Enter the gateway IP address assigned to you if you are using a static IP address.
  • Page 438: Remote Node Filter

    Table 28-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction from Both, None, In Only and Out Only. See the LAN Setup chapter for more information on RIP. Example: None (default).
  • Page 439: Figure 28-6 Menu 11.5: Remote Node Filter (Ethernet Encapsulation)

    Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 28-6 Menu 11.5: Remote Node Filter (Ethernet Encapsulation) Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters=...
  • Page 440: Figure 28-8 Menu 11.1: Remote Node Profile

    Menu 11.1 - Remote Node Profile (left column) Rem Node Name= ? Active= Yes Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A... (right column) Route= IP Edit IP= No Session Options: Edit Filter Sets= No Edit Traffic Redirect= Yes
  • Page 441: Figure 28-9 Menu 11.6: Traffic Redirect Setup

    Menu 11.6 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.0.0.0 Metric= 15 Check WAN IP Address= 0.0.0.0 Fail Tolerance= 2 Period (sec)= 5 Timeout (sec)= 3 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
  • Page 442 Table 28-6 Menu 11.6: Traffic Redirect Setup FIELD DESCRIPTION EXAMPLE Fail Tolerance Enter the number of times your ZyWALL may attempt and fail to connect to the Internet before traffic is forwarded to the backup gateway. Two to five is usually a good number.
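Fail Tolerance, Period and Timeout together decide how long a dead WAN link goes unnoticed and whether a single lost probe reply causes a needless switch to the backup gateway. The following is an added example, not ZyXEL's code: a small state machine over a constructed sequence of probe results using the Figure 28-9 values (Fail Tolerance 2, Period 5 s, Timeout 3 s), plus the best- and worst-case detection times those values imply. It assumes that a single answered probe switches traffic back to the WAN gateway and resets the failure count, and that probes are sent every Period regardless of the previous probe's outcome; the manual text above does not spell out either rule.

```python
"""Added example (not ZyXEL's code): the Traffic Redirect decision of Menu 11.6
as a state machine, using the figure's values (Fail Tolerance 2, Period 5 s,
Timeout 3 s).

Each probe of the Check WAN IP Address either answers within Timeout (True) or
not (False). Failover happens after Fail Tolerance consecutive misses.
Assumptions (not stated in the manual text): one answered probe switches
traffic back to the WAN and resets the counter, and probes go out every Period
whether or not the previous one was answered (Timeout < Period here).
"""


def failover_timeline(probe_results, fail_tolerance=2):
    """Return the active gateway ('wan' or 'backup') after each probe."""
    active, misses, timeline = "wan", 0, []
    for answered in probe_results:
        if answered:
            misses = 0           # a single lost reply is forgotten on the next success
            active = "wan"
        else:
            misses += 1
            if misses >= fail_tolerance:
                active = "backup"
        timeline.append(active)
    return timeline


def detection_seconds(fail_tolerance=2, period=5, timeout=3):
    """(best, worst) seconds from the WAN dying to failover.

    Best case: the link dies just before a probe, so the first miss costs only
    Timeout and each further miss adds a Period. Worst case: it dies just after
    a probe was answered, so a full Period passes before the first probe.
    """
    best = (fail_tolerance - 1) * period + timeout
    worst = fail_tolerance * period + timeout
    return best, worst


if __name__ == "__main__":
    # Constructed probe history: healthy, one lost reply (tolerated),
    # three misses in a row (failover after the second), then recovery.
    history = [True, False, True, False, False, False, True]
    print(failover_timeline(history))
    print(detection_seconds())
```

With the figure's values the outage is noticed between 8 and 13 seconds after the link dies; raising Fail Tolerance to the upper end of the manual's "two to five" suggestion stretches that to 23 to 28 seconds but makes an isolated lost reply far less likely to flip traffic onto the dial-up or backup gateway.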
  • Page 443: Chapter 29 Ip Static Route Setup

    ZyWALL Series Internet Security Gateway Chapter 29 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 29.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
  • Page 444: Figure 29-2 Menu 12. 1: Edit Ip Static Route

    ZyWALL Series Internet Security Gateway Menu 12.1 - Edit IP Static Route Route #: 1 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CONFIRM or ESC to CANCEL: Figure 29-2 Menu 12.
  • Page 445 ZyWALL Series Internet Security Gateway Table 29-1 IP Static Route Menu Fields FIELD DESCRIPTION Private This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast.
  • Page 447: Chapter 30 Network Address Translation (Nat)

    Chapter 30 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 30.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 30.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 448: Figure 30-1 Menu 4: Applying Nat For Internet Access

    Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only...
  • Page 449: Figure 30-2 Menu 11.3: Applying Nat To The Remote Node

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None Version= N/A Multicast= None Enter here to CONFIRM or ESC to CANCEL:...
  • Page 450: Nat Setup

    30.2 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN and the DMZ. You can see two NAT address mapping sets in menu 15.1.
  • Page 451: Figure 30-4 Menu 15.1: Address Mapping Sets

    Menu 15.1 - Address Mapping Sets 255. SUA (read only) Enter Menu Selection Number: Figure 30-4 Menu 15.1: Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen (see also section 30.1.1). The fields in this menu cannot be changed. Menu 15.1.255 - Address Mapping Rules Set Name= SUA Local Start IP...
  • Page 452: Table 30-2 Sua Address Mapping Rules

    Menu 15.1.255 is read-only. Table 30-2 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. This is the index or rule number.
  • Page 453: Figure 30-6 Menu 15.1.1: First Set

    The entire set will be deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen. Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP Local End IP Global Start IP Global End IP...
  • Page 454: Figure 30-7 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Table 30-3 Fields in Menu 15.1.1 FIELD DESCRIPTION EXAMPLE Action The default is Edit. Edit means you want to edit a selected rule (see Edit following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule.
  • Page 455: Configuring A Server Behind Nat

    Table 30-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION EXAMPLE Type Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in the web configurator parts of this User’s Guide. (Example: One-to-...)
  • Page 456: General Nat Examples

    0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 30-8 Menu 15.2: NAT Server Setup (ZyWALL 10W) You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server.
  • Page 457: Figure 30-10 Nat Example 1

    30.4.1 Internet Access Only In the following Internet access example, you only need one rule where the ILAs (Inside Local Addresses) of computers A through D map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 30-10 NAT Example 1 Menu 4 - Internet Access Setup ISP's Name= ChangeMe...
  • Page 458: Figure 30-12 Nat Example 2

    30.4.2 Example 2: Internet Access with an Inside Server The dynamic Inside Global Address is assigned by the ISP. Figure 30-12 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
  • Page 459: Figure 30-14 Nat Example 3

    30.4.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA.
  • Page 460: Figure 30-15 Example 3: Menu 11.3

    Step 4. Enter 1 to begin configuring this new set. Enter a Set Name, choose the Edit Action and then enter 1 for the Select Rule field. Press [ENTER] to confirm. Step 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA).
  • Page 461: Figure 30-16 Example 3: Menu 15.1.1.1

    Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 = N/A Global IP: Start= 10.132.50.1 = N/A Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Figure 30-16 Example 3: Menu 15.1.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP...
  • Page 462: Figure 30-18 Example 3: Menu 15.2

    Step 9. Now enter 2 from this menu and configure it as shown in Figure 30-18. Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.21 192.168.1.20 0.0.0.0...
  • Page 463: Figure 30-20 Example 4: Menu 15.1.1.1: Address Mapping Rule

    Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-One-to-One mapping types. Follow the steps outlined in example 3 above to configure these two menus as follows. Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP:...
  • Page 464: Configuring Trigger Port Forwarding

    Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ 192.168.1.10 192.168.1.12 10.132.50.1 10.132.50.3 M-1-1 Action= Edit Select Rule= Press ENTER to Confirm or ESC to Cancel: Figure 30-21 Example 4: Menu 15.1.1: Address Mapping Rules 30.5 Configuring Trigger Port Forwarding...
  • Page 465: Figure 30-22 Menu 15.3: Trigger Port Setup

    Menu 15.3 - Trigger Port Setup Incoming Trigger Rule Name Start Port End Port Start Port End Port ---------------------------------------------------------------------- Real Audio 6970 7170 7070 7070 Press ENTER to Confirm or ESC to Cancel: Figure 30-22 Menu 15.3: Trigger Port Setup The following table describes the fields in this screen.
  • Page 467: Chapter 31 Introducing The Zywall Firewall

    Chapter 31 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 31.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 468: Figure 31-2 Menu 21.2: Firewall Setup

    Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User’s Guide for details about the firewall default policies.
  • Page 469: Chapter 32 Filter Configuration

    Chapter 32 Filter Configuration This chapter shows you how to create and apply filters. 32.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 470: Figure 32-1 Outgoing Packet Filtering Process

    [Figure 32-1 Outgoing Packet Filtering Process: flowchart. An outgoing packet passes through call filtering (built-in default call filters, then user-defined call filters, if applicable) and data filtering; a match at any stage drops the packet, otherwise the packet is sent, the idle timer is reset, and a call is initiated if the line is not up.]
  • Page 471: Figure 32-2 Filter Rule Process

    [Figure 32-2 Filter Rule Process: flowchart. A packet enters the filter; the first filter set and its first filter rule are fetched; if the rule is active it is executed, then the next rule is checked; when no rule is available the next filter set is fetched; when no filter set is available the packet is forwarded.]
  • Page 472: Configuring A Filter Set

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 32.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default.
  • Page 473: Table 32-1 Abbreviations Used In The Filter Rules Summary Menu

    Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary. This screen shows the summary of the existing rules in the filter set.
  • Page 474: Table 32-2 Rule Abbreviations Used

    Table 32-2 Rule Abbreviations Used ABBREVIATION DESCRIPTION Protocol Source Address Source Port number Destination Address Destination Port number Offset Length Refer to the next section for information on configuring the filter rules. 32.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule.
  • Page 475: Figure 32-6 Menu 21.1.1.1: Tcp/Ip Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0...
  • Page 476 Table 32-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Port # Enter the destination port of the packets that you wish to filter. 0-65535 The range of this field is 0 to 65535. This field is ignored if it is Port # Comp Press [SPACE BAR] and then [ENTER] to select the None...
  • Page 477 Table 32-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS None Press [SPACE BAR] and then [ENTER] to select a logging option from the following: Action None – No packets will be logged. Matched Action Matched - Only packets that match the rule parameters will be logged.
  • Page 478: Figure 32-7 Executing An Ip Filter

    [Figure 32-7 Executing an IP Filter: flowchart. A packet enters the IP filter; if the filter is active, SrcAddrMask is applied to the source address and the source IP address is checked (matched / not matched), DestAddrMask is applied to the destination address and the destination IP address is checked, then the IP protocol is checked, then Check Src &...]
  • Page 479: Figure 32-8 Menu 21.1.4.1: Generic Filter Rule

    32.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 480 Table 32-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Filter Type Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets. Generic Filter Rule / TCP/IP Filter Rule
  • Page 481: Example Filter

    32.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Figure 32-9 Telnet Filter Example Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. Step 2.
  • Page 482: Figure 32-10 Example Filter: Menu 21.1.3.1

    Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Press [SPACE BAR] and then [ENTER] to choose this filter rule type. Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1
  • Page 483: Filter Types And Nat

    Menu 21.1.3 - Filter Rules Summary # A Type Filter Rules M m n - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F This shows you that you have M = N means an action can be taken immediately.
  • Page 484: Firewall Versus Filters

    Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the ZyWALL applies the protocol filters to the “native” IP address and port number before NAT for outgoing packets and after NAT for incoming packets.
  • Page 485: Figure 32-13 Filtering Lan Traffic

    If you do not activate the firewall, it is advisable to apply filters. 32.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate.
  • Page 486: Figure 32-14 Filtering Dmz Traffic

    Menu 5.1 – DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 32-14 Filtering DMZ Traffic 32.6.3 Applying Remote Node Filters Go to menu 11.5 (shown below –...
  • Page 487: Chapter 33 Snmp Configuration

    Chapter 33 SNMP Configuration This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 33.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next.
  • Page 488: Snmp Traps

    Table 33-1 SNMP Configuration Menu Fields FIELD DESCRIPTION EXAMPLE Trap Community Type the Trap community, which is the password sent with each trap to the SNMP manager. Public Destination Type the IP address of the station to send your SNMP traps to. 0.0.0.0 When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
  • Page 489: Smt System Maintenance

    Part XIII: SMT System Maintenance This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 491: Chapter 34 System Information & Diagnosis

    Chapter 34 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 34.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
  • Page 492: Figure 34-2 Menu 24.1: System Maintenance: Status (Zywall 100)

    To get to the System Status: Step 1. Enter number 24 to go to Menu 24 - System Maintenance. Step 2. In this menu, enter 1 to open System Maintenance - Status. Step 3. There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.
  • Page 493: System Information And Console Port Speed

    Table 34-1 System Maintenance: Status Menu Fields FIELD DESCRIPTION RxPkts The number of received packets on this port. Cols The number of collisions on this port. Tx B/s Shows the transmission speed in Bytes per second on this port. Rx B/s Shows the reception speed in Bytes per second on this port.
  • Page 494: Figure 34-3 Menu 24.2: System Information And Console Port Speed

    Ethernet Address: 00:A0:C5:00:00:01 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: Figure 34-4 Menu 24.2.1: System Maintenance: Information (ZyWALL 10W) Table 34-2 Fields in System Maintenance: Information FIELD DESCRIPTION Name This is the ZyWALL's system name + domain name assigned in menu 1. For example, System Name= xxx;...
  • Page 495: Log And Trace

    Table 34-2 Fields in System Maintenance: Information Routing Refers to the routing protocol used. ZyNOS F/W Version Refers to the version of ZyXEL's Network Operating System software. Ethernet Address Refers to the Ethernet MAC (Media Access Control) address of your ZyWALL. IP Address This is the IP address of the ZyWALL in dotted decimal notation.
  • Page 496: Figure 34-6 Menu 24.3: System Maintenance: Log And Trace

    34.4.1 Viewing Error Log The first place you should look for clues when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log: Step 1. Select option 24 from the main menu to open Menu 24 - System Maintenance. Step 2.
  • Page 497: Figure 34-7 Examples Of Error And Information Messages

    0 Wed Aug 22 21:23:26 2001 PP17 INFO getDateTime fail: no server available 1 Wed Aug 22 21:23:26 2001 PP17 INFO adjtime task pause 60 seconds 2 Wed Aug 22 21:23:54 2001 PINI INFO SMT Session Begin 3 Wed Aug 22 21:24:26 2001 PP0d INFO No DNS server available...
  • Page 498: Table 34-3 System Maintenance Menu Syslog Logging

    You need to configure the syslog parameters described in the following table to activate syslog then choose what you want to log. Table 34-3 System Maintenance Menu Syslog Logging PARAMETER DESCRIPTION Syslog: Active Press [SPACE BAR] and then [ENTER] to turn syslog on or off. Syslog Server IP Address Enter the IP Address of the server that will log the CDR (Call Detail Record) and...
  • Page 499: Filter Log

    2. Packet Triggered Message Format SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String ); String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG) Data: We will send forty-eight Hex characters to the server Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f707172 7374...
  • Page 500 5. Firewall Log Message Format SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf); buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action] Src: Source Address spo: Source port (empty means no source port information) Dst: Destination Address dpo: Destination port (empty means no destination port information) prot: Protocol (“TCP”,”UDP”,”ICMP”, ”IGMP”, ”GRE”, ”ESP”)
  • Page 501: Diagnostic

    IP Frame: ENET0-RECV Size: Time: 17:02:44.262 Frame Type: IP Header: IP Version Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x002C (44) Identification = 0x0002 (2) Flags = 0x00 Fragment Offset = 0x00 Time to Live = 0xFE (254)
  • Page 502: Figure 34-10 Menu 24.4: System Maintenance: Diagnostic

    Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Menu 24.4 - System Maintenance - Diagnostic TCP/IP Ping Host WAN DHCP Release WAN DHCP Renewal Internet Setup Test System 11.
  • Page 503: Figure 34-11 Lan & Wan Dhcp

    Figure 34-11 LAN & WAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 34-4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.
  • Page 505: Chapter 35 Firmware And Configuration File Maintenance

    Chapter 35 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 35.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware. After you configure your ZyWALL, you can back up the configuration file to a computer.
  • Page 506: Backup Configuration

    This is a sample FTP session showing the transfer of the computer file "firmware.bin" to the ZyWALL. ftp> get rom-0 config.cfg This is a sample FTP session saving the current configuration to the computer file “config.cfg”. If your (T)FTP client does not allow you to have a destination filename different than the source, you will need to rename them as the ZyWALL only recognizes “rom-0”...
  • Page 507: Figure 35-1 Telnet Into Menu 24.5

    preferred method for backing up your current configuration to your computer since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protocol to perform the download/upload and you don’t have to rename the files.
  • Page 508: Figure 35-2 Ftp Session Example

    Step 6. Use “get” to transfer files from the ZyWALL to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions. Step 7.
  • Page 509: Backup Configuration Using Tftp

    Table 35-2 General Commands for GUI-based FTP Clients COMMAND DESCRIPTION Initial Local Directory Specify the default local directory (path). 35.3.5 File Maintenance Over WAN Limitations TFTP, FTP and Telnet over the WAN will not work when: 1.
  • Page 510: Tftp Command Example

    Step 5. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the configuration file is “rom-0” (rom-zero, not capital o). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer.
  • Page 511: Figure 35-3 System Maintenance: Backup Configuration

    35.3.9 Backup Via Console Port Back up configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar. Step 1. Display menu 24.5 and enter “y” at the following screen. Ready to backup Configuration via Xmodem.
  • Page 512: Restore Configuration

    ** Backup Configuration completed. OK. ### Hit any key to continue.### Figure 35-6 Successful Backup Confirmation Screen 35.4 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration;...
  • Page 513: Figure 35-7 Telnet Into Menu 24.6

    Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  • Page 514: Figure 35-8 Restore Using Ftp Session Example

    35.4.2 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec. ftp>quit Figure 35-8 Restore Using FTP Session Example Refer to section 35.3.5 to read about configurations that disallow TFTP and FTP over WAN.
  • Page 515: Uploading Firmware And Configuration Files

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 35-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
  • Page 516: Figure 35-13 Telnet Into Menu 24.7.1: Upload System Firmware

    WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. 35.5.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client.
  • Page 517: Figure 35-14 Telnet Into Menu 24.7.2: System Maintenance

    35.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1.
  • Page 518: Figure 35-15 Ftp Session Example Of Firmware File Upload

    transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt. 35.5.4 FTP Session Example of Firmware File Upload 331 Enter PASS command Password: 230 Logged in...
  • Page 519: Tftp Upload Command Example

    Step 3. Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete. Step 4.
  • Page 520: Figure 35-16 Menu 24.7.1 As Seen Using The Console Port

    35.5.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
  • Page 521: Figure 35-17 Example Xmodem Upload

    35.5.9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. Figure 35-17 Example Xmodem Upload After the firmware upload process has completed, the ZyWALL will automatically restart.
  • Page 522: Figure 35-18 Menu 24.7.2 As Seen Using The Console Port

    Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after "Enter Debug Mode" message. 3.
  • Page 523: Figure 35-19 Example Xmodem Upload

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 35-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
  • Page 525: Chapter 36 System Maintenance Menus 8 To 10

    Chapter 36 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 36.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 526: Figure 36-2 Valid Commands

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ?
  • Page 527: Call Control Support

    Table 36-1 Valid Commands COMMAND DESCRIPTION bridge These commands display bridge information. These commands configure bandwidth management settings and display bandwidth management information. certificates These commands display certificate information and configure certificate settings. 8021x These commands configure 802.1x settings and display 802.1x information. radius These commands display RADIUS information and configure RADIUS settings.
  • Page 528: Figure 36-4 Budget Management

    36.2.1 Budget Management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period...
  • Page 529: Figure 36-5 Call History

    36.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 530: Time And Date Setting

    36.3 Time and Date Setting The Real Time Chip (RTC) keeps track of the time and date (not available on all models). There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL.
  • Page 531: Figure 36-7 Menu 24.10 System Maintenance: Time And Date Setting

    Menu 24.10 - System Maintenance - Time and Date Setting Use Time Server when Bootup= NTP (RFC-1305) Time Server Address= tick.stdtime.gov.tw Current Time: 00 : 00 : 00 New Time (hh:mm:ss): 11 : 23 : 16 Current Date: 2000 - 01 - 01 New Date (yyyy-mm-dd):...
  • Page 532: Resetting The Time

    ZyWALL Series Internet Security Gateway Table 36-4 Time and Date Setting Fields FIELD DESCRIPTION Time Zone Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT). Daylight Saving Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight time in the evenings.
  • Page 533: Chapter 37 Remote Management

    ZyWALL Series Internet Security Gateway Chapter 37 Remote Management This chapter covers remote management found in SMT menu 24.11. 37.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via: Internet (WAN only) ALL (LAN and WAN)
  • Page 534: Figure 37-1 Menu 24.11 - Remote Management Control

    ZyWALL Series Internet Security Gateway To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control. Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL...
  • Page 535 ZyWALL Series Internet Security Gateway Table 37-1 Menu 24.11 – Remote Management Control FIELD DESCRIPTION EXAMPLE Secured Client The default 0.0.0.0 allows any client to use this service or protocol to access the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address. Example: 0.0.0.0
  • Page 537: SMT Advanced Management

    SMT Advanced Management Part XIV: SMT Advanced Management This part provides information on how to configure IP Policy Routing, call scheduling, and VPN/IPSec. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 539: Chapter 38 IP Policy Routing

    ZyWALL Series Internet Security Gateway Chapter 38 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 38.1 Introduction to IP Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 540: IP Routing Policy Setup

    ZyWALL Series Internet Security Gateway is to differentiate between interactive and bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets. The actions that can be taken include: •...
  • Page 541: Figure 38-3 Menu 25.1: Sample IP Routing Policy Setup

    ZyWALL Series Internet Security Gateway Menu 25.1 shows the summary of a policy set, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy contains two lines. The former part is the criteria of the incoming packet and the latter is the action.
  • Page 542: Figure 38-4 IP Routing Policy

    ZyWALL Series Internet Security Gateway Table 38-1 IP Routing Policy Setup ABBREVIATION MEANING Service Normal Minimum Delay Maximum Throughput Maximum Reliability Minimum Cost Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule.
  • Page 543 ZyWALL Series Internet Security Gateway Table 38-2 IP Routing Policy FIELD DESCRIPTION IP Protocol Enter a number that represents an IP layer 4 protocol, for example, UDP=17, TCP=6, ICMP=1 and Don’t care=0. Type of Service Prioritize incoming network traffic by choosing from Don’t Care, Normal, Min Delay, Max Thruput or Max Reliable.
  • Page 544: Applying An IP Policy

    ZyWALL Series Internet Security Gateway 38.5 Applying an IP Policy This section shows you where to apply the IP policies after you design them. 38.5.1 Ethernet IP Policies From Menu 3 – Ethernet Setup, type 2 to go to Menu 3.2 – TCP/IP and DHCP Ethernet Setup. You can choose up to four IP policy sets (from 12) by typing their numbers separated by commas, for example, 2, 4, 7, 9.
  • Page 545: Figure 38-6 Example Of IP Policy Routing

    ZyWALL Series Internet Security Gateway Figure 38-6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. Step 1.
  • Page 546: Figure 38-7 IP Routing Policy Example

    ZyWALL Series Internet Security Gateway Menu 25.1.1 - IP Routing Policy Policy Set Name= set1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= N/A Source: addr start= 192.168.1.2 end= 192.168.1.64 port start= 0 end= N/A Destination:...
  • Page 547: Figure 38-8 IP Routing Policy

    ZyWALL Series Internet Security Gateway Step 5. Create a rule in menu 25.1.1 for this set to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100). Menu 25.1.1 - IP Routing Policy Policy Set Name= set2 Active= Yes Criteria:...
  • Page 548: Figure 38-9 Applying IP Policies

    ZyWALL Series Internet Security Gateway Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup DHCP= Server Client IP Pool Starting Address= 192.168.1.33 Size of Client IP Pool= 64 Primary DNS Server= 0.0.0.0 Secondary DNS Server= 0.0.0.0 Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.0...
  • Page 549: Chapter 39 Call Scheduling

    ZyWALL Series Internet Security Gateway Chapter 39 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 39.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 550: Figure 39-2 Schedule Set Setup

    ZyWALL Series Internet Security Gateway To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Menu 26.1 - Schedule Set Setup Active= Yes Start Date(yyyy/mm/dd) = 2000 –...
  • Page 551 ZyWALL Series Internet Security Gateway Table 39-1 Schedule Set Setup Fields FIELD DESCRIPTION OPTIONS Weekday: If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
  • Page 552: Figure 39-3 Applying Schedule Set(s) To A Remote Node (PPPoE)

    ZyWALL Series Internet Security Gateway Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPPoE Edit IP= No Service Type= Standard Telco Option: Service Name= Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules= 1,2,3,4 My Password= ******** Nailed-Up Connection= No Authen= CHAP/PAP...
  • Page 553: Figure 39-4 Applying Schedule Set(s) To A Remote Node (PPTP)

    ZyWALL Series Internet Security Gateway Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name=N/A Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules= 1,2,3,4 My Password= ******** Nailed-up Connections= Authen= CHAP/PAP...
  • Page 555: Chapter 40 VPN/IPSec Setup

    ZyWALL Series Internet Security Gateway Chapter 40 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 40.1 Introduction The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
  • Page 556: IPSec Summary Screen

    ZyWALL Series Internet Security Gateway Menu 27 - VPN/IPSec Setup 1. IPSec Summary 2. SA Monitor Enter Menu Selection Number: Figure 40-2 Menu 27: VPN/IPSec Setup 40.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 — IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels).
  • Page 557 ZyWALL Series Internet Security Gateway Table 40-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Name This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. Example: Taiwan
  • Page 558 ZyWALL Series Internet Security Gateway Table 40-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Key Mgt This field displays the SA’s type of key management, (IKE or Manual). Remote Addr Start When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind the remote IPSec... Example: 172.16.2.40
  • Page 559: IPSec Setup

    ZyWALL Series Internet Security Gateway Table 40-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Select Command Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands. Example: None
  • Page 560: Figure 40-4 Menu 27.1.1: IPSec Setup

    ZyWALL Series Internet Security Gateway Menu 27.1.1 – IPSec Setup Index= 1 Name= Taiwan Active= Yes Keep Alive= No NAT Traversal= No Local ID type Content: My IP Addr= 0.0.0.0 Peer ID type Content: Secure Gateway Address= zw50test.zyxel.com.tw Protocol= 0 Local: Addr Type= SINGLE IP Addr Start= 1.1.1.1...
  • Page 561 ZyWALL Series Internet Security Gateway Table 40-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
  • Page 562 ZyWALL Series Internet Security Gateway Table 40-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE My IP Addr Enter the IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. Example: 0.0.0.0
  • Page 563 ZyWALL Series Internet Security Gateway Table 40-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Peer ID Type Content Peer ID Content when you set Authentication Method to Pre-Shared Key. Type the IP address of the computer with which you will make the VPN connection.
  • Page 564 ZyWALL Series Internet Security Gateway Table 40-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Addr Type Press [SPACE BAR] to choose SINGLE, RANGE, or SUBNET and press SINGLE [ENTER]. Select SINGLE with a single IP address. Select RANGE for a specific range of IP addresses.
  • Page 565 ZyWALL Series Internet Security Gateway Table 40-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE IP Addr Start When the Addr Type field is configured to Single, enter a static IP address on the network behind the remote IPSec router. When the Addr Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router. Example: 4.4.4.4
  • Page 566: IKE Setup

    ZyWALL Series Internet Security Gateway Table 40-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Key Management Press [SPACE BAR] to choose either IKE or Manual and then press [ENTER]. Manual is useful for troubleshooting if you have problems using IKE key management. Edit Key Management Press [SPACE BAR] to change the default No to Yes and then press...
  • Page 567 ZyWALL Series Internet Security Gateway Table 40-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE Phase 1 Negotiation Mode Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. See earlier for a discussion of these modes. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Example: Main
  • Page 568: Manual Setup

    ZyWALL Series Internet Security Gateway Table 40-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE SA Life Time (Seconds) Define the length of time before an IKE Security Association automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). Example: 28800 (default)
  • Page 569: Figure 40-6 Menu 27.1.1.2: Manual Setup

    ZyWALL Series Internet Security Gateway 40.5.1 Active Protocol This field is a combination of mode and security protocols used for the VPN. See the web configurator parts of this User’s Guide for more information on these parameters. Table 40-4 Active Protocol: Encapsulation and Security Protocol MODE SECURITY PROTOCOL Tunnel...
  • Page 570 ZyWALL Series Internet Security Gateway Table 40-5 Menu 27.1.1.2: Manual Setup FIELD DESCRIPTION EXAMPLE Encryption Algorithm Press [SPACE BAR] to choose from NULL, DES and 3DES and then press [ENTER]. Fill in the Key1 field below when you choose DES and fill in fields Key1 to Key3 when you choose 3DES.
  • Page 571: Chapter 41 SA Monitor

    ZyWALL Series Internet Security Gateway Chapter 41 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 41.1 Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
  • Page 572: Table 41-1 Menu 27.2: SA Monitor

    ZyWALL Series Internet Security Gateway Table 41-1 Menu 27.2: SA Monitor FIELD DESCRIPTION EXAMPLE This is the security association index number. Name This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. Example: Taiwan
  • Page 573: Troubleshooting And Hardware Appendices

    Troubleshooting and Hardware Appendices Part XV: Troubleshooting and Hardware Appendices This part provides information about troubleshooting, hardware specifications, safety warnings and how to change a ZyWALL 100 fuse.
  • Page 575: Appendix A Troubleshooting

    ZyWALL Series Internet Security Gateway Appendix A Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information. Problems Starting Up the ZyWALL Chart A-1 Troubleshooting the Start-Up of Your ZyWALL PROBLEM...
  • Page 576: Problems With The LAN Interface

    ZyWALL Series Internet Security Gateway Problems with the LAN Interface Chart A-2 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION Cannot access from the LAN. Check your Ethernet cable type and connections. Refer to the Quick Start Guide or the ZyWALL Compact Guide for LAN connection instructions.
  • Page 577: Problems With The WAN Interface

    ZyWALL Series Internet Security Gateway Problems with the WAN Interface Chart A-4 Troubleshooting the WAN Interface PROBLEM CORRECTIVE ACTION Cannot get WAN IP address from... The ISP provides the WAN IP address after authentication. Authentication may be through the user name and password, the MAC address or the host name. Use the following corrective actions to make sure the ISP can authenticate your connection.
  • Page 578: Problems With The Password

    ZyWALL Series Internet Security Gateway Problems Accessing an Internet Web Site Chart A-6 Troubleshooting Web Site Internet Access PROBLEM CORRECTIVE ACTION Cannot connect to a web site on... Disable content filtering and clear your browser cache. Try connecting to the web site again. If you can now connect to this site, then the content filter may have blocked original access.
  • Page 579: Problems With Remote Management

    ZyWALL Series Internet Security Gateway Problems with Remote Management Chart A-8 Troubleshooting Telnet PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL from the LAN or WAN. Refer to the Remote Management Limitations section in the Remote Management chapter for scenarios when remote management may not be possible. When NAT is enabled:
  • Page 581: Appendix B Hardware Specifications

    Chart B-1 General Specifications Power Specification 100-240 VAC, 50/60Hz (ZyWALL 100) Power Specification I/P AC 120V / 60Hz; O/P DC 12V 1200 mA (ZyWALL 10W, 30W, 50) Power Consumption 16 Watts maximum (ZyWALL 100) Power Current (ZyWALL 100) 1.9 Amps Fuse Rating (ZyWALL 100) 0.5 Amps, 250 VAC...
  • Page 582 ZyWALL Series Internet Security Gateway Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you connect a modem to the dial backup port. Pin 5 Pin 1 Pin 9...
  • Page 583 Power Adaptor Specifications (ZyWALL 10W/30W/50) Chart B-4 North American AC Power Adaptor Specifications AC Power Adapter model AD48-1201200DUY Input power: AC120Volts/60Hz/0.25A Output power: DC12Volts/1.2A Power consumption: 10 W Plug: North American standards Safety standards: UL, CUL (UL 1950, CSA C22.2 No.234-M90)
  • Page 584 ZyWALL Series Internet Security Gateway Chart B-5 European Union AC Power Adaptor Specifications Output power: DC12Volts/1.2A Power consumption: 10 W Plug: European Union standards Safety standards: TUV, CE (EN 60950) AC Power Adapter model JAD-121200E Input power: AC230Volts/50Hz, Output power: DC12Volts/1.2A Power consumption: 9 W Plug: European Union standards Safety standards: TUV, CE (EN 60950)
  • Page 585 ZyWALL Series Internet Security Gateway Chart B-8 Australia and New Zealand AC Power Adaptor Specifications AC Power Adapter model AD-1201200Ds or AD-121200DS Input power: AC240Volts/50Hz/0.2A Output power: DC12Volts/1.2A Power consumption: 10 W Plug: Australia and New Zealand standards Safety standards: NATA (AS 3260) Hardware Specifications...
  • Page 587: Appendix C Safety Warnings And Instructions

    ZyWALL Series Internet Security Gateway Appendix C Safety Warnings and Instructions 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40° Celsius (104° Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 589: Appendix D Removing And Installing A ZyWALL 100 Fuse

    ZyWALL Series Internet Security Gateway Appendix D Removing and Installing a ZyWALL 100 Fuse This appendix shows you how to remove and install fuses for the ZyWALL 100. The ZyWALL 100 uses a 0.5 Amp, 250 VAC fuse. The ZyWALL-100 comes from the factory with two fuses installed in the fuse housing.
  • Page 591: General Appendices

    General Appendices Part XVI: General Appendices This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, EAP authentication, PPPoE, PPTP and IP subnetting.
  • Page 593: Appendix E Setting Up Your Computer's IP Address

    ZyWALL Series Internet Security Gateway Appendix E Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 594 ZyWALL Series Internet Security Gateway The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add.
  • Page 595 ZyWALL Series Internet Security Gateway Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Click the DNS Configuration tab.
  • Page 596 ZyWALL Series Internet Security Gateway Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
  • Page 597 ZyWALL Series Internet Security Gateway For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties. Setting Up Your Computer’s IP Address...
  • Page 598 ZyWALL Series Internet Security Gateway Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically.
  • Page 599 ZyWALL Series Internet Security Gateway -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 600 ZyWALL Series Internet Security Gateway In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 601 ZyWALL Series Internet Security Gateway Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list. Setting Up Your Computer’s IP Address...
  • Page 602: Macintosh OS X

    ZyWALL Series Internet Security Gateway For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. Close the TCP/IP Control Panel.
  • Page 603 ZyWALL Series Internet Security Gateway Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. For statically assigned settings, do the following: -From the Configure box, select Manually.
  • Page 605: Appendix F Triangle Route

    ZyWALL Series Internet Security Gateway Appendix F Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
  • Page 606 ZyWALL Series Internet Security Gateway Diagram F-2 “Triangle Route” Problem The “Triangle Route” Solutions This section presents you two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces with the ZyWALL being the gateway for each logical network.
  • Page 607 ZyWALL Series Internet Security Gateway Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 609: Appendix G The Big Picture

    ZyWALL Series Internet Security Gateway Appendix G The Big Picture The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram G-1 Big Picture— Filtering, Firewall, VPN and NAT The Big Picture...
  • Page 611: Benefits Of A Wireless LAN

    ZyWALL Series Internet Security Gateway Appendix H Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
  • Page 612: Infrastructure Wireless LAN Configuration

    ZyWALL Series Internet Security Gateway The IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band.
  • Page 613 ZyWALL Series Internet Security Gateway Points can provide wireless coverage for an entire building or campus. All communications between stations or between a station and a wired network client go through the Access Point. The Extended Service Set (ESS) shown in the next figure consists of a series of overlapping BSSs (each containing an Access Point) connected together by means of a Distribution System (DS).
  • Page 615: Appendix I Wireless LAN With IEEE 802.1x

    ZyWALL Series Internet Security Gateway Appendix I Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
  • Page 616 ZyWALL Series Internet Security Gateway • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
  • Page 617: Appendix J Types Of EAP Authentication

    ZyWALL Series Internet Security Gateway Appendix J Types of EAP Authentication This appendix discusses three popular EAP authentication types: EAP-MD5, EAP-TLS and EAP-TTLS. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
  • Page 618 ZyWALL Series Internet Security Gateway EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
  • Page 619: Appendix K PPPoE

    ZyWALL Series Internet Security Gateway Appendix K PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure).
  • Page 620: How PPPoE Works

    ZyWALL Series Internet Security Gateway How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 621: Appendix L PPTP

    ZyWALL Series Internet Security Gateway Appendix L PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 622 ZyWALL Series Internet Security Gateway PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
  • Page 623 ZyWALL Series Internet Security Gateway Diagram L-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header. PPTP...
  • Page 625: Appendix M IP Subnetting

    ZyWALL Series Internet Security Gateway Appendix M IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 626: Subnet Masks

    ZyWALL Series Internet Security Gateway A class “B” address (16 host bits) can have 2^16 – 2 or 65534 hosts. A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
  • Page 627 ZyWALL Series Internet Security Gateway With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
  • Page 628 ZyWALL Series Internet Security Gateway The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit.
  • Page 629 ZyWALL Series Internet Security Gateway 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
  • Page 630: Example Eight Subnets

    ZyWALL Series Internet Security Gateway Subnet Address: 192.168.1.128 Lowest Host ID: 192.168.1.129 Broadcast Address: 192.168.1.191 Highest Host ID: 192.168.1.190 Chart M-10 Subnet 4 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. 11000000 11000000 Subnet Mask (Binary) 11111111.11111111.11111111.
  • Page 631: Subnetting With Class A And Class B Networks

    ZyWALL Series Internet Security Gateway Chart M-12 Class C Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) Subnetting With Class A and Class B Networks. For class “A”...
  • Page 632 ZyWALL Series Internet Security Gateway Chart M-13 Class B Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET 255.255.255.128 (/25) 255.255.255.192 1024 (/26) 255.255.255.224 2048 (/27) 255.255.255.240 4096 (/28) 255.255.255.248 8192 (/29) 255.255.255.252 16384 (/30) 255.255.255.254 32768 (/31)
  • Page 633: Command, Log, Content Filtering And Certificates Appendices And Index

    Part XVII: Command, Log, Content Filtering and Certificates Appendices and Index. This part provides information on the command interpreter interface; firewall, NetBIOS and certificate commands; logs and password protection; content filtering registration and reports; and importing certificates.
  • Page 635: Appendix N Command Interpreter

    The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
  • Page 637: Appendix O Firewall Commands

    The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure.

    Chart O-1 Firewall Commands (COMMAND | DESCRIPTION)
    config edit firewall active <yes | no> | This command turns the firewall on or off.
  • Page 638 Chart O-1 Firewall Commands (continued)
    config display firewall attack | This command shows all of the attack response settings.
    config display firewall e-mail | This command shows all of the e-mail settings.
    config display firewall ? | This command shows all of the available firewall sub commands.
  • Page 639 Chart O-1 Firewall Commands (continued)
    config edit firewall e-mail hour <0-23> | This command sets the hour when the firewall log is sent through e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis.
  • Page 640 Chart O-1 Firewall Commands (continued)
    config edit firewall attack minute-low <0-255> | This command sets the threshold of half-open sessions where the ZyWALL stops deleting half-opened sessions.
    config edit firewall attack max-incomplete-high <0-255> | This command sets the threshold of half-open ...
  • Page 641 Chart O-1 Firewall Commands (continued)
    config edit firewall set <set #> connection-timeout <seconds> | This command sets how long the ZyWALL waits for a TCP session to be established before dropping the session.
    config edit firewall set <set #> ... | This command sets how long the ZyWALL ...
  • Page 642 Chart O-1 Firewall Commands (continued)
    config edit firewall set <set #> rule <rule #> log <none | match | not-match | both> | This command sets the ZyWALL to log traffic that matches the rule, doesn't match, both or ...
  • Page 643 Chart O-1 Firewall Commands (continued)
    config edit firewall set <set #> rule <rule #> destaddr-range <start ip address> <end ip address> | This command sets a rule to have the ZyWALL check for traffic going to this range of addresses.
  • Page 644 Chart O-1 Firewall Commands (continued)
    config delete firewall set <set #> | This command removes the specified set from the firewall configuration.
    config delete firewall set <set #> ... | This command removes the specified rule in a ...
  • Page 645: Appendix P NetBIOS Filter Commands

    The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction: NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
  • Page 646: NetBIOS Filter Configuration

    Chart P-1 NetBIOS Filter Default Settings (NAME | DESCRIPTION | EXAMPLE)
    Between LAN and WAN | This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN. | Forward
    IPSec | This field displays whether NetBIOS packets sent through a VPN ... | Forward
  • Page 647 Command: sys filter netbios config 4 off. This command stops NetBIOS commands from initiating calls. NetBIOS Filter Commands...
  • Page 649: Appendix Q Certificate Commands

    The following describes the certificate commands. See the Command Interpreter appendix for information on the command structure. All of these commands start with certificate.

    Chart Q-1 Certificate Commands (COMMAND | DESCRIPTION)
    my_cert create selfsigned ...
  • Page 650 Chart Q-1 Certificate Commands (continued)
    create scep_enroll <name> <CA addr> <CA cert> ... | Create a certificate request and enroll for a certificate immediately online using SCEP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> ...
  • Page 651 Chart Q-1 Certificate Commands (continued)
    verify <name> [timeout] | Verify the certification path of the specified local host certificate. <name> specifies the name of the certificate to be verified. [timeout] specifies the timeout value in seconds (optional).
  • Page 652 Chart Q-1 Certificate Commands (continued)
    rename <old name> <new name> | Rename the specified trusted CA certificate. <old name> specifies the name of the certificate to be renamed. <new name> specifies the new name as which the certificate is to be saved.
  • Page 653 Chart Q-1 Certificate Commands (continued)
    ... <name> <addr[:port]> [login:psw ... | Add a new directory service. <name> specifies a descriptive name as which the added directory server is to be saved. <addr[:port]> specifies the server address (required) and port (optional).
  • Page 655: Appendix R Boot Commands

    The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
  • Page 656
    ...          just answer OK
    ATHE         print help
    ATBAx        change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y)    set BootExtension Debug Flag (y=password)
    ATSE         show the seed of password generator
    ATTI(h,m,s)  change system time to hour:min:sec or show current time
    ATDA(y,m,d)  change system date to year/month/day or show current date
    ATDS...
  • Page 657: Appendix S Log Descriptions

    Chart S-1 System Maintenance Logs (LOG MESSAGE | DESCRIPTION)
    Time calibration is successful | The router has adjusted its time based on information from the time server.
    Time calibration failed | The router failed to get information from the time server.
    WAN interface gets IP: %s | A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
  • Page 658 Chart S-1 System Maintenance Logs (continued)
    Time initialized by Daytime Server | The router got the time and date from the Daytime server.
    Time initialized by Time server | The router got the time and date from the time server.
    Time initialized by NTP server | The router got the time and date from the NTP server.
  • Page 659 Chart S-2 System Error Logs (LOG MESSAGE | DESCRIPTION)
    %s exceeds the max. number of session per host! | This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
    setNetBIOSFilter: calloc error | The router failed to allocate memory for the NetBIOS filter ...
  • Page 660 Chart S-4 TCP Reset Logs (LOG MESSAGE | DESCRIPTION)
    Under SYN flood attack, sent TCP RST | The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
    Exceed TCP MAX incomplete | The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold.
  • Page 661 Chart S-5 Packet Filter Logs (LOG MESSAGE | DESCRIPTION)
    [ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched | Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.
  • Page 662 Chart S-7 CDR Logs (LOG MESSAGE | DESCRIPTION)
    board %d line %d channel ... | The router received the setup requirements for a call. “call” is the reference (count) number of the call. “dev” is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP).
  • Page 663 Chart S-9 UPnP Logs (LOG MESSAGE | DESCRIPTION)
    UPnP pass through Firewall | UPnP packets can pass through the firewall.
    Chart S-10 Content Filtering Logs (LOG MESSAGE | DESCRIPTION)
    %s: Keyword blocking | The content of a requested web page matched a user defined keyword.
    %s: Not in trusted domain | The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
  • Page 664 Chart S-11 Attack Logs (LOG MESSAGE | DESCRIPTION)
    attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ] | The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
    attack ICMP (type:%d, code:%d) | The firewall detected an ICMP attack; see the section on ICMP messages for type and code details.
  • Page 665 Chart S-11 Attack Logs (continued)
    vulnerability ICMP (type:%d, code:%d) | The firewall detected an ICMP vulnerability attack; see the section on ICMP messages for type and code details.
    traceroute ICMP (type:%d, code:%d) | The firewall detected an ICMP traceroute attack; see the section on ICMP messages for type and code details.
  • Page 666 Chart S-13 IKE Logs (LOG MESSAGE | DESCRIPTION)
    Verifying Local ID failed: | The connection failed during IKE phase 2 because the router and the peer’s Local/Remote Addresses don’t match.
    IKE Packet Retransmit | The router retransmitted the last packet sent because there was no response from the peer.
  • Page 667 Chart S-13 IKE Logs (continued)
    Recv <packet> | IKE uses ISAKMP to transmit data. Each ISAKMP packet contains many different types of payloads. All of them show in the LOG. Refer to RFC2408 – ISAKMP for a list of all ISAKMP payload types.
  • Page 668 Chart S-13 IKE Logs (continued)
    Adjust TCP MSS to %d | The router automatically changed the TCP Maximum Segment Size value after establishing a tunnel.
    Rule <%d> input idle time out, disconnect | The tunnel for the listed rule was dropped because there was no inbound traffic within the idle timeout period.
  • Page 669 Chart S-13 IKE Logs (continued)
    Rule [%d] Phase 1 ID mismatch | The listed rule’s IKE phase 1 ID did not match between the router and the peer.
    Rule [%d] Phase 1 hash mismatch | The listed rule’s IKE phase 1 hash did not match between the router and the peer.
  • Page 670 Chart S-14 PKI Logs (LOG MESSAGE | DESCRIPTION)
    Enrollment successful | The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
    Enrollment failed | The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.
  • Page 671 Chart S-14 PKI Logs (continued)
    Failed to decode the received CRL | The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field.
    Failed to decode the received ARL | The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the ...
  • Page 672 Chart S-15 Certificate Path Verification Failure Reason Codes (CODE | DESCRIPTION); descriptions as extracted, code numbers not shown:
    Certificate decoding failed.
    Certificate was not found (anywhere).
    Certificate chain looped (did not find trusted root).
    Certificate contains critical extension that was not handled.
    Certificate issuer was not valid (CA specific information missing).
    (Not used)
    CRL is too old.
  • Page 673 Chart S-16 802.1X Logs (LOG MESSAGE | DESCRIPTION)
    Local User Database reports user credential error. | A user was not authenticated by the local user database because of an incorrect user password.
    Local User Database does not find user`s credential. | A user was not authenticated by the local user database ...
  • Page 674 Chart S-16 802.1X Logs (continued)
    Local User Database does not find user`s credential. | A user was not authenticated by the local user database because the user is not listed in the local user database.
    Chart S-17 ACL Setting Notes (PACKET DIRECTION ...)
  • Page 675 Chart S-18 ICMP Notes (TYPE | CODE | DESCRIPTION)
    3 | 2 | Protocol unreachable
    3 | 3 | Port unreachable
    3 | 4 | A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
    3 | 5 | Source route failed
    4 | 0 | Source Quench: A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
  • Page 676 Chart S-18 ICMP Notes (continued)
    15 | 0 | Information Request: Information request message
    16 | 0 | Information Reply: Information reply message
    Chart S-19 Syslog Logs (LOG MESSAGE | DESCRIPTION)
    <Facility*8 + Severity>Mon dd hr:mm:ss hostname ... | This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the router generates a syslog.
  • Page 677: Log Commands

    Chart S-20 RFC-2408 ISAKMP Payload Types (LOG DISPLAY | PAYLOAD TYPE)
          | Signature
    NONCE | Nonce
    NOTFY | Notification
          | Delete
          | Vendor ID

    Log Commands: Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).
  • Page 678: Displaying Logs

    ras> sys logs category access
    Usage: [0:none/1:log/2:alert/3:both]
    Diagram S-2 Displaying Log Parameters Example

    Step 4. Use sys logs category followed by a log category and a parameter to decide what to record. Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category.
  • Page 679
    message
    0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    2|11/11/2002 15:10:11 |172.17.2.1 |224.0.1.60 |ACCESS BLOCK Firewall default policy: IGMP(set:8)
    3|11/11/2002 15:10:11 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    4|11/11/2002 15:10:10 |192.168.10.1:520...
  • Page 681: Appendix T Brute-Force Password Guessing Protection

    The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure. Chart T-1 Brute-Force Password Guessing Protection Commands (COMMAND | DESCRIPTION)...
  • Page 683: Appendix U Importing Certificates

    This appendix shows examples of importing certificates. Importing the ZyWALL’s Certificate into Netscape Navigator: In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.
  • Page 684 The following example procedure shows how to import the ZyWALL’s (self-signed) server certificate into your operating system as a trusted certification authority. Step 1. In Internet Explorer, double click the lock shown in the following screen. (Diagram U-2 Login Screen)
  • Page 685 Step 2. Click Install Certificate to open the Install Certificate wizard. (Diagram U-3 Certificate General Information Before Import)
  • Page 686 Step 3. Click Next to begin the Install Certificate wizard. (Diagram U-4 Certificate Import Wizard 1)
  • Page 687 Step 4. Select where you would like to store the certificate and then click Next. (Diagram U-5 Certificate Import Wizard 2)
  • Page 688 Step 5. Click Finish to complete the Import Certificate wizard. (Diagram U-6 Certificate Import Wizard 3) Step 6. Click Yes to add the ZyWALL’s certificate to the root store. (Diagram U-7 Root Certificate Store)
  • Page 689: Enrolling And Importing Ssl Client Certificates

    (Diagram U-8 Certificate General Information after Import) Enrolling and Importing SSL Client Certificates: The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the part on certificates for details).
  • Page 690 (Diagram U-9 ZyWALL Trusted CA Screen) The CA sends you a package containing the CA’s certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate: Step 1. Double click the CA’s certificate to produce a screen similar to the one shown next.
  • Page 691 (Diagram U-10 CA Certificate Example) Step 2. Click Install Certificate and follow the wizard as shown in the Importing the ZyWALL’s Certificate into the SSL Client section. Installing Your Personal Certificate(s): You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 692 (Diagram U-11 Personal Certificate Import Wizard 1) Step 2. The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. (Diagram U-12 Personal Certificate Import Wizard 2)
  • Page 693 Step 3. Enter the password. (Diagram U-13 Personal Certificate Import Wizard 3) Step 4. Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
  • Page 694 (Diagram U-14 Personal Certificate Import Wizard 4) Step 5. Click Finish to complete the wizard and begin the import process. (Diagram U-15 Personal Certificate Import Wizard 5)
  • Page 695: Using A Certificate When Accessing The Zywall Example

    Step 6. You should see the following screen when the certificate is correctly installed on your computer. (Diagram U-16 Personal Certificate Import Wizard 6) Using a Certificate When Accessing the ZyWALL Example: Use the following procedure to access the ZyWALL via HTTPS. Step 1. ...
  • Page 696 Step 2. When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. (Diagram U-18 SSL Client Authentication) Step 3. ...
  • Page 697: Appendix V Index

    10/100 Mbps Ethernet WAN .... 1-2
    Backup .... 21-8, 35-2
    Backup WAN .... 1-2
    Access Point .... 25-8
    Bandwidth Management .... 1-3
    Action for Matched Packets .... 12-12
    Basic Service Set .... H-2
    Active .... 24-7, 24-9, 28-3
    Big Picture .... G-1
    Address Assignment .... 3-8, 3-9
    Blocking Time ....
  • Page 698
    Precedence .... 39-1
    Customizing .... 13-15
    Call-Triggering Packet .... 34-10
    Days and Times .... 13-1
    Canada .... iv
    Filter List .... 13-1
    Caution .... iv
    Restrict Web Features .... 13-1
    Certificate Authority .... See CA
    Copyright .... ii
    Certificate Commands .... Q-1
    Custom Ports
    Changing the Password .... 22-7
      Creating/Editing .... 12-14
    Channel ID ....
  • Page 699
    Distribution System .... H-3
    EAP .... 6-3
    DMZ .... 7-1
    EAP Authentication .... XVI, J-1
      And the Firewall .... 7-1
      MD5 .... J-1
      IP Alias .... 26-3
      TLS .... J-1
      IP Alias Setup .... See IP Alias Setup
      TTLS .... J-1
      Port Filter Setup .... 26-1
    ECHO ....
  • Page 700
    Factory LAN Defaults .... 5-1
    Creating/Editing Rules .... 12-10
    Fail Tolerance .... 28-14
    Custom Ports .... See Custom Ports
    FCC .... iii
    Enabling .... 12-1
    FHSS .... See Frequency-Hopping Spread Spectrum
    Firewall Vs Filters .... 11-12
    Filename Conventions .... 35-1
    Guidelines For Enhancing Security .... 11-11
    Filter ....
  • Page 701
    FTP Server .... 1-6, 30-14
    Security Flaws .... I-1
    Full Network Management .... 1-6
    IEEE 802.11b .... 1-2
    Fuse
    IEEE 802.1x .... 1-4, I-1
      Rating .... B-1
      Advantages .... I-1
      Replacement .... D-1
    IGMP .... 5-2
      Type .... D-1
    Incoming Protocol Filters .... 25-6
    Independent Basic Service Set .... H-2
    Gateway IP Addr ....
  • Page 702
    IP Alias .... 1-5, 25-6
    Name .... 29-2
    IP Alias Setup .... 25-5, 25-6
    Route Number .... 29-2
    IP Classes .... M-1
    IP Subnet Mask .... 24-10, 25-6
    IP Multicast .... 1-5
    Remote .... 24-10
    Internet Group Management Protocol (IGMP) ....
    IPSec standard .... 1-3
  • Page 703
    MAC Address Filtering .... 6-6
    Nailed-Up Connection .... 24-8, 28-6
    MAC service data unit .... 6-5, 25-8
    Nailed-Up Connections .... 28-8
    Main Menu .... 22-3
    NAT .... 3-4, 3-9, 9-6, 9-8, 24-10, 28-9, 32-15
    Main Menu Commands .... 22-2
      Applying NAT in the SMT Menus .... 30-1
    Management Information Base (MIB) ....
  • Page 704
    Operation Temperature .... B-1
    Client .... 27-3, 27-4
    Outgoing Protocol Filters .... 25-6
    Configuring a Client .... 27-3, 27-4
    Outside .... 9-1
    PPTP Encapsulation .... 1-5, 3-6, 28-6
    Precedence .... 38-1, 38-5
    Packet Filtering .... 1-4, 11-12
    Private .... 10-4, 24-10, 28-9, 29-3
    Packet Filtering Firewalls ....
  • Page 705
    Remote Management and NAT .... 18-2
    Rule Summary .... 12-21
    Remote Management Limitations .... 18-2, 37-3
    Rules .... 12-1, 12-4
    Remote Node .... 28-1
      Checklist .... 12-2
      Profile (Traffic Redirect Field) .... 28-12
      Creating Custom .... 12-1
    Remote Node Filter ....
  • Page 706
    SMT Menus at a Glance .... 22-5
    SYN-ACK .... 11-5
    SMTP .... 9-7
    Syntax Conventions .... xl
    Smurf .... 11-6
    Syslog .... 34-7
    SNMP .... 9-7, 18-23
    Syslog .... 12-17, 34-8
      Community .... 33-1
    Syslog IP Address .... 34-8
      Configuration .... 33-1
    System Information ....
  • Page 707
    TFTP and FTP over WAN .... 35-5
    WAN Interface .... A-3
    TFTP and FTP over WAN Will Not Work When… .... 35-5
    Trusted Network .... See LAN
    TTLS .... J-1
    TFTP and FTP Over WAN .... 18-2, 37-3
    Tunneled Transport Layer Service .... See TTLS
    TFTP Restrictions .... 18-2, 35-5, 37-3
    Type of Service ....
  • Page 708
    Web .... 18-4
    Web Configurator .... 2-1, 2-4, 11-2, 11-11, 12-3, 31-
    Xmodem File Upload .... 35-17
    Web Site Hits .... 20-7, 20-8
    XMODEM Protocol .... 35-3
    WEP Encryption .... 6-5
    Wireless LAN .... 1-2, H-1
    ZyNOS .... 34-3, 34-5, 35-2
      Benefits .... H-1
    ZyNOS F/W Version ....

This manual is also suitable for: ZyWALL 30W, ZyWALL 50, ZyWALL 100