ZyXEL Communications ZyWALL 2Plus User Manual

Internet security appliance

ZyWALL 2Plus
Internet Security Appliance
User's Guide
Version 4.00
5/2006
Edition 1

Summary of Contents for ZyXEL Communications ZyWALL 2Plus

  • Page 1 ZyWALL 2Plus Internet Security Appliance User’s Guide Version 4.00 5/2006 Edition 1...
  • Page 3: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 4: Certifications

    ZyWALL 2 Plus User’s Guide Certifications Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 5 ZyWALL 2 Plus User’s Guide Certifications...
  • Page 6: Safety Warnings

    ZyWALL 2 Plus User’s Guide Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device.
  • Page 7: Zyxel Limited Warranty

    ZyWALL 2 Plus User’s Guide ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever...
  • Page 8: Customer Support

    • Brief description of the problem and the steps you took to solve it. CORPORATE HEADQUARTERS (WORLDWIDE): support e-mail support@zyxel.com.tw; telephone +886-3-578-3942; web sites www.zyxel.com and www.europe.zyxel.com; FTP sites ftp.zyxel.com and ftp.europe.zyxel.com; sales e-mail sales@zyxel.com.tw; +886-3-578-2439; regular mail ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan...
  • Page 9 SPAIN: +34-902-195-420; www.zyxel.es; sales@zyxel.es; +34-913-005-345; ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain. SWEDEN: support@zyxel.se; +46-31-744-7700; www.zyxel.se; sales@zyxel.se; +46-31-744-7701; ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden. UKRAINE: support@ua.zyxel.com; +380-44-247-69-78; www.ua.zyxel.com; sales@ua.zyxel.com; +380-44-494-49-32; ZyXEL Ukraine, 13, Pimonenko Str....
  • Page 10 ZyWALL 2 Plus User’s Guide Customer Support...
  • Page 11: Table Of Contents

    ZyWALL 2 Plus User’s Guide Table of Contents: Copyright 3; Certifications 4; Safety Warnings 6; ZyXEL Limited Warranty 7; Customer Support 8; Table of Contents 11; List of Figures 27; List of Tables 37; Preface ...
  • Page 12 ZyWALL 2 Plus User’s Guide: 2.4.6 VPN Status 66; Chapter 3 Wizard Setup 69; 3.1 Wizard Setup Overview 69; 3.2 Internet Access 69; 3.2.1 ISP Parameters 69; 3.2.1.1 Ethernet 69; 3.2.1.2 PPPoE Encapsulation 71; 3.2.1.3 PPTP Encapsulation 72; 3.2.2 Internet Access Wizard: Second Screen 74; 3.2.3 Internet Access Wizard: Registration 75; 3.3 VPN Wizard Gateway Setting 78; 3.4 VPN Wizard Network Setting 80...
  • Page 13 ZyWALL 2 Plus User’s Guide: 6.1.1 Bridge Loop 103; 6.2 Spanning Tree Protocol (STP) 104; 6.2.1 Rapid STP 104; 6.2.2 STP Terminology 104; 6.2.3 How STP Works 105; 6.2.4 STP Port States 105; 6.3 Configuring Bridge 105; Chapter 7 WAN Screens 109; 7.1 WAN Overview 109; 7.2 TCP/IP Priority (Metric) 109; 7.3 WAN Route 109...
  • Page 14 ZyWALL 2 Plus User’s Guide: 8.11 Threshold Screen 145; 8.12 Service 146; 8.12.1 Firewall Edit Custom Service 148; 8.13 Solving the Asymmetrical Route Problem Example 149; 8.14 My Service Firewall Rule Example 150; Chapter 9 Content Filtering Screens 155; 9.1 Content Filtering Overview 155; 9.1.1 Restrict Web Features 155; 9.1.2 Create a Filter List 155...
  • Page 15 ZyWALL 2 Plus User’s Guide: 11.1.4.2 Encapsulation 189; 11.1.4.3 VPN, NAT, and NAT Traversal 190; 11.1.4.4 SA Life Time 191; 11.1.4.5 IPSec High Availability 191; 11.2 VPN Rules (IKE) 192; 11.3 VPN Rules (IKE) Gateway Policy Edit 194; 11.4 VPN Rules (IKE): Network Policy Edit 200; 11.5 VPN Rules (IKE): Network Policy Move 204; 11.6 VPN Rules (Manual) 205...
  • Page 16 ZyWALL 2 Plus User’s Guide: 13.3 RADIUS 243; 13.3.1 Types of RADIUS Messages 244; 13.4 Local User Database 244; 13.5 RADIUS 246; Chapter 14 Network Address Translation (NAT) 249; 14.1 NAT Overview 249; 14.1.1 NAT Definitions 249; 14.1.2 What NAT Does 250; 14.1.3 How NAT Works 250; 14.1.4 NAT Application 251; 14.1.5 Port Restricted Cone NAT 252...
  • Page 17 ZyWALL 2 Plus User’s Guide: 16.7.1 Priority-based Scheduler 271; 16.7.2 Fairness-based Scheduler 271; 16.7.3 Maximize Bandwidth Usage 271; 16.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic 272; 16.7.5 Maximize Bandwidth Usage Example 272; 16.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth 273; 16.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth ...
  • Page 18 ZyWALL 2 Plus User’s Guide: 18.3 WWW 299; 18.4 HTTPS Example 300; 18.4.1 Internet Explorer Warning Messages 301; 18.4.2 Netscape Navigator Warning Messages 301; 18.4.3 Avoiding the Browser Warning Messages 302; 18.4.4 Login Screen 303; 18.5 SSH 306; 18.6 How SSH Works 306; 18.7 SSH Implementation on the ZyWALL 307; 18.7.1 Requirements for Using SSH 307; 18.8 Configuring SSH 307...
  • Page 19 ZyWALL 2 Plus User’s Guide: Chapter 20 ALG Screen 333; 20.1 ALG Introduction 333; 20.1.1 ALG and NAT 333; 20.1.2 ALG and the Firewall 333; 20.2 FTP 334; 20.3 H.323 334; 20.4 RTP 334; 20.4.1 H.323 ALG Details 334; 20.5 SIP 335; 20.5.1 STUN 335; 20.5.2 SIP ALG Details 335; 20.5.3 SIP Signaling Session Timeout 336...
  • Page 20 ZyWALL 2 Plus User’s Guide: 22.10 F/W Upload Screen 361; 22.11 Backup and Restore 363; 22.11.1 Backup Configuration 364; 22.11.2 Restore Configuration 364; 22.11.3 Back to Factory Defaults 366; 22.12 Restart Screen 366; Chapter 23 Introducing the SMT 367; 23.1 Introduction to the SMT 367; 23.2 Accessing the SMT via the Console Port 367; 23.2.1 Initial Screen 367...
  • Page 21 ZyWALL 2 Plus User’s Guide: 26.3 LAN Port Filter Setup 393; 26.4 TCP/IP and DHCP Ethernet Setup Menu 394; 26.4.1 IP Alias Setup 397; Chapter 27 Internet Access 399; 27.1 Introduction to Internet Access Setup 399; 27.2 Ethernet Encapsulation 399; 27.3 Configuring the PPTP Client 401; 27.4 Configuring the PPPoE Client 401; 27.5 Basic Setup Complete 402...
  • Page 22 ZyWALL 2 Plus User’s Guide: 30.4.1 Internet Access Only 424; 30.4.2 Example 2: Internet Access with a Default Server 426; 30.4.3 Example 3: Multiple Public IP Addresses With Inside Servers 426; 30.4.4 Example 4: NAT Unfriendly Application Programs 430; 30.5 Trigger Port Forwarding 432; 30.5.1 Two Points To Remember About Trigger Ports 432; Chapter 31 Introducing the ZyWALL Firewall ...
  • Page 23 ZyWALL 2 Plus User’s Guide: 34.3.1 System Information 457; 34.3.2 Console Port Speed 458; 34.4 Log and Trace 459; 34.4.1 Viewing Error Log 459; 34.4.2 Syslog Logging 460; 34.4.3 Call-Triggering Packet 463; 34.5 Diagnostic 463; 34.5.1 WAN DHCP 464; Chapter 35 Firmware and Configuration File Maintenance ...
  • Page 24 ZyWALL 2 Plus User’s Guide: 36.1.1 Command Syntax 483; 36.1.2 Command Usage 484; 36.2 Call Control Support 485; 36.2.1 Budget Management 485; 36.2.2 Call History 486; 36.3 Time and Date Setting 487; Chapter 37 Remote Management 491; 37.1 Remote Management 491; 37.1.1 Remote Management Limitations 493; Chapter 38 Call Scheduling ...
  • Page 25 ZyWALL 2 Plus User’s Guide: Appendix G Importing Certificates 557; Appendix H Command Interpreter 569; Appendix I Firewall Commands 571; Appendix J NetBIOS Filter Commands 577; Appendix K Certificates Commands 579; Appendix L Brute-Force Password Guessing Protection 583; Appendix M Boot Commands ...
  • Page 26 ZyWALL 2 Plus User’s Guide Table of Contents...
  • Page 27: List Of Figures

    ZyWALL 2 Plus User’s Guide List of Figures: Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem 51; Figure 2 VPN Application 51; Figure 3 Front Panel 52; Figure 4 Change Password Screen 54; Figure 5 Replace Certificate Screen ...
  • Page 28 ZyWALL 2 Plus User’s Guide: Figure 39 Bridge Loop: Bridge Connected to Wired LAN 103; Figure 40 Bridge 106; Figure 41 WAN Route 110; Figure 42 WAN: Ethernet Encapsulation 113; Figure 43 WAN: PPPoE Encapsulation 116; Figure 44 WAN: PPTP Encapsulation ...
  • Page 29 ZyWALL 2 Plus User’s Guide: Figure 82 Requested URLs Example 176; Figure 83 Web Page Review Process Screen 177; Figure 84 VPN: High-Level Example 179; Figure 85 VPN: IKE SA and IPSec SA 180; Figure 86 IKE SA: Main Negotiation Mode 181; Figure 87 IKE SA: Aggressive Negotiation Mode ...
  • Page 30 ZyWALL 2 Plus User’s Guide: Figure 125 NAT Address Mapping Edit 257; Figure 126 Multiple Servers Behind NAT Example 259; Figure 127 Port Translation Example 259; Figure 128 Port Forwarding 260; Figure 129 Port Forwarding 262; Figure 130 Trigger Port Forwarding Process: Example ...
  • Page 31 ZyWALL 2 Plus User’s Guide: Figure 168 SNMP 316; Figure 169 DNS 317; Figure 170 CNM 318; Figure 171 UPnP 322; Figure 172 UPnP Ports 323; Figure 173 H.323 ALG Example 334; Figure 174 SIP ALG Example 335; Figure 175 ALG ...
  • Page 32 ZyWALL 2 Plus User’s Guide: Figure 211 Menu 1.1.1: DDNS Edit Host 379; Figure 212 MAC Address Cloning in WAN Setup 381; Figure 213 Menu 2: Dial Backup Setup 383; Figure 214 Menu 2.1: Advanced WAN Setup 384; Figure 215 Menu 11.2: Remote Node Profile (Backup ISP) ...
  • Page 33 ZyWALL 2 Plus User’s Guide: Figure 253 NAT Example 3 427; Figure 254 Example 3: Menu 11.1.2 428; Figure 255 Example 3: Menu 15.1.1.1 428; Figure 256 Example 3: Final Menu 15.1.1 429; Figure 257 Example 3: Menu 15.2 430; Figure 258 NAT Example 4 ...
  • Page 34 ZyWALL 2 Plus User’s Guide: Figure 296 System Maintenance: Restore Configuration 475; Figure 297 System Maintenance: Starting Xmodem Download Screen 475; Figure 298 Restore Configuration Example 475; Figure 299 Successful Restoration Confirmation Screen 476; Figure 300 Telnet Into Menu 24.7.1: Upload System Firmware 477; Figure 301 Telnet Into Menu 24.7.2: System Maintenance ...
  • Page 35 ZyWALL 2 Plus User’s Guide: Figure 339 Windows XP: Internet Protocol (TCP/IP) Properties 525; Figure 340 Macintosh OS 8/9: Apple Menu 526; Figure 341 Macintosh OS 8/9: TCP/IP 526; Figure 342 Macintosh OS X: Apple Menu 527; Figure 343 Macintosh OS X: Network ...
  • Page 36 ZyWALL 2 Plus User’s Guide: Figure 382 SSL Client Authentication 567; Figure 383 ZyWALL Secure Login Screen 567; Figure 384 Option to Enter Debug Mode 585; Figure 385 Boot Module Commands 586; Figure 386 Displaying Log Categories Example 604; Figure 387 Displaying Log Parameters Example ...
  • Page 37: List Of Tables

    ZyWALL 2 Plus User’s Guide List of Tables: Table 1 Front Panel Lights 52; Table 2 Web Configurator HOME Screen in Router Mode 56; Table 3 Web Configurator HOME Screen in Bridge Mode 59; Table 4 Bridge and Router Mode Features Comparison 61; Table 5 Screens Summary ...
  • Page 38 ZyWALL 2 Plus User’s Guide: Table 39 Rule Summary 138; Table 40 Firewall Edit Rule 141; Table 41 Anti-Probing 143; Table 42 Firewall Threshold 145; Table 43 Firewall Service 147; Table 44 Firewall Edit Custom Service 148; Table 45 Content Filter: General ...
  • Page 39 ZyWALL 2 Plus User’s Guide: Table 82 NAT Address Mapping 256; Table 83 NAT Address Mapping Edit 257; Table 84 Port Forwarding 261; Table 85 Port Triggering 264; Table 86 IP Static Route 266; Table 87 IP Static Route Edit 267; Table 88 Application and Subnet-based Bandwidth Management Example ...
  • Page 40 ZyWALL 2 Plus User’s Guide: Table 125 General Setup 352; Table 126 Password Setup 353; Table 127 Time and Date 354; Table 128 Default Time Servers 356; Table 129 MAC-address-to-port Mapping Table 358; Table 130 Device Mode (Router Mode) 359; Table 131 Device Mode (Bridge Mode) ...
  • Page 41 ZyWALL 2 Plus User’s Guide: Table 168 Menu 15.3: Trigger Port Setup 433; Table 169 Abbreviations Used in the Filter Rules Summary Menu 442; Table 170 Rule Abbreviations Used 443; Table 171 Menu 21.1.1.1: TCP/IP Filter Rule 444; Table 172 Generic Filter Rule Menu Fields ...
  • Page 42 ZyWALL 2 Plus User’s Guide: Table 211 Class C Subnet Planning 538; Table 212 Class B Subnet Planning 539; Table 213 Commonly Used Services 541; Table 214 Firewall Commands 571; Table 215 NetBIOS Filter Default Settings 578; Table 216 Certificates Commands ...
  • Page 43: Preface

    Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
  • Page 44: Syntax Conventions

    ZyWALL 2 Plus User’s Guide Syntax Conventions • “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices. • The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font.
  • Page 45: Getting to Know Your ZyWALL

    ZyWALL 2 Plus User’s Guide CHAPTER 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates.
  • Page 46: Non-Physical Features

    ZyWALL 2 Plus User’s Guide Time and Date The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. Reset Button Use the reset button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.
  • Page 47 ZyWALL 2 Plus User’s Guide X-Auth (Extended Authentication) X-Auth provides added security for VPN by requiring each VPN client to use a user name and password. Certificates The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 48: PPTP Encapsulation

    ZyWALL 2 Plus User’s Guide RADIUS (RFC2138, 2139) RADIUS (Remote Authentication Dial In User Service) server enables user authentication, authorization and accounting. IEEE 802.1x for Network Security The ZyWALL supports the IEEE 802.1x standard that works with the IEEE 802.11 to enhance user authentication.
  • Page 49: Traffic Redirect

    ZyWALL 2 Plus User’s Guide IP Alias IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet LAN interface, with the ZyWALL itself as the gateway for each network. Central Network Management Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL.
  • Page 50: Applications for the ZyWALL

    ZyWALL 2 Plus User’s Guide Full Network Management The embedded web configurator is an all-platform, web-based utility that allows you to easily manage and configure the ZyWALL. Most functions of the ZyWALL are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
  • Page 51: VPN Application

    ZyWALL 2 Plus User’s Guide Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem 1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. In the following diagram, A is a VPN Client for secure remote management, B is a VPN client for remote access, and C is a remote IPSec router.
  • Page 52: Front Panel Lights

    ZyWALL 2 Plus User’s Guide 1.3.3 Front Panel Lights Figure 3 Front Panel The following table describes the lights. Table 1 Front Panel Lights COLOR STATUS DESCRIPTION The ZyWALL is turned off. Green The ZyWALL is turned on. Flashing The ZyWALL is performing system tests. The power to the ZyWALL is too low.
  • Page 53: Introducing the Web Configurator

    ZyWALL 2 Plus User’s Guide CHAPTER 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser.
  • Page 54: Resetting the ZyWALL

    ZyWALL 2 Plus User’s Guide Figure 4 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
  • Page 55: Procedure To Use The Reset Button

    ZyWALL 2 Plus User’s Guide 2.3.1 Procedure To Use The Reset Button Make sure the SYS LED is on (not blinking) before you begin this procedure. 1 Press the RESET button for ten seconds, and then release it. The ZyWALL restarts with the defaults restored.
  • Page 56: Router Mode

    ZyWALL 2 Plus User’s Guide 2.4.1 Router Mode The following screen displays when the ZyWALL is set to router mode. The ZyWALL is set to router mode by default. Figure 7 Web Configurator HOME Screen in Router Mode Use submenus to configure ZyWALL features.
  • Page 57 ZyWALL 2 Plus User’s Guide Table 2 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Routing Protocol This shows the routing protocol - IP for which the ZyWALL is configured. This field is not configurable. Device Mode This displays whether the ZyWALL is functioning as a router or a bridge. Firewall This displays whether or not the ZyWALL’s firewall is activated.
  • Page 58: Bridge Mode

    ZyWALL 2 Plus User’s Guide Table 2 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Renew If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port’s dynamically assigned IP address and get the IP address afresh.
  • Page 59: Figure 8 Web Configurator HOME Screen in Bridge Mode

    ZyWALL 2 Plus User’s Guide Figure 8 Web Configurator HOME Screen in Bridge Mode The following table describes the labels in this screen. Table 3 Web Configurator HOME Screen in Bridge Mode LABEL DESCRIPTION Wizards for VPN Quick Setup Click VPN to configure a Virtual Private Network (VPN) policy for secure communications between sites.
  • Page 60 ZyWALL 2 Plus User’s Guide Table 3 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION System Time This field displays your ZyWALL’s present date and time along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone.
  • Page 61: Navigation Panel

    ZyWALL 2 Plus User’s Guide Table 3 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION Show Statistics Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each port. VPN Status Click VPN Status to display the active VPN (secure) connections.
  • Page 62: Table 5 Screens Summary

    ZyWALL 2 Plus User’s Guide Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 63 ZyWALL 2 Plus User’s Guide Table 5 Screens Summary (continued) LINK FUNCTION CERTIFICATES My Certificates Use this screen to view a summary list of certificates and manage certificates and certification requests. Trusted CAs Use this screen to view and manage the list of the trusted CAs. Trusted Use this screen to view and manage the certificates belonging to Remote Hosts...
  • Page 64: System Statistics

    ZyWALL 2 Plus User’s Guide Table 5 Screens Summary (continued) LINK FUNCTION UPnP UPnP Use this screen to enable UPnP on the ZyWALL. Ports Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Use this screen to allow certain applications to pass through the ZyWALL.
  • Page 65: DHCP Table Screen

    ZyWALL 2 Plus User’s Guide The following table describes the labels in this screen. Table 6 Home: Show Statistics LABEL DESCRIPTION Port These are the ZyWALL’s interfaces. Status For the LAN, this displays the port speed and duplex setting. For the WAN and dial backup ports, this displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
  • Page 66: VPN Status

    ZyWALL 2 Plus User’s Guide Figure 10 Home: DHCP Table The following table describes the labels in this screen. Table 7 Home: DHCP Table LABEL DESCRIPTION Interface Select an interface to show the current DHCP client information for the specified interface.
  • Page 67: Figure 11 Home: VPN Status

    ZyWALL 2 Plus User’s Guide Figure 11 Home: VPN Status The following table describes the labels in this screen. Table 8 Home: VPN Status LABEL DESCRIPTION This is the security association index number. Name This field displays the identification name for this VPN policy. Local Network This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
  • Page 68 ZyWALL 2 Plus User’s Guide Chapter 2 Introducing the Web Configurator...
  • Page 69: Chapter 3 Wizard Setup

    ZyWALL 2 Plus User’s Guide CHAPTER 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview The web configurator's setup wizards help you configure the WAN port to access the Internet, edit VPN policies and configure IKE settings to establish a VPN tunnel.
  • Page 70: Figure 12 ISP Parameters: Ethernet Encapsulation

    ZyWALL 2 Plus User’s Guide Figure 12 ISP Parameters: Ethernet Encapsulation The following table describes the labels in this screen. Table 9 ISP Parameters: Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 71: PPPoE Encapsulation

    ZyWALL 2 Plus User’s Guide 3.2.1.2 PPPoE Encapsulation Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
  • Page 72: PPTP Encapsulation

    ZyWALL 2 Plus User’s Guide Table 10 ISP Parameters: PPPoE Encapsulation (continued) LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. WAN IP Address Assignment IP Address Select Dynamic If your ISP did not assign you a fixed IP address.
  • Page 73: Figure 14 ISP Parameters: PPTP Encapsulation

    ZyWALL 2 Plus User’s Guide Note: The ZyWALL supports one PPTP server connection at any given time. Figure 14 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 11 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation...
  • Page 74: Internet Access Wizard: Second Screen

    ZyWALL 2 Plus User’s Guide Table 11 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION PPTP Configuration My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP address of the PPTP server.
  • Page 75: Internet Access Wizard: Registration

    ZyWALL 2 Plus User’s Guide Figure 16 Internet Access Setup Complete 3.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 15 on page 74), the following screen displays. Note: If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION Service screen.
  • Page 76: Figure 18 Internet Access Wizard: Registration In Progress

    ZyWALL 2 Plus User’s Guide The following table describes the labels in this screen. Table 12 Internet Access Wizard: Registration LABEL DESCRIPTION Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available. New myZyXEL.com account If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
  • Page 77: Figure 19 Internet Access Wizard: Status

    ZyWALL 2 Plus User’s Guide Figure 19 Internet Access Wizard: Status The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Figure 20 Internet Access Wizard: Registration Failed If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
  • Page 78: VPN Wizard Gateway Setting

    ZyWALL 2 Plus User’s Guide Figure 22 Internet Access Wizard: Activated Services 3.3 VPN Wizard Gateway Setting A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy identifies the IPSec routers at either end of a VPN tunnel. A network policy specifies which devices (behind the IPSec routers) can use the VPN tunnel.
  • Page 79: Figure 24 IPSec Fields Summary

    ZyWALL 2 Plus User’s Guide Figure 24 IPSec Fields Summary Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. Click VPN Wizard in the HOME screen to open the VPN configuration wizard.
  • Page 80: VPN Wizard Network Setting

    ZyWALL 2 Plus User’s Guide Table 13 VPN Wizard: Gateway Setting LABEL DESCRIPTION My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0.
  • Page 81: Table 14 VPN Wizard: Network Setting

    ZyWALL 2 Plus User’s Guide The following table describes the labels in this screen. Table 14 VPN Wizard: Network Setting LABEL DESCRIPTION Network Policy Property Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
  • Page 82: VPN Wizard IKE Tunnel Setting (IKE Phase 1)

    ZyWALL 2 Plus User’s Guide 3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) Figure 27 VPN Wizard: IKE Tunnel Setting The following table describes the labels in this screen. Table 15 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection.
  • Page 83: VPN Wizard IPSec Setting (IKE Phase 2)

    ZyWALL 2 Plus User’s Guide Table 15 VPN Wizard: IKE Tunnel Setting (continued) LABEL DESCRIPTION Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  • Page 84: Vpn Wizard Status Summary

    The following table describes the labels in this screen. Table 16 VPN Wizard: IPSec Setting. Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems.
  • Page 85: Figure 29 Vpn Wizard: Vpn Status

    Figure 29 VPN Wizard: VPN Status. The following table describes the labels in this screen. Table 17 VPN Wizard: VPN Status. Gateway Policy Property. Name: This is the name of this VPN gateway policy. Gateway Policy Setting. My ZyWALL...
  • Page 86: Table 17 VPN Wizard: VPN Status (continued). Name: This is the name of this VPN network policy. Network Policy Setting. Local Network Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL. Ending IP Address/ When the local network is configured for a single IP address, this field is N/A.
  • Page 87: Vpn Wizard Setup Complete

    3.8 VPN Wizard Setup Complete. Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL. Figure 30 VPN Wizard Setup Complete...
  • Page 89: Chapter 4 Registration

    Chapter 4 Registration. 4.1 myZyXEL.com overview. myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. Note: You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 90: Figure 31 Registration

    Figure 31 Registration. The following table describes the labels in this screen. Table 18 Registration. Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available. New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
  • Page 91: Service

    Table 18 Registration (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated.
  • Page 92: Figure 33 Registration: Service

    Figure 33 Registration: Service. The following table describes the labels in this screen. Table 19 Service. Service Management. Service: This field displays the service name available on the ZyWALL. Status: This field displays whether a service is activated (Active) or not (Inactive). Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
  • Page 93: Chapter 5 Lan Screens

    Chapter 5 LAN Screens. This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. 5.1 LAN, WAN and the ZyWALL. A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL’s LAN ports.
  • Page 94: Private Ip Addresses

    If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
  • Page 95: Dhcp

    5.3 DHCP. The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information, such as the IP addresses of DNS servers, to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server.
  • Page 96: Wins

    IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
  • Page 97: Figure 35 Lan

    Figure 35 LAN. The following table describes the labels in this screen. Table 20 LAN. LAN TCP/IP. IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default.
  • Page 98: Lan Static Dhcp

    Table 20 LAN (continued). Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data.
  • Page 99: Figure 36 Lan Static Dhcp

    Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.
  • Page 100: Lan Ip Alias

    5.9 LAN IP Alias. IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface, with the ZyWALL itself as the gateway for each LAN network. When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets).
  • Page 101: Table 22 Lan Ip Alias

    The following table describes the labels in this screen. Table 22 LAN IP Alias. Enable IP Alias 1, Select the check box to configure another LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
  • Page 103: Chapter 6 Bridge Screens

    Chapter 6 Bridge Screens. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 6.1 Bridge. The ZyWALL can serve as a transparent firewall (also known as a bridge firewall) in order to provide firewall protection against denial of service attacks without.
  • Page 104: Spanning Tree Protocol (Stp)

    6.2 Spanning Tree Protocol (STP). STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network. 6.2.1 Rapid STP. The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only...
  • Page 105: How Stp Works

    6.2.3 How STP Works. After a bridge determines the lowest-cost spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP.
  • Page 106: Figure 40 Bridge

    Figure 40 Bridge. The following table describes the labels in this screen. Table 25 Bridge. Bridge Setup. IP Address: Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
  • Page 107: Table 25 Bridge (continued). Rapid Spanning Tree Protocol Setup. Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL. Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. 0 is the highest.
  • Page 109: Chapter 7 Wan Screens

    Chapter 7 WAN Screens. This chapter describes how to configure WAN settings. 7.1 WAN Overview. • Use the WAN Route screen to configure route priority. • Use the WAN screen to configure the WAN port for Internet access. •...
  • Page 110: Figure 41 Wan Route

    Figure 41 WAN Route. The following table describes the labels in this screen. Table 26 WAN Route. Route Priority: The default WAN connection is "1", as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
  • Page 111: Wan Ip Address Assignment

    7.4 WAN IP Address Assignment. Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems.
  • Page 112: Wan Mac Address

    7.6 WAN MAC Address. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
  • Page 113: Figure 42 Wan: Ethernet Encapsulation

    Figure 42 WAN: Ethernet Encapsulation. The following table describes the labels in this screen. Table 29 WAN: Ethernet Encapsulation. ISP Parameters for Internet Access. Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 114: Table 29 WAN: Ethernet Encapsulation (continued). Retype to Confirm: Type your password again to make sure that you have entered it correctly. Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
  • Page 115: Pppoe Encapsulation

    Table 29 WAN: Ethernet Encapsulation (continued). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
  • Page 116: Figure 43 Wan: Pppoe Encapsulation

    Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. The screen shown next is for PPPoE encapsulation. Figure 43 WAN: PPPoE Encapsulation...
  • Page 117: Table 30 Wan: Pppoe Encapsulation

    The following table describes the labels in this screen. Table 30 WAN: PPPoE Encapsulation. ISP Parameters for Internet Access. Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet).
  • Page 118: Table 30 WAN: PPPoE Encapsulation (continued). RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only.
  • Page 119: Pptp Encapsulation

    7.7.3 PPTP Encapsulation. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.
  • Page 120: Table 31 Wan: Pptp Encapsulation

    The following table describes the labels in this screen. Table 31 WAN: PPTP Encapsulation. ISP Parameters for Internet Access. Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 121: Table 31 WAN: PPTP Encapsulation (continued). Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 122: Traffic Redirect

    7.8 Traffic Redirect. Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection. In the following figure, your ZyWALL is labeled A, the gateway is labeled B and the backup gateway is labeled C.
  • Page 123: Configuring Dial Backup

    Figure 47 Traffic Redirect. The following table describes the labels in this screen. Table 32 Traffic Redirect. Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
  • Page 124: Figure 48 Dial Backup

    Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Figure 48 Dial Backup...
  • Page 125: Table 33 Dial Backup

    The following table describes the labels in this screen. Table 33 Dial Backup. Dial Backup Setup. Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings. Login Name: Type the login name assigned by your ISP. Password: Type the password assigned by your ISP.
  • Page 126: Table 33 Dial Backup (continued). Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving).
  • Page 127: Advanced Modem Setup

    Table 33 Dial Backup (continued). Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 7.11 Advanced Modem Setup. 7.11.1 AT Command Strings. For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing.
  • Page 128: Figure 49 Advanced Setup

    Figure 49 Advanced Setup. The following table describes the labels in this screen. Table 34 Advanced Setup. AT Command Strings. Dial: Type the AT Command string to make a call. Drop: Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath"...
  • Page 129: Table 34 Advanced Setup (continued). Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
  • Page 131: Chapter 8 Firewall Screens

    Chapter 8 Firewall Screens. This chapter shows you how to configure your ZyWALL’s firewall. 8.1 Firewall Overview. In networking, a firewall is a system or group of systems that enforces an access-control policy between two networks.
  • Page 132: Firewall Connection Directions

    Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
  • Page 133: Security Considerations

    8.3 Security Considerations. Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
  • Page 134: Figure 52 Limited Lan To Wan Irc Traffic Example

    Your firewall would have the following configuration. Table 35 Blocking All LAN to WAN IRC Traffic Example. SOURCE DESTINATION SCHEDULE SERVICE ACTION: Drop; Default: Allow. • The first row blocks LAN access to the IRC service on the WAN. •...
  • Page 135: Firewall Default Rule (Router Mode)

    Your firewall would have the following configuration. Table 36 Limited LAN to WAN IRC Traffic Example. SOURCE DESTINATION SCHEDULE SERVICE ACTION: 192.168.1.7 Allow; Drop; Default: Allow. • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN.
  • Page 136: Firewall Default Rule (Bridge Mode)

    The following table describes the labels in this screen. Table 37 Default Rule (Router Mode). Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Allow Asymmetrical... If an alternate gateway on the LAN has an IP address in the same subnet as the...
  • Page 137: Figure 54 Default Rule (Bridge Mode)

    Figure 54 Default Rule (Bridge Mode). The following table describes the labels in this screen. Table 38 Default Rule (Bridge Mode). Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 138: Firewall Rule Summary

    8.7 Firewall Rule Summary. Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules. Note: The ordering of your rules is very important, as rules are applied in the order that they are listed.
  • Page 139: Firewall Edit Rule

    Table 39 Rule Summary. Destination Address: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any. Service Type: This drop-down list box displays the services to which this firewall rule applies.
  • Page 140: Figure 56 Firewall Edit Rule

    Figure 56 Firewall Edit Rule...
  • Page 141: Table 40 Firewall Edit Rule

    The following table describes the labels in this screen. Table 40 Firewall Edit Rule. Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed. Edit Source/Destination Address...
  • Page 142: Anti-Probing

    Table 40 Firewall Edit Rule (continued). Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
  • Page 143: Denial Of Service Attacks

    The following table describes the labels in this screen. Table 41 Anti-Probing. Respond to PING: Select the interface that you want to reply to incoming Ping requests. Select Disable to have the ZyWALL not respond to any incoming Ping requests. Do not respond to requests for...: Select this option to prevent hackers from finding the ZyWALL by probing for...
  • Page 144: Firewall Thresholds

    8.10 Firewall Thresholds. For DoS attacks, the ZyWALL uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions. For TCP, half-open means that the session has not reached the established state: the TCP three-way handshake has not yet been completed.
  • Page 145: Threshold Screen

    If you often use P2P applications such as file sharing with eMule or eDonkey, it’s recommended that you increase the threshold values, since lots of sessions will be established during a small period of time and the ZyWALL may classify them as DoS attacks. 8.11 Threshold Screen. Click SECURITY >...
  • Page 146: Service

    Table 42 Firewall Threshold (continued). One Minute High: This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts.
  • Page 147: Figure 61 Firewall Service

    Figure 61 Firewall Service. The following table describes the labels in this screen. Table 43 Firewall Service. Custom Service: This table shows all configured custom services. This is the index number of the custom service. Service Name: This is the name of the service.
  • Page 148: Firewall Edit Custom Service

    Table 43 Firewall Service (continued). Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services. Predefined Service: This table shows all the services that are already configured for use in firewall rules.
  • Page 149: Solving The Asymmetrical Route Problem Example

    Table 44 Firewall Edit Custom Service. Type/Code: This field is available only when you select ICMP in the IP Protocol field. ICMP messages are identified by their types and, in some cases, codes. Enter the type number in the Type field, then select the Code radio button and enter the code number, if any.
  • Page 150: My Service Firewall Rule Example

    8.14 My Service Firewall Rule Example. The following Internet firewall rule example allows a hypothetical My Service connection from the Internet. 1 In the Service screen, click Add to open the Edit Custom Service screen. Figure 64 My Service Firewall Rule Example: Service. 2 Configure it as follows and click Apply.
  • Page 151: Figure 66 My Service Firewall Rule Example: Rule Summary

    Figure 66 My Service Firewall Rule Example: Rule Summary. 6 Enter the name of the firewall rule. 7 Select Any in the Destination Address(es) box and then click Delete. 8 Configure the destination address fields as follows and click Add. Figure 67 My Service Firewall Rule Example: Rule Edit. 9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows.
  • Page 152: Figure 68 My Service Firewall Rule Example: Rule Configuration

    Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box. Figure 68 My Service Firewall Rule Example: Rule Configuration...
  • Page 153: Figure 69 My Service Firewall Rule Example: Rule Summary

    Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Figure 69 My Service Firewall Rule Example: Rule Summary...
  • Page 155: Content Filtering Screens

    Chapter 9 Content Filtering Screens. This chapter provides an overview of content filtering. 9.1 Content Filtering Overview. Content filtering allows you to block web features such as ActiveX controls, Java applets and cookies, and to disable web proxies.
  • Page 156: Figure 70 Content Filter: General

    Figure 70 Content Filter: General. The following table describes the labels in this screen. Table 45 Content Filter: General. General Setup. Enable Content Filter: Select this check box to enable the content filter. Restrict Web Features: Select the check box(es) to restrict a feature.
  • Page 157: Category Based Content Filtering

    Table 45 Content Filter: General (continued). Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to circumvent content filtering by pointing to this proxy server.
  • Page 158: Content Filter Categories

    Figure 71 Content Filtering Lookup Procedure. 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache.
  • Page 159: Figure 72 Content Filter: Categories

    Figure 72 Content Filter: Categories. The following table describes the labels in this screen. Table 46 Content Filter: Categories. Auto Category Setup. Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs.
  • Page 160: Table 46 Content Filter: Categories (continued). Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.
  • Page 161: Table 46 Content Filter: Categories (continued). Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco.
  • Page 162: Table 46 Content Filter: Categories (continued). Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
  • Page 163: Table 46 Content Filter: Categories (continued). News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
  • Page 164: Table 46 Content Filter: Categories (continued). Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of an adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
  • Page 165: Content Filter Customization

    9.5 Content Filter Customization. Click SECURITY > CONTENT FILTER > Customization to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses.
  • Page 166: Table 47 Content Filter: Customization

    The following table describes the labels in this screen. Table 47 Content Filter: Customization. Web Site List Customization. Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites.
  • Page 167: Customizing Keyword Blocking Url Checking

    Table 47 Content Filter: Customization (continued). Click this button when you have finished adding keywords in the field above. Delete: Select a keyword from the Keyword List, and then click this button to delete it from that list.
  • Page 168: Content Filtering Cache

    Use the command ip urlfilter customize actionFlags 8 [disable | enable] to extend (or not extend) the keyword blocking search to include the URL's complete filename. 9.7 Content Filtering Cache. Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen.
  • Page 169: Table 48 Content Filter: Cache

    The following table describes the labels in this screen. Table 48 Content Filter: Cache. URL Cache Setup. Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
  • Page 171: Content Filtering Reports

    Chapter 10 Content Filtering Reports. This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 4 on page 89 for how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.
  • Page 172: Figure 75 Myzyxel.com: Login

    Figure 75 myZyXEL.com: Login. 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 77 on page 173).
  • Page 173: Figure 77 Myzyxel.com: Service Management

    Figure 77 myZyXEL.com: Service Management. 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 77 on page 173). Type your myZyXEL.com account password in the Password field.
  • Page 174: Figure 79 Content Filtering Reports Main Screen

    Figure 79 Content Filtering Reports Main Screen. 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 80 Blue Coat: Report Home. 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 175: Figure 81 Global Report Screen Example

    Figure 81 Global Report Screen Example
    11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 176: Web Site Submission

    Figure 82 Requested URLs Example
    10.3 Web Site Submission
    You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
  • Page 177: Figure 83 Web Page Review Process Screen

    Figure 83 Web Page Review Process Screen
    3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
  • Page 179: Chapter 11 Ipsec Vpn

    Chapter 11 IPSec VPN
    This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL.
    11.1 IPSec VPN Overview
    A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines.
  • Page 180: Ike Sa

    Figure 85 VPN: IKE SA and IPSec SA
    In some situations, you might want to set up a VPN tunnel quickly and temporarily. In this case, you can create an IPSec SA using manual keys. In this kind of VPN tunnel, there is no IKE SA, and you specify the encryption and authentication keys manually.
  • Page 181: Figure 86 Ike Sa: Main Negotiation Mode

    Main mode is illustrated by the example below, where the ZyWALL (X) is initiating an IKE
    Figure 86 IKE SA: Main Negotiation Mode
    One or more proposals, each consisting of:
    - encryption algorithm (see Section 11.1.4.1 on page 187)
    - authentication algorithm (see Section 11.1.4.1 on page...
  • Page 182: Figure 87 Ike Sa: Aggressive Negotiation Mode

    Main mode provides better security because your identity is encrypted in steps 5 and 6. The trade-off is the number of steps it takes to establish the IKE SA. In contrast, aggressive mode is faster but does not provide as much security. This mode is illustrated below.
    Figure 87 IKE SA: Aggressive Negotiation Mode
    One or more proposals, each consisting of:
    - encryption algorithm (see...
  • Page 183: Zywall And Remote Ipsec Router

    • authentication method (and extended authentication) - these characteristics control how the ZyWALL and remote IPSec router authenticate each other.
    • additional properties - these characteristics include the IKE SA life time, NAT traversal, and so on. See Section 11.1.2.3 on page 186 for SA life time, Section 11.1.4.3 on page...
  • Page 184: Table 49 Vpn Example: Matching Id Type And Content

    The ZyWALL and the remote IPSec router authenticate each other using an ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification.
  • Page 185: Ipsec Sas Using Ike Sas

    Extended authentication is helpful when multiple IPSec routers use one VPN rule to connect to a single IPSec router. In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) verifies a user name and password from the other router using the local user database or an external RADIUS server.
  • Page 186: Local And Remote Network

    11.1.2.2 Local and Remote Network
    If IPSec SAs have overlapping local networks and overlapping remote networks, only one of these IPSec SAs can be set to active at a time. If a packet has to be routed through an overlapping (inactive) connection, it is dropped.
  • Page 187: Additional Ipsec Vpn Topics

    uniquely identify a particular security association. When an IPSec SA using manual keys is established, the SPI is transmitted from the remote IPSec router to the ZyWALL. The ZyWALL then uses the network, encryption and key values that the administrator associated with the SPI to establish the IPSec SA.
  • Page 188: Table 51 Vpn: Types Of Encryption And Authentication In Esp And Ah

    There is a relationship between the active protocol and the types of encryption and authentication algorithms that are available. This relationship is illustrated in Table 51 on page 188, where more information is also provided about each type of encryption and authentication algorithm.
  • Page 189: Encapsulation

    11.1.4.2 Encapsulation
    IPSec VPNs use either transport mode or tunnel mode to encapsulate packets. These modes are illustrated below.
    Table 52 VPN: Transport and Tunnel Mode Encapsulation
    Original Packet: IP Header | Data
    Transport Mode Packet: IP Header | IPSec Header | Data ...
  • Page 190: Vpn, Nat, And Nat Traversal

    11.1.4.3 VPN, NAT, and NAT Traversal
    NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec SA using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address.
  • Page 191: Sa Life Time

    11.1.4.4 SA Life Time
    One characteristic of SAs is the SA life time. The SA lifetime specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations: •...
  • Page 192: Vpn Rules (Ike)

    Figure 89 IPSec High Availability
    11.2 VPN Rules (IKE)
    A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy identifies the IPSec routers at either end of a VPN tunnel. This is used in setting up the IKE (phase 1) security association (SA).
  • Page 193: Figure 91 Ipsec Fields Summary

    Figure 91 IPSec Fields Summary
    Click VPN to display the VPN Rules (IKE) screen. Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use IKE SAs.
    Figure 92 VPN Rules (IKE)
    The following table describes the labels in this screen.
  • Page 194: Vpn Rules (Ike) Gateway Policy Edit

    Table 54 VPN Rules (IKE) (continued)
    ZyWALL: This represents your ZyWALL. The WAN IP address, domain name or dynamic domain name of your ZyWALL displays in router mode. The ZyWALL’s IP address displays in bridge mode.
    Remote: This represents the remote secure gateway.
  • Page 195: Figure 93 Vpn Rules (Ike): Gateway Policy: Edit

    Figure 93 VPN Rules (IKE): Gateway Policy: Edit
  • Page 196: Table 55 Vpn Rules (Ike): Gateway Policy: Edit

    The following table describes the labels in this screen.
    Table 55 VPN Rules (IKE): Gateway Policy: Edit
    Property
    Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 197

    Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
    Fail back to Primary Remote Gateway when possible: Select this to have the ZyWALL fall back to using the primary remote gateway if the connection becomes available again.
    Fail Back Check...
  • Page 198

    Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
    Peer ID Type: Select from the following when you set Authentication Key to Pre-shared Key.
    • Select IP to identify the remote IPSec router by its IP address.
    •...
  • Page 199

    Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
    Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ user names and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 13 on page...
  • Page 200: Vpn Rules (Ike): Network Policy Edit

    Table 55 VPN Rules (IKE): Gateway Policy: Edit (continued)
    Enable Multiple Proposals: Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algorithms when negotiating an IPSec SA. When you enable multiple proposals, the ZyWALL allows the remote IPSec router to select which encryption and authentication algorithms to use for the VPN tunnel, even if they are less secure than the ones you configure for the VPN rule.
  • Page 201: Figure 94 Vpn Rules (Ike): Network Policy Edit

    Figure 94 VPN Rules (IKE): Network Policy Edit
  • Page 202: Table 56 Vpn Rules (Ike): Network Policy Edit

    The following table describes the labels in this screen.
    Table 56 VPN Rules (IKE): Network Policy Edit
    Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
  • Page 203

    Table 56 VPN Rules (IKE): Network Policy Edit (continued)
    Starting IP Address: When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 204: Vpn Rules (Ike): Network Policy Move

    Table 56 VPN Rules (IKE): Network Policy Edit (continued)
    Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
  • Page 205: Vpn Rules (Manual)

    Figure 95 VPN Rules (IKE): Network Policy Move
    The following table describes the labels in this screen.
    Table 57 VPN Rules (IKE): Network Policy Move
    Network Policy Information: The following fields display the general network settings of this VPN policy.
    Name: This field displays the policy name.
  • Page 206: Figure 96 Vpn Rules (Manual)

    Use this screen to manage the ZyWALL’s list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management.
    Figure 96 VPN Rules (Manual)
    The following table describes the labels in this screen.
  • Page 207: Vpn Rules (Manual): Edit

    Table 58 VPN Rules (Manual) (continued)
    IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
    Remote Gateway Address: This is the static WAN IP address or domain name of the remote IPSec router.
    Modify: Click the edit icon to edit the VPN policy.
  • Page 208: Figure 97 Vpn Rules (Manual): Edit

    Figure 97 VPN Rules (Manual): Edit
    The following table describes the labels in this screen.
    Table 59 VPN Rules (Manual) Edit
    Property
    Active: Select this check box to activate this VPN policy.
    Name: Type up to 32 characters to identify this VPN policy.
  • Page 209

    Table 59 VPN Rules (Manual) Edit (continued)
    Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
  • Page 210: Vpn Sa Monitor

    Table 59 VPN Rules (Manual) Edit (continued)
    Remote Gateway Addr: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection.
    Manual Proposal
    Type a unique SPI (Security Parameter Index) from one to four characters long.
  • Page 211: Vpn Global Setting

    Figure 98 VPN: SA Monitor
    The following table describes the labels in this screen.
    Table 60 VPN: SA Monitor
    This is the security association index number.
    Name: This field displays the identification name for this VPN policy.
    Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
  • Page 212: Figure 99 Vpn: Global Setting

    Figure 99 VPN: Global Setting
    The following table describes the labels in this screen.
    Table 61 VPN: Global Setting
    Output Idle Timer: When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity.
  • Page 213: Telecommuter Vpn/Ipsec Examples

    Table 61 VPN: Global Setting (continued)
    VPN rules skip applying to the overlap range of local and remote IP addresses: When you configure a VPN rule, the ZyWALL checks to make sure that the IP addresses in the local and remote networks do not overlap. Select this check box to disable the check if you need to configure a VPN policy with addresses...
  • Page 214: Telecommuters Using Unique Vpn Rules Example

    Table 62 Telecommuters Sharing One VPN Rule Example
    FIELDS | TELECOMMUTERS | HEADQUARTERS
    My ZyWALL: | 0.0.0.0 (dynamic IP address assigned by the ISP) | Public static IP address
    Remote Gateway Address: | Public static IP address | 0.0.0.0 With this IP address only the telecommuter can initiate the IPSec tunnel.
  • Page 215: Vpn And Remote Management

    Table 63 Telecommuters Using Unique VPN Rules Example
    TELECOMMUTERS | HEADQUARTERS
    All Telecommuter Rules: | All Headquarters Rules:
    My ZyWALL 0.0.0.0 | My ZyWALL: bigcompanyhq.com
    Remote Gateway Address: bigcompanyhq.com | Local Network - Single IP Address: 192.168.1.10
    Remote Network - Single IP Address: 192.168.1.10 |
    Local ID Type: E-mail | Peer ID Type: E-mail
    Local ID Content: bob@bigcompanyhq.com | Peer ID Content: bob@bigcompanyhq.com...
  • Page 216: Figure 102 Vpn For Remote Management Example

    In the following example, the VPN rule’s local network (A) includes the ZyWALL’s LAN IP address of 192.168.1.7. Someone in the remote network (B) can use a service (like HTTP for example) through the VPN tunnel to access the ZyWALL’s LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL’s LAN interface.
  • Page 217: Chapter 12 Certificates

    Chapter 12 Certificates
    This chapter gives background information about public-key certificates and explains how to use them.
    12.1 Certificates Overview
    The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 218: Advantages Of Certificates

    Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 219: My Certificates

    12.4 My Certificates
    Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.
    Figure 104 My Certificates
    The following table describes the labels in this screen.
  • Page 220

    Table 64 My Certificates (continued)
    Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
  • Page 221: My Certificate Import

    12.5 My Certificate Import
    Click SECURITY > CERTIFICATES > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
    Note: You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL.
  • Page 222: My Certificate Create

    The following table describes the labels in this screen.
    Table 65 My Certificate Import
    File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
    Browse: Click Browse to find the certificate file you want to upload.
  • Page 223: Table 66 My Certificate Create

    The following table describes the labels in this screen.
    Table 66 My Certificate Create
    Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
    Subject Information: Use these fields to record information that identifies the owner of the certificate.
  • Page 224: My Certificate Details

    Table 66 My Certificate Create (continued)
    Enrollment Protocol: Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
  • Page 225: Figure 107 My Certificate Details

    Figure 107 My Certificate Details
  • Page 226: Table 67 My Certificate Details

    The following table describes the labels in this screen.
    Table 67 My Certificate Details
    Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
  • Page 227: Trusted Cas

    Table 67 My Certificate Details (continued)
    Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
    Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
  • Page 228: Figure 108 Trusted Cas

    Figure 108 Trusted CAs
    The following table describes the labels in this screen.
    Table 68 Trusted CAs
    PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 229: Trusted Ca Import

    Table 68 Trusted CAs (continued)
    Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificates.
  • Page 230: Trusted Ca Details

    12.10 Trusted CA Details
    Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 231: Table 70 Trusted Ca Details

    The following table describes the labels in this screen.
    Table 70 Trusted CA Details
    Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
  • Page 232: Trusted Remote Hosts

    Table 70 Trusted CA Details (continued)
    Subject Alternative Name: This field displays the certificate’s owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
    Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
  • Page 233: Figure 111 Trusted Remote Hosts

    Figure 111 Trusted Remote Hosts
    The following table describes the labels in this screen.
    Table 71 Trusted Remote Hosts
    PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 234: Verifying A Trusted Remote Host's Certificate

    Table 71 Trusted Remote Hosts (continued)
    Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL.
    Refresh: Click this button to display the current validity status of the certificates.
  • Page 235: Trusted Remote Hosts Import

    Figure 113 Certificate Details
    Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
    12.13 Trusted Remote Hosts Import
    Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen.
  • Page 236: Trusted Remote Host Certificate Details

    Figure 114 Trusted Remote Host Import
    The following table describes the labels in this screen.
    Table 72 Trusted Remote Host Import
    File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
    Browse: Click Browse to find the certificate file you want to upload.
  • Page 237: Figure 115 Trusted Remote Host Details

    Figure 115 Trusted Remote Host Details
    The following table describes the labels in this screen.
    Table 73 Trusted Remote Host Details
    Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 238

    Table 73 Trusted Remote Host Details (continued)
    Certificate Information: These read-only fields display detailed information about the certificate.
    Type: This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification Authority that signed the certificate.
  • Page 239: Directory Servers

    Table 73 Trusted Remote Host Details (continued)
    Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
  • Page 240: Directory Server Add Or Edit

    The following table describes the labels in this screen.
    Table 74 Directory Servers
    PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached.
  • Page 241: Table 75 Directory Server Add

    The following table describes the labels in this screen.
    Table 75 Directory Server Add
    Directory Service Setting
    Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
    Access Protocol: Use the drop-down list box to select the access protocol used by the directory server.
  • Page 243: Authentication Server

    Chapter 13 Authentication Server
    This chapter discusses how to configure the ZyWALL’s authentication server feature.
    13.1 Authentication Server Overview
    A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or a RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) server for an unlimited number of users.
  • Page 244: Types Of Radius Messages

    13.3.1 Types of RADIUS Messages
    The following types of RADIUS messages are exchanged between the ZyWALL and the RADIUS server for user authentication:
    • Access-Request: Sent by an access point requesting authentication.
    • Access-Reject: Sent by a RADIUS server rejecting access.
    •...
  • Page 245: Figure 118 Local User Database

    Figure 118 Local User Database
  • Page 246: Radius

    The following table describes the labels in this screen.
    Table 76 Local User Database
    Active: Select this check box to enable the user profile.
    User Name: Enter the user name of the user profile.
    Password: Enter a password up to 31 characters long for this user profile.
  • Page 247: Table 77 Radius

    The following table describes the labels in this screen.
    Table 77 RADIUS
    Authentication Server
    Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL.
  • Page 249: Network Address Translation (Nat)

    Chapter 14 Network Address Translation (NAT)
    This chapter discusses how to configure NAT on the ZyWALL.
    14.1 NAT Overview
    NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 250: What Nat Does

    14.1.2 What NAT Does
    In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
  • Page 251: Nat Application

    14.1.4 NAT Application
    The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. In this example, corporation A’s networks are labeled A, and Corporation B’s networks are labeled B.
  • Page 252: Port Restricted Cone Nat

    14.1.5 Port Restricted Cone NAT
    At the time of writing, ZyWALL ZyNOS version 4.00 uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network.
  • Page 253: Using Nat

    • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.
    Note: Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
    The following table summarizes these types.
  • Page 254: Nat Overview

    14.3 NAT Overview
    Click ADVANCED > NAT to open the NAT Overview screen.
    Figure 123 NAT Overview
    The following table describes the labels in this screen.
    Table 81 NAT Overview
    Global Settings
    Max. Concurrent Sessions: This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time.
  • Page 255: Nat Address Mapping

    14.4 NAT Address Mapping
    Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
  • Page 256: Nat Address Mapping Edit

    The following table describes the labels in this screen.
    Table 82 NAT Address Mapping
    SUA Address Mapping Rules: This read-only table displays the default address mapping rules.
    Full Feature Address Mapping Rules
    This is the rule index number.
    Local Start IP: This refers to the Inside Local Address (ILA), which is the starting local IP address.
  • Page 257: Figure 125 Nat Address Mapping Edit

    Figure 125 NAT Address Mapping Edit
    The following table describes the labels in this screen.
    Table 83 NAT Address Mapping Edit
    Type: Choose the port mapping type from one of the following.
    1. One-to-One: One-to-One mode maps one local IP address to one global IP address.
  • Page 258: Port Forwarding

    14.5 Port Forwarding
    A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
  • Page 259: Port Translation

    Figure 126 Multiple Servers Behind NAT Example
    14.5.4 Port Translation
    The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the LAN.
  • Page 260: Port Forwarding Screen

    14.6 Port Forwarding Screen
    Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
    Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. Refer to Appendix E on page 541 for port numbers commonly used for particular services.
  • Page 261: Port Forwarding Wan To Lan Http Rule Example

    The following table describes the labels in this screen.
    Table 84 Port Forwarding
    Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 262: Port Triggering

    Figure 129 Port Forwarding
    14.8 Port Triggering
    Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN).
  • Page 263: Figure 130 Trigger Port Forwarding Process: Example

    For example: Figure 130 Trigger Port Forwarding Process: Example 1 Jane’s computer, labeled J in the figure, requests a file from the Real Audio server (port 7070) labeled S in the figure. 2 Port 7070 is a “trigger” port and causes the ZyWALL to record Jane’s computer IP address.
  • Page 264: Figure 131 Port Triggering

    Figure 131 Port Triggering The following table describes the labels in this screen. Table 85 Port Triggering LABEL DESCRIPTION This is the rule index number (read-only). Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
  • Page 265: Chapter 15 Static Route

    Chapter 15 Static Route This chapter shows you how to configure static routes for your ZyWALL. 15.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 266: Ip Static Route Edit

    Figure 133 IP Static Route The following table describes the labels in this screen. Table 86 IP Static Route LABEL DESCRIPTION This is the number of an individual static route. Name: This is the name that describes or identifies this route. Active: This field shows whether this static route is active (Yes) or not (No).
  • Page 267: Figure 134 Ip Static Route Edit

    Figure 134 IP Static Route Edit The following table describes the labels in this screen. Table 87 IP Static Route Edit LABEL DESCRIPTION Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route. Active: This field allows you to activate/deactivate this static route.
  • Page 268: Chapter 15 Static Route
  • Page 269: Chapter 16 Bandwidth Management

    Chapter 16 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 16.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic.
  • Page 270: Proportional Bandwidth Allocation

    16.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 16.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).
  • Page 271: Application And Subnet-Based Bandwidth Management

    16.6 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets. Table 88 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A...
  • Page 272: Reserving Bandwidth For Non-Bandwidth Class Traffic

    When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels.
  • Page 273: Priority-Based Allotment Of Unused And Unbudgeted Bandwidth

    16.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets. Table 90 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example BANDWIDTH CLASSES, PRIORITIES AND ALLOTMENTS Root Class: 10240 kbps Administration: Priority 4, 1024 kbps...
  • Page 274: Bandwidth Borrowing

    16.8 Bandwidth Borrowing Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a sub-class to allow the sub-class to use its parent class’s unused bandwidth.
  • Page 275: Maximize Bandwidth Usage With Bandwidth Borrowing

    • The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled. • The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
  • Page 276: Figure 136 Bandwidth Management: Summary

    Figure 136 Bandwidth Management: Summary The following table describes the labels in this screen. Table 93 Bandwidth Management: Summary LABEL DESCRIPTION Class: These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
  • Page 277: Configuring Class Setup

    16.11 Configuring Class Setup The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root class.
  • Page 278: Bandwidth Manager Class Configuration

    Table 94 Bandwidth Management: Class Setup (continued) LABEL DESCRIPTION Edit: Click Edit to configure the selected class. You cannot edit the root class. Delete: Click Delete to delete the class and all its sub-classes. You cannot delete the root class.
  • Page 279: Figure 138 Bandwidth Management: Edit Class

    Figure 138 Bandwidth Management: Edit Class The following table describes the labels in this screen. Table 95 Bandwidth Management: Edit Class LABEL DESCRIPTION Class Configuration Class Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
  • Page 280: Table 95 Bandwidth Management: Edit Class (continued) LABEL DESCRIPTION Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
  • Page 281: Bandwidth Management Statistics

    Table 95 Bandwidth Management: Edit Class (continued) LABEL DESCRIPTION Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. Table 96 Services and Port Numbers SERVICES PORT NUMBER ECHO...
  • Page 282: Configuring Monitor

    The following table describes the labels in this screen. Table 97 Bandwidth Management: Statistics LABEL DESCRIPTION Class Name: This field displays the name of the class the statistics page is showing. Budget (kbps): This field displays the amount of bandwidth allocated to the class. Tx Packets: This field displays the total number of packets transmitted.
  • Page 283: Table 98 Bandwidth Management: Monitor

    The following table describes the labels in this screen. Table 98 Bandwidth Management: Monitor LABEL DESCRIPTION Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class: This field displays the name of the bandwidth class.
  • Page 284: Chapter 16 Bandwidth Management
  • Page 285: Chapter 17 Dns

    Chapter 17 DNS This chapter shows you how to configure the DNS screens. 17.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 286: Address Record

    17.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www”...
  • Page 287: System Screen

    Figure 141 Private DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
  • Page 288: Adding An Address Record

    The following table describes the labels in this screen. Table 99 System DNS LABEL DESCRIPTION Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain.
  • Page 289: Inserting A Name Server Record

    Figure 143 System DNS: Add Address Record The following table describes the labels in this screen. Table 100 System DNS: Add Address Record LABEL DESCRIPTION FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name.
  • Page 290: Figure 144 System Dns: Insert Name Server Record

    Figure 144 System DNS: Insert Name Server Record The following table describes the labels in this screen. Table 101 System DNS: Insert Name Server Record LABEL DESCRIPTION Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
  • Page 291: Dns Cache

    17.7 DNS Cache DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyWALL received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period.
  • Page 292: Configuring Dns Dhcp

    The following table describes the labels in this screen. Table 102 DNS Cache LABEL DESCRIPTION DNS Cache Setup Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.
  • Page 293: Figure 146 Dns Dhcp

    Figure 146 DNS DHCP The following table describes the labels in this screen. Table 103 DNS DHCP LABEL DESCRIPTION DNS Servers Assigned by DHCP: The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients.
  • Page 294: Dynamic Dns

    17.10 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 295: Figure 147 Ddns

    Figure 147 DDNS The following table describes the labels in this screen. Table 104 DDNS LABEL DESCRIPTION Account Setup Active: Select this check box to use dynamic DNS. Service Provider: This is the name of your Dynamic DNS service provider. Username: Enter your user name.
  • Page 296: Table 104 DDNS LABEL DESCRIPTION IP Address Update Policy: Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static IP address.
  • Page 297: Chapter 18 Remote Management

    Chapter 18 Remote Management This chapter provides information on the Remote Management screens. 18.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 298: System Timeout

    2 You have disabled that service in one of the remote management screens. 3 The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately. 4 There is already another remote management session with an equal or higher priority running.
  • Page 299: Www

    Figure 148 HTTPS Implementation Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 18.3 WWW Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to change your ZyWALL’s web settings.
  • Page 300: Https Example

    The following table describes the labels in this screen. Table 105 WWW LABEL DESCRIPTION HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 301: Internet Explorer Warning Messages

    18.4.1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 302: Avoiding The Browser Warning Messages

    Figure 151 Security Certificate 1 (Netscape) Figure 152 Security Certificate 2 (Netscape) 18.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. •...
  • Page 303: Login Screen

    • The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
  • Page 304: Figure 154 Login Screen (Netscape)

    Figure 154 Login Screen (Netscape) Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models. Figure 155 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
  • Page 305: Figure 156 Device-Specific Certificate

    Figure 156 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 157 Common ZyWALL Certificate
  • Page 306: Ssh

    18.5 SSH Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. The SSH server is labeled A, and the SSH client is labeled B.
  • Page 307: Ssh Implementation On The Zywall

    The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys.
  • Page 308: Secure Telnet Using Ssh Examples

    Figure 159 SSH The following table describes the labels in this screen. Table 107 SSH LABEL DESCRIPTION Server Host Key: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 12 on page 217 for details).
  • Page 309: Example 2: Linux

    2 Configure the SSH client to accept connection using SSH version 1. 3 A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 160 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL.
  • Page 310: Secure Ftp Using Ssh Example

    Figure 162 SSH Example 2: Log in $ ssh -1 192.168.1.1 The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 311: Telnet

    18.11 Telnet You can configure your ZyWALL for remote Telnet access as shown next. The computer using telnet to access the LAN is labeled A, and the arrow shows the direction of incoming traffic. Figure 164 Telnet Configuration on a TCP/IP Network 18.12 Configuring TELNET Click ADVANCED >...
  • Page 312: Ftp

    Table 108 Telnet (continued) LABEL DESCRIPTION Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service.
  • Page 313: Snmp

    Table 109 FTP LABEL DESCRIPTION Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service.
  • Page 314: Table 110 Snmp Traps

    An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
  • Page 315: Supported Mibs

    18.14.3 REMOTE MANAGEMENT: SNMP To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown. Figure 168 SNMP The following table describes the labels in this screen. Table 111 SNMP LABEL DESCRIPTION SNMP...
  • Page 316: Figure 169 Dns

    Table 111 SNMP (continued) LABEL DESCRIPTION Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service.
  • Page 317: Dns

    Table 112 DNS LABEL DESCRIPTION Apply: Click Apply to save your customized settings. Reset: Click Reset to begin configuring this screen afresh. 18.16 Introducing Vantage CNM Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide.
  • Page 318: Configuring Cnm

    The following table describes the labels in this screen. Table 113 CNM LABEL DESCRIPTION Registration Information Registration Status: This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server.
  • Page 319: Chapter 18 Remote Management
  • Page 320: Chapter 18 Remote Management
  • Page 321: Chapter 19 Upnp

    Chapter 19 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 19.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 322: Upnp And Zyxel

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 19.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™...
  • Page 323: Displaying Upnp Port Mapping

    Table 114 UPnP LABEL DESCRIPTION Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device;...
  • Page 324: Installing Upnp In Windows Example

    Table 115 UPnP Ports (continued) LABEL DESCRIPTION Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
  • Page 325: Installing Upnp In Windows Me

    19.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start > Settings > Control Panel. Double-click Add/Remove Programs. 2 Click Windows Setup and select Communication in the Components selection box.
  • Page 326: Installing Upnp In Windows Xp

    19.4.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 1 Click Start > Settings > Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 327: Auto-Discover Your Upnp-Enabled Network Device

    19.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start > Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 328: Web Configurator Easy Access

    Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
  • Page 329: Follow the steps below to access the web configurator. 1 Click Start > Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network.
  • Page 330: 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 331: Chapter 19 UPnP
  • Page 332: Chapter 19 UPnP
  • Page 333: Chapter 20 Alg Screen

    Chapter 20 ALG Screen This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 20.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL.
  • Page 334: Ftp

    20.2 FTP File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files.
  • Page 335: Sip

    20.5 SIP The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
  • Page 336: Sip Signaling Session Timeout

    20.5.3 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout default (60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period.
  • Page 337: The following table describes the labels in this screen. Table 116 ALG LABEL DESCRIPTION Enable FTP: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Protocol) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
  • Page 338: Chapter 20 ALG Screen
  • Page 339: Chapter 21 Logs Screens

    Chapter 21 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix N on page 587 for example log message explanations. 21.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location.
  • Page 340: Log Description Example

    Table 117 View Log (continued) LABEL DESCRIPTION Time: This field displays the time the log was recorded. See Section 22.4 on page 353 to configure the ZyWALL’s time and date. Message: This field states the reason for the log. Source: This field lists the source IP address and the port number of the incoming packet.
  • Page 341: Certificate Not Trusted Log Note

    21.2.1 Certificate Not Trusted Log Note myZyXEL.com and the update server use a certificate signed by VeriSign to identify themselves. The default configuration file includes a trusted CA certificate signed by VeriSign. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.com and the update server.
  • Page 342: Configuring Log Settings

    Figure 178 myZyXEL.com: Certificate Download 21.3 Configuring Log Settings To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL sends logs, the schedule for when the ZyWALL sends the logs, and which logs and/or immediate alerts the ZyWALL sends.
  • Page 343: Figure 179 Log Settings

    Figure 179 Log Settings
  • Page 344: Table 119 Log Settings

    The following table describes the labels in this screen. Table 119 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 345: Configuring Reports

    Table 119 Log Settings (continued) LABEL DESCRIPTION Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field. Log Consolidation Active: Some logs (such as the Attacks logs) may be so numerous that it becomes...
  • Page 346: Figure 180 Reports

    Figure 180 Reports Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 120 Reports LABEL DESCRIPTION Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data. Send Raw Traffic Statistics: Select the check box and click Apply to have the ZyWALL send unprocessed traffic...
  • Page 347: Viewing Web Site Hits

    21.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 348: Viewing Host Ip Address

    Figure 182 Protocol/Port Report Example The following table describes the labels in this screen. Table 122 Protocol/Port Report LABEL DESCRIPTION Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
  • Page 349: Reports Specifications

    Figure 183 Host IP Address Report Example The following table describes the labels in this screen. Table 123 Host IP Address Report LABEL DESCRIPTION IP Address: This column lists the LAN IP addresses to and/or from which the most traffic has been sent.
  • Page 350: Chapter 21 Logs Screens
  • Page 351: Chapter 22 Maintenance

    Chapter 22 Maintenance This chapter displays information on the maintenance screens. 22.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 22.2 General Setup 22.2.1 General Setup and System Name General Setup contains administrative and system-related information.
  • Page 352: Configuring Password

    Figure 184 General Setup The following table describes the labels in this screen. Table 125 General Setup LABEL DESCRIPTION General Setup System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
  • Page 353: Time And Date

    Figure 185 Password Setup The following table describes the labels in this screen. Table 126 Password Setup LABEL DESCRIPTION Old Password: Type the default password or the existing password you use to access the system in this field.
  • Page 354: Figure 186 Time And Date

    Figure 186 Time and Date. The following table describes the labels in this screen. Table 127 Time and Date: Current Time and Date: Current Time: This field displays the ZyWALL’s present time. Current Date: This field displays the ZyWALL’s present date.
  • Page 355

    Table 127 Time and Date (continued): Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the time server you specified below. Time Protocol: Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 356: Pre-Defined Ntp Time Servers List

    22.5 Pre-defined NTP Time Servers List. When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined NTP time servers. Until a synchronization succeeds, log entries and any time-based checks use that 2000-01-01 clock, so treat timestamps from a freshly booted unit with care.
  • Page 357: Figure 187 Synchronization In Process

    When the System Time and Date Synchronization in Process screen appears, wait up to one minute. Figure 187 Synchronization in Process. Click the Return button to go back to the Time and Date screen after the time and date have been updated successfully.
  • Page 358: Introduction To Transparent Bridging

    22.6 Introduction To Transparent Bridging. A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge inspects the source address of each incoming frame on a port and learns which MAC addresses to associate with that port.
  • Page 359: Configuring Device Mode (Router)

    3 Because a transparent bridge does not modify the frames it forwards and adds no IP hop, it is effectively “stealth”: hosts on either side see no router in the path. It is not invisible in an absolute sense, since the ZyWALL still has a management IP address in bridge mode (see the Device Mode screen), so restrict access to that address as you would on a router. Bridging devices are most useful in complex environments that require a rapid or new firewall deployment, because the existing network does not have to be readdressed.
  • Page 360: Configuring Device Mode (Bridge)

    Table 130 Device Mode (Router Mode) (continued): Bridge: Select this radio button and configure the following fields, then click Apply to set the ZyWALL to bridge mode. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: Enter the IP subnet mask of the ZyWALL.
  • Page 361: F/W Upload Screen

    Table 131 Device Mode (Bridge Mode) (continued): Device Mode Setup: Router: Select this radio button and click Apply to set the ZyWALL to router mode. LAN Interface IP Address: Enter the IP address of your ZyWALL’s LAN port in dotted decimal notation. 192.168.1.1 is the factory default.
  • Page 362: Figure 192 Firmware Upload

    Figure 192 Firmware Upload. The following table describes the labels in this screen. Table 132 Firmware Upload: File Path: Type in the location of the file you want to upload in this field or click Browse... to find it. Browse...
  • Page 363: Backup And Restore

    Figure 194 Network Temporarily Disconnected. After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
  • Page 364: Backup Configuration

    Figure 196 Backup and Restore. 22.11.1 Backup Configuration: Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The file holds the complete configuration, including the system password and the ISP login credentials entered in the menus described later, so protect it as you would those secrets.
  • Page 365: Figure 197 Configuration Upload Successful

    Note: Do not turn off the ZyWALL while a configuration file upload is in progress. After you see a “restore configuration successful” screen, wait one minute before logging into the ZyWALL again. Figure 197 Configuration Upload Successful. The ZyWALL automatically restarts during this time, causing a temporary network disconnect.
  • Page 366: Back To Factory Defaults

    22.11.3 Back to Factory Defaults: Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear. Figure 200 Reset Warning Message. You can also press the RESET button on the rear panel to restore the factory defaults of your ZyWALL. Either method also restores the default system password, so anyone with physical access to the rear panel can regain administrative access; keep the unit physically secured.
  • Page 367: Chapter 23 Introducing The Smt

    CHAPTER 23 Introducing the SMT. This chapter explains how to access the System Management Terminal and gives an overview of its menus. 23.1 Introduction to the SMT: The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a Telnet connection. Telnet sends the system password and every keystroke in clear text, so prefer the console port or limit Telnet access to trusted management hosts.
  • Page 368: Entering The Password

    Figure 202 Initial Screen
        Copyright (c) 1994 - 2006 ZyXEL Communications Corp.
        initialize ch =0, ethernet address: 00:A0:C5:01:23:45
        initialize ch =1, ethernet address: 00:A0:C5:01:23:46
        AUX port init . done
        Modem init . inactive
        Press ENTER to continue...
  • Page 369: Main Menu

    Table 134 Main Menu Commands: Move the cursor: [ENTER] or [UP]/[DOWN] arrow keys: Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] arrow keys to move to the previous and the next field, respectively.
  • Page 370: Figure 204 Main Menu (Router Mode)

    Figure 204 Main Menu (Router Mode)
        Copyright (c) 1994 - 2005 ZyXEL Communications Corp.
        ZyWALL 2 Plus Main Menu
        Getting Started                    Advanced Management
          1. General Setup                   21. Filter and Firewall Setup
          2. WAN Setup                       22. SNMP Configuration
          3.
  • Page 371: Smt Menus Overview

    The following table describes the fields in this menu. Table 135 Main Menu Summary: 1 General Setup: Use this menu to set up device mode, dynamic DNS and administrative information. 2 WAN Setup: Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection.
  • Page 372

    Table 136 SMT Menus Overview (continued): 11 Remote Node Setup: 11.1 Remote Node Profile; 11.1.2 Remote Node Network Layer Options; 11.1.4 Remote Node Filter; 11.1.5 Traffic Redirect Setup; 11.2 Remote Node Profile; 11.2.1 Remote Node PPP (Backup ISP) Options...
  • Page 373: Changing The System Password

    Table 136 SMT Menus Overview (continued): 24 System Maintenance: 24.1 System Status; 24.2 System Information and Console Port Speed: 24.2.1 System Information, 24.2.2 Console Port Speed; 24.3 Log and Trace: 24.3.1 View Error Log, 24.3.2 Syslog Logging, 24.3.4 Call-Triggering Packet; 24.4 Diagnostic...
  • Page 374: Resetting The Zywall

    3 Type your new system password and press [ENTER]. 4 Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an “x” for each character you type. 23.5 Resetting the ZyWALL: See Section 2.3 on page 54 for directions on resetting the ZyWALL.
  • Page 375: Smt Menu 1 - General Setup

    CHAPTER 24 SMT Menu 1 - General Setup. 24.1 Introduction to General Setup: Menu 1 - General Setup contains administrative and system-related information. 24.2 Configuring General Setup: 1 Enter 1 in the main menu to open Menu 1 - General Setup.
  • Page 376: Figure 208 Menu 1: General Setup (Bridge Mode)

    Table 137 Menu 1: General Setup (Router Mode) (continued): Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS, discussed next. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…”...
  • Page 377: Configuring Dynamic Dns

    24.2.1 Configuring Dynamic DNS: To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen, go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
  • Page 378: Figure 210 Menu 1.1.1: Ddns Host Summary

    Figure 210 Menu 1.1.1: DDNS Host Summary
        Menu 1.1.1 - DDNS Host Summary
        Summary
        -------------------------------------------------------------------------
        Hostname=MyDevice, Type=Dynamic, WC=No, Offline=No, Policy=WAN IP,
        (remaining host entries empty)
        Select Command= None
        Select Rule= N/A
        Press ENTER to Confirm or ESC to Cancel:
        Press Space Bar to Toggle.
  • Page 379: Figure 211 Menu 1.1.1: Ddns Edit Host

    Figure 211 Menu 1.1.1: DDNS Edit Host
        Menu 1.1.1 - DDNS Edit Host
        Hostname= MyDevice
        DDNS Type= DynamicDNS
        Enable Wildcard Option= No
        Enable Off Line Option= N/A
        IP Address Update Policy:
          Let DDNS Server Auto Detect= No
          Use User-Defined= No
          Use WAN IP Address= N/A
        Press ENTER to Confirm or ESC to Cancel:...
  • Page 380

    Table 141 Menu 1.1.1: DDNS Edit Host (continued): Let DDNS Server Auto Detect: Only select this option when there are one or more NAT routers between the ZyWALL and the DDNS server. Press [SPACE BAR] to select Yes and then press [ENTER] to have the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
  • Page 381: Wan And Dial Backup Setup

    CHAPTER 25 WAN and Dial Backup Setup. This chapter describes how to configure the WAN using menu 2 and dial backup using menus 2.1 and 11.2. 25.1 Introduction to WAN and Dial Backup Setup: This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.
  • Page 382: Dial Backup

    The following table describes the fields in this screen. Table 142 MAC Address Cloning in WAN Setup: MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC address.
  • Page 383: Advanced Wan Setup

    Figure 213 Menu 2: Dial Backup Setup
        Menu 2 - WAN Setup
        MAC Address:
          Assigned By= Factory default
          IP Address= N/A
        Dial-Backup:
          Active= No
          Port Speed= 115200
          AT Command String:
            Init= at&fs0=0
          Edit Advanced Setup= Yes
        Press ENTER to Confirm or ESC to Cancel:
    The following table describes the fields in this menu.
  • Page 384: Figure 214 Menu 2.1: Advanced Wan Setup

    Figure 214 Menu 2.1: Advanced WAN Setup
        Menu 2.1 - Advanced WAN Setup
        AT Command Strings:               Call Control:
          Dial= atdt                        Dial Timeout(sec)= 60
          Drop= ~~+++~~ath                  Retry Count= 0
          Answer= ata                       Retry Interval(sec)= N/A
                                            Drop Timeout(sec)= 20
        Drop DTR When Hang Up= Yes          Call Back Delay(sec)= 15
        AT Response Strings:...
  • Page 385: Remote Node Profile (Backup Isp)

    Table 145 Advanced WAN Port Setup: Call Control Parameters: Call Control: Dial Timeout (sec): Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 386: Figure 215 Menu 11.2: Remote Node Profile (Backup Isp)

    Figure 215 Menu 11.2: Remote Node Profile (Backup ISP)
        Menu 11.2 - Remote Node Profile (Backup ISP)
        Rem Node Name=                    Edit PPP Options= No
        Active= No                        Edit IP= No
        Outgoing:                         Edit Script Options= No
          My Login= ChangeMe
          My Password= ********           Telco Option:
          Retype to Confirm= ********...
  • Page 387: Editing Ppp Options

    Table 146 Menu 11.2: Remote Node Profile (Backup ISP) (continued): Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.2.2 - Remote Node Network Layer Options. See Section 25.8 on page 388 for more information.
  • Page 388: Editing Tcp/Ip Options

    Figure 216 Menu 11.2.1: Remote Node PPP Options
        Menu 11.2.1 - Remote Node PPP Options
        Encapsulation= Standard PPP
        Compression= No
        Enter here to CONFIRM or ESC to CANCEL:
    This table describes the Remote Node PPP Options menu and contains instructions on how to configure the PPP options fields.
  • Page 389: Figure 217 Menu 11.2.2: Remote Node Network Layer Options

    Figure 217 Menu 11.2.2: Remote Node Network Layer Options
        Menu 11.2.2 - Remote Node Network Layer Options
        IP Address Assignment= Static
        Rem IP Addr= 0.0.0.0
        Rem Subnet Mask= 0.0.0.0
        My WAN Addr= 0.0.0.0
        Network Address Translation= SUA Only
        Metric= 15
        Private= No
        RIP Direction= None...
  • Page 390: Editing Login Script

    Table 148 Menu 11.2.2: Remote Node Network Layer Options: Version: Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1, RIP-2B and RIP-2M. Multicast: IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group.
  • Page 391: Remote Node Filter

    after you enter the password, then you should create a third set to match the final “PPP...” but without a “Send” string. Otherwise, the ZyWALL will start PPP prematurely right after sending your password to the server. If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout”...
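    The expect/send behaviour described above, as an added example that is not part of the ZyXEL manual or firmware: a small simulator walks a login script's sets against a constructed modem transcript and reports whether PPP would start after the server's “PPP” banner, before it (the premature case the text warns about), or not at all because a set waited longer than Dial Timeout. The transcript, the prompt and credential strings, and the rule that the timeout is measured per set are assumptions.

```python
"""Simulate a ZyWALL-style dial-backup login script (expect/send sets).

Added example, not ZyXEL code. Assumed model: the script sets are processed in
order; each set waits for its Expect string in the server's output, then sends
its Send string (if any); when the last set completes, PPP starts. A set that
waits longer than Dial Timeout aborts the script.
"""
from dataclasses import dataclass


@dataclass
class ScriptSet:
    expect: str       # text to wait for from the server
    send: str = ""    # text to send once it is seen; "" sends nothing


# Constructed server transcript: (seconds since the modem connected, text).
# The server prints its "PPP" banner about two seconds after the password.
SERVER_OUTPUT = [
    (0.5, "Welcome to Example ISP\r\nlogin: "),
    (1.0, "password: "),
    (3.0, "Authentication succeeded.\r\nPPP session starting...\r\n"),
]

# Two sets only: PPP would start right after the password is sent.
TWO_SET_SCRIPT = [
    ScriptSet("login:", "user1\r"),
    ScriptSet("password:", "secret\r"),
]

# Third set matches the final "PPP" banner and sends nothing, as the manual advises.
THREE_SET_SCRIPT = TWO_SET_SCRIPT + [ScriptSet("PPP")]


def run_login_script(sets, server_output, dial_timeout):
    """Return (result, clock, sent) after walking `sets` against `server_output`.

    result is 'ppp' (PPP starts after the server finished its banner),
    'premature' (PPP would start while the server is still printing text) or
    'timeout' (a set waited more than dial_timeout seconds for its Expect).
    """
    pending = list(server_output)   # chunks the server has not yet printed
    buffer = ""                     # received text not yet consumed by a set
    clock = 0.0
    sent = []
    for s in sets:
        set_started = clock
        while s.expect not in buffer:
            if not pending or pending[0][0] - set_started > dial_timeout:
                return "timeout", clock, sent
            clock, chunk = pending.pop(0)
            buffer += chunk
        buffer = buffer.split(s.expect, 1)[1]   # consume through the match
        if s.send:
            sent.append(s.send)
    # Script finished, so PPP starts now. Anything the server still has to
    # print (the banner) would collide with PPP negotiation frames.
    still_to_come = "".join(text for _, text in pending)
    if "PPP" in still_to_come:
        return "premature", clock, sent
    return "ppp", clock, sent


if __name__ == "__main__":
    for name, script in (("two sets", TWO_SET_SCRIPT), ("three sets", THREE_SET_SCRIPT)):
        print(name, run_login_script(script, SERVER_OUTPUT, dial_timeout=60))
```

    With two sets the script ends at the password and the banner is still to come, so PPP starts prematurely; the expect-only third set delays PPP until the banner has been seen, and a set that never sees its string (or sees it too late) ends in a timeout rather than a half-negotiated link.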
  • Page 392: Figure 219 Menu 11.2.4: Remote Node Filter

    Use menu 11.2.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL, to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example 1, 5, 9, 12, in each filter field.
  • Page 393: Chapter 26 Lan Setup

    CHAPTER 26 LAN Setup. This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 26.1 Introduction to LAN Setup: This chapter describes how to configure the ZyWALL for LAN connections. 26.2 Accessing the LAN Menus: From the main menu, enter 3 to open Menu 3 - LAN Setup.
  • Page 394: Tcp/Ip And Dhcp Ethernet Setup Menu

    Figure 221 Menu 3.1: LAN Port Filter Setup
        Menu 3.1 - LAN Port Filter Setup
        Input Filter Sets:
          protocol filters=
          device filters=
        Output Filter Sets:
          protocol filters=
          device filters=
        Press ENTER to Confirm or ESC to Cancel:
    26.4 TCP/IP and DHCP Ethernet Setup Menu: From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP and DHCP Ethernet setup.
  • Page 395: Figure 223 Menu 3.2: Tcp/Ip And Dhcp Ethernet Setup

    Figure 223 Menu 3.2: TCP/IP and DHCP Ethernet Setup
        Menu 3.2 - TCP/IP and DHCP Ethernet Setup
        DHCP= Server                            TCP/IP Setup:
        Client IP Pool:                           IP Address= 192.168.1.1
          Starting Address= 192.168.1.33          IP Subnet Mask= 255.255.255.0
          Size of Client IP Pool= 128
        First DNS Server= From ISP...
  • Page 396: Table 151 Menu 3.2: Lan Tcp/Ip Setup Fields

    Table 150 Menu 3.2: DHCP Ethernet Setup Fields: First DNS Server / Second DNS Server: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).
  • Page 397: Ip Alias Setup

    26.4.1 IP Alias Setup: IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface, with the ZyWALL itself as the gateway for each LAN network. You must use menu 3.2 to configure the first network. Because all three logical networks share one physical segment and broadcast domain, IP alias separates addressing, not traffic: a host on the wire can reach a host in another alias subnet directly, without passing through the ZyWALL's filters.
  • Page 398

    Table 152 Menu 3.2.1: IP Alias Setup (continued): Outgoing Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL. When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
  • Page 399: Chapter 27 Internet Access

    CHAPTER 27 Internet Access. This chapter shows you how to configure your ZyWALL for Internet access. 27.1 Introduction to Internet Access Setup: Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 400: Table 153 Menu 4: Internet Access Setup (Ethernet)

    The following table describes the fields in this menu. Table 153 Menu 4: Internet Access Setup (Ethernet): ISP’s Name: This is the descriptive name of your ISP for identification purposes. Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
  • Page 401: Configuring The Pptp Client

    27.3 Configuring the PPTP Client. Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 402: Basic Setup Complete

    Figure 227 Internet Access Setup (PPPoE)
        Menu 4 - Internet Access Setup
        ISP's Name= WAN_1
        Encapsulation= PPPoE
        Service Type= N/A
        My Login=
        My Password= ********
        Retype to Confirm= ********
        Idle Timeout= 100
        IP Address Assignment= Dynamic
        IP Address= N/A
        IP Subnet Mask= N/A
        Gateway IP Address= N/A...
  • Page 403: Chapter 28 Remote Node Setup

    CHAPTER 28 Remote Node Setup. This chapter shows you how to configure a remote node. 28.1 Introduction to Remote Node Setup: A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 404: Ethernet Encapsulation

    28.3.1 Ethernet Encapsulation: There are three variations of menu 11.x depending on whether you choose Ethernet, PPPoE or PPTP encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet port. The first menu 11.x screen you see is for Ethernet encapsulation, shown next.
  • Page 405: Pppoe Encapsulation

    Table 156 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued): My Login: This field is applicable for PPPoE encapsulation only. Enter the login name assigned by your ISP when the ZyWALL calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellc) to access the PPPoE server.
  • Page 406: Outgoing Authentication Protocol

    Figure 230 Menu 11.1: Remote Node Profile for PPPoE Encapsulation
        Menu 11.1 - Remote Node Profile
        Rem Node Name= ChangeMe           Route= IP
        Active= Yes                       Bridge= No
        Encapsulation= PPPoE              Edit IP= No
        Service Type= Standard            Telco Option:
        Service Name=                       Allocated Budget(min)= 0
        Outgoing:...
  • Page 407: Metric

    28.3.2.3 Metric: See Section 7.2 on page 109 for details on the Metric field. Table 157 Fields in Menu 11.1 (PPPoE Encapsulation Specific): Service Name: If you are using PPPoE encapsulation, then type the name of your PPPoE service here.
  • Page 408: Edit Ip

    Figure 231 Menu 11.1: Remote Node Profile for PPTP Encapsulation
        Menu 11.1 - Remote Node Profile
        Rem Node Name= ChangeMe           Route= IP
        Active= Yes                       Bridge= No
        Encapsulation= PPTP               Edit IP= No
        Service Type= Standard            Telco Option:
        Service Name= N/A                   Allocated Budget(min)= 0
        Outgoing:...
  • Page 409: Figure 232 Menu 11.1.2: Remote Node Network Layer Options For Ethernet Encapsulation

    Figure 232 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation
        Menu 11.1.2 - Remote Node Network Layer Options
        IP Address Assignment= Dynamic
        Rem IP Addr= N/A
        Rem Subnet Mask= N/A
        My WAN Addr= N/A
        Network Address Translation= SUA Only
        NAT Lookup Set= 255
        Metric= 1...
  • Page 410: Remote Node Filter

    Table 159 Remote Node Network Layer Options Menu Fields (continued): NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the...
  • Page 411: Traffic Redirect

    Figure 233 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)
        Menu 11.1.4 - Remote Node Filter
        Input Filter Sets:
          protocol filters=
          device filters=
        Output Filter Sets:
          protocol filters=
          device filters=
        Enter here to CONFIRM or ESC to CANCEL:
    Figure 234 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation)
        Menu 11.1.4 - Remote Node Filter
        Input Filter Sets:...
  • Page 412: Figure 235 Menu 11.1.5: Traffic Redirect Setup

    Figure 235 Menu 11.1.5: Traffic Redirect Setup
        Menu 11.1.5 - Traffic Redirect Setup
        Active= Yes
        Configuration:
          Backup Gateway IP Address= 0.0.0.0
          Metric= 14
          Check WAN IP Address= 0.0.0.0
          Fail Tolerance= 10
          Period(sec)= 300
          Timeout(sec)= 8
        Press ENTER to Confirm or ESC to Cancel:
    The following table describes the fields in this menu.
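    As an added example (not ZyXEL code), the following models the traffic-redirect check with the fields shown in menu 11.1.5. Only the field names come from the figure; the probe semantics are assumed from them: every Period seconds the ZyWALL probes Check WAN IP Address and waits Timeout seconds for a reply, after Fail Tolerance consecutive misses the WAN route is withdrawn and the lowest-metric route still up (the backup gateway, metric 14) carries traffic, and the first successful probe restores the WAN. The gateway addresses and the probe sequence are constructed.

```python
"""Traffic-redirect failover modelled on ZyWALL menu 11.1.5.

Added example, not ZyXEL code. Assumed semantics: the WAN is probed every
Period seconds; a probe fails if no reply arrives within Timeout seconds; after
Fail Tolerance consecutive failures the WAN route is withdrawn and the next
lowest-metric route (the backup gateway) is used; one good probe restores it.
"""
from dataclasses import dataclass


@dataclass
class Route:
    name: str
    gateway: str
    metric: int
    up: bool = True


@dataclass
class TrafficRedirect:
    fail_tolerance: int
    wan: Route
    backup: Route
    failures: int = 0       # consecutive failed probes of Check WAN IP Address

    def active_route(self):
        """A router forwards via the lowest-metric route that is up."""
        candidates = [r for r in (self.wan, self.backup) if r.up]
        return min(candidates, key=lambda r: r.metric).name

    def probe(self, replied):
        """Record one probe (True = reply within Timeout); return the route now in use."""
        if replied:
            self.failures = 0
            self.wan.up = True
        else:
            self.failures += 1
            if self.failures >= self.fail_tolerance:
                self.wan.up = False
        return self.active_route()


def simulate(probe_results, fail_tolerance=10, wan_metric=1, backup_metric=14):
    """Feed a sequence of probe results and return the route chosen after each."""
    tr = TrafficRedirect(
        fail_tolerance,
        Route("WAN", "203.0.113.1", wan_metric),           # constructed addresses
        Route("backup", "192.168.1.254", backup_metric),
    )
    return [tr.probe(ok) for ok in probe_results]


def worst_case_failover_seconds(period, fail_tolerance, timeout):
    """Time from a WAN failure just after a good probe until traffic moves to the backup."""
    return period * fail_tolerance + timeout


if __name__ == "__main__":
    outage = [True, True] + [False] * 10 + [True]
    print(simulate(outage))
    print(worst_case_failover_seconds(300, 10, 8), "seconds with the menu's default values")
```

    Two things the figure's defaults imply: with Period 300 and Fail Tolerance 10, an outage is not acted on for roughly fifty minutes, so lower them if the backup link is meant to take over quickly; and the backup route's metric must stay higher than the WAN route's, otherwise the backup gateway wins the route selection even while the WAN is up (the `backup_metric=0` case in the test).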
  • Page 413: Chapter 29 Ip Static Route Setup

    CHAPTER 29 IP Static Route Setup. This chapter shows you how to configure static routes with your ZyWALL. 29.1 IP Static Route Setup: Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
  • Page 414: Figure 237 Menu 12. 1: Edit Ip Static Route

    Figure 237 Menu 12.1: Edit IP Static Route
        Menu 12.1 - Edit IP Static Route
        Route #: 3
        Route Name= ?
        Active= No
        Destination IP Address= ?
        IP Subnet Mask= ?
        Gateway IP Address= ?
        Metric= 2
        Private= No
        Press ENTER to CONFIRM or ESC to CANCEL:...
  • Page 415: Network Address Translation (Nat)

    CHAPTER 30 Network Address Translation (NAT). This chapter discusses how to configure NAT on the ZyWALL. 30.1 Using NAT. Note: You must create a firewall rule in addition to setting up SUA/NAT to allow traffic from the WAN to be forwarded through the ZyWALL; a NAT server entry alone does not open the firewall.
  • Page 416: Figure 238 Menu 4: Applying Nat For Internet Access

    Figure 238 Menu 4: Applying NAT for Internet Access
        Menu 4 - Internet Access Setup
        ISP's Name= ChangeMe
        Encapsulation= Ethernet
        Service Type= Standard
        My Login= N/A
        My Password= N/A
        Retype to Confirm= N/A
        Login Server= N/A
        Relogin Every (min)=
        IP Address Assignment= Dynamic
        IP Address= N/A...
  • Page 417: Nat Setup

    The following table describes the fields in this menu. Table 162 Applying NAT in Menus 4 & 11.1.2: Network Address Translation: Full Feature: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see...
  • Page 418: Sua Address Mapping Set

    Figure 241 Menu 15.1: Address Mapping Sets
        Menu 15.1 - Address Mapping Sets
          1. NAT_SET
        255. SUA (read only)
        Enter Menu Selection Number:
    30.2.1.1 SUA Address Mapping Set: Enter 255 to display the next screen (see also Section 30.1.1 on page 415).
  • Page 419: User-Defined Address Mapping Sets

    Table 163 SUA Address Mapping Rules: Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255. Global Start IP: This is the starting global IP address (IGA).
  • Page 420: Ordering Your Rules

    30.2.1.3 Ordering Your Rules: Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored, so a broad rule placed above a narrow one hides the narrow one. If there are any empty rules before your newly configured rule, your configured rule will be moved up by that number of empty rules.
  • Page 421: Figure 244 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Figure 244 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
        Menu 15.1.1.1 Address Mapping Rule
        Type= One-to-One
        Local IP:
          Start=
          End= N/A
        Global IP:
          Start=
          End= N/A
        Server Mapping Set= N/A
        Press ENTER to Confirm or ESC to Cancel:
    The following table describes the fields in this menu.
  • Page 422: Configuring A Server Behind Nat

    30.3 Configuring a Server Behind NAT. Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind NAT: 1 Enter 15 in the main menu to go to Menu 15 - NAT Setup.
  • Page 423: Figure 246 15.2.X: Nat Server Configuration

    Figure 246 15.2.x: NAT Server Configuration
        15.2.3 - NAT Server Configuration
        Index= 2
        ------------------------------------------------
        Name= 1
        Active= Yes
        Start port= 21
        End port= 25
        IP Address= 192.168.1.33
        Press ENTER to Confirm or ESC to Cancel:
    The following table describes the fields in this screen.
  • Page 424: General Nat Examples

    Figure 247 Menu 15.2: NAT Server Setup
        Menu 15.2 - NAT Server Setup
        Default Server: 0.0.0.0
        Rule  Act.  Start Port  End Port  IP Address
        ------------------------------------------------------
        (one rule forwards to 192.168.1.33; the remaining rules are 0.0.0.0; port columns not shown)
        Select Command= None
        Select Rule= N/A
        Press ENTER to Confirm or ESC to Cancel:...
  • Page 425: Figure 249 Nat Example 1

    Figure 249 NAT Example 1
    Figure 250 Menu 4: Internet Access & NAT Example
        Menu 4 - Internet Access Setup
        ISP's Name= ChangeMe
        Encapsulation= Ethernet
        Service Type= Standard
        My Login= N/A
        My Password= N/A
        Retype to Confirm= N/A
        Login Server= N/A
        Relogin Every (min)=
        IP Address Assignment= Dynamic...
  • Page 426: Example 2: Internet Access With A Default Server

    30.4.2 Example 2: Internet Access with a Default Server. Figure 251 NAT Example 2. In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Default Server behind the NAT, as shown in the next figure.
  • Page 427: Figure 253 Nat Example 3

    1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
  • Page 428: Figure 254 Example 3: Menu 11.1.2

    7 When finished, menu 15.1.1 should look as shown in Figure 256 on page 429.
    Figure 254 Example 3: Menu 11.1.2
        Menu 11.1.2 - Remote Node Network Layer Options
        IP Address Assignment= Dynamic
        IP Address= N/A
        IP Subnet Mask= N/A
        Gateway IP Addr= N/A
        Network Address Translation= SUA Only...
  • Page 429: Figure 256 Example 3: Final Menu 15.1.1

    Figure 256 Example 3: Final Menu 15.1.1
        Menu 15.1.1 - Address Mapping Rules
        Set Name= Example3
            Local Start IP    Local End IP      Global Start IP   Global End IP     Type
            ---------------   ---------------   ---------------   ---------------
        1.  192.168.1.10                        10.132.50.1                         One-to-One
        2.  192.168.1.11                        10.132.50.2...
  • Page 430: Example 4: Nat Unfriendly Application Programs

    Figure 257 Example 3: Menu 15.2
        Menu 15.2 - NAT Server Setup
        Default Server: 0.0.0.0
        Rule  Act.  Start Port  End Port  IP Address
        ------------------------------------------------------
        (two rules forward to 192.168.1.21 and 192.168.1.20; the remaining rules are 0.0.0.0; port columns not shown)
        Select Command= None
        Select Rule= N/A
        Press ENTER to Confirm or ESC to Cancel:
    30.4.4 Example 4: NAT Unfriendly Application Programs...
  • Page 431: Figure 259 Example 4: Menu 15.1.1.1: Address Mapping Rule

    Follow the steps outlined in example 3 above to configure these two menus as follows.
    Figure 259 Example 4: Menu 15.1.1.1: Address Mapping Rule
        Menu 15.1.1.1 Address Mapping Rule
        Type= Many-One-to-One
        Local IP:
          Start= 192.168.1.10
          End= 192.168.1.12
        Global IP:
          Start= 10.132.50.1...
  • Page 432: Trigger Port Forwarding

    Figure 260 Example 4: Menu 15.1.1: Address Mapping Rules
        Menu 15.1.1 - Address Mapping Rules
        Set Name= Example4
            Local Start IP    Local End IP      Global Start IP   Global End IP     Type
            ---------------   ---------------   ---------------   ---------------
            192.168.1.10      192.168.1.12      10.132.50.1...
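    The outbound side of Examples 3 and 4, together with the rule-ordering point from Section 30.2.1.3, as an added example that is not ZyXEL's code: a lookup that tries an address mapping set top to bottom and translates the source address according to the first matching rule's type. The rule types and addresses are the manual's; the matching model (first local-range match wins, Many-One-to-One maps by position) and the Many-to-One catch-all rule assumed as the third entry of Example 3 are assumptions, and the wrong-order set shows how a catch-all placed first hides the One-to-One rules below it.

```python
"""Outbound address-mapping lookup modelled on ZyWALL menu 15.1.1.

Added example, not ZyXEL code. Rule types use the manual's names. Assumed
matching model: rules are tried top to bottom and the first rule whose Local
range contains the packet's source address decides the translation; for
Many-One-to-One the n-th local address maps to the n-th global address.
"""
from ipaddress import IPv4Address


class MappingRule:
    def __init__(self, rule_type, local_start, local_end=None,
                 global_start=None, global_end=None):
        self.rule_type = rule_type
        self.local_start = IPv4Address(local_start)
        self.local_end = IPv4Address(local_end or local_start)
        self.global_start = IPv4Address(global_start)
        self.global_end = IPv4Address(global_end or global_start)

    def matches(self, src):
        return self.local_start <= src <= self.local_end

    def translate(self, src):
        """Return the global address (IGA) used for local address `src`."""
        if self.rule_type in ("One-to-One", "Many-to-One"):
            # One-to-One: a single ILA; Many-to-One: every ILA in range shares one IGA (SUA)
            return self.global_start
        if self.rule_type == "Many-One-to-One":
            offset = int(src) - int(self.local_start)
            candidate = int(self.global_start) + offset
            if candidate > int(self.global_end):
                raise ValueError("rule has fewer global than local addresses")
            return IPv4Address(candidate)
        raise ValueError("unsupported rule type: " + self.rule_type)


def lookup(rules, src):
    """Return (rule number, translated address) for the first matching rule, else (None, None)."""
    src = IPv4Address(src)
    for number, rule in enumerate(rules, 1):
        if rule.matches(src):
            return number, str(rule.translate(src))
    return None, None


# Example 3 from the manual: two FTP servers mapped 1:1, then (assumed) a
# Many-to-One catch-all so the rest of the LAN shares a third IGA.
EXAMPLE3 = [
    MappingRule("One-to-One", "192.168.1.10", global_start="10.132.50.1"),
    MappingRule("One-to-One", "192.168.1.11", global_start="10.132.50.2"),
    MappingRule("Many-to-One", "0.0.0.0", "255.255.255.255", "10.132.50.3"),
]

# Same rules with the catch-all first: it matches everything, so the
# One-to-One rules below it are never reached.
EXAMPLE3_WRONG_ORDER = [EXAMPLE3[2], EXAMPLE3[0], EXAMPLE3[1]]

# Example 4: three hosts mapped to three IGAs, one each.
EXAMPLE4 = [
    MappingRule("Many-One-to-One", "192.168.1.10", "192.168.1.12",
                "10.132.50.1", "10.132.50.3"),
]


if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.1.11", "192.168.1.50"):
        print(src, lookup(EXAMPLE3, src), lookup(EXAMPLE3_WRONG_ORDER, src))
    print("192.168.1.12", lookup(EXAMPLE4, "192.168.1.12"))
```

    The wrong-order set sends the FTP servers' traffic out from the shared IGA, so replies and inbound FTP connections addressed to 10.132.50.1 and 10.132.50.2 no longer line up with the servers; the fix is only the ordering, not the rules themselves.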
  • Page 433: Figure 261 Menu 15.3: Trigger Port Setup

    Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports.
    Figure 261 Menu 15.3: Trigger Port Setup
        Menu 15.3 - Trigger Port Setup
        Incoming   Trigger
        Rule...
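    The inbound side, covering the NAT server table of Section 30.3 (with its default-server rule and the note that unmatched ports are discarded when no default server is set) and the trigger-port note above, as an added example that is not ZyXEL's code. The 21-25 range to 192.168.1.33 is taken from Figure 246; the trigger rule, the LAN hosts and the precedence of trigger state over static server rules are assumptions.

```python
"""Inbound NAT decisions modelled on ZyWALL menus 15.2 (NAT Server) and 15.3 (Trigger Port).

Added example, not ZyXEL code. From section 30.3: a WAN packet whose destination
port matches no NAT server rule goes to the Default Server if one is set,
otherwise it is discarded. Assumed for trigger ports: a LAN host that sends
traffic to a port in a rule's Trigger range becomes the only holder of that
rule's Incoming range until another host triggers it; trigger state is checked
before the static server rules.
"""
from dataclasses import dataclass, field


@dataclass
class ServerRule:
    start_port: int
    end_port: int
    ip: str
    active: bool = True


@dataclass
class TriggerRule:
    name: str
    incoming: tuple   # (start, end): WAN-side ports opened toward the triggering host
    trigger: tuple    # (start, end): outgoing destination ports that arm the rule


@dataclass
class NatInbound:
    server_rules: list
    trigger_rules: list
    default_server: str = "0.0.0.0"                 # 0.0.0.0 = no default server
    armed: dict = field(default_factory=dict)       # trigger name -> LAN host

    def outbound(self, src_lan, dst_port):
        """Record LAN->WAN traffic; arms every trigger whose Trigger range covers dst_port."""
        for t in self.trigger_rules:
            if t.trigger[0] <= dst_port <= t.trigger[1]:
                self.armed[t.name] = src_lan    # a later host simply takes the trigger over

    def inbound(self, dst_port):
        """Return the LAN address that receives a WAN packet for dst_port, or None if discarded."""
        for t in self.trigger_rules:
            host = self.armed.get(t.name)
            if host and t.incoming[0] <= dst_port <= t.incoming[1]:
                return host
        for r in self.server_rules:
            if r.active and r.start_port <= dst_port <= r.end_port:
                return r.ip
        if self.default_server != "0.0.0.0":
            return self.default_server
        return None


def example_nat(default_server="0.0.0.0"):
    """Constructed configuration: the port 21-25 rule from Figure 246 plus one trigger rule."""
    return NatInbound(
        server_rules=[ServerRule(21, 25, "192.168.1.33")],
        trigger_rules=[TriggerRule("voice", incoming=(6970, 7170), trigger=(7070, 7070))],
        default_server=default_server,
    )


if __name__ == "__main__":
    nat = example_nat()
    print("port 21 ->", nat.inbound(21))
    print("port 80 ->", nat.inbound(80))        # no default server: discarded
    nat.outbound("192.168.1.40", 7070)
    print("port 7000 ->", nat.inbound(7000))    # the host that triggered holds the range
    nat.outbound("192.168.1.41", 7070)
    print("port 7000 ->", nat.inbound(7000))    # a second host takes it over
```

    Leaving Default Server at 0.0.0.0 is the safer configuration: every port you did not map is dropped instead of being handed to one LAN host. A trigger range, once armed, is reachable from any WAN address until another host re-arms it, which is why the manual limits it to one computer at a time.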
  • Page 435: Introducing The Zywall Firewall

    CHAPTER 31 Introducing the ZyWALL Firewall. This chapter shows you how to get started with the ZyWALL firewall. 31.1 Accessing the Firewall Settings: The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer.
  • Page 436: Figure 263 Menu 21.2: Firewall Setup

    Figure 263 Menu 21.2: Firewall Setup
        Menu 21.2 - Firewall Setup
        The firewall protects against Denial of Service (DoS) attacks when it is active.
        Your network is vulnerable to attacks when the firewall is turned off.
        Refer to the User's Guide for details about the firewall default policies.
  • Page 437: Chapter 32 Filter Configuration

    CHAPTER 32 Filter Configuration. This chapter shows you how to create and apply filters. 32.1 Introduction to Filters: Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
  • Page 438: The Filter Structure Of The Zywall

    32.1.1 The Filter Structure of the ZyWALL: A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 439: Figure 265 Filter Rule Process

    Figure 265 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 440: Packet Filtering Versus Firewall

    32.2 Packet Filtering Versus Firewall Below are some comparisons between the ZyWALL’s filtering and firewall functions. 32.2.1 Packet Filtering Packet filtering restricts access based on the source/destination computer network address of a packet and the type of application. •...
  • Page 441: When To Use The Firewall

    32.2.2.1 When To Use The Firewall 1 To prevent DoS attacks and prevent hackers from cracking your network. 2 A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
  • Page 442: Figure 267 Menu 21.1: Filter Set Configuration

    Figure 267 Menu 21.1: Filter Set Configuration Menu 21.1 - Filter Set Configuration Filter Filter Set # Comments Set # Comments ------ ----------------- ------ ----------------- _______________ _______________ _______________ _______________ _______________ _______________ _______________ _______________ _______________ _______________ _______________ _______________ Enter Filter Set Number to Configure= 0...
  • Page 443: Configuring A Filter Rule

    The protocol-dependent filter rule abbreviations are listed as follows: Table 170 Rule Abbreviations Used ABBREVIATION DESCRIPTION Pr Protocol SA Source Address SP Source Port number DA Destination Address DP Destination Port number Off Offset Len Length Refer to the next section for information on configuring the filter rules.
  • Page 444: Figure 268 Menu 21.1.1.1: Tcp/Ip Filter Rule

    Figure 268 Menu 21.1.1.1: TCP/IP Filter Rule Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 IP Source Route= No Destination: IP Addr= IP Mask= Port #= Port # Comp= None Source: IP Addr=...
  • Page 445 Table 171 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Port # Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the source port in the packet against the value given in Source: Port #.
  • Page 446: Configuring A Generic Filter Rule

    Figure 269 Executing an IP Filter 32.3.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is...
  • Page 447: Figure 270 Menu 21.1.1.1: Generic Filter Rule

    to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 448: Example Filter

    Table 172 Generic Filter Rule Menu Fields FIELD DESCRIPTION More If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No.
  • Page 449: Figure 272 Example Filter: Menu 21.1.3.1

    5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. 6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
  • Page 450: Filter Types And Nat

    Figure 273 Example Filter Rules Summary: Menu 21.1.3 Menu 21.1.3 - Filter Rules Summary # A Type Filter Rules M m n - - ---- ----------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F Enter Filter Rule Number (1-6) to Configure: 1 This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type =...
  • Page 451: Firewall Versus Filters

    Figure 274 Protocol and Device Filter Sets 32.6 Firewall Versus Filters Firewall configuration is discussed in Chapter 8 on page 131. Further comparisons are also made between filtering, NAT and the firewall. 32.7 Applying a Filter This section shows you where to apply the filter(s) after you design it (them).
  • Page 452: Applying Remote Node Filters

    Figure 275 Filtering LAN Traffic Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 32.7.2 Applying Remote Node Filters Go to menu 11.1.4 (shown below –...
  • Page 453: Chapter 33 Snmp Configuration

    Chapter 33 SNMP Configuration This chapter explains SNMP configuration menu 22. 33.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
  • Page 454: Snmp Traps

    Table 173 SNMP Configuration Menu Fields (continued) FIELD DESCRIPTION Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
  • Page 455: System Information & Diagnosis

    Chapter 34 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 34.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
  • Page 456: Figure 279 Menu 24.1: System Maintenance: Status

    3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 279 Menu 24.1: System Maintenance: Status Menu 24.1 - System Maintenance - Status 07:15:51 Fri.
  • Page 457: System Information And Console Port Speed

    Table 175 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION IP Address This is the IP address of the port listed on the left. IP Mask This is the IP mask of the port listed on the left. DHCP This is the DHCP setting of the port listed on the left.
  • Page 458: Console Port Speed

    Figure 281 Menu 24.2.1: System Maintenance: Information Menu 24.2.1 - System Maintenance - Information Name: Routing: IP ZyNOS F/W Version: V4.00(WM.0)b2 | 07/25/2005 Country Code: 255 Ethernet Address: 00:A0:C5:01:23:45 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: The following table describes the fields in this screen.
  • Page 459: Log And Trace

    Figure 282 Menu 24.2.2: System Maintenance: Change Console Port Speed Menu 24.2.2 - System Maintenance - Change Console Port Speed Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel:Press Space Bar to Toggle. 34.4 Log and Trace There are two logging facilities in the ZyWALL.
  • Page 460: Syslog Logging

    Figure 284 Examples of Error and Information Messages 53 Thu Jul 1 05:54:53 2004 PINI INFO Channel 0 ok 54 Thu Jul 1 05:54:56 2004 PP05 -WARN SNMP TRAP 3: interface 3: link up 55 Thu Jul 1 05:54:56 2004 PP0d INFO LAN promiscuous mode <0>...
  • Page 461 1 CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call = the call reference number which starts from 1 and increments by 1 for each new call...
  • Page 462 Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D). Src: Source Address Dst: Destination Address prot: Protocol ("TCP","UDP","ICMP")
  • Page 463: Call-Triggering Packet

    34.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Figure 286 Call-Triggering Packet Example IP Frame: ENET0-RECV Size: Time: 17:02:44.262...
  • Page 464: Wan Dhcp

    1 From the main menu, select option 24 to open Menu 24 - System Maintenance. 2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 287 Menu 24.4: System Maintenance: Diagnostic Menu 24.4 - System Maintenance - Diagnostic TCP/IP 1.
  • Page 465 Table 178 System Maintenance Menu Diagnostic FIELD DESCRIPTION Host IP Address If you entered 1 in the Enter Menu Selection Number field, then enter the IP address of the computer you want to ping in this field. Enter the number of the selection you would like to perform or press [ESC] to cancel.
  • Page 466 Chapter 34 System Information & Diagnosis...
  • Page 467: Firmware And Configuration File Maintenance

    Chapter 35 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 35.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware.
  • Page 468: Backup Configuration

    The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
  • Page 469: Using The Ftp Command From The Command Line

    Figure 288 Telnet into Menu 24.5 Menu 24.5 - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root"...
  • Page 470: Example Of Ftp Commands From The Command Line

    35.3.3 Example of FTP Commands from the Command Line Figure 289 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds...
  • Page 471: Backup Configuration Using Tftp

    4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running. 35.3.6 Backup Configuration Using TFTP The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
  • Page 472: Gui-Based Tftp Clients

    35.3.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 181 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL’s default IP address when shipped.
  • Page 473: Restore Configuration

    Figure 292 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. 4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.
  • Page 474: Figure 294 Telnet Into Menu 24.6

    Figure 294 Telnet into Menu 24.6 Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 475: Restore Using Ftp Session Example

    35.4.2 Restore Using FTP Session Example Figure 295 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  • Page 476: Uploading Firmware And Configuration Files

    4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 299 Successful Restoration Confirmation Screen Save to ROM Hit any key to start system reboot. 35.5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files.
  • Page 477: Configuration File Upload

    Figure 300 Telnet Into Menu 24.7.1: Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 478: Ftp File Upload Command From The Dos Prompt Example

    35.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a user name. 4 Enter your password as requested (the default is “1234”).
  • Page 479: Tftp Upload Command Example

    1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address. 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 –...
  • Page 480: Example Xmodem Firmware Upload Using Hyperterminal

    Figure 303 Menu 24.7.1 As Seen Using the Console Port Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 481: Example Xmodem Configuration Upload Using Hyperterminal

    Figure 305 Menu 24.7.2 As Seen Using the Console Port Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 482 Chapter 35 Firmware and Configuration File Maintenance...
  • Page 483: System Maintenance Menus 8 To 10

    Chapter 36 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 36.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 484: Command Usage

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 308 Valid Commands Copyright (c) 1994 - 2005 ZyXEL Communications Corp. ras> ? Valid commands are:...
  • Page 485: Call Control Support

    36.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the ZyWALL within certain times.
  • Page 486: Call History

    Figure 310 Budget Management Menu 24.9.1 - Budget Management Remote Node Connection Time/Total Budget Elapsed Time/Total Period 1.ChangeMe No Budget No Budget 2.Dial No Budget No Budget Reset Node (0 to update screen): The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
  • Page 487: Time And Date Setting

    Figure 311 Call History Menu 24.9.2 - Call History Phone Number Rate #call Total Enter Entry to Delete(0 to exit): The following table describes the fields in this screen. Table 184 Call History FIELD DESCRIPTION Phone Number The PPPoE service names are shown here.
  • Page 488: Figure 312 Menu 24: System Maintenance

    Figure 312 Menu 24: System Maintenance Menu 24 - System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode Call Control 10. Time and Date Setting 11.
  • Page 489: Table 185 Menu 24.10 System Maintenance: Time And Date Setting

    Table 185 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 490 Table 185 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION End Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October.
  • Page 491: Chapter 37 Remote Management

    Chapter 37 Remote Management This chapter covers remote management found in SMT menu 24.11. 37.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via: •...
  • Page 492: Figure 314 Menu 24.11 - Remote Management Control

    Figure 314 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = ALL Secure Client IP = 0.0.0.0 SSH Server: Certificate = auto_generated_self_signed_cert...
  • Page 493: Remote Management Limitations

    37.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in menu 24.11.
  • Page 494 Chapter 37 Remote Management...
  • Page 495: Chapter 38 Call Scheduling

    Chapter 38 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 38.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 496: Figure 316 Schedule Set Setup

    Figure 316 Schedule Set Setup Menu 26.1 - Schedule Set Setup Active= Yes How Often= Once Start Date(yyyy-mm-dd) = N/A Once: Date(yyyy-mm-dd)= 2000 - 01 - 01 Weekdays: Sunday= N/A Monday= N/A Tuesday= N/A Wednesday= N/A Thursday= N/A Friday= N/A Saturday= N/A...
  • Page 497: Figure 317 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Table 187 Schedule Set Setup (continued) FIELD DESCRIPTION Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line.
  • Page 498: Figure 318 Applying Schedule Set(S) To A Remote Node (Pptp)

    Figure 318 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
  • Page 499: Chapter 39 Troubleshooting

    Chapter 39 Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.
  • Page 500: Problems With The Wan Interface

    39.3 Problems with the WAN Interface Table 190 Troubleshooting the WAN Interface PROBLEM CORRECTIVE ACTION Cannot get WAN IP address from the ISP. The ISP provides the WAN IP address after authentication. Authentication may be through the user name and password, the MAC address or the host name.
  • Page 501: Pop-Up Windows, Javascripts And Java Permissions

    Table 191 Troubleshooting Accessing the ZyWALL PROBLEM CORRECTIVE ACTION Cannot access the web configurator. Make sure that there is not an SMT console session running. Use the ZyWALL’s WAN IP address when configuring from the WAN. Refer to the instructions on checking your WAN connection.
  • Page 502: Figure 319 Pop-Up Blocker

    39.4.1.1.1 Disable pop-up Blockers 1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 319 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.
  • Page 503: Figure 321 Internet Options: Privacy

    39.4.1.1.2 Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools > Internet Options > Privacy. 2 Select Settings… to open the Pop-up Blocker Settings screen. Figure 321 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”.
  • Page 504: Javascripts

    Figure 322 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. 39.4.1.2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 505: Figure 323 Internet Options: Security

    Figure 323 Internet Options: Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window.
  • Page 506: Java Permissions

    Figure 324 Security Settings - Java Scripting 39.4.1.3 Java Permissions 1 From Internet Explorer, click Tools > Internet Options > Security. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window.
  • Page 507: Figure 325 Security Settings - Java

    Figure 325 Security Settings - Java 39.4.1.3.1 JAVA (Sun) 1 From Internet Explorer, click Tools > Internet Options > Advanced. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window...
  • Page 508: Packet Flow

    Figure 326 Java (Sun) 39.5 Packet Flow The following is the packet check flow on the ZyWALL. LAN to WAN: LAN Data and Call Filtering (in SMT menu 21) -> Firewall -> Remote Node Data Filtering (in SMT menu 21) -> Content Filtering -> NAT WAN to LAN: Remote Node Data Filtering (in SMT menu 21) ->...
  • Page 509: Product Specifications

    Appendix A Product Specifications See also the Introduction chapter for a general overview of the key features. Specification Tables Table 192 Device Specifications Default LAN IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234...
  • Page 510: Table 194 Firmware Features

    Table 193 Performance (continued) CATEGORY PERFORMANCE Concurrent Sessions 3000 Simultaneous IPSec VPN Connections Table 194 Firmware Features Modes of Operation Routing/NAT/SUA Mode Transparent Mode Firewall (ICSA Certified) IP Protocol/Packet Filter DoS and DDoS Protections Stateful Packet Inspection Real time E-mail alerts Reports and Logs...
  • Page 511: Table 195 Feature Specifications

    Table 194 Firmware Features (continued) Other Protocol Support PPP (Point-to-Point Protocol) link layer protocol. Transparent bridging for unsupported network layer protocols. DHCP Server/Client/Relay RIP I/RIP II ICMP SNMP v1 and v2c with MIB II support (RFC 1213) IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP...
  • Page 512: Figure 327 Console/Dial Backup Cable Db-9 End Pin Layout

    Figure 327 Console/Dial Backup Cable DB-9 End Pin Layout Table 196 Console Cable Pin Assignments PIN DEFINITION RJ-45 END DB-9M (MALE) END Table 197 Console Cable Pin Assignments PIN DEFINITION RJ-45 END DB-9M (MALE) END...
  • Page 513: Figure 328 Ethernet Cable Pin Assignments

    Figure 328 Ethernet Cable Pin Assignments Wall Mounting Specifications Use two M4 x 30 mm screws to wall-mount the ZyWALL. The holes for the wall-mounting screws should be 108 mm apart. Power Adaptor Specifications Table 198 Power Adaptor Specifications AC Power Adapter Model PSA18R-120P Input Power...
  • Page 514 Appendix A Product Specifications...
  • Page 515: Wall-Mounting Instructions

    Appendix B Wall-mounting Instructions Do the following to hang your ZyWALL on a wall. Note: See the product specifications appendix for the size of screws to use and how far apart to place them. 1 Locate a high position on the wall that is free of obstructions.
  • Page 516 Appendix B Wall-mounting Instructions...
  • Page 517: Setting Up Your Computer's Ip Address

    Appendix C Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 518: Figure 330 Windows 95/98/Me: Network: Configuration

    Figure 330 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 519: Figure 331 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click OK. 5 Restart your computer so the changes you made take effect. Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. 2 Click the IP Address tab.
  • Page 520: Figure 332 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    Figure 332 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add.
  • Page 521: Figure 333 Windows Xp: Start Menu

    Figure 333 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 334 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties...
  • Page 522: Figure 335 Windows Xp: Control Panel: Network Connections: Properties

    Figure 335 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 336 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 523: Figure 337 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. Figure 337 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
  • Page 524: Figure 338 Windows Xp: Advanced Tcp/Ip Properties

    Figure 338 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). •...
  • Page 525: Figure 339 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Figure 339 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
  • Page 526: Figure 340 Macintosh Os 8/9: Apple Menu

    Figure 340 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 341 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list...
  • Page 527: Figure 342 Macintosh Os X: Apple Menu

    4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 528: Figure 343 Macintosh Os X: Network

    Figure 343 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 529: Figure 344 Red Hat 9.0: Kde: Network Configuration: Devices

    ZyWALL 2 Plus User’s Guide Note: Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 530: Figure 346 Red Hat 9.0: Kde: Network Configuration: Dns

    ZyWALL 2 Plus User’s Guide • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
  • Page 531: Figure 348 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    ZyWALL 2 Plus User’s Guide 1 Assuming that you have only one network card on the computer, locate the ifconfig- configuration file (where is the name of the Ethernet card). Open the eth0 eth0 configuration file with any plain text editor. •...
  • Page 532: Figure 351 Red Hat 9.0: Restart Ethernet Card

    ZyWALL 2 Plus User’s Guide Figure 351 Red Hat 9.0: Restart Ethernet Card [root@localhost init.d]# network restart Shutting down interface eth0: [OK] Shutting down loopback interface: [OK] Setting network parameters: [OK] Bringing up loopback interface: [OK] Bringing up interface eth0: [OK] Verifying Settings Enter...
  • Page 533: IP Subnetting

    Appendix D IP Subnetting
    IP Addressing
    Routers "route" based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.
    IP Classes
    An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 534: Table 200 Allowed IP Address Range By Class

    Since the first bit of a class "A" IP address must be "0", the first octet of a class "A" address can have a value of 0 to 127. Similarly, the first octet of a class "B" address must begin with "10", therefore the first octet of a class "B" ...
  • Page 535: Table 202 Alternative Subnet Mask Notation

    Since the mask is always a continuous run of ones beginning from the left, followed by a continuous run of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" ...
  • Page 536: Table 204 Subnet 1

    Note: In the following charts, shaded/bolded last-octet bit values indicate host ID bits "borrowed" to form network ID bits. The number of "borrowed" host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after "borrowing") determines the number of hosts you can have on each subnet.
  • Page 537: Table 206 Subnet 1

    Example: Four Subnets
    The above example illustrated using a 25-bit subnet mask to divide a class "C" address space into two subnets. Similarly, to divide a class "C" address into four subnets, you need to "borrow" ...
  • Page 538: Table 209 Subnet 4

    Table 209 Subnet 4 (26-bit mask; the two borrowed bits of the last octet are 11)
                              NETWORK NUMBER                 LAST OCTET BIT VALUE
    IP Address                192.168.1.                     192
    IP Address (Binary)       11000000.10101000.00000001.    11000000
    Subnet Mask (Binary)      11111111.11111111.11111111.    11000000
    Subnet Address:      192.168.1.192     Lowest Host ID:   192.168.1.193
    Broadcast Address:   192.168.1.255     Highest Host ID:  192.168.1.254
    Example: Eight Subnets
    Similarly, use a 27-bit mask (borrowing three host bits) to create eight subnets, whose borrowed last-octet bits are 000, 001, 010, 011, 100, 101, 110 and 111. Five host bits remain, so each subnet has 30 usable host addresses.
  • Page 539: Table 212 Class B Subnet Planning

    Subnetting With Class A and Class B Networks
    For class "A" and class "B" addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class "B" ...
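    The two-, four- and eight-subnet examples and the class B planning table above, worked in code. This is an added example and not part of the ZyXEL guide; it uses only Python's standard-library ipaddress module. Given a network and the number of host bits to "borrow", it lists every subnet with the fields the manual's Subnet N tables show (subnet address, lowest and highest host ID, broadcast address, mask in binary) and converts between dotted-decimal and "/" mask notation.

```python
"""Subnet planning as in the tables of the IP Subnetting appendix, done in code.

Added example, not from the ZyXEL guide: borrow host bits from a network,
list every resulting subnet with its subnet address, usable host range and
broadcast address (the rows of Tables 204-212), and convert between dotted
and "/" mask notation. Uses only the standard library.
"""
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> number of leading ones ("/" notation)."""
    # ip_network rejects a mask that is not a contiguous run of ones
    return ipaddress.ip_network("0.0.0.0/" + mask).prefixlen


def prefix_to_mask(prefix: int) -> str:
    """"/" notation -> dotted-decimal mask."""
    return str(ipaddress.ip_network("0.0.0.0/%d" % prefix).netmask)


def plan(network: str, borrowed: int) -> tuple:
    """(number of subnets, usable hosts per subnet) when `borrowed` host bits
    become network bits; the all-zeros and all-ones host IDs are reserved."""
    base = ipaddress.ip_network(network)
    host_bits = base.max_prefixlen - base.prefixlen - borrowed
    if host_bits < 2:
        raise ValueError("no usable host addresses left after borrowing %d bits" % borrowed)
    return 2 ** borrowed, 2 ** host_bits - 2


def borrow_bits(network: str, borrowed: int) -> list:
    """One row per subnet, in the layout of the manual's Subnet N tables."""
    plan(network, borrowed)  # validates the split before enumerating
    base = ipaddress.ip_network(network)
    rows = []
    for index, sub in enumerate(base.subnets(prefixlen_diff=borrowed)):
        hosts = list(sub.hosts())
        rows.append({
            # the "borrowed" bit pattern that identifies this subnet
            "subnet_bits": format(index, "0%db" % borrowed),
            "mask": str(sub.netmask),
            "mask_binary": ".".join(format(int(o), "08b")
                                    for o in str(sub.netmask).split(".")),
            "subnet_address": str(sub.network_address),
            "lowest_host": str(hosts[0]),
            "highest_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": len(hosts),
        })
    return rows


if __name__ == "__main__":
    # Four subnets of a class "C" network with a 26-bit mask (Tables 206-209)
    for row in borrow_bits("192.168.1.0/24", 2):
        print("bits %(subnet_bits)s  %(subnet_address)s/%(mask)s  hosts "
              "%(lowest_host)s-%(highest_host)s  broadcast %(broadcast)s" % row)
    # Class "B" network split on the third octet (Table 212)
    print("172.16.0.0/16 borrowing 8 bits:", plan("172.16.0.0/16", 8))
```

    The row for the fourth /26 subnet reproduces Table 209 exactly (192.168.1.192, hosts .193 to .254, broadcast .255). plan() refuses a split that leaves fewer than two host bits, which is the check a firewall or VPN network policy built from such a plan silently gets wrong otherwise.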
  • Page 541: Appendix E Common Services

    Appendix E Common Services
    The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
    • ...
  • Page 542

    Table 213 Commonly Used Services (continued)
    NAME    PROTOCOL       PORT(S)   DESCRIPTION
    HTTP    TCP            80        Hypertext Transfer Protocol, a client/server protocol for the World Wide Web.
    HTTPS   TCP            443       HTTP over SSL/TLS, a secured HTTP session often used in e-commerce.
    ICMP    User-Defined   1         Internet Control Message Protocol (IP protocol number 1; it has no ports, only types and codes) is often ...
  • Page 543

    Table 213 Commonly Used Services (continued)
    NAME    PROTOCOL   PORT(S)   DESCRIPTION
    SFTP    TCP        115       Simple File Transfer Protocol. This is the IANA "sftp" on port 115, not the SSH File Transfer Protocol, which also goes by "SFTP" but runs inside an SSH session on TCP 22; a firewall rule using this entry does not cover SSH-based file transfer.
    SMTP    TCP        25        Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
  • Page 545: Appendix F VPN Setup

    Appendix F VPN Setup
    This appendix helps you quickly create an IPSec VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users.
    General Notes
    • ...
  • Page 546: Figure 353 VPN Rules

    The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/Remote Starting IP Address settings with your own values.
  • Page 547: Figure 354 Headquarters Gateway Policy Edit

    Figure 354 Headquarters Gateway Policy Edit
    The Remote Gateway Address here is the public IP address of the branch office IPSec router.
  • Page 548: Figure 355 Branch Office Gateway Policy Edit

    Figure 355 Branch Office Gateway Policy Edit
    The Remote Gateway Address here is the public IP address of the headquarters IPSec router.
    3 Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy.
  • Page 549: Figure 356 Headquarters VPN Rule

    Figure 356 Headquarters VPN Rule
    Figure 357 Branch Office VPN Rule
    4 Configure the screens in the headquarters and the branch office as follows and click Apply.
  • Page 550: Figure 358 Headquarters Network Policy Edit

    Figure 358 Headquarters Network Policy Edit
    Activate the network policy. The local and remote networks must be on different (non-overlapping) subnets; if both sites used the same private range, traffic for the remote site would be delivered locally instead of being sent into the tunnel.
  • Page 551: Figure 359 Branch Office Network Policy Edit

    Figure 359 Branch Office Network Policy Edit
    Activate the network policy. The local and remote networks must be on different subnets.
    Dialing the VPN Tunnel via Web Configurator
    To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.
  • Page 552: Figure 360 VPN Rule Configured

    Figure 360 VPN Rule Configured
    The following screen displays.
    Figure 361 VPN Dial
    This screen displays later if the IPSec routers can build the VPN tunnel.
    Figure 362 VPN Tunnel Established
  • Page 553: VPN Troubleshooting

    VPN Troubleshooting
    If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
    VPN Log
    The system log can often help to identify a configuration problem.
  • Page 554: Figure 363 VPN Log Example

    Figure 363 VPN Log Example
      ras> sys log disp ike ipsec
      .time source destination notes message
      0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully
      1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
      2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE ...
    The cookie pair is the ISAKMP initiator/responder cookie from the IKE header. The same pair appears in the peer router's log, so it can be used to match up the two routers' entries for one negotiation.
  • Page 555: Figure 364 IKE/IPSec Debug Example

    IPSec Debug
    If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8, the command interpreter).
    Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.
  • Page 556

    Use a VPN Tunnel
    A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and e-mail.
  • Page 557: Importing Certificates

    Appendix G Importing Certificates
    This appendix shows certificate import examples using Internet Explorer 5.
    Import ZyWALL Certificates into Netscape Navigator
    In Netscape Navigator, you can permanently trust the ZyWALL's server certificate by importing it into your operating system as a trusted certification authority. Do this only once the device has its own certificate (see the replace_fact command in the Certificates Commands appendix): the factory default certificate is common to all ZyWALL models, so trusting it as a certification authority would also trust any other unit still using it.
  • Page 558: Figure 366 Login Screen

    Figure 366 Login Screen
    2 Click Install Certificate to open the Install Certificate wizard.
    Figure 367 Certificate General Information before Import
    3 Click Next to begin the Install Certificate wizard.
  • Page 559: Figure 368 Certificate Import Wizard 1

    Figure 368 Certificate Import Wizard 1
    4 Select where you would like to store the certificate and then click Next.
    Figure 369 Certificate Import Wizard 2
    5 Click Finish to complete the Import Certificate wizard.
  • Page 560: Figure 370 Certificate Import Wizard 3

    Figure 370 Certificate Import Wizard 3
    6 Click Yes to add the ZyWALL certificate to the root store.
    Figure 371 Root Certificate Store
  • Page 561: Figure 372 Certificate General Information After Import

    Figure 372 Certificate General Information after Import
    Enrolling and Importing SSL Client Certificates
    The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA into the ZyWALL for Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 562: Figure 373 ZyWALL Trusted CA Screen

    Figure 373 ZyWALL Trusted CA Screen
    The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
    Installing the CA's Certificate
    1 Double-click the CA's trusted certificate to produce a screen similar to the one shown next.
  • Page 563: Figure 374 CA Certificate Example

    Figure 374 CA Certificate Example
    2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
    Installing Your Personal Certificate(s)
    You need a password in advance. The CA may issue the password, or you may have to specify it during enrollment.
  • Page 564: Figure 375 Personal Certificate Import Wizard 1

    Figure 375 Personal Certificate Import Wizard 1
    2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
    Figure 376 Personal Certificate Import Wizard 2
    3 Enter the password given to you by the CA.
  • Page 565: Figure 377 Personal Certificate Import Wizard 3

    Figure 377 Personal Certificate Import Wizard 3
    4 Have the wizard determine where the certificate should be saved on your computer, or select Place all certificates in the following store and choose a different location.
    Figure 378 Personal Certificate Import Wizard 4
    5 Click Finish to complete the wizard and begin the import process.
  • Page 566: Figure 379 Personal Certificate Import Wizard 5

    Figure 379 Personal Certificate Import Wizard 5
    6 You should see the following screen when the certificate is correctly installed on your computer.
    Figure 380 Personal Certificate Import Wizard 6
    Using a Certificate When Accessing the ZyWALL Example
    Use the following procedure to access the ZyWALL via HTTPS.
  • Page 567: Figure 382 SSL Client Authentication

    Figure 382 SSL Client Authentication
    3 You next see the ZyWALL login screen.
    Figure 383 ZyWALL Secure Login Screen
  • Page 569: Command Interpreter

    Appendix H Command Interpreter
    The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode.
  • Page 571: Firewall Commands

    Appendix I Firewall Commands
    The following describes the firewall commands. See Appendix H on page 569 for information on the command structure.
    Table 214 Firewall Commands
    FUNCTION          COMMAND                                                               DESCRIPTION
    Firewall Set-Up   ...                                                                   Turns the firewall on or off.
  • Page 572

    Table 214 Firewall Commands (continued)
    FUNCTION          COMMAND                                                               DESCRIPTION
    E-mail            config edit firewall e-mail mail-server <ip address of mail server>   Sets the IP address to which the firewall e-mail messages are sent.
                      config edit firewall e-mail ...                                       Sets the source e-mail address of the firewall e-mails.
  • Page 573

    Table 214 Firewall Commands (continued)
    FUNCTION          COMMAND                                                               DESCRIPTION
    Attack            config edit firewall attack minute-high <0-255>                       Sets the threshold rate of new half-open sessions per minute at which the ZyWALL starts deleting old half-open sessions, until it gets them down to the minute-low threshold.
  • Page 574

    Table 214 Firewall Commands (continued)
    FUNCTION          COMMAND                                                               DESCRIPTION
                      config edit firewall set <set #> tcp-idle-timeout <seconds>           Sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed.
                      config edit firewall set <set #> ...                                  Sets whether or not the ZyWALL creates logs for packets that match ...
  • Page 575

    Table 214 Firewall Commands (continued)
    FUNCTION          COMMAND                                                               DESCRIPTION
                      config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address> ...   Sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet ...
  • Page 577: NetBIOS Filter Commands

    NetBIOS Filter Commands
    The following describes the NetBIOS packet filter commands. See Appendix H on page 569 for information on the command structure.
    Introduction
    NetBIOS (Network Basic Input/Output System) over TCP/IP uses UDP packets, many of them broadcasts, for its name and datagram services (ports 137 and 138) and TCP packets for its session service (port 139); together they let a computer find and communicate with other hosts on a LAN.
  • Page 578: Table 215 NetBIOS Filter Default Settings

    The filter types and their default settings are as follows.
    Table 215 NetBIOS Filter Default Settings
    NAME                  DESCRIPTION                                                                          DEFAULT
    Between LAN and WAN   This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.    Block
    IPSec Packets         This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.   Forward
  • Page 579: Certificates Commands

    Certificates Commands
    The following describes the certificate commands. See Appendix H on page 569 for information on the command structure. All of these commands start with certificates.
    Table 216 Certificates Commands
    COMMAND                                                DESCRIPTION
    my_cert ...
  • Page 580

    Table 216 Certificates Commands (continued)
    COMMAND                                                DESCRIPTION
    create cmp_enroll <name> <CA addr> <CA cert> ...       Create a certificate request and enroll for a certificate immediately online using the CMP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies ...
  • Page 581

    Table 216 Certificates Commands (continued)
    COMMAND                                                DESCRIPTION
    replace_fact                                           Create a certificate, using your device's MAC address, that is specific to this device. The factory default certificate is a common default certificate for all ZyWALL models, so every unit ships with the same certificate (and the private key that goes with it); run replace_fact before trusting the device certificate in a browser.
    ca_trusted                                             Import the PEM-encoded certificate from stdin.
  • Page 582

    Table 216 Certificates Commands (continued)
    COMMAND                                                DESCRIPTION
    delete <name>                                          Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted.
    list                                                   List all trusted remote host certificate names and basic information.
  • Page 583: Appendix L Brute-Force Password Guessing Protection

    Appendix L Brute-Force Password Guessing Protection
    Brute-force password guessing protection lets you specify a wait-time that must expire before a fourth password can be entered after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.
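    The mechanism described above, as an added example that is not the ZyWALL's own code: a three-strikes counter with a wait-time, plus two details a practitioner wants right, namely that during the wait the password is not evaluated at all (so the response leaks nothing about the guess) and that a correct password clears the state. Keying the counter by client source address and the injectable clock are this example's assumptions; the ZyWALL protects its single system password.

```python
"""Three-strikes wait-time for password guessing (added example, not ZyXEL code).

After three incorrect passwords a fourth attempt is refused until the
configured wait-time has expired. The counter is kept per client source
address (an assumption of this example) and the clock is injectable so the
behaviour can be tested without sleeping.
"""
import hmac
import time

MAX_FAILURES = 3  # "three incorrect passwords" before the wait-time applies


class BruteForceGuard:
    def __init__(self, wait_seconds: float, clock=time.monotonic):
        self.wait_seconds = wait_seconds
        self.clock = clock          # injectable clock; monotonic so wall-clock changes cannot shorten the wait
        self.failures = {}          # source -> consecutive failed attempts in the current window
        self.locked_until = {}      # source -> clock value at which the wait-time expires

    def attempt(self, source: str, supplied: str, expected: str) -> str:
        """Process one login attempt; returns 'ok', 'bad_password' or 'wait'."""
        now = self.clock()
        if now < self.locked_until.get(source, 0.0):
            return "wait"           # refused without evaluating the password
        # constant-time comparison: response time must not depend on the password bytes
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self.failures.pop(source, None)
            self.locked_until.pop(source, None)
            return "ok"
        count = self.failures.get(source, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[source] = now + self.wait_seconds
            count = 0               # the next window starts fresh once the wait expires
        self.failures[source] = count
        return "bad_password"

    def seconds_remaining(self, source: str) -> float:
        """How long `source` must still wait before another attempt is evaluated."""
        return max(0.0, self.locked_until.get(source, 0.0) - self.clock())


def guesses_per_day(wait_seconds: float) -> float:
    """Upper bound on password guesses one client can make in 24 hours."""
    return MAX_FAILURES * 86400 / wait_seconds


if __name__ == "__main__":
    guard = BruteForceGuard(wait_seconds=60)
    for guess in ("a", "b", "c", "example-pass"):
        print(guess, "->", guard.attempt("10.0.0.5", guess, "example-pass"))
    print("guesses per day at 60 s wait:", guesses_per_day(60))
```

    guesses_per_day() is the number to look at when choosing the wait-time: three guesses per window means a 60-second wait still allows 4320 guesses a day from one address, which is why the wait protects a weak password only modestly and changing the default password matters more. In a real implementation the comparison would be against a stored hash rather than the cleartext password.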
  • Page 585: Boot Commands

    Boot Commands
    The BootModule AT commands execute from within the router's boot-up software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
  • Page 586: Figure 385 Boot Module Commands

    Figure 385 Boot Module Commands
      AT            just answer OK
      ATHE          print help
      ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
      ATENx,(y)     set BootExtension Debug Flag (y=password)
      ATSE          show the seed of password generator
      ATTI(h,m,s)   change system time to hour:min:sec or show current time
      ATDA(y,m,d)   change system date to year/month/day or show ...
  • Page 587: Log Descriptions

    Log Descriptions
    This appendix provides descriptions of example log messages.
    Table 218 System Maintenance Logs
    LOG MESSAGE                                          DESCRIPTION
    Time calibration is ...                              The router has adjusted its time based on information from the time server.
  • Page 588: Table 219 System Error Logs

    Table 218 System Maintenance Logs (continued)
    LOG MESSAGE                                          DESCRIPTION
    Configuration Change: PC = 0x%x, Task ID = 0x%x      The router is saving configuration changes.
    Successful SSH login                                 Someone has logged on to the router's SSH server.
    ...                                                  Someone has failed to log on to the router's SSH server.
  • Page 589: Table 220 Access Control Logs

    Table 219 System Error Logs (continued)
    LOG MESSAGE                                                    DESCRIPTION
    DHCP Server cannot assign the static IP %S (out of range).     The LAN subnet, LAN alias 1 or LAN alias 2 was changed and the specified static DHCP IP addresses are no longer valid.
  • Page 590: Table 222 Packet Filter Logs

    Table 221 TCP Reset Logs (continued)
    LOG MESSAGE                                          DESCRIPTION
    Peer TCP state out of order, sent TCP RST            The router sent a TCP reset packet when a TCP connection state was out of order. Note: the firewall refers to RFC 793 Figure 6 (the TCP state diagram) to check the TCP state.
  • Page 591: Table 224 CDR Logs

    Table 223 ICMP Logs (continued)
    LOG MESSAGE                                          DESCRIPTION
    Packet without a NAT table entry blocked: ICMP       The router blocked a packet that didn't have a corresponding NAT table entry.
    Unsupported/out-of-order ICMP: ...                   The firewall does not support this kind of ICMP packet, or the ICMP packets are out of order.
  • Page 592: Table 227 Content Filtering Logs

    Table 227 Content Filtering Logs
    LOG MESSAGE                                          DESCRIPTION
    %s: Keyword blocking                                 The content of a requested web page matched a user-defined keyword.
    %s: Not in trusted web ...                           The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
  • Page 593

    Table 228 Attack Logs (continued)
    LOG MESSAGE                                          DESCRIPTION
    land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]         The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack (a packet whose source and destination addresses are the same).
    land ICMP (type:%d, code:%d)                         The firewall detected an ICMP land attack.
    ...                                                  The firewall detected an IP spoofing attack on the WAN port.
  • Page 594: Table 229 Remote Management Logs

    Table 228 Attack Logs (continued)
    LOG MESSAGE                                                                 DESCRIPTION
    IP address in FTP port command is different from the client IP address.     The IP address in an FTP PORT command is different from the client's IP address. It may be a bounce attack.
  • Page 595: Table 231 IKE Logs

    Table 230 IPSec Logs (continued)
    LOG MESSAGE                                          DESCRIPTION
    Rule <%d> idle time out, disconnect                  The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn" ...
  • Page 596

    Table 231 IKE Logs (continued)
    LOG MESSAGE                                          DESCRIPTION
    Cannot resolve Secure Gateway Addr for rule <%d>     The router couldn't resolve the IP address from the domain name that was used for the secure gateway address.
    Peer ID: <peer id> ...                               The displayed ID information did not match between the two ...
  • Page 597

    Table 231 IKE Logs (continued)
    LOG MESSAGE                                          DESCRIPTION
    XAUTH fail! Username: <Username>                     The router was not able to use extended authentication to authenticate the listed user name.
    Rule[%d] Phase 1 negotiation ...                     The listed rule's IKE phase 1 negotiation mode did not match between the router and the peer.
  • Page 598: Table 232 PKI Logs

    Table 231 IKE Logs (continued)
    LOG MESSAGE                                          DESCRIPTION
    Rule [%d] phase 2 mismatch                           The listed rule's IKE phase 2 settings did not match between the router and the peer.
    Rule [%d] Phase 2 key length mismatch                The listed rule's IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer.
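    The VPN Log example on page 554 and the IKE/IPSec messages in Tables 230 and 231, tied together as an added example that is not ZyXEL code: a parser for the `sys log disp ike ipsec` line format that classifies each IKE message and maps it to the setting worth comparing first on the two routers, so "the tunnel does not build" becomes a short checklist per rule. The line format and the message texts are the manual's; the "Phase 1 negotiation" text is truncated on the page, so that pattern is an assumption, and lines 2 to 5 of the sample log are constructed for this example (lines 0 and 1 are Figure 363).

```python
"""Triage of ZyWALL IKE/IPSec log output (added example, not ZyXEL code).

Parses the line format of `sys log disp ike ipsec` shown in Figure 363 and maps
the IKE/IPSec messages documented in Tables 230 and 231 to the setting to check
first on both routers. The "Phase 1 negotiation" text is truncated in the
manual, so that pattern is an assumption; all other message texts are quoted.
"""
import re
from collections import Counter

# <index>|<MM/DD/YYYY HH:MM:SS> |<source> |<destination> |<notes> <message>
LINE_RE = re.compile(
    r"^(?P<index>\d+)\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<src>[^|]+?) \|(?P<dst>[^|]+?) \|(?P<notes>\S+)\s+(?P<message>.*)$"
)
# rule references appear as "Rule [ex-1]", "Rule [2]" or "rule <3>"
RULE_RE = re.compile(r"[Rr]ule ?(?:\[(?P<a>[^\]]+)\]|<(?P<b>[^>]+)>)")
# ISAKMP initiator/responder cookies; the same pair appears in the peer's log
COOKIE_RE = re.compile(r"cookie pair is : (?P<i>0x[0-9A-Fa-f]+) / (?P<r>0x[0-9A-Fa-f]+)")

# (pattern, class, what to compare on both routers); order matters: the more
# specific "key length" text is tested before the generic phase 2 mismatch
CLASSES = [
    (re.compile(r"Tunnel built successfully"), "tunnel_up", None),
    (re.compile(r"Phase 2 key length mismatch"), "phase2_key_length",
     "AES key length in the network policy"),
    (re.compile(r"phase 2 mismatch", re.I), "phase2_proposal",
     "phase 2 encryption/authentication/PFS in the network policy"),
    (re.compile(r"Phase 1 negotiation"), "phase1_mode",  # assumed full text
     "negotiation mode (main/aggressive) in the gateway policy"),
    (re.compile(r"Peer ID:"), "peer_id", "local/peer ID type and content"),
    (re.compile(r"XAUTH fail! Username: (?P<user>\S+)"), "xauth",
     "extended authentication user name/password"),
    (re.compile(r"Cannot resolve Secure Gateway Addr"), "gateway_dns",
     "remote gateway domain name and DNS"),
    (re.compile(r"idle time out, disconnect"), "idle_timeout",
     "idle timer ('ipsec timer chk_conn') versus real traffic pattern"),
]


def parse_line(line: str):
    """Fields of one log line, or None for the prompt, header and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["index"] = int(rec["index"])
    msg = rec["message"]
    rule = RULE_RE.search(msg)
    rec["rule"] = (rule.group("a") or rule.group("b")) if rule else None
    cookies = COOKIE_RE.search(msg)
    rec["cookies"] = (cookies.group("i"), cookies.group("r")) if cookies else None
    rec["class"], rec["check"] = "other", None
    for pattern, cls, check in CLASSES:
        if pattern.search(msg):
            rec["class"], rec["check"] = cls, check
            break
    return rec


def triage(log_text: str) -> dict:
    """Parse a whole `sys log disp` dump; count classes and list checks per rule."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    failures = {}
    for r in records:
        if r["check"]:
            failures.setdefault(r["rule"], set()).add(r["check"])
    return {
        "records": records,
        "counts": Counter(r["class"] for r in records),
        "failures": {rule: sorted(checks) for rule, checks in failures.items()},
    }


# Lines 0 and 1 are the manual's Figure 363; lines 2-5 are constructed for this example.
SAMPLE_LOG = """\
ras> sys log disp ike ipsec
.time source destination notes message
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:40 |5.6.7.8 |5.1.2.3 |IKE Rule [2] phase 2 mismatch
3|01/11/2001 18:47:41 |5.6.7.8 |5.1.2.3 |IKE Rule [2] Phase 2 key length mismatch
4|01/11/2001 18:48:02 |5.6.7.8 |5.1.2.3 |IKE XAUTH fail! Username: branch01
5|01/11/2001 18:48:30 |5.6.7.8 |5.1.2.3 |IKE Cannot resolve Secure Gateway Addr for rule <3>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rule, checks in result["failures"].items():
        print("rule %s: check %s" % (rule, "; ".join(checks)))
```

    Run against a dump from each router, the cookie pair lets you line up the two sides' entries for one negotiation, and the per-rule checklist is the order in which to compare fields in the gateway and network policies rather than "methodically and slowly" through every screen.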
  • Page 599: Table 233 Certificate Path Verification Failure Reason Codes

    Table 232 PKI Logs (continued)
    LOG MESSAGE                                  DESCRIPTION
    Failed to decode the received user cert      The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.
    Failed to decode the ...                     The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source ...
  • Page 600: Table 234 802.1X Logs

    Table 233 Certificate Path Verification Failure Reason Codes (continued)
    CODE   DESCRIPTION
    ...    CRL decoding failed.
    ...    CRL is not currently valid, but in the future.
    ...    CRL contains duplicate serial numbers.
    ...    Time interval is not continuous.
    ...    Time information not available.
    ...    Database method failed due to timeout.
  • Page 601: Table 235 ACL Setting Notes

    Table 234 802.1X Logs (continued)
    LOG MESSAGE                                      DESCRIPTION
    Use Local User Database to authenticate user.    The local user database is operating as the authentication server.
    Use RADIUS to authenticate user.                 The RADIUS server is operating as the authentication server.
  • Page 602

    Table 236 ICMP Notes (continued)
    TYPE                    CODE   DESCRIPTION
    5  Redirect             2      Redirect datagrams for the Type of Service and Network
                            3      Redirect datagrams for the Type of Service and Host
    8  Echo                 0      Echo message
    11 Time Exceeded        0      Time to live exceeded in transit
                            1      Fragment reassembly time exceeded
    12 Parameter Problem    0      Pointer indicates the error
    ...
  • Page 603: Table 237 Syslog Logs

    Syslog Logs
    There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" ...
  • Page 604: Figure 386 Displaying Log Categories Example

    Table 238 RFC-2408 ISAKMP Payload Types (continued)
    PAYLOAD TYPE           LOG DISPLAY
    Transform              TRANS
    Key Exchange           ...
    Identification         ...
    Certificate            ...
    Certificate Request    CER_REQ
    Hash                   HASH
    Signature              ...
    Nonce                  NONCE
    Notification           NOTFY
    Delete                 ...
    Vendor ID              ...
    Log Commands
    This section provides some general examples of how to use the log commands. The items that display on your device may vary, but the basic function should be the same.
  • Page 605: Figure 387 Displaying Log Parameters Example

    Figure 387 Displaying Log Parameters Example
      ras> sys logs category access
      Usage: [0:none/1:log/2:alert/3:both] [0:don't show debug type/1:show debug type]
    4 Use sys logs category followed by a log category and a parameter to decide what to record.
  • Page 606

    Log Command Example
    This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
      ras> sys logs load
      ras> sys logs category access 3
      ras> sys logs save
      ras> ...