Summary of Contents for ZyXEL Communications ZyWall 10
ZyWALL 10/10W/50/100 Internet Security Gateway SMT User’s Guide Versions 3.52 and 3.60 January 2003...
ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
ZyWALL 10~100 Series Internet Security Gateway Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
Information for Canadian Users

The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon...
Customer Support

Please have the following information ready when you contact customer support.
• Product model and serial number.
• Information in Menu 24.2.1 – System Information.
Table of Contents

Copyright
Federal Communications Commission (FCC) Interference Statement
Information for Canadian Users
ZyXEL Limited Warranty
Customer Support
List of Figures
List of Tables
Preface
Initial Setup and Configuration
  Editing PPP Options
  Editing TCP/IP Options
  Editing Login Script
  3.10 Remote Node Filter
Chapter 4 LAN Setup
  Introduction to LAN Setup
  Accessing the LAN Menus
  LAN Port Filter Setup
  TCP/IP and DHCP Ethernet Setup Menu
  Wireless LAN Setup
  ...
Chapter 8 IP Static Route Setup
  IP Static Route Setup
Chapter 9 Network Address Translation (NAT)
  Using NAT
  NAT Setup
  Configuring a Server behind NAT
  General NAT Examples
Chapter 14 Firmware and Configuration File Maintenance
  14.1 Filename Conventions
  14.2 Backup Configuration
  14.3 Restore Configuration
  14.4 Uploading Firmware and Configuration Files
Chapter 15 System Maintenance & Information
  15.1 Command Interpreter Mode
  15.2...
Chapter 20 SA Monitor
  20.1 Introduction
  20.2 Using SA Monitor
Chapter 21 Troubleshooting
  23.1 Problems Starting Up the ZyWALL
  21.1 Problems with the LAN Interface
  21.2...
List of Figures

Figure 1-1 Initial Screen
Figure 1-2 Password Screen
Figure 1-3 Main Menu (ZyWALL 100)
Figure 1-4 Getting Started and Advanced Applications SMT Menus
Figure 1-5 Advanced Management SMT Menus
Figure 1-6 Schedule Setup and IPSec VPN Configuration SMT Menus
...
Figure 4-6 Menu 3.5 – Wireless LAN Setup
Figure 5-1 Menu 5: DMZ Setup
Figure 5-2 Menu 5.1: DMZ Port Filter Setup
Figure 5-3 Menu 5: TCP/IP Setup
Figure 5-4 Menu 5.2: TCP/IP Setup
Figure 5-5 Menu 5.2.1: IP Alias Setup
Figure 9-8 Menu 15.2: NAT Server Setup (ZyWALL 10)
Figure 9-9 Multiple Servers Behind NAT Example
Figure 9-10 NAT Example 1
Figure 9-11 Menu 4: Internet Access & NAT Example
Figure 9-12 NAT Example 2
Figure 9-13 Menu 15.2: Specifying an Inside Server
...
Figure 11-11 Example Filter Rules Summary: Menu 21.1.3
Figure 11-12 Protocol and Device Filter Sets
Figure 11-13 Filtering LAN Traffic
Figure 11-14 Filtering DMZ Traffic
Figure 11-15 Filtering Remote Node Traffic
Figure 12-1 Menu 22: SNMP Configuration
Figure 13-1 Menu 24: System Maintenance
Figure 14-11 Restore Configuration Example
Figure 14-12 Successful Restoration Confirmation Screen
Figure 14-13 Telnet Into Menu 24.7.1: Upload System Firmware
Figure 14-14 Telnet Into Menu 24.7.2: System Maintenance
Figure 14-15 FTP Session Example of Firmware File Upload
Figure 14-16 Menu 24.7.1 As Seen Using the Console Port
...
Figure 18-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
Figure 18-4 Applying Schedule Set(s) to a Remote Node (PPTP)
Figure 19-1 VPN SMT Menu Tree
Figure 19-2 Menu 27: VPN/IPSec Setup
Figure 19-3 Menu 27.1: IPSec Summary
List of Tables

Table 1-1 Main Menu Commands
Table 1-2 Main Menu Summary
Table 2-1 General Setup Menu Field
Table 2-2 Configure Dynamic DNS Menu Fields
Table 3-1 MAC Address Cloning in WAN Setup
Table 3-2 Menu 2: Dial Backup Setup
...
Table 9-1 Applying NAT in Menus 4 & 11.3
Table 9-2 SUA Address Mapping Rules
Table 9-3 Fields in Menu 15.1.1
Table 9-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Table 9-5 Menu 15.3—Trigger Port Setup Description
Table 19-2 Menu 27.1.1: IPSec Setup
Table 19-3 Menu 27.1.1.1: IKE Setup
Table 19-4 Active Protocol: Encapsulation and Security Protocol
Table 19-5 Menu 27.1.1.2: Manual Setup
Table 20-1 Menu 27.2: SA Monitor
Table 21-1 Troubleshooting the Start-Up of Your ZyWALL
...
This manual may refer to the ZyWALL 10/10W/50/100 Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 10, 10W, 50 and 100 models. Supported features, and the details of those features, vary from model to model. Not every feature applies to every model; refer to the Model Comparison Chart in chapter 1 of the Web Configurator User’s Guide to see what features are specific to your ZyWALL...
• “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font.
Part I: Initial Setup and Configuration

This part covers Introducing the SMT, SMT Menu 1 General Setup, WAN and Dial Backup Setup, LAN Setup, Wireless LAN Security, DMZ Setup, and Internet Access.
When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next.

    Copyright (c) 1994 - 2002 ZyXEL Communications Corp.
    initialize ch =0, ethernet address: 00:a0:c5:41:51:61
    initialize ch =1, ethernet address: 00:a0:c5:41:51:62
    Press ENTER to continue...
For your first login, enter the default password “1234”. As you type the password, the screen displays an “X” for each character you type. Please note that if there is no activity for longer than five minutes after you log in, your ZyWALL will automatically log you out and display a blank screen.
Main Menu

After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Not all models have all the features shown.

    Copyright (c) 1994 - 2001 ZyXEL Communications Corp.
    ZyWALL 100 Main Menu
    Getting Started        Advanced Management
    1.
Table 1-2 Main Menu Summary

MENU TITLE: LAN Setup
FUNCTION: Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings and configure the wireless LAN port (not available on all models).
1.3.2 SMT Menus at a Glance

The available SMT screens vary by ZyWALL model. The following SMT overview applies to the ZyWALL 100.

Figure 1-4 Getting Started and Advanced Applications SMT Menus
Figure 1-6 Schedule Setup and IPSec VPN Configuration SMT Menus

Changing the System Password

Change the system password by following the steps shown next.

Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next.
Resetting the ZyWALL

If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
1.5.2 Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.

Step 1. Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts.
Chapter 2 SMT Menu 1 - General Setup

Menu 1 - General Setup contains administrative and system-related information.

Introduction to General Setup

Menu 1 - General Setup contains administrative and system-related information.

Configuring General Setup

Step 1.
Table 2-1 General Setup Menu Field

FIELD: Domain Name
DESCRIPTION: Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name"...
EXAMPLE: zyxel.com.tw
Table 2-2 Configure Dynamic DNS Menu Fields

FIELD: Service Provider
DESCRIPTION: This is the name of your Dynamic DNS service provider.
EXAMPLE: WWW.DynDNS.ORG (default)

FIELD: Active
DESCRIPTION: Press [SPACE BAR] to select Yes and then press [ENTER] to make dynamic DNS active.
Table 2-2 Configure Dynamic DNS Menu Fields

FIELD: Use Server
DESCRIPTION: Press [SPACE BAR] to select Yes and then press [ENTER] to have the DDNS server automatically update the IP address of the host name(s) with the public IP address that the ZyWALL uses or is behind.
Chapter 3 WAN and Dial Backup Setup

This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. Dial-backup applies to the ZyWALL 100 and 10W (see Table 1-1 Model Specific Features in the Web Configuration User’s Guide).
Table 3-1 MAC Address Cloning in WAN Setup

FIELD: MAC Address Assigned By
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address.
EXAMPLE: IP address attached on
    Menu 2 - WAN Setup

    MAC Address:
      Assigned By= Factory default
      IP Address= N/A
    Dial-Backup:
      Active= No
      Phone Number=
      Port Speed= 115200
      AT Command String:
        Init= at&fs0=0
      Edit Advanced Setup= No

    Press ENTER to Confirm or ESC to Cancel:

Figure 3-2 Menu 2: Dial Backup Setup

The following table describes the fields in this screen.
Table 3-2 Menu 2: Dial Backup Setup

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
Table 3-3 Advanced WAN Port Setup: AT Commands Fields

FIELD: Drop
DESCRIPTION: Enter the AT Command string to drop a call. “~” represents a one second wait, e.g., “~~~+++~~ath” can be used if your modem has a slow response time.
DEFAULT: +++ath
Table 3-4 Advanced WAN Port Setup: Call Control Parameters

FIELD: Drop Timeout (sec)
DESCRIPTION: Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation.
DEFAULT: 20 seconds
Table 3-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP)

FIELD: Active
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node.
Table 3-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP)

FIELD: Allocated Budget
DESCRIPTION: Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field. The default...
    Menu 11.2 - Remote Node PPP Options

    Encapsulation= Standard PPP
    Compression= No

    Enter here to CONFIRM or ESC to CANCEL:
    Press Space Bar to Toggle.

Figure 3-5 Menu 11.2 - Remote Node PPP Options

This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields.
Editing TCP/IP Options

Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.

    Menu 11.3 - Remote Node Network Layer Options

    Rem IP Addr= 0.0.0.0...
Table 3-6 Remote Node Network Layer Options Menu Fields

FIELD: Network Address
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select either Full Feature, None or SUA Only. See the Network Address Translation (NAT) chapter...
EXAMPLE: None
upper or lower case. Similarly, you specify “word: ” as the ‘Expect’ string and your password as the ‘Send’ string for the second prompt in set 2. You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear.
    Menu 11.4 - Remote Node Script

    Active= No

    Set 1:                Set 5:
      Expect=               Expect=
      Send=                 Send=
    Set 2:                Set 6:
      Expect=               Expect=
      Send=                 Send=
    Set 3:
      Expect=
      Send=
    Set 4:
      Expect=
      Send=

    Enter here to CONFIRM or ESC to CANCEL:

Figure 3-8 Menu 11.4 –...
Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
Chapter 4 LAN Setup

This chapter describes how to configure the LAN using Menu 3: LAN Setup. Wireless LAN is available on the ZyWALL 10W and 100 models.

Introduction to LAN Setup

This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
    Menu 3.1 – LAN Port Filter Setup

    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=

    Press ENTER to Confirm or ESC to Cancel:

Figure 4-2 Menu 3.1: LAN Port Filter Setup...
    Menu 3.2 - TCP/IP and DHCP Ethernet Setup

    DHCP= Server
    Configuration:
      Client IP Pool Starting Address= 192.168.1.33   (callout: First address in the IP Pool)
      Size of Client IP Pool= 32
      Primary DNS Server= 0.0.0.0
      Secondary DNS Server= 0.0.0.0...
Table 4-1 DHCP Ethernet Setup Menu Fields

FIELD: DHCP Server Address
DESCRIPTION: If Relay is selected in the DHCP field above, then type the IP address of the actual, remote DHCP server here.
4.4.1 IP Alias Setup

You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.
Table 4-3 IP Alias Setup Menu Fields

FIELD: Incoming Protocol Filters
DESCRIPTION: Enter the filter set(s) you wish to apply to the incoming traffic between this node and the ZyWALL.

FIELD: Outgoing Protocol Filters
DESCRIPTION: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL.
The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters.

Table 4-4 Wireless LAN Setup Menu Fields...
Chapter 5 DMZ Setup

This chapter describes how to configure the ZyWALL 100’s DMZ using Menu 5: DMZ Setup.

Configuring DMZ Setup

From the main menu, enter 5 to open Menu 5 – DMZ Setup.
TCP/IP Setup

For more detailed information about RIP setup, IP Multicast and IP alias, please refer to the LAN chapter.

5.3.1 IP Address

From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155).
    Menu 5.2 - TCP/IP Ethernet Setup

    TCP/IP Setup:
      IP Address= ?
      IP Subnet Mask=
      RIP Direction= Both
        Version= RIP-1
      Multicast= None
      Edit IP Alias= No

    Press ENTER to Confirm or ESC to Cancel:

Figure 5-4 Menu 5.2: TCP/IP Setup

The TCP/IP setup fields are the same as the ones in Menu 3.2 TCP/IP Ethernet Setup.
    Menu 5.2.1 - IP Alias Setup

    IP Alias 1= No
      IP Address= N/A
      IP Subnet Mask= N/A
      RIP Direction= N/A
        Version= N/A
      Incoming protocol filters= N/A
      Outgoing protocol filters= N/A
    IP Alias 2= No...
Chapter 6 Internet Access

This chapter shows you how to configure your ZyWALL for Internet access.

Introduction to Internet Access Setup

Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
Table 6-1 Menu 4: Internet Access Setup Menu Fields

FIELD: Encapsulation
DESCRIPTION: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.

FIELD: Service Type...
the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option. This brings up the following screen.

    Menu 4 - Internet Access Setup

    ISP's Name= ChangeMe
    Encapsulation= PPTP
    Service Type= N/A...
    Menu 4 - Internet Access Setup

    ISP's Name= ChangeMe
    Encapsulation= PPPoE
    Service Type= N/A
    My Login=
    My Password= ********
    Idle Timeout= 100
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Address= N/A...
Part II: Remote Node Setup, IP Static Route Setup, NAT, Firewall, Filters, SNMP

This part covers Remote Node Setup, IP Static Route Setup and Network Address Translation, the ZyXEL firewall, filters and SNMP.
Chapter 7 Remote Node Setup

This chapter shows you how to configure a remote node.

Introduction to Remote Node Setup

A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
    Menu 11 - Remote Node Setup

    1. ChangeMe (ISP, SUA)
    2. ________

    Enter Node # to Edit:

Figure 7-1 Menu 11 Remote Node Setup

Remote Node Profile Setup

The following explains how to configure the remote node profile menu.
    Menu 11.1 - Remote Node Profile

    Rem Node Name= ChangeMe        Route= IP
    Active= Yes
    Encapsulation= Ethernet        Edit IP= No
    Service Type= Standard         Session Options:
    Service Name= N/A                Edit Filter Sets= No
    Outgoing:
      My Login= N/A...
Table 7-1 Fields in Menu 11.1

FIELD: My Password
DESCRIPTION: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only.
EXAMPLE: *****

FIELD: Retype to
DESCRIPTION: Type your password again to make sure that you have entered it...
    Menu 11.1 - Remote Node Profile

    Rem Node Name= ChangeMe        Route= IP
    Active= Yes
    Encapsulation= PPPoE           Edit IP= No
    Service Type= Standard         Telco Option:
    Service Name=                    Allocated Budget(min)= 0
    Outgoing:                        Period(hr)= 0
      My Login=...
Metric

See the Metric section in the WAN and Dial Backup Setup chapter for details on the Metric field.

Table 7-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific)

FIELD: Authen
DESCRIPTION: This field sets the authentication protocol used for outgoing calls.
    Menu 11.1 - Remote Node Profile

    Rem Node Name= ChangeMe        Route= IP
    Active= Yes
    Encapsulation= PPTP            Edit IP= No
    Service Type= Standard         Telco Option:
    Service Name=N/A                 Allocated Budget(min)= 0
    Outgoing=                        Period(hr)= 0
      My Login=...
Table 7-3 Fields in Menu 11.1 (PPTP Encapsulation)

FIELD: Nailed-Up Connections
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select Yes if you want to make the connection to this remote node a nailed-up connection.
Table 7-4 Remote Node Network Layer Options Menu Fields

FIELD: (Rem) IP Subnet Mask
DESCRIPTION: If you have a Static IP Assignment, enter the subnet mask assigned to you.

FIELD: Gateway IP
DESCRIPTION: This field is applicable to Ethernet encapsulation only. Enter the...
Table 7-4 Remote Node Network Layer Options Menu Fields

Once you have completed filling in Menu 11.3 Remote Node Network Layer Options, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration and return to menu 11, or press [ESC] at any time to cancel.
Table 7-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field)

FIELD: Edit Traffic
DESCRIPTION: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature.
Table 7-6 Traffic Redirect Setup

FIELD: Active
DESCRIPTION: Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No. When the Active field is Yes, you must configure every field in this screen unless you are using PPPoE or PPTP encapsulation (except Check WAN IP Address and Timeout).
Table 7-6 Traffic Redirect Setup

When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
Chapter 8 IP Static Route Setup

This chapter shows you how to configure static routes with your ZyWALL.

IP Static Route Setup

Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
    Menu 12.1 - Edit IP Static Route

    Route #: 1
    Route Name= ?
    Active= No
    Destination IP Address= ?
    IP Subnet Mask= ?
    Gateway IP Address= ?
    Metric= 2
    Private= No

    Press ENTER to CONFIRM or ESC to CANCEL:

Figure 8-2 Menu 12.
Table 8-1 IP Static Route Menu Fields

FIELD: Private
DESCRIPTION: This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast.
Chapter 9 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the ZyWALL.

Using NAT

You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
    Menu 4 - Internet Access Setup

    ISP's Name= myISP
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Login Server IP= N/A
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A...
11.3, the SMT will use Set 1. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only). The server set is a list of LAN and DMZ servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set.
SUA Address Mapping Set

Enter 255 to display the next screen (see also section 9.1.1). The fields in this menu cannot be changed.

    Menu 15.1.255 - Address Mapping Rules

    Set Name= SUA

    Local Start IP...
Table 9-2 SUA Address Mapping Rules

FIELD: Type
DESCRIPTION: These are the mapping types discussed above. Server allows us to specify multiple servers of different types behind NAT to this machine. See later for some examples.
EXAMPLE: Server
The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.

Ordering Your Rules

Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
An IP End address must be numerically greater than its corresponding IP Start address.

    Menu 15.1.1.1 Address Mapping Rule

    Type= One-to-One

    Local IP:
      Start=
      End  = N/A
    Global IP:
      Start=
      End  = N/A

    Press ENTER to Confirm or ESC to Cancel:

Figure 9-7 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set...
Table 9-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set

Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel.
General NAT Examples

The following are some examples of NAT configuration.

9.4.1 Internet Access Only

In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 9.4. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.
    Menu 15.2 - NAT Server Setup

    Rule   Start Port No.   End Port No.   IP Address
    ---------------------------------------------------
           Default          Default        192.168.1.10
                                           0.0.0.0
                                           0.0.0.0
                                           0.0.0.0
                                           0.0.0.0
                                           0.0.0.0
                                           0.0.0.0
                                           0.0.0.0
                                           0.0.0.0
                                           0.0.0.0
                                           0.0.0.0
           1026             1026           RR Reserved

    Press ENTER to Confirm or ESC to Cancel:

Figure 9-13 Menu 15.2: Specifying an Inside Server...
Figure 9-14 NAT Example 3

Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 9-15.
    Menu 15.1.1 - Address Mapping Rules

    Set Name= Example3

        Local Start IP   Local End IP     Global Start IP  Global End IP    Type
        ---------------  ---------------  ---------------  ---------------  ------
    1.  192.168.1.10                      10.132.50.1
        192.168.1.11                      10.132.50.2
    3.  0.0.0.0          255.255.255.255...
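The set above lists the two specific server mappings ahead of the catch-all range, which matters because, as Ordering Your Rules states, the first matching rule is applied and the remaining rules are ignored. The Python model below is an added example (not ZyXEL code and not part of the manual) that evaluates a rule list first-match and flags rules that an earlier range makes unreachable; the function names and the catch-all global address 10.132.50.9 are constructed for illustration.

```python
"""Added example: first-match evaluation of NAT address mapping rules."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Constructed value: the screen above is cut off before rule 3's global address.
CATCH_ALL_GLOBAL = "10.132.50.9"


@dataclass(frozen=True)
class MappingRule:
    kind: str                  # mapping type name, e.g. "One-to-One"
    local_start: IPv4Address
    local_end: IPv4Address     # equals local_start when no End is configured
    global_ip: IPv4Address

    def matches(self, src: IPv4Address) -> bool:
        return self.local_start <= src <= self.local_end

    def covers(self, other: "MappingRule") -> bool:
        """True if every local address of `other` also matches this rule."""
        return (self.local_start <= other.local_start
                and other.local_end <= self.local_end)


def make_rule(kind: str, global_ip: str, local_start: str,
              local_end: Optional[str] = None) -> MappingRule:
    """Build a rule, enforcing the manual's Start/End constraint."""
    start = IPv4Address(local_start)
    if local_end is None:
        end = start
    else:
        end = IPv4Address(local_end)
        if end <= start:
            raise ValueError(
                "IP End address must be numerically greater than IP Start")
    return MappingRule(kind, start, end, IPv4Address(global_ip))


def translate(rules: List[MappingRule], src: str) -> Optional[Tuple[int, str]]:
    """Return (1-based rule number, global IP) of the first matching rule."""
    addr = IPv4Address(src)
    for number, rule in enumerate(rules, start=1):
        if rule.matches(addr):
            return number, str(rule.global_ip)   # remaining rules are ignored
    return None


def shadowed_rules(rules: List[MappingRule]) -> List[int]:
    """Rule numbers that can never match because one earlier rule covers them.

    Simplification: only checks coverage by a single earlier rule, not by the
    union of several earlier ranges.
    """
    hidden = []
    for i, rule in enumerate(rules):
        if any(earlier.covers(rule) for earlier in rules[:i]):
            hidden.append(i + 1)
    return hidden


# Order as shown in the Example3 set: specific servers first, catch-all last.
GOOD_ORDER = [
    make_rule("One-to-One", "10.132.50.1", "192.168.1.10"),
    make_rule("One-to-One", "10.132.50.2", "192.168.1.11"),
    make_rule("Many-to-One", CATCH_ALL_GLOBAL, "0.0.0.0", "255.255.255.255"),
]

# Misordered set: the catch-all range is evaluated before the server rules.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, "192.168.1.10 ->", translate(rules, "192.168.1.10"),
              "| unreachable rules:", shadowed_rules(rules))
```

Running the same check over an exported rule list before committing it catches the misordered case, where both servers silently leave through the shared address instead of their dedicated ones.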
9.4.4 Example 4: NAT Unfriendly Application Programs

Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
    Menu 15.1.1.1 Address Mapping Rule

    Type= Many-One-to-One

    Local IP:
      Start= 192.168.1.10
      End  = 192.168.1.12
    Global IP:
      Start= 10.132.50.1
      End  = 10.132.50.3

    Press ENTER to Confirm or ESC to Cancel:

Figure 9-20 Example 4: Menu 15.1.1.1: Address Mapping Rule

After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a...
5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).
ZyWALL 10~100 Series Internet Security Gateway Table 9-5 Menu 15.3—Trigger Port Setup Description FIELD DESCRIPTION EXAMPLE
Rule: This is the rule index number.
Name (example: Real Audio): Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces.
ZyWALL 10~100 Series Internet Security Gateway Chapter 10 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 10.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
ZyWALL 10~100 Series Internet Security Gateway 10.1.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
ZyWALL 10~100 Series Internet Security Gateway Chapter 11 Filter Configuration This chapter shows you how to create and apply filters. 11.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
ZyWALL 10~100 Series Internet Security Gateway [Figure: outgoing packet filtering flow. Labels: Outgoing Packet; Active Data; Data Filtering; Call Filtering; Built-in default Call Filters; User-defined Call Filters (if applicable); match; Initiate call if line not up; Send packet and reset Idle Timer...]
ZyWALL 10~100 Series Internet Security Gateway [Figure: filter rule process flowchart. Labels: Start; Packet into filter; Fetch First Filter Set; Fetch First Filter Rule; Filter Set; Fetch Next Filter Set; Fetch Next Filter Rule; Next Filter Rule Available?; Next Filter Set Available?; Active?; Execute Filter Rule...]
ZyWALL 10~100 Series Internet Security Gateway You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
ZyWALL 10~100 Series Internet Security Gateway Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
ZyWALL 10~100 Series Internet Security Gateway Table 11-2 Rule Abbreviations Used ABBREVIATION DESCRIPTION Protocol Source Address Source Port number Destination Address Destination Port number Offset Length Refer to the next section for information on configuring the filter rules. 11.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to...
ZyWALL 10~100 Series Internet Security Gateway To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1...
ZyWALL 10~100 Series Internet Security Gateway Table 11-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS
Port # (options: 0-65535): Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is...
ZyWALL 10~100 Series Internet Security Gateway Table 11-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS
(options: None, Action Matched) Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged.
ZyWALL 10~100 Series Internet Security Gateway [Figure: IP filter flowchart] Packet into IP Filter -> Filter Active? -> Apply SrcAddrMask to Src Addr -> Check Src IP Addr (Matched / Not Matched) -> Apply DestAddrMask to Dest Addr -> Check Dest IP Addr (Matched / Not Matched) -> Check IP Protocol (Matched / Not Matched) -> Check Src &...
ZyWALL 10~100 Series Internet Security Gateway 11.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
ZyWALL 10~100 Series Internet Security Gateway Table 11-4 Generic Filter Rule Menu Fields
Filter Type (Generic Filter Rule): Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets.
ZyWALL 10~100 Series Internet Security Gateway 11.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Figure 11-9 Telnet Filter Example Step 1.
ZyWALL 10~100 Series Internet Security Gateway Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Press [SPACE BAR] and then Menu 21.1.3.1 - TCP/IP Filter Rule...
ZyWALL 10~100 Series Internet Security Gateway Menu 21.1.3 - Filter Rules Summary
# A Type Filter Rules                                                     M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                             N D F
This shows you that you have
M = N means an action can be taken immediately.
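The summary row above can be checked mechanically. The following Python sketch is an added example, not ZyXEL code: it parses that row and evaluates constructed packets against it, including a Telnet service that has been moved off port 23. It assumes that the m and n columns are the actions for matched and not-matched packets, that D, F and N stand for drop, forward and check next rule, that 0.0.0.0 and 0 mean "any", and that unmatched traffic is forwarded by default.

```python
import ipaddress
import re
from dataclasses import dataclass

# Row copied from "Menu 21.1.3 - Filter Rules Summary" on this page.
SUMMARY_ROW = "1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F"

# Assumed expansion of the action letters in the m and n columns.
ACTIONS = {"D": "drop", "F": "forward", "N": "next"}
ANY_ADDR = ipaddress.ip_address("0.0.0.0")  # treated as "any host" (assumption)
ROW_RE = re.compile(
    r"\s*(\d+)\s+([YN])\s+IP\s+(.+?)\s+([YN])\s+([DFN])\s+([DFN])\s*")


@dataclass(frozen=True)
class FilterRule:
    index: int
    active: bool                 # A column
    proto: int                   # Pr: IP protocol number (6 = TCP), 0 = any
    src: ipaddress.IPv4Address   # SA
    dst: ipaddress.IPv4Address   # DA
    sport: int                   # SP, 0 = any
    dport: int                   # DP, 0 = any
    on_match: str                # m column
    on_miss: str                 # n column


def parse_summary_row(row: str) -> FilterRule:
    """Parse one TCP/IP row of the Filter Rules Summary screen."""
    m = ROW_RE.fullmatch(row)
    if m is None:
        raise ValueError(f"not a TCP/IP filter summary row: {row!r}")
    index, active, body, more, on_match, on_miss = m.groups()
    if more == "Y":
        # M = Y chains this rule to the next one; chains are not modelled here.
        raise ValueError("rule chains (M = Y) are not handled by this sketch")
    fields = {"Pr": "0", "SA": "0.0.0.0", "SP": "0", "DA": "0.0.0.0", "DP": "0"}
    for item in body.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep or key not in fields:
            raise ValueError(f"unexpected field {item.strip()!r}")
        fields[key] = value
    return FilterRule(
        index=int(index), active=(active == "Y"), proto=int(fields["Pr"]),
        src=ipaddress.ip_address(fields["SA"]),
        dst=ipaddress.ip_address(fields["DA"]),
        sport=int(fields["SP"]), dport=int(fields["DP"]),
        on_match=ACTIONS[on_match], on_miss=ACTIONS[on_miss])


def matches(rule: FilterRule, pkt: dict) -> bool:
    """True when every non-wildcard field of the rule equals the packet's."""
    def addr_ok(want, got):
        return want == ANY_ADDR or want == ipaddress.ip_address(got)

    def num_ok(want, got):
        return want == 0 or want == got

    return (num_ok(rule.proto, pkt["proto"])
            and addr_ok(rule.src, pkt["src"]) and addr_ok(rule.dst, pkt["dst"])
            and num_ok(rule.sport, pkt["sport"])
            and num_ok(rule.dport, pkt["dport"]))


def evaluate(rules, pkt, default="forward"):
    """Walk the rules in order; inactive rules are skipped."""
    for rule in rules:
        if not rule.active:
            continue
        action = rule.on_match if matches(rule, pkt) else rule.on_miss
        if action != "next":
            return action
    return default  # assumed behaviour when no rule decides


# Constructed packets arriving from the WAN (documentation address ranges).
def _pkt(proto, dport):
    return {"proto": proto, "src": "203.0.113.7", "dst": "192.0.2.1",
            "sport": 40000, "dport": dport}


PACKETS = {
    "telnet to port 23": _pkt(6, 23),
    "web to port 80": _pkt(6, 80),
    "udp to port 23": _pkt(17, 23),
    "telnet service moved to port 2323": _pkt(6, 2323),
}


def verdicts(row: str = SUMMARY_ROW) -> dict:
    rule = parse_summary_row(row)
    return {name: evaluate([rule], pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:8} {name}")
```

The last constructed packet is forwarded: the rule only covers destination port 23, so if the Telnet service port is customized in menu 24.11, the DP value in the filter has to be changed to match.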
ZyWALL 10~100 Series Internet Security Gateway Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the ZyWALL applies the protocol filters to the “native”...
ZyWALL 10~100 Series Internet Security Gateway If you do not activate the firewall, it is advisable to apply filters. 11.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
ZyWALL 10~100 Series Internet Security Gateway Menu 5.1 – DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 11-14 Filtering DMZ Traffic 11.6.3 Applying Remote Node Filters Go to menu 11.5 (shown below –...
ZyWALL 10~100 Series Internet Security Gateway Chapter 12 SNMP Configuration This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 12.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next.
ZyWALL 10~100 Series Internet Security Gateway Table 12-1 SNMP Configuration Menu Fields FIELD DESCRIPTION EXAMPLE
Trap Community (example: Public): Type the Trap community, which is the password sent with each trap to the SNMP manager.
Destination: Type the IP address of the station to send your SNMP traps to.
System Maintenance Part III: System Maintenance This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management.
ZyWALL 10~100 Series Internet Security Gateway Chapter 13 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. DMZ applies to the ZyWALL 100. Wireless LAN and dial-backup apply to the ZyWALL 100 and 10W (see Table 1-1 Model Specific Features in the Web Configuration User’s Guide).
ZyWALL 10~100 Series Internet Security Gateway monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Step 1. Enter number 24 to go to Menu 24 - System Maintenance.
ZyWALL 10~100 Series Internet Security Gateway Table 13-1 System Maintenance: Status Menu Fields FIELD DESCRIPTION
Status: Shows the port speed and duplex setting if you’re using Ethernet Encapsulation and Down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) and drop (dropping a call) if you’re using PPPoE Encapsulation.
ZyWALL 10~100 Series Internet Security Gateway Step 1. Enter 24 to go to Menu 24 – System Maintenance. Step 2. Enter 2 to open Menu 24.2 - System Information and Console Port Speed. Step 3. From this menu you have two choices as shown in the next figure: Menu 24.2 - System Information and Console Port Speed...
ZyWALL 10~100 Series Internet Security Gateway Table 13-2 Fields in System Maintenance: Information FIELD DESCRIPTION Name This is the ZyWALL's system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com Name= xxx.baboo.mickey.com Routing Refers to the routing protocol used.
ZyWALL 10~100 Series Internet Security Gateway 13.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.
ZyWALL 10~100 Series Internet Security Gateway
0 Wed Aug 22 21:23:26 2001 PP17 INFO getDateTime fail: no server available
1 Wed Aug 22 21:23:26 2001 PP17 INFO adjtime task pause 60 seconds
2 Wed Aug 22 21:23:54 2001 PINI INFO...
ZyWALL 10~100 Series Internet Security Gateway You need to configure the UNIX syslog parameters described in the following table to activate syslog then choose what you want to log. Table 13-3 System Maintenance Menu Syslog Parameters PARAMETER DESCRIPTION UNIX Syslog: Active Press [SPACE BAR] and then [ENTER] to turn syslog on or off.
ZyWALL 10~100 Series Internet Security Gateway IP Frame: ENET0-RECV Size: Time: 17:02:44.262 Frame Type: IP Header: IP Version Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x002C (44) Identification = 0x0002 (2) Flags = 0x00...
ZyWALL 10~100 Series Internet Security Gateway Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Figure 13-10 Menu 24.4: System Maintenance: Diagnostic Menu 24.4 - System Maintenance - Diagnostic TCP/IP...
ZyWALL 10~100 Series Internet Security Gateway Figure 13-11 WAN & LAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 13-4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN.
ZyWALL 10~100 Series Internet Security Gateway Chapter 14 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 14.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
ZyWALL 10~100 Series Internet Security Gateway local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
ZyWALL 10~100 Series Internet Security Gateway 14.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation.
ZyWALL 10~100 Series Internet Security Gateway
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ZyWALL 10~100 Series Internet Security Gateway 1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN). 2. You have disabled Telnet service in menu 24.11. 3. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service.
ZyWALL 10~100 Series Internet Security Gateway 14.2.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom Where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get”...
ZyWALL 10~100 Series Internet Security Gateway Ready to backup Configuration via Xmodem. Do you want to continue (y/n): Figure 14-3 System Maintenance: Backup Configuration Step 2. The following screen indicates that the Xmodem download has started. You can enter ctrl-x to terminate operation any time.
ZyWALL 10~100 Series Internet Security Gateway 14.3 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous back up configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.
ZyWALL 10~100 Series Internet Security Gateway Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
ZyWALL 10~100 Series Internet Security Gateway 14.3.2 Restore Using FTP Session Example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ZyWALL 10~100 Series Internet Security Gateway Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 14-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
ZyWALL 10~100 Series Internet Security Gateway WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. 14.4.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client.
ZyWALL 10~100 Series Internet Security Gateway 14.4.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1.
ZyWALL 10~100 Series Internet Security Gateway transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt.
ZyWALL 10~100 Series Internet Security Gateway Step 3. Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
ZyWALL 10~100 Series Internet Security Gateway 14.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
ZyWALL 10~100 Series Internet Security Gateway 14.4.9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send.
ZyWALL 10~100 Series Internet Security Gateway Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after "Enter Debug Mode" message.
ZyWALL 10~100 Series Internet Security Gateway Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 14-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
ZyWALL 10~100 Series Internet Security Gateway Chapter 15 System Maintenance & Information This chapter leads you through SMT menus 24.8 to 24.10. The Real Time Chip (RTC) applies to the ZyWALL 100, 50 and 10W. 15.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ?
ZyWALL 10~100 Series Internet Security Gateway Table 15-1 Valid Commands These commands display dial backup information and control dial backup connections. These commands display IP information and configure IP settings. ipsec These commands display IPSec information and configure IPSec settings.
ZyWALL 10~100 Series Internet Security Gateway 15.2.1 Budget Management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Menu 24.9.1 - Budget Management...
ZyWALL 10~100 Series Internet Security Gateway 15.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
ZyWALL 10~100 Series Internet Security Gateway 15.3 Time and Date Setting The Real Time Chip (RTC) keeps track of the time and date (Not available on all models). There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL.
ZyWALL 10~100 Series Internet Security Gateway Menu 24.10 - System Maintenance - Time and Date Setting Use Time Server when Bootup= NTP (RFC-1305) Time Server Address= tick.stdtime.gov.tw Current Time: 00 : 00 : 00 New Time (hh:mm:ss): 11 : 23 : 16...
ZyWALL 10~100 Series Internet Security Gateway Table 15-4 Time and Date Setting Fields FIELD DESCRIPTION Time Zone Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT). Daylight Saving Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight time in the evenings.
ZyWALL 10~100 Series Internet Security Gateway Chapter 16 Remote Management This chapter covers remote management found in SMT menu 24.11. 16.1 Remote Management Remote management control is for managing Telnet, Web and FTP services. You can customize the service port, access interface and the secured client IP address to enhance security and flexibility.
ZyWALL 10~100 Series Internet Security Gateway To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control. Menu 24.11 - Remote Management Control...
ZyWALL 10~100 Series Internet Security Gateway 16.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1. A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
IP Policy Routing, Call Scheduling, VPN/IPSec, and Troubleshooting Part IV: IP Policy Routing, Call Scheduling, VPN/IPSec, and Troubleshooting This part provides information on how to configure IP Policy Routing, call scheduling, VPN/IPSec and Troubleshooting.
ZyWALL 10~100 Series Internet Security Gateway Chapter 17 IP Policy Routing This chapter covers setting and applying policies used for IP routing. IP Policy Routing applies to the ZyWALL 100. 17.1 Introduction to IP Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
ZyWALL 10~100 Series Internet Security Gateway address and port, ToS and precedence (fields in the IP header) and length. The inclusion of length criterion is to differentiate between interactive and bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets.
ZyWALL 10~100 Series Internet Security Gateway Step 2. Type the index of the policy set you want to configure to open Menu 25.1 – IP Routing Policy Setup. Menu 25.1 shows the summary of a policy set, including the criteria and the action of a single policy, and whether a policy is active or not.
ZyWALL 10~100 Series Internet Security Gateway Table 17-1 IP Routing Policy Setup ABBREVIATION MEANING Outgoing Type of service Outgoing Precedence Service Normal Minimum Delay Maximum Throughput Maximum Reliability Minimum Cost Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule.
ZyWALL 10~100 Series Internet Security Gateway Table 17-2 IP Routing Policy FIELD DESCRIPTION Active Press [SPACE BAR] and then [ENTER] to select Yes to activate the policy. Criteria IP Protocol Enter a number that represents an IP layer 4 protocol, for example, UDP=17, TCP=6, ICMP=1 and Don’t care=0.
ZyWALL 10~100 Series Internet Security Gateway Table 17-2 IP Routing Policy FIELD DESCRIPTION When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
ZyWALL 10~100 Series Internet Security Gateway 17.6 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure.
ZyWALL 10~100 Series Internet Security Gateway Menu 25.1.1 - IP Routing Policy Policy Set Name= set1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= N/A Source: addr start= 192.168.1.2 end= 192.168.1.64...
ZyWALL 10~100 Series Internet Security Gateway Step 5. Create a rule in menu 25.1.1 for this set to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100). Menu 25.1.1 - IP Routing Policy...
ZyWALL 10~100 Series Internet Security Gateway Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup DHCP= Server Client IP Pool Starting Address= 192.168.1.33 Size of Client IP Pool= 64 Primary DNS Server= 0.0.0.0 Secondary DNS Server= 0.0.0.0 Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1...
ZyWALL 10~100 Series Internet Security Gateway Chapter 18 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 18.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
ZyWALL 10~100 Series Internet Security Gateway To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Menu 26.1 - Schedule Set Setup Active= Yes Start Date(yyyy/mm/dd) = 2000 –...
ZyWALL 10~100 Series Internet Security Gateway Table 18-1 Schedule Set Setup Fields FIELD DESCRIPTION OPTIONS Weekday: If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
ZyWALL 10~100 Series Internet Security Gateway Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPPoE Edit IP= No Service Type= Standard Telco Option: Service Name= Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
ZyWALL 10~100 Series Internet Security Gateway Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name=N/A Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
ZyWALL 10~100 Series Internet Security Gateway Chapter 19 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 19.1 Introduction The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
ZyWALL 10~100 Series Internet Security Gateway Menu 27 - VPN/IPSec Setup 1. IPSec Summary 2. SA Monitor Enter Menu Selection Number: Figure 19-2 Menu 27: VPN/IPSec Setup 19.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 — IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels).
ZyWALL 10~100 Series Internet Security Gateway Table 19-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE
This is the VPN policy index number.
Name (example: Taiwan): This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here.
ZyWALL 10~100 Series Internet Security Gateway Table 19-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE
IPSec Algorithm (example: ESP DES MD5): This field displays the security protocols used for an SA. ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets.
ZyWALL 10~100 Series Internet Security Gateway Table 19-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE
Remote Addr End (example: 172.16.2.46): When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Remote Addr Start field.
ZyWALL 10~100 Series Internet Security Gateway 19.3 IPSec Setup Select Edit in the Select Command field; type the index number of a rule in the Select Rule field and press [ENTER] to edit the VPN using the menu shown next.
ZyWALL 10~100 Series Internet Security Gateway Table 19-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Keep Alive Press [SPACE BAR] to choose either Yes or No. Choose Yes and press [ENTER] to have the ZyWALL automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic.
ZyWALL 10~100 Series Internet Security Gateway Table 19-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Peer ID type Press [SPACE BAR] to choose IP, DNS, or E-mail and press [ENTER]. Select IP to identify the remote IPSec router by its IP address.
ZyWALL 10~100 Series Internet Security Gateway Table 19-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE
IP Addr Start (example: 192.168.1.35): When the Addr Type field is configured to Single, enter a static IP address on the LAN behind your ZyWALL. When the Addr Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyWALL.
ZyWALL 10~100 Series Internet Security Gateway Table 19-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE
IP Addr Start (example: 4.4.4.4): When the Addr Type field is configured to Single, enter a static IP address on the network behind the remote IPSec router.
ZyWALL 10~100 Series Internet Security Gateway Table 19-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE
Management: Press [SPACE BAR] to choose either IKE or Manual and then press [ENTER]. Manual is useful for troubleshooting if you have problems using IKE key management.
ZyWALL 10~100 Series Internet Security Gateway Table 19-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE
Phase 1 Negotiation Mode (example: Main): Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. See earlier for a discussion of these modes. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
ZyWALL 10~100 Series Internet Security Gateway Table 19-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE
Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768 bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb) random number.
ZyWALL 10~100 Series Internet Security Gateway Table 19-4 Active Protocol: Encapsulation and Security Protocol MODE SECURITY PROTOCOL Tunnel Transport 19.5.2 Security Parameter Index (SPI) To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup, press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 –...
ZyWALL 10~100 Series Internet Security Gateway Table 19-5 Menu 27.1.1.2: Manual Setup FIELD DESCRIPTION EXAMPLE
Encryption Algorithm: Press [SPACE BAR] to choose from NULL, 3DES or DES and then press [ENTER]. Fill in the Key1 field below when you choose DES and fill in fields Key1 to Key3 when you choose 3DES.
ZyWALL 10~100 Series Internet Security Gateway Chapter 20 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 20.1 Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
ZyWALL 10~100 Series Internet Security Gateway Table 20-1 Menu 27.2: SA Monitor FIELD DESCRIPTION EXAMPLE
This is the security association index number.
Name (example: Taiwan): This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address.
ZyWALL 10~100 Series Internet Security Gateway Chapter 21 Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see the included disk for further information. DMZ applies to the ZyWALL 100.
ZyWALL 10~100 Series Internet Security Gateway 21.1 Problems with the LAN Interface Table 21-2 Troubleshooting the LAN Interface
PROBLEM: Cannot access the ZyWALL from the LAN.
CORRECTIVE ACTION: Check your Ethernet cable type and connections. Refer to the Rear Panel and Connections section in the Web Configurator User’s Guide for LAN connection
ZyWALL 10~100 Series Internet Security Gateway 21.3 Problems with the WAN Interface Table 21-4 Troubleshooting the WAN interface
PROBLEM: Cannot get WAN IP from
CORRECTIVE ACTION: The WAN IP is provided when the ISP recognizes the user as an authorized user after verifying the MAC address, Host Name or User ID.
ZyWALL 10~100 Series Internet Security Gateway 23.2 Problems with the Password Table 21-6 Troubleshooting the Password
PROBLEM: Cannot access the
CORRECTIVE ACTION: The Password field is case sensitive. Make sure that you enter the correct password using the proper casing.