Configuring The Firewall Screen; Figure 212 Using Virtual Interfaces To Avoid Asymmetrical Routes - ZyXEL Communications ZyWALL USG 300 User Manual

Unified security gateway
You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.

By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the ZyWALL to the LAN. The following steps and figure describe such a scenario.

1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The ZyWALL reroutes the packet to gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyWALL.
4 The ZyWALL then sends it to the computer on the LAN in Subnet 1.

Figure 212 Using Virtual Interfaces to Avoid Asymmetrical Routes

20.2.1 Configuring the Firewall Screen

Click Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, set a maximum number of sessions per host, and display the configured firewall rules. Specify from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction. Note the following.

• If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone.
• Besides configuring the firewall, you also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access LAN devices. See Chapter 16 on page 283 for more information.
• The ZyWALL applies virtual server (Destination NAT) settings before applying the firewall rules. So for example, if you configure a virtual server that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination. See Section 6.6 on page 141 for an example.
• The ordering of your rules is very important as rules are applied in sequence.

ZyWALL USG 300 User's Guide, Chapter 20 Firewall, page 323
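To make the last two notes concrete, the following is a small added model of a first-match rule table with Destination NAT applied before the rule lookup; it is illustration code written for this page, not ZyXEL's, and the addresses, zone names and rule fields are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses (not taken from the manual): a public WAN
# address on the ZyWALL and a web server on the LAN behind it.
LAN_SUBNET = ip_network("192.168.1.0/24")
WAN_IP = ip_address("203.0.113.10")
WEB_SERVER = ip_address("192.168.1.20")

# Virtual server (Destination NAT) table: (WAN address, port) -> LAN address.
VIRTUAL_SERVERS = {(WAN_IP, 443): WEB_SERVER}

def zone_of(ip):
    """Zone a destination belongs to, decided by its subnet (hypothetical two-zone layout)."""
    return "LAN" if ip in LAN_SUBNET else "WAN"

def apply_dnat(pkt):
    """Rewrite the destination per the virtual server table; unmatched packets pass unchanged."""
    target = VIRTUAL_SERVERS.get((pkt["dst"], pkt["dport"]))
    return pkt if target is None else {**pkt, "dst": target}

def first_match(rules, pkt):
    """Walk the rules in configured order; the first match decides, otherwise deny."""
    for rule in rules:
        if (rule["from"] == pkt["from_zone"]
                and rule["to"] == zone_of(pkt["dst"])
                and pkt["dst"] in ip_network(rule["dst"])
                and rule["dport"] in (None, pkt["dport"])):
            return rule["action"]
    return "deny"

def firewall_decision(rules, pkt):
    """DNAT runs before the rule lookup, so rules see the translated LAN destination."""
    return first_match(rules, apply_dnat(pkt))

def make_rule(frm, to, dst, dport, action):
    return {"from": frm, "to": to, "dst": dst, "dport": dport, "action": action}

# A WAN client connecting to the published HTTPS service.
INBOUND_HTTPS = {"from_zone": "WAN", "dst": WAN_IP, "dport": 443}

# Wrong: the rule names the public WAN address, which DNAT has already rewritten.
ALLOW_WAN_ADDR = make_rule("WAN", "LAN", "203.0.113.10/32", 443, "allow")
# Right: the rule names the LAN address the virtual server forwards to.
ALLOW_LAN_ADDR = make_rule("WAN", "LAN", "192.168.1.20/32", 443, "allow")
# A broad deny that shadows any allow rule placed after it.
DENY_ALL_LAN = make_rule("WAN", "LAN", "0.0.0.0/0", None, "deny")

if __name__ == "__main__":
    print(firewall_decision([ALLOW_WAN_ADDR], INBOUND_HTTPS))                # deny
    print(firewall_decision([ALLOW_LAN_ADDR], INBOUND_HTTPS))                # allow
    print(firewall_decision([DENY_ALL_LAN, ALLOW_LAN_ADDR], INBOUND_HTTPS))  # deny
    print(firewall_decision([ALLOW_LAN_ADDR, DENY_ALL_LAN], INBOUND_HTTPS))  # allow
```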