ZyXEL Communications ZyWall 100 User Manual

Internet security gateway

ZyWALL 100
Internet Security Gateway
User's Guide
Version 3.50
May 2002

Summary of Contents for ZyXEL Communications ZyWall 100

  • Page 1 ZyWALL 100 Internet Security Gateway User’s Guide Version 3.50 May 2002...
  • Page 2 ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4 Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
  • Page 5: Online Registration

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon...
  • Page 6: Customer Support

    Customer Support Please have the following information ready when you contact customer support. • Product model and serial number. • Information in Menu 24.2.1 – System Information.
  • Page 7: Table Of Contents

    Getting Started (I); Chapter 1 Getting to Know Your ZyWALL (1-1); The ZyWALL 100 Internet Security Gateway (1-1); Physical Features of The ZyWALL 100 (1-1); Non-Physical Features of The ZyWALL 100 (1-2); Applications for the ZyWALL 100 (1-5); Chapter 2 Hardware Installation ...
  • Page 8 Introduction (6-1); LAN Port Filter Setup (6-1); TCP/IP and LAN DHCP (6-2); TCP/IP and DHCP Ethernet Setup Menu (6-5); Wireless LAN Setup (6-10); Chapter 7 DMZ Setup (7-1); Introduction (7-1); DMZ Port Filter Setup (7-1); TCP/IP Setup (7-2); Chapter 8 Internet Access (8-1); Internet Access Setup (8-1)...
  • Page 9 Chapter 12 Network Address Translation (NAT) (12-1); 12.1 Introduction (12-1); 12.2 Using NAT (12-6); 12.3 NAT Setup (12-8); 12.4 NAT Server Sets – Port Forwarding (12-14); 12.5 General NAT Examples (12-17); 12.6...
  • Page 10 16.2 Rule Logic Overview (16-2); 16.3 Connection Direction Examples (16-3); 16.4 Rule Summary (16-5); 16.5 Predefined Services (16-7); 16.6 Custom Ports (16-14); 16.7 Creating/Editing A Custom Port (16-14); 16.8 Example Firewall Rule (16-16); Chapter 17 Logs (17-1); 17.1 Log Screen (17-1); Chapter 18 Content Filtering (18-1)...
  • Page 11 20.3 SNMP Configuration (20-3); 20.4 SNMP Traps (20-4); Chapter 21 System Information & Diagnosis (21-5); 21.1 System Status (21-5); 21.2 System Information and Console Port Speed (21-7); 21.3 Log and Trace (21-9); 21.4 Diagnostic ...
  • Page 12 25.1 Introduction (25-1); 25.2 Benefits (25-1); 25.3 Routing Policy (25-1); 25.4 IP Routing Policy Setup (25-2); 25.5 Applying an IP Policy (25-6); 25.6 IP Policy Routing Example (25-6); Chapter 26 Call Scheduling (26-1); 26.1 Introduction (26-1); Chapter 27 Introduction to IPSec (27-1); 27.1...
  • Page 13 Chapter 31 Troubleshooting (31-1); 31.1 Problems Starting Up the ZyWALL (31-1); 31.2 Problems with the LAN Interface (31-2); 31.3 Problems with the DMZ Interface (31-2); 31.4 Problems with the WAN Interface (31-3); 31.5...
  • Page 14 Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem (1-6); Figure 1-2 VPN Application (1-7); Figure 2-1 Front Panel (2-1); Figure 2-2 ZyWALL 100 Rear Panel (2-3); Figure 2-3 LAN Port Connections (2-4); Figure 3-1 Initial Screen (3-1); Figure 3-2 Password Screen (3-2); Figure 3-3 ZyWALL Main Menu (3-3)...
  • Page 15 Figure 7-1 Menu 5 — DMZ Setup (7-1); Figure 7-2 Menu 5.1 — DMZ Port Filter Setup (7-2); Figure 7-3 Menu 5 — TCP/IP Setup (7-2); Figure 7-4 Menu 5.2 — TCP/IP Setup (7-3); Figure 7-5 Menu 5.2.1 — IP Alias Setup (7-4); Figure 8-1 Menu 4 —...
  • Page 16 Figure 11-1 Example of Static Routing Topology (11-1); Figure 11-2 Menu 12 — IP Static Route Setup (11-2); Figure 11-3 Menu 12.1 — Edit IP Static Route (11-3); Figure 12-1 How NAT Works (12-3); Figure 12-2 NAT Application With IP Alias (12-4); Figure 12-3 Menu 4 —...
  • Page 17 Figure 12-25 Trigger Port Forwarding Process — Example (12-26); Figure 13-1 ZyWALL Firewall Application (13-3); Figure 13-2 Three-Way Handshake (13-5); Figure 13-3 SYN Flood (13-5); Figure 13-4 Smurf Attack (13-6); Figure 13-5 Stateful Inspection (13-8); Figure 14-1 Menu 21 —...
  • Page 18 Figure 19-4 Menu 21 — Filter and Firewall Setup (19-4); Figure 19-5 Menu 21.1 — Filter Set Configuration (19-4); Figure 19-6 Menu 21.1.1.1 — TCP/IP Filter Rule (19-7); Figure 19-7 Executing an IP Filter (19-10); Figure 19-8 Menu 21.1.4.1 — Generic Filter Rule (19-11); Figure 19-9 Telnet Filter Example (19-13)...
  • Page 19 Figure 22-3 System Maintenance — Backup Configuration (22-7); Figure 22-4 System Maintenance — Starting Xmodem Download Screen (22-7); Figure 22-5 Backup Configuration Example (22-7); Figure 22-6 Successful Backup Confirmation Screen (22-7); Figure 22-7 Telnet into Menu 24.6 (22-9); Figure 22-8 Restore Using FTP Session Example ...
  • Page 20 Figure 25-4 Menu 25.1 — Sample IP Routing Policy Setup (25-3); Figure 25-5 IP Routing Policy (25-4); Figure 25-6 Menu 3.2 — TCP/IP and DHCP Ethernet Setup (25-6); Figure 25-7 Example of IP Policy Routing (25-7); Figure 25-8 IP Routing Policy Example (25-8)...
  • Page 21 Figure 30-2 Example VPN Responder IPSec Log (30-2); List of Diagrams: Diagram 1 Big Picture — Filtering, Firewall, VPN and NAT (A); Diagram 2 Peer-to-Peer Communication in an Ad-hoc Network (C); Diagram 3 ESS Provides Campus-Wide Coverage (E); Diagram 4 Single-PC per Modem Hardware Configuration (G)...
  • Page 22 List of Tables: Table 2-1 LED Descriptions (2-1); Table 3-1 Main Menu Commands (3-2); Table 3-2 Main Menu Summary (3-3); Table 4-1 General Setup Menu Field (4-2); Table 4-2 Configure Dynamic DNS Menu Fields (4-3); Table 5-1 WAN Setup Menu Fields ...
  • Page 23 Table 10-1 Fields in Menu 11.1 Remote Node Profile (Backup ISP) (10-1); Table 10-2 Remote Node Network Layer Options Menu Fields (10-5); Table 10-3 Remote Node Script Menu Fields (10-8); Table 11-1 IP Static Route Menu Fields (11-4); Table 12-1 NAT Definitions ...
  • Page 24 Table 19-2 Rule Abbreviations Used (19-6); Table 19-3 TCP/IP Filter Rule Menu Fields (19-7); Table 19-4 Generic Filter Rule Menu Fields (19-12); Table 20-1 SNMP Configuration Menu Fields (20-3); Table 20-2 SNMP Traps (20-4); Table 21-1 System Maintenance —...
  • Page 25 Table 29-1 Menu 27.2 — SA Monitor (29-2); Table 30-1 Sample IKE Key Exchange Logs (30-2); Table 30-2 Sample IPSec Logs During Packet Transmission (30-4); Table 30-3 RFC-2408 ISAKMP Payload Types (30-4); Table 33-1 Troubleshooting the Start-Up of your ZyWALL (31-1); Table 33-2 Troubleshooting the LAN Interface ...
  • Page 26 Congratulations on your purchase of the ZyWALL 100 Internet Security Gateway. The ZyWALL 100 is designed to act as a secure gateway for all data passing between the Internet and the LAN or the DMZ. It has three Ethernet ports, one RS-232 auxiliary port and one PCMCIA port (for optional wireless applications), which are used to physically separate the network into three areas.
  • Page 27 About This User's Manual This manual is designed to guide you through the SMT and web configuration of your ZyWALL 100 for its various applications. Related Documentation...
  • Page 28: Getting Started

    Getting Started Part I: Getting Started Part I covers Getting to Know Your ZyWALL, Hardware Installation, Initial Setup, SMT Menu 1 General Setup, WAN Setup, LAN Setup, DMZ Setup, and Internet Access.
  • Page 30: Getting to Know Your ZyWALL

    This chapter introduces the main features and applications of the ZyWALL. The ZyWALL 100 Internet Security Gateway The ZyWALL 100 is the ideal secure gateway for all data passing between the Internet and the LAN for small to medium sized businesses.
  • Page 31: Reset Button

    Reset Button The ZyWALL 100 comes with a reset button built into the rear panel. Use this button to restore the factory default password to 1234, IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.
  • Page 32: Packet Filtering

    Packet Filtering The packet filtering mechanism blocks unwanted traffic from entering/leaving your network. Call Scheduling Configure call time periods to restrict and allow access for users on remote nodes. PPPoE PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks via a familiar "dial-up networking"...
  • Page 33: Port Forwarding

    The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyWALL’s management settings and configure the firewall. Most functions of the ZyWALL 100 are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
  • Page 34: Applications for the ZyWALL

    Secure Broadband Internet Access via Cable or DSL Modem You can connect a cable, DSL or wireless modem to the ZyWALL 100 for broadband Internet access via the Ethernet or wireless port on the modem. The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
  • Page 35: Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem

    Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem Getting to Know Your ZyWALL...
  • Page 36: Figure 1-2 VPN Application

    1.4.2 VPN Application ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. Figure 1-2 VPN Application
  • Page 38: Chapter 2 Hardware Installation

    Chapter 2 Hardware Installation This chapter explains the LEDs and ports as well as how to connect the hardware. Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs The LEDs on the front panel indicate the operational status of the ZyWALL.
  • Page 39: ZyWALL 100 Rear Panel and Connections

    (LED table, continued) The backup port is connected. Green: The auxiliary port is not sending or receiving packets. Flashing: The auxiliary port is sending or receiving packets. ZyWALL 100 Rear Panel and Connections The following figure shows the rear panel of your ZyWALL 100. Hardware Installation...
  • Page 40: Figure 2-2 ZyWALL 100 Rear Panel

    Figure 2-2 ZyWALL 100 Rear Panel This section outlines how to connect your ZyWALL 100. If you want to connect a cable modem, you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the cable modem.
  • Page 41: Additional Installation Requirements

    Step 5. Connecting the Ethernet LAN When the ZyWALL is on and properly connected to a computer or a hub, the corresponding LAN LED on the front panel turns on. Figure 2-3 LAN Port Connections...
  • Page 42: Chapter 3 Initial Setup

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 43: Navigating the SMT Interface

    Enter Password : XXXX Figure 3-2 Password Screen Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
  • Page 44: Figure 3-3 ZyWALL Main Menu

    3.2.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ZyWALL 100 Main Menu Getting Started Advanced Management 1. General Setup 21.
  • Page 45 (Main Menu summary table, continued) Remote Node Setup: Use this menu to configure detailed remote node settings (your ISP is also a remote node) as well as apply WAN filters. Static Routing Setup: Configure IP static routes in this menu.
  • Page 46: Figure 3-4 Getting Started and Advanced Applications SMT Menus

    3.2.3 SMT Menus at a Glance Figure 3-4 Getting Started and Advanced Applications SMT Menus Initial Setup...
  • Page 47: Figure 3-5 Advanced Management SMT Menus

    Figure 3-5 Advanced Management SMT Menus Initial Setup...
  • Page 48: Changing The System Password

    Figure 3-6 Schedule Setup and IPSec VPN Configuration SMT Menus Changing the System Password Change the default system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next.
  • Page 49: Resetting the ZyWALL

    Resetting the ZyWALL If you forget your password or cannot access the ZyWALL, you will need to reload the factory-default configuration file. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none.
  • Page 50: Chapter 4 SMT Menu 1 - General Setup

    Chapter 4 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. System Name System Name is for identification purposes. ZyXEL recommends you enter your computer’s “Computer name”. •...
  • Page 51: DYNDNS Wildcard

    4.2.1 DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
  • Page 52: Figure 4-2 Configure Dynamic DNS

    4.3.1 Configuring Dynamic DNS To configure Dynamic DNS, go to Menu 1 — General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 — Configure Dynamic DNS (shown next).
  • Page 53 (Configure Dynamic DNS menu fields, continued) USER: Enter your user name. Password: Enter the password assigned to you. Enable Wildcard: Your ZyWALL supports DYNDNS Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No. This field is N/A when you choose DDNS client as your service provider.
  • Page 54: Chapter 5 WAN Setup

    Chapter 5 WAN Setup This chapter describes how to configure the WAN using Menu 2 — WAN Setup. Cloning The MAC Address The MAC address field allows users to configure the WAN port's MAC address by using either the factory default or cloning the MAC address from a computer on your LAN.
  • Page 55: Figure 5-1 Menu 2 - WAN Setup

    Menu 2 - WAN Setup MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Phone Number= Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel: Figure 5-1 Menu 2 —...
  • Page 56: Advanced WAN Setup

    (WAN Setup menu fields, continued) Port Speed: Press [SPACE BAR] and then press [ENTER] to select the speed of the connection between the Dial Backup port and the external device. Available speeds are: 9600, 19200, 38400, 57600, 115200 or 230400 bps. (Example: 115200)
  • Page 57: Figure 5-2 Menu 2.1 Advanced WAN Setup

    5.4.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags.
  • Page 58: Table 5-3 Advanced WAN Port Setup - Call Control Parameters

    AT Response String: CLID (Calling Line Identification): Enter the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. (Default: NMBR =)
  • Page 60: Chapter 6 LAN Setup

    Chapter 6 LAN Setup This chapter describes how to configure the LAN using Menu 3 — LAN Setup. Introduction From the main menu, enter 3 to open Menu 3 – LAN Setup. Menu 3 - LAN Setup 1.
  • Page 61: TCP/IP and LAN DHCP

    Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 6-2 Menu 3.1 — LAN Port Filter Setup...
  • Page 62: IP Address and Subnet Mask

    There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
  • Page 63: RIP Setup

    Table 6-2 Private IP Address Ranges: 10.0.0.0 — 10.255.255.255; 172.16.0.0 — 172.31.255.255; 192.168.0.0 — 192.168.255.255. You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 64: TCP/IP and DHCP Ethernet Setup Menu

    ...information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255.
  • Page 65: Figure 6-5 Menu 3 - TCP/IP and DHCP Setup

    Menu 3 - LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP Setup 5. Wireless LAN Setup Enter Menu Selection Number: Figure 6-5 Menu 3 — TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2 —...
  • Page 66: Table 6-3 DHCP Ethernet Setup Menu Fields

    Follow the instructions in the next table on how to configure the DHCP fields. Table 6-3 DHCP Ethernet Setup Menu Fields: DHCP: This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP server. (Example: Server)
  • Page 67: IP Alias Setup

    (TCP/IP and DHCP Ethernet Setup menu fields, continued) RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are: Both, In Only, Out Only or None. (Example: Both (default)) Version: Press [SPACE BAR] and then [ENTER] to select the RIP version.
  • Page 68: Figure 6-7 Menu 3.2.1 - IP Alias Setup

    Menu 3.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No IP Address= N/A...
  • Page 69: Wireless LAN Setup

    When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel. Wireless LAN Setup The next-generation wireless LAN device – 11 Mbps wireless LAN brings Ethernet-like performance to the wireless realm.
  • Page 70: Table 6-6 Wireless LAN Setup Menu Fields

    Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 6-6 Wireless LAN Setup Menu Fields: ESSID (Extended Service Set IDentification): The ESSID identifies the Service Set the station is to connect to. (Example: Wireless)
  • Page 71 (Wireless LAN Setup menu fields, continued) ...hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key (1-4). If you chose 128-bit WEP, then enter 13 characters (ASCII string) or 26 hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key (1-4).
  • Page 72: Figure 6-9 Menu 3.5.1 - WLAN MAC Address Filter

    Menu 3.5.1 - WLAN MAC Address Filter Active= Yes Filter Action= Allowed Association MAC Address Filter Address 1= 00:60:b3:f1:f5:df Address 2= 00:00:00:00:00:00 Address 3= 00:a0:c5:15:0f:be Address 4= 00:00:00:00:00:00 Address 5= 00:00:00:00:00:00 Address 6= 00:00:00:00:00:00 Address...
  • Page 74: Chapter 7 DMZ Setup

    Chapter 7 DMZ Setup This chapter describes how to configure the DMZ using Menu 5 — DMZ Setup. Introduction The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 75: TCP/IP Setup

    Menu 5.1 – DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 7-2 Menu 5.1 — DMZ Port Filter Setup TCP/IP Setup 7.3.1...
  • Page 76: Figure 7-4 Menu 5.2 - TCP/IP Setup

    Menu 5.2 - TCP/IP Ethernet Setup TCP/IP Setup: IP Address= ? IP Subnet Mask= RIP Direction= Both Version= RIP-1 Multicast= None Edit IP Alias= No Press ENTER to Confirm or ESC to Cancel: Figure 7-4 Menu 5.2 — TCP/IP Setup The TCP/IP setup fields are the same as the ones in Menu 3.2 TCP/IP Ethernet Setup.
  • Page 77: Figure 7-5 Menu 5.2.1 - IP Alias Setup

    Menu 5.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No IP Address= N/A...
  • Page 78: Chapter 8 Internet Access

    Chapter 8 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. Internet Access Setup You will see three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation.
  • Page 79 (Internet Access Setup menu fields) Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type: Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method) or RR-Telstra.
  • Page 80: Figure 8-2 Internet Access Setup (PPTP)

    The ZyWALL 100 supports only one PPTP server connection at any given time. 8.1.3 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 81: Figure 8-3 Internet Access Setup (PPPoE)

    For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
  • Page 82: Basic Setup Complete

    (Internet Access Setup menu fields, continued) Idle Timeout: This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server. (default) If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE service name provided to you in the Service Name field.
  • Page 83: Advanced Applications

    Advanced Applications Part II: Advanced Applications Part II covers Remote Node Setup, Backup Remote Node Setup, IP Static Route Setup and Network Address Translation.
  • Page 84: Chapter 9 Remote Node Setup

    Chapter 9 Remote Node Setup This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node.
  • Page 85: Remote Node Profile

    Remote Node Profile 9.2.1 Ethernet Encapsulation There are two variations of menu 11.1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 86 (Remote Node Profile menu fields, continued) ...IP address here. Route: This field refers to the protocol that will be routed by your ZyWALL – IP is the only option for the ZyWALL 100. Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3 - Remote Node...
  • Page 87: Figure 9-3 Menu 11.1 - Remote Node Profile for PPPoE Encapsulation

    9.2.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with an xDSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE.
  • Page 88: Table 9-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific)

    Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. The following table describes the fields not already described in Table 9-1.
  • Page 89 (Table 9-2, continued) Period(hr): This field is the time period that the budget should be reset. For example, if we are allowed to call this remote node for a maximum of 10 minutes every hour, then the Allocated Budget is 10 (minutes) and the Period(hr) is 1 (hour). (default)
  • Page 90: Figure 9-4 Menu 11.1 - Remote Node Profile for PPTP Encapsulation

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name=N/A Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules=...
  • Page 91: Editing TCP/IP Options (with Ethernet Encapsulation)

    Editing TCP/IP Options (with Ethernet Encapsulation) Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Menu 11.3 - Remote Node Network Layer Options...
  • Page 92 (Remote Node Network Layer Options menu fields, continued) Metric: Enter a number from 1 to 15 to set this route’s priority among the three routes the ZyWALL uses (see also Traffic Redirect and Backup Remote Node Setup). The smaller the number, the higher priority the route has.
  • Page 93: Figure 9-6 Menu 11.3 - Remote Node Network Layer Options For Pptp Encapsulation

    ZyWALL 100 Internet Security Gateway 9.3.1 Editing TCP/IP Options (with PPTP Encapsulation) Make sure that Encapsulation is set to PPTP in menu 11.1. Then move the cursor to the Edit IP field in menu 11.1, press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
  • Page 94 ZyWALL 100 Internet Security Gateway FIELD DESCRIPTION EXAMPLE My WAN Addr Some implementations, especially the UNIX derivatives, require the 0.0.0.0 WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number.
  • Page 95: Remote Node Filter

    ZyWALL 100 Internet Security Gateway Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.1, then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.5 - Remote Node Filter.
  • Page 96: Traffic Redirect
    Traffic Redirect: Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway, thus acting as an auxiliary backup when your regular WAN connection fails. You can connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
  • Page 97: Figure 9-10 Traffic Redirect LAN Setup
    Figure 9-10 Traffic Redirect LAN Setup. To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1 - Remote Node Profile as shown next. Menu 11.1 - Remote Node Profile...
  • Page 98: Figure 9-12 Menu 11.6 - Traffic Redirect Setup
    Table 9-6 Menu 11.1 - Remote Node Profile (Traffic Redirect Field)
    FIELD DESCRIPTION EXAMPLE
    Edit Traffic Redirect: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature.
  • Page 99
    FIELD DESCRIPTION EXAMPLE
    Configuration: Backup Gateway IP Address (example: 0.0.0.0): Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates.
  • Page 100: Chapter 10 Backup Remote Node Setup
    Chapter 10 Backup Remote Node Setup: This chapter shows you how to configure a remote node for a dial-backup connection. 10.1 Remote Node Profile (Backup ISP): Enter 2 in Menu 11 Remote Node Setup to open Menu 11.1 Remote Node Profile (Backup ISP) (shown below) and configure the setup for your Dial Backup port connection.
  • Page 101
    FIELD DESCRIPTION EXAMPLE
    Outgoing:
    My Login: Enter the login name assigned by your ISP for this remote node.
    My Password (example: *****): Enter the password assigned by your ISP for this remote node.
    Authen: This field sets the authentication protocol used for outgoing calls.
  • Page 102: Editing PPP Options
    FIELD DESCRIPTION EXAMPLE
    reset. For example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour). Example: (default)
  • Page 103: Figure 10-2 Menu 11.2 - Remote Node PPP Options
    Menu 11.2 - Remote Node PPP Options
    Encapsulation= Standard PPP
    Compression= No
    Enter here to CONFIRM or ESC to CANCEL:
    Press Space Bar to Toggle.
    Figure 10-2 Menu 11.2 - Remote Node PPP Options. This table describes the Remote Node PPP Options menu and contains instructions on how to configure the PPP options fields.
  • Page 104: Editing TCP/IP Options
    10.3 Editing TCP/IP Options: Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Menu 11.3 - Remote Node Network Layer Options Rem IP Addr= 0.0.0.0...
  • Page 105: Editing Login Script
    FIELD DESCRIPTION EXAMPLE
    Network Address Translation (example: None (default)): Press [SPACE BAR] and then [ENTER] to select either Full Feature, None or SUA Only. See the Network Address Translation (NAT) chapter for a full discussion of this feature.
  • Page 106
    To handle the first prompt, you specify “ogin: ” as the ‘Expect’ string and “myLogin” as the ‘Send’ string in set 1. The reason for leaving out the leading “L” is to avoid having to know exactly whether it is upper or lower case.
  • Page 107: Remote Node Filter
    Menu 11.4 - Remote Node Script
    Active= No
    Set 1: Expect=  Send=
    Set 2: Expect=  Send=
    Set 3: Expect=  Send=
    Set 4: Expect=  Send=
    Set 5: Expect=  Send=
    Set 6: Expect=  Send=
    Enter here to CONFIRM or ESC to CANCEL:
    Figure 10-5 Menu 11.4 -...
  • Page 108: Figure 10-6 Menu 11.5 - Remote Node Filter (Ethernet)
    Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
  • Page 110: Chapter 11 IP Static Route Setup
    Chapter 11 IP Static Route Setup: This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN.
  • Page 111: Figure 11-2 Menu 12 - IP Static Route Setup
    11.1 IP Static Route Setup: You configure IP static routes in menu 12.1 by selecting one of the IP static routes as shown below. Enter 12 from the main menu. Menu 12 - IP Static Route Setup 1.
  • Page 112: Figure 11-3 Menu 12.1 - Edit IP Static Route
    Menu 12.1 - Edit IP Static Route
    Route #: 1
    Route Name= ?
    Active= No
    Destination IP Address= ?
    IP Subnet Mask= ?
    Gateway IP Address= ?
    Metric= 2
    Private= No
    Press ENTER to CONFIRM or ESC to CANCEL:
    Figure 11-3 Menu 12.
  • Page 113: Table 11-1 IP Static Route Menu Fields
    Table 11-1 IP Static Route Menu Fields
    FIELD DESCRIPTION
    Route #: This is the index number of the static route that you chose in menu 12.
    Route Name: Enter a descriptive name for this route. This is for identification purposes only.
  • Page 114: Chapter 12 Network Address Translation (NAT)
    Chapter 12 Network Address Translation (NAT): This chapter discusses how to configure NAT on the ZyWALL. 12.1 Introduction: NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 115: How NAT Works
    NAT never changes the IP address (either local or global) of an outside host. 12.1.2 What NAT Does: In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 116: Figure 12-1 How NAT Works
    Figure 12-1 How NAT Works
  • Page 117: Figure 12-2 NAT Application With IP Alias
    12.1.4 NAT Application: The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
  • Page 118: Table 12-2 NAT Mapping Types
    2. Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA Only option).
  • Page 119: Using NAT
    TYPE / IP MAPPING / SMT ABBREVIATION
    Many-One-to-One: ILA1 ↔ IGA1, ILA2 ↔ IGA2, ILA3 ↔ IGA3, … (M-1-1)
    Server: Server 1 IP ↔ IGA1, Server 2 IP ↔ IGA1, Server 3 IP ↔ IGA1 (Server)
    12.2 Using NAT: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
  • Page 120: Figure 12-3 Menu 4 - Applying NAT For Internet Access
    Menu 4 - Internet Access Setup
    ISP's Name= myISP
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Login Server IP= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A...
  • Page 121: NAT Setup
    Menu 11.3 - Remote Node Network Layer Options
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Addr= N/A
    Network Address Translation= Full Feature
    Metric= N/A
    Private= N/A
    RIP Direction= None...
  • Page 122: Figure 12-5 Menu 15 - NAT Setup
    15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT will use Set 1, which supports all mapping types as outlined in Table 12-2. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only).
  • Page 123: Figure 12-7 Menu 15.1.255 - SUA Address Mapping Rules
    Menu 15.1.255 - Address Mapping Rules
    Set Name= SUA
    Local Start IP    Local End IP       Global Start IP   Global End IP   Type
    ---------------   ---------------    ---------------   -------------   ------
    0.0.0.0           255.255.255.255    0.0.0.0           0.0.0.0         Server
    Press ENTER to Confirm or ESC to Cancel:
    Figure 12-7 Menu 15.1.255 -...
  • Page 124: Figure 12-8 Menu 15.1.1 - First Set
    FIELD DESCRIPTION EXAMPLE
    Type (example: Server): These are the mapping types discussed above (see Table 12-2). Server allows us to specify multiple servers of different types behind NAT to this machine. See later for some examples.
  • Page 125
    The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules: Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
  • Page 126: Figure 12-9 Menu 15.1.1.1 - Editing/Configuring An Individual Rule In A Set
    An IP End address must be numerically greater than its corresponding IP Start address.
    Menu 15.1.1.1 Address Mapping Rule
    Type= One-to-One
    Local IP: Start=   = N/A
    Global IP: Start=   = N/A
    Press ENTER to Confirm or ESC to Cancel:
    Figure 12-9 Menu 15.1.1.1 -...
  • Page 127: NAT Server Sets - Port Forwarding
    NAT makes your whole inside network appear as a single machine to the outside world. The ZyWALL 100 provides the additional safety of a DMZ port for connecting your publicly accessible servers. This makes the LAN more secure by physically separating it from your public servers.
  • Page 128: Configuring A Server Behind NAT
    SERVICES / PORT NUMBER: Finger; HTTP (Hyper Text Transfer Protocol or WWW, Web); POP3 (Post Office Protocol); NNTP (Network News Transport Protocol); SNMP (Simple Network Management Protocol); SNMP trap; PPTP (Point-to-Point Tunneling Protocol) 1723. 12.4.1 Configuring a Server behind NAT: Follow these steps to configure a server behind NAT: Step 1.
  • Page 129: Figure 12-10 Menu 15.2 - NAT Server Setup
    Menu 15.2 - NAT Server Setup
    Rule   Start Port No.   End Port No.   IP Address
    ---------------------------------------------------
    Default Default 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 1026 1026 RR Reserved
    Press ENTER to Confirm or ESC to Cancel:
    Figure 12-10 Menu 15.2 -...
  • Page 130: General NAT Examples
    12.5 General NAT Examples. 12.5.1 Internet Access Only: In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 131: Figure 12-14 NAT Example 2
    From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 12.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.
  • Page 132: Figure 12-15 Menu 15.2 - Specifying An Inside Server
    Menu 15.2 - NAT Server Setup
    Rule   Start Port No.   End Port No.   IP Address
    ---------------------------------------------------
    Default Default 192.168.1.10 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 1026 1026 RR Reserved
    Press ENTER to Confirm or ESC to Cancel:
    Figure 12-15 Menu 15.2 -...
  • Page 133: Figure 12-16 NAT Example 3
    Figure 12-16 NAT Example 3. Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 12-17.
  • Page 134: Figure 12-17 Example 3: Menu 11.3
    Menu 11.3 - Remote Node Network Layer Options
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Addr= N/A
    Network Address Translation= Full Feature
    Metric= N/A
    Private= N/A
    RIP Direction= None...
  • Page 135: Figure 12-19 Example 3: Final Menu 15.1.1
    Menu 15.1.1 - Address Mapping Rules
    Set Name= Example3
    Local Start IP   Local End IP   Global Start IP   Global End IP   Type
    ---------------   ---------------   ---------------   ---------------   ------
    1. 192.168.1.10 10.132.50.1 192.168.1.11 10.132.50.2 3. 0.0.0.0 255.255.255.255 10.132.50.3...
  • Page 136: Figure 12-21 NAT Example 4
    12.5.4 Example 4: NAT Unfriendly Application Programs. Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping, as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 137: Trigger Port Forwarding
    Menu 15.1.1.1 Address Mapping Rule
    Type= Many-One-to-One
    Local IP: Start= 192.168.1.10   = 192.168.1.12
    Global IP: Start= 10.132.50.1   = 10.132.50.3
    Press ENTER to Confirm or ESC to Cancel:
    Figure 12-22 Example 4: Menu 15.1.1.1 - Address Mapping Rule. After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
  • Page 138: Figure 12-24 Menu 15.3 - Trigger Port Setup
    the requested data comes back, the ZyWALL applies the port mapping rules and uses the recorded IP address to get the data back to the proper computer. LAN computers dynamically take turns using the mapping based on the trigger port. There is no need to reconfigure a new IP address each time you want a different computer (as you would with Port Forwarding) to use the application.
  • Page 139: Figure 12-25 Trigger Port Forwarding Process - Example
    Table 12-8 Menu 15.3 - Trigger Port Setup Description
    FIELD DESCRIPTION EXAMPLE
    Rule: This is the rule index number.
    Name (example: Real Audio): Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted, including spaces.
  • Page 140
    3. The Real Audio server responds using a port number ranging between 6970-7170. 4. The ZyWALL associates this "incoming" port with the trigger port, remembers Jane's computer IP address and then forwards the traffic to her computer.
  • Page 141: Firewall And Content Filters
    Part III: Firewall and Content Filters. Part III introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and logs and gives example firewall rules and an overview of content filtering.
  • Page 143: Chapter 13 Firewalls
    Chapter 13 Firewalls: This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall. 13.1 What Is a Firewall? Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 144: Introduction To ZyXEL's Firewall
    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 145: Denial Of Service
    Figure 13-1 ZyWALL Firewall Application. 13.4 Denial of Service: Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 146: Table 13-1 Common IP Ports
    for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port.
  • Page 147: Figure 13-2 Three-Way Handshake
    Figure 13-2 Three-Way Handshake. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
  • Page 148: Figure 13-4 Smurf Attack
    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 149: Stateful Inspection
    Table 13-3 Legal NetBIOS Commands: MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 13-4 Legal SMTP Commands: AUTH DATA EHLO ETRN EXPN HELO...
  • Page 150
    Denies all sessions originating from the WAN to the LAN. Figure 13-5 Stateful Inspection. The previous figure shows the ZyWALL's default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
  • Page 151
    3. The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection.
  • Page 152
    The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.
  • Page 153: Guidelines For Enhancing Security With Your Firewall
    little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. 13.5.5 Upper Layer Protocols: Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously.
  • Page 154: Packet Filtering Vs Firewall
    13.6.1 Security In General: You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them. 1. Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks.
  • Page 155
    13.7.1 Packet Filtering: The router filters packets as they pass through the router's interface according to the filter rules you designed. Packet filtering is a powerful tool, yet it can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
  • Page 156
    3. To selectively block/allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need to check many rules.
  • Page 157: Chapter 14 Introducing The ZyWALL Firewall
    Chapter 14 Introducing the ZyWALL Firewall: This chapter shows you how to get started with the ZyWALL firewall. 14.1 Remote Management and the Firewall: When SMT menu 24.11 is configured to allow management from the WAN, it overrides the firewall. See the Remote Management chapter for details.
  • Page 158: Figure 14-2 Menu 21.2 - Firewall Setup
    14.3.1 Activating the Firewall: Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
  • Page 159: Table 14-1 View Firewall Log
    An "End of Log" message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail. Table 14-1 View Firewall Log. FIELD DESCRIPTION EXAMPLES: This is the index number of the firewall log.
  • Page 161: Chapter 15 Using The ZyWALL Web Configurator
    Chapter 15 Using the ZyWALL Web Configurator: This chapter shows you how to configure your firewall with the web configurator. 15.1 Web Configurator Login and Main Menu Screens: Use the ZyWALL web configurator to configure your firewall. To get started, follow the steps shown next.
  • Page 162: E-Mail
    Figure 15-1 Enabling the Firewall. 15.3 E-mail: The E-mail screen, shown next, allows you to specify your mail server, where e-mail alerts should be sent, and when and how often they should be sent.
  • Page 163: Figure 15-2 E-Mail Screen
    15.3.2 Logs: A log is a detailed record that you create for packets that either match a rule, don't match a rule or both when you are creating/editing a firewall rule (see Figure 16-4). You can also choose not to create a log for a rule in this screen.
  • Page 164: Table 15-1 E-Mail
    Table 15-1 E-mail. FIELD DESCRIPTION OPTIONS. Address Info: Mail Server: Enter the IP address of your mail server in dotted decimal notation. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and alert messages will not be sent via e-mail.
  • Page 165: Table 15-2 SMTP Error Messages
    15.3.3 SMTP Error Messages: If there are difficulties in sending e-mail, the following error messages appear. Please see the Support Notes on the included disk for information on other types of error messages. E-mail error messages appear in SMT menu 24.3.1 as "SMTP action request failed. ret= ??". The "??" values are described in the following table.
  • Page 166: Attack Alert
    Subject: Firewall Alert From ZyWALL  (You may edit the subject title.)
    Date: Fri, 07 Apr 2000 10:05:42  (The date format here is Day-Month-Year.)
    From: user@zyxel.com user@zyxel.com
    1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default permit  (The date format here...)
  • Page 167
    1. The maximum number of opened sessions. 2. The minimum capacity of server backlog in your LAN network. 3. The CPU power of servers in your LAN network. 4. Network bandwidth. 5. Type of traffic for certain servers.
  • Page 168: Figure 15-4 Attack Alert
    1. If the Blocking Time timeout is 0 (the default), then the ZyWALL deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
  • Page 169
    FIELD DESCRIPTION DEFAULT VALUES
    Denial of Service Thresholds
    One Minute Low (default: 80 existing half-open sessions): This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions as...
  • Page 170
    FIELD DESCRIPTION DEFAULT VALUES
    same destination host IP address. Enter a number between 1 and 250. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth.
  • Page 171: Chapter 16 Creating Custom Rules

    ZyWALL 100 Internet Security Gateway Chapter 16 Creating Custom Rules This chapter contains instructions for defining both Local Network and Internet rules. 16.1 Rules Overview Firewall rules are grouped based on the direction of travel of packets to which they apply, whether WAN to LAN, LAN to WAN, WAN to DMZ, DMZ to WAN, DMZ to LAN, LAN to DMZ, WAN to WAN, LAN to LAN or DMZ to DMZ.
  • Page 172: Rule Logic Overview

    ZyWALL 100 Internet Security Gateway 16.2 Rule Logic Overview Study these points carefully before configuring rules. 16.2.1 Rule Checklist 1. State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.”...
  • Page 173: Connection Direction Examples

    ZyWALL 100 Internet Security Gateway 16.2.3 Key Fields For Configuring Rules Action Should the action be to Block or Forward? “Block” means the firewall silently discards the packet. Service Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it.
  • Page 174: Figure 16-1 Lan To Wan Traffic

    ZyWALL 100 Internet Security Gateway Figure 16-1 LAN to WAN Traffic 16.3.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
  • Page 175: Rule Summary

    ZyWALL 100 Internet Security Gateway 16.4 Rule Summary Click Advanced, Firewall and the Summary tab to display the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn.
  • Page 176: Table 16-1 Firewall Rules Summary - First Screen

    ZyWALL 100 Internet Security Gateway The following table describes the fields in the firewall summary screen. Table 16-1 Firewall Rules Summary — First Screen FIELD DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 177: Predefined Services

    ZyWALL 100 Internet Security Gateway FIELD DESCRIPTION Action This is the specified action for that rule, either Block or Forward. Note that Block means the firewall silently discards the packet. This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None).
  • Page 178 ZyWALL 100 Internet Security Gateway SERVICE DESCRIPTION BOOTP_CLIENT(UDP:68) DHCP Client. BOOTP_SERVER(UDP:67) DHCP Server. A popular videoconferencing solution from White Pines Software. SEEME(TCP/UDP:7648, 24032) DNS(UDP/TCP:53) Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers. FINGER(TCP:79) Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • Page 179 ZyWALL 100 Internet Security Gateway SERVICE DESCRIPTION NNTP(TCP:119) Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
  • Page 180 ZyWALL 100 Internet Security Gateway SERVICE DESCRIPTION System). TELNET(TCP:23) Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
  • Page 181: Figure 16-4 Creating/Editing A Firewall Rule

    ZyWALL 100 Internet Security Gateway Figure 16-4 Creating/Editing A Firewall Rule Creating Custom Rules 16-11...
  • Page 182: Table 16-3 Creating/Editing A Firewall Rule

    ZyWALL 100 Internet Security Gateway Table 16-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Active Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it...
  • Page 183: Figure 16-5 Adding/Editing Source And Destination Addresses

    ZyWALL 100 Internet Security Gateway FIELD DESCRIPTION OPTIONS Matched forwarded? Make your choice from the drop down list box. Forward Packets Note that Block means the firewall silently discards the packet. This field determines if a log is created for packets that Match match the rule, don’t match the rule, both or no log is...
  • Page 184: Custom Ports

    ZyWALL 100 Internet Security Gateway Table 16-4 Adding/Editing Source and Destination Addresses FIELD DESCRIPTION OPTIONS Address Type Do you want your rule to apply to packets with a particular Single Address (single) IP address, a range of IP addresses (e.g., Range Address 192.168.1.10 to 192.169.1.50), a subnet or any IP...
  • Page 185: Figure 16-6 Creating/Editing A Custom Port

    ZyWALL 100 Internet Security Gateway Figure 16-6 Creating/Editing A Custom Port The next table describes the fields in this screen. Table 16-5 Creating/Editing A Custom Port FIELD DESCRIPTION OPTIONS Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box.
  • Page 186: Example Firewall Rule

    ZyWALL 100 Internet Security Gateway 16.8 Example Firewall Rule The following Internet firewall rule example allows a syslog connection from the Internet. Step 1. Click the Firewall link and then the Summary tab. Step 2. Click the option button for a rule and then Edit to display the firewall rule configuration screen.
  • Page 187: Figure 16-8 Firewall Ip Config Screen

    ZyWALL 100 Internet Security Gateway Figure 16-8 Firewall IP Config Screen Step 6. In the firewall rule configuration screen, click Custom Port to open the Custom Port Configuration screen. Configure it as follows and click Apply. Syslog is now a predefined service.
  • Page 188: Figure 16-9 Custom Port For Syslog

    ZyWALL 100 Internet Security Gateway Figure 16-9 Custom Port for Syslog Step 7. The firewall rule configuration screen displays, use the arrows between Available Services and Selected Services to configure it as follows. Click Apply when you are done. Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box.
  • Page 189: Figure 16-10 Syslog Rule Configuration

    ZyWALL 100 Internet Security Gateway Figure 16-10 Syslog Rule Configuration (screen callouts: "This is the address range of the syslog servers." "This is your Syslog custom port." "Click Apply when finished.")
  • Page 190: Figure 16-11 Example 3: Rule Summary

    ZyWALL 100 Internet Security Gateway Step 8. On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL.
  • Page 191: Chapter 17 Logs

    ZyWALL 100 Internet Security Gateway Chapter 17 Logs This chapter contains information about using the log screen to view the results of the rules you have configured. 17.1 Log Screen When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 16-4).
  • Page 192: Table 17-1 Log Screen

    ZyWALL 100 Internet Security Gateway Table 17-1 Log Screen FIELD DESCRIPTION EXAMPLES This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.
  • Page 193: Chapter 18 Content Filtering

    ZyWALL 100 Internet Security Gateway Chapter 18 Content Filtering This chapter provides a brief overview of content filtering using the web embedded configurator. For more detailed information, consult the embedded HTML help. Internet content filtering allows schools and businesses to create and enforce Internet access policies tailored to their needs.
  • Page 194: Customizing

    ZyWALL 100 Internet Security Gateway 18.4 Customizing Customize the content filter list by adding or removing specific sites from the filter list. 18.5 Keywords The ZyWALL can also be configured to block certain Web sites by using URL keywords. 18.6 Logs...
  • Page 195: Advanced Management

    Advanced Management Part IV: Advanced Management Part IV provides information on Filter Configuration, SNMP Configuration, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information and Remote Management.
  • Page 196: Chapter 19 Filter Configuration

    ZyWALL 100 Internet Security Gateway Chapter 19 Filter Configuration This chapter shows you how to create and apply filters. 19.1 About Filtering Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 197: Figure 19-1 Outgoing Packet Filtering Process

    ZyWALL 100 Internet Security Gateway Figure 19-1 Outgoing Packet Filtering Process (flowchart; recoverable labels: Outgoing Data Packet; Active Data Filters (Built-in default, User-defined); Call Filtering; Call Filters (if applicable); Match / Drop; Initiate call if line not up; Send packet and reset Idle Timer)...
  • Page 198: Figure 19-2 Filter Rule Process

    ZyWALL 100 Internet Security Gateway Figure 19-2 Filter Rule Process (flowchart; recoverable labels: Start; Packet into filter; Fetch First Filter Set; Fetch Next Filter Set; Fetch First Filter Rule; Fetch Next Filter Rule; Filter Rule Active?; Next Filter Rule Available?; Next Filter Set Available?; Execute Filter Rule; Check...)
  • Page 199: Configuring A Filter Set

    ZyWALL 100 Internet Security Gateway You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 200: Table 19-1 Abbreviations Used In The Filter Rules Summary Menu

    ZyWALL 100 Internet Security Gateway Step 3. Select the filter set you wish to configure (1-12) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
  • Page 201: Configuring A Filter Rule

    ZyWALL 100 Internet Security Gateway Table 19-2 Rule Abbreviations Used ABBREVIATION DESCRIPTION Protocol Source Address Source Port number Destination Address Destination Port number Offset Length Refer to the next section for information on configuring the filter rules. 19.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to...
  • Page 202: Figure 19-6 Menu 21.1.1.1 - Tcp/Ip Filter Rule

    ZyWALL 100 Internet Security Gateway To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1...
  • Page 203 ZyWALL 100 Internet Security Gateway FIELD / DESCRIPTION / OPTIONS: IP Mask: Enter the IP mask to apply to the Destination: IP Addr. (0.0.0.0). Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535 (0-65535). This field is ignored if it is...
  • Page 204 ZyWALL 100 Internet Security Gateway FIELD / DESCRIPTION / OPTIONS: Both: All packets will be logged. Action Matched: Press [SPACE BAR] and then [ENTER] to select the action for a matching packet (Check Next Rule, Forward, Drop). Action Not: Press [SPACE BAR] and then [ENTER] to select the action for...
  • Page 205: Figure 19-7 Executing An Ip Filter

    ZyWALL 100 Internet Security Gateway Figure 19-7 Executing an IP Filter (flowchart; recoverable labels: Packet into IP Filter; Filter Active?; Apply SrcAddrMask to Src Addr; Check Src IP Addr (Matched / Not Matched); Apply DestAddrMask to Dest Addr; Check Dest IP Addr (Matched / Not Matched); Check IP Protocol (Matched / Not Matched); Check Src &...)
  • Page 206: Figure 19-8 Menu 21.1.4.1 - Generic Filter Rule

    ZyWALL 100 Internet Security Gateway 19.2.3 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
  • Page 207: Table 19-4 Generic Filter Rule Menu Fields

    ZyWALL 100 Internet Security Gateway Table 19-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set.
  • Page 208: Example Filter

    ZyWALL 100 Internet Security Gateway 19.3 Example Filter Let’s look at an example to block outside users from telnetting into the ZyWALL. Please see our included disk for more example filters. Figure 19-9 Telnet Filter Example Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
  • Page 209: Figure 19-10 Example Filter - Menu 21.1.3.1

    ZyWALL 100 Internet Security Gateway Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Press [SPACE BAR] and then Menu 21.1.3.1 - TCP/IP Filter Rule...
  • Page 210: Figure 19-11 Example Filter Rules Summary — Menu 21.1.3

    ZyWALL 100 Internet Security Gateway Menu 21.1.3 - Filter Rules Summary (columns: #, A, Type, Filter Rules, M, m, n). Rule 1: A=Y, Type=IP, Filter Rules: Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23, M=N, m=D, n=F. Callouts: "This shows you that you have..." "M = N means an action can be taken immediately."
  • Page 211: Filter Types And Nat

    ZyWALL 100 Internet Security Gateway 19.4 Filter Types and NAT There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets.
  • Page 212: Applying A Filter And Factory Defaults

    ZyWALL 100 Internet Security Gateway 19.6 Applying a Filter and Factory Defaults This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
  • Page 213: Figure 19-14 Filtering Dmz Traffic

    ZyWALL 100 Internet Security Gateway outgoing traffic from the ZyWALL. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. Menu 5.1 – DMZ Port Filter Setup Input Filter Sets:...
  • Page 214: Chapter 20 Snmp Configuration

    ZyWALL 100 Internet Security Gateway Chapter 20 SNMP Configuration This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 20.1 About SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 215: Figure 20-1 Snmp Management Model

    ZyWALL 100 Internet Security Gateway Figure 20-1 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 216: Supported Mibs

    ZyWALL 100 Internet Security Gateway • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Page 217: Snmp Traps

    ZyWALL 100 Internet Security Gateway FIELD / DESCRIPTION / EXAMPLE: Set Community: Type the Set community, which is the password for incoming Set requests from the management station (example: Public). Trusted Host: If you enter a trusted host, your ZyWALL will only respond to... (example: 0.0.0.0)
  • Page 218: Chapter 21 System Information & Diagnosis

    ZyWALL 100 Internet Security Gateway Chapter 21 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.
  • Page 219: Figure 21-2 Menu 24.1 - System Maintenance - Status

    ZyWALL 100 Internet Security Gateway Step 2. In this menu, enter 1 to open System Maintenance - Status. Step 3. There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.
  • Page 220: System Information And Console Port Speed

    ZyWALL 100 Internet Security Gateway FIELD DESCRIPTION Tx B/s Shows the transmission speed in Bytes per second on this port. Rx B/s Shows the reception speed in Bytes per second on this port. Up Time Total amount of time the line has been up.
  • Page 221: Figure 21-4 Menu 24.2.1 - System Maintenance - Information

    ZyWALL 100 Internet Security Gateway 21.2.1 System Information System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc. Menu 24.2.1 - System Maintenance - Information Name: xxx.baboo.mickey.com...
  • Page 222: Log And Trace

    ZyWALL 100 Internet Security Gateway 21.2.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown below.
  • Page 223: Figure 21-6 Menu 24.3 - System Maintenance - Log And Trace

    ZyWALL 100 Internet Security Gateway Menu 24.3 - System Maintenance - Log and Trace 1. View Error Log 2. UNIX Syslog 4. Call-Triggering Packet Please enter selection Figure 21-6 Menu 24.3 — System Maintenance — Log and Trace Examples of typical error and information messages are presented in the following figure.
  • Page 224: Figure 21-8 Menu 24.3.2 - System Maintenance - Unix Syslog

    ZyWALL 100 Internet Security Gateway Menu 24.3.2 - System Maintenance - UNIX Syslog Syslog: Active= No Syslog IP Address= ? Log Facility= Local 1 Types: CDR= No Packet Triggered= No Filter log= No PPP log= No Firewall log= No Press ENTER to Confirm or ESC to Cancel Figure 21-8 Menu 24.3.2 —...
  • Page 225 ZyWALL 100 Internet Security Gateway Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog messages with their message formats are shown next: 1. CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );...
  • Page 226 ZyWALL 100 Internet Security Gateway 3. Filter log Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
  • Page 227: Diagnostic

    ZyWALL 100 Internet Security Gateway 21.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
  • Page 228: Figure 21-10 Menu 24.4 - System Maintenance - Diagnostic

    ZyWALL 100 Internet Security Gateway Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
  • Page 229: Figure 21-11 Wan & Lan Dhcp

    ZyWALL 100 Internet Security Gateway Figure 21-11 WAN & LAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 21-4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN.
  • Page 230: Chapter 22 Firmware And Configuration File Maintenance

    ZyWALL 100 Internet Security Gateway Chapter 22 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 22.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 231: Backup Configuration

    ZyWALL 100 Internet Security Gateway local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
  • Page 232: Using The Ftp Command From The Command Line

    ZyWALL 100 Internet Security Gateway 22.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation.
  • Page 233: Figure 22-2 Ftp Session Example

    ZyWALL 100 Internet Security Gateway 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 234: Backup Configuration Using Tftp

    ZyWALL 100 Internet Security Gateway 1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN). 2. You have disabled Telnet service in menu 24.11. 3. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service.
  • Page 235: Table 22-3 General Commands For Gui-Based Tftp Clients

    ZyWALL 100 Internet Security Gateway 22.2.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get” transfers the file source on the ZyWALL (rom-0, name of the configuration file on the ZyWALL) to the file destination on the computer and renames it config.rom.
  • Page 236: Figure 22-3 System Maintenance - Backup Configuration

    ZyWALL 100 Internet Security Gateway Ready to backup Configuration via Xmodem. Do you want to continue (y/n): Figure 22-3 System Maintenance — Backup Configuration Step 2. The following screen indicates that the Xmodem download has started. You can enter ctrl-x to terminate operation any time.
  • Page 237: Restore Configuration

    ZyWALL 100 Internet Security Gateway 22.3 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous back up configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.
  • Page 238: Figure 22-7 Telnet Into Menu 24.6

    ZyWALL 100 Internet Security Gateway Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  • Page 239: Figure 22-8 Restore Using Ftp Session Example

    ZyWALL 100 Internet Security Gateway 22.3.2 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  • Page 240: Uploading Firmware And Configuration Files

    ZyWALL 100 Internet Security Gateway Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 22-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
  • Page 241: Figure 22-13 Telnet Into Menu 24.7.1 - Upload System Firmware

    ZyWALL 100 Internet Security Gateway WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. 22.4.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client.
  • Page 242: Figure 22-14 Telnet Into Menu 24.7.2 - System Maintenance

    ZyWALL 100 Internet Security Gateway 22.4.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1.
  • Page 243: Figure 22-15 Ftp Session Example Of Firmware File Upload

    ZyWALL 100 Internet Security Gateway transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt. 22.4.4 FTP Session Example of Firmware File Upload...
  • Page 244: Tftp Upload Command Example

    ZyWALL 100 Internet Security Gateway Step 3. Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter “command sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
  • Page 245: Figure 22-16 Menu 24.7.1 As Seen Using The Console Port

    ZyWALL 100 Internet Security Gateway 22.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, then follow the instructions as shown in the following screen.
  • Page 246: Figure 22-17 Example Xmodem Upload

    ZyWALL 100 Internet Security Gateway 22.4.9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send.
  • Page 247: Figure 22-18 Menu 24.7.2 As Seen Using The Console Port

    ZyWALL 100 Internet Security Gateway Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after "Enter Debug Mode" message.
  • Page 248: Figure 22-19 Example Xmodem Upload

    ZyWALL 100 Internet Security Gateway Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 22-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
  • Page 250: Chapter 23 System Maintenance & Information

    ZyWALL 100 Internet Security Gateway Chapter 23 System Maintenance & Information This chapter leads you through SMT menus 24.8 to 24.10. 23.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 251: Call Control Support

    ZyWALL 100 Internet Security Gateway Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ras> ? Valid commands are: exit device ether pptp ipsec hdap ras> Figure 23-2 Valid Commands 23.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.
  • Page 252: Figure 23-4 Budget Management

    ZyWALL 100 Internet Security Gateway 23.2.1 Budget Management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Menu 24.9.1 - Budget Management...
  • Page 253: Figure 23-5 Call History

    ZyWALL 100 Internet Security Gateway 23.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 254: Time And Date Setting

    ZyWALL 100 Internet Security Gateway Table 23-2 Call History Fields FIELD DESCRIPTION Phone Number The PPPoE service names are shown here. This shows whether the call was incoming or outgoing. Rate This is the transfer rate of the call. #call This is the number of calls made to or received from that telephone number.
  • Page 255: Figure 23-7 Menu 24.10 System Maintenance - Time And Date Setting

    ZyWALL 100 Internet Security Gateway Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen. Menu 24.10 - System Maintenance - Time and Date Setting Use Time Server when Bootup= NTP (RFC-1305) Time Server Address= tick.stdtime.gov.tw...
  • Page 256 ZyWALL 100 Internet Security Gateway FIELD DESCRIPTION New Date Enter the new date in year, month and day format. Time Zone Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT).
  • Page 258: Chapter 24 Remote Management

    ZyWALL 100 Internet Security Gateway Chapter 24 Remote Management This chapter covers remote management found in SMT menu 24.11. 24.1 Telnet The only way to configure the ZyWALL for remote management is through an SMT session using the console port. Once your ZyWALL is configured, you can use telnet to configure it remotely as shown next.
  • Page 259: Web

    ZyWALL 100 Internet Security Gateway 24.3 Web You can use the ZyWALL’s embedded web configurator for configuration and file management. See the Using the ZyWALL Web Configurator chapter for an introduction to the web configurator. 24.4 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 260: Figure 24-2 Menu 24.11 - Remote Management Control

    ZyWALL 100 Internet Security Gateway Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = LAN only Secured Client IP = 0.0.0.0 FTP Server: Port = 21 Access = LAN only Secured Client IP = 0.0.0.0 Web Server:...
  • Page 261: Remote Management And Nat

    ZyWALL 100 Internet Security Gateway 24.6.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1. A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
  • Page 262: Ip Policy Routing, Call Scheduling And Vpn/Ipsec

    IPPR, Call Scheduling and VPN/IPSec Part V: IP Policy Routing, Call Scheduling and VPN/IPSec Part V provides information about IP Policy Routing, Call Scheduling and VPN/IPSec.
  • Page 264: Chapter 25 Ip Policy Routing

    ZyWALL 100 Internet Security Gateway Chapter 25 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 25.1 Introduction Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 265: Ip Routing Policy Setup

    ZyWALL 100 Internet Security Gateway is to differentiate between interactive and bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets. The actions that can be taken include: •...
  • Page 266: Figure 25-4 Menu 25.1 - Sample Ip Routing Policy Setup

    ZyWALL 100 Internet Security Gateway Menu 25.1 shows the summary of a policy set, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy contains two lines. The former part is the criteria of the incoming packet and the latter is the action.
  • Page 267: Figure 25-5 Ip Routing Policy

    ZyWALL 100 Internet Security Gateway ABBREVIATION MEANING Outgoing Precedence Service Normal Minimum Delay Maximum Throughput Maximum Reliability Minimum Cost Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule.
  • Page 268 ZyWALL 100 Internet Security Gateway FIELD DESCRIPTION Criteria IP Protocol Enter a number that represents an IP layer 4 protocol, for example, UDP=17, TCP=6, ICMP=1 and Don’t care=0. Type of Service Prioritize incoming network traffic by choosing from Don’t Care, Normal, Min Delay, Max Thruput or Max Reliable.
  • Page 269: Applying An Ip Policy

    ZyWALL 100 Internet Security Gateway 25.5 Applying an IP Policy This section shows you where to apply the IP policies after you design them. 25.5.1 Ethernet IP Policies From Menu 3 – Ethernet Setup, type 2 to go to Menu 3.2 – TCP/IP and DHCP Ethernet Setup.
  • Page 270: Figure 25-7 Example Of Ip Policy Routing

    ZyWALL 100 Internet Security Gateway Figure 25-7 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
  • Page 271: Figure 25-8 Ip Routing Policy Example

    ZyWALL 100 Internet Security Gateway Menu 25.1.1 - IP Routing Policy Policy Set Name= set1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= N/A Source: addr start= 192.168.1.2 end= 192.168.1.64...
  • Page 272: Figure 25-9 Ip Routing Policy

    ZyWALL 100 Internet Security Gateway Step 5. Create a rule in menu 25.1.1 for this set to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100). Menu 25.1.1 - IP Routing Policy...
  • Page 273: Figure 25-10 Applying Ip Policies

    ZyWALL 100 Internet Security Gateway Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup DHCP= Server Client IP Pool Starting Address= 192.168.1.33 Size of Client IP Pool= 64 Primary DNS Server= 0.0.0.0 Secondary DNS Server= 0.0.0.0 Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1...
  • Page 274: Chapter 26 Call Scheduling

    ZyWALL 100 Internet Security Gateway Chapter 26 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 26.1 Introduction The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 275: Figure 26-2 Schedule Set Setup

    ZyWALL 100 Internet Security Gateway To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
  • Page 276 ZyWALL 100 Internet Security Gateway FIELD / DESCRIPTION / OPTIONS: Date: Once: If you selected Once in the How Often field above, then enter the date the set should activate here in year-month-date format. Weekday: If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
  • Page 277: Figure 26-3 Applying Schedule Set(S) To A Remote Node (Pppoe)

    ZyWALL 100 Internet Security Gateway Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPPoE Edit IP= No Service Type= Standard Telco Option: Service Name= Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules= 1,2,3,4...
  • Page 278: Chapter 27 Introduction To Ipsec

    ZyWALL 100 Internet Security Gateway Chapter 27 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 27.1 Introduction 27.1.1 VPN A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 279: Figure 27-1 Encryption And Decryption

    The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service. 27.1.5 VPN Applications The ZyWALL 100 supports 100 Security Associations (SAs). Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.
  • Page 280: Ipsec Architecture

    ZyWALL 100 Internet Security Gateway Figure 27-2 VPN Application 27.2 IPSec Architecture The overall IPSec architecture is shown as follows.
  • Page 281: Figure 27-3 Ipsec Architecture

    ZyWALL 100 Internet Security Gateway Figure 27-3 IPSec Architecture 27.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 282: Encapsulation

    27.3 Encapsulation. The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 27-4 Transport and Tunnel Mode IPSec Encapsulation. 27.3.1 Transport Mode: Transport mode protects upper layer protocols and covers only the payload of the IP packet. In Transport mode the security protocol header (AH or ESP) is placed after the original IP header and options, but before any upper layer protocol contained in the packet (such as TCP or UDP).
  • Page 283: Table 27-1 VPN and NAT

    A NAT device between the IPSec endpoints rewrites either the source or the destination address to one of its own choosing. Because the AH integrity check value is computed over the IP header as well as the payload, the VPN device at the receiving end recomputes the hash over the rewritten packet, finds that it does not match the value carried in the packet, and rejects it. ESP in tunnel mode does not have this problem: its integrity check covers only the ESP header and the encapsulated packet, not the outer IP header that NAT rewrites.
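The failure mode described above, as an added example that is not part of the manual or of ZyXEL's firmware: a Python model of an AH-style integrity check (HMAC-SHA1-96 over the IP header with mutable fields zeroed, plus the payload) beside an ESP tunnel-mode check that covers only the ESP header and the encapsulated packet. The key, addresses and packet contents are constructed for the demonstration, and only TTL and header checksum are treated as mutable fields; RFC 2402 lists a few more.

```python
"""Added illustration: why NAT breaks AH but not ESP in tunnel mode.

Not ZyNOS code. Key, addresses and packet contents are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key-not-a-real-SA-key"  # constructed


def ipv4_header(src, dst, proto, ttl=64, total_len=20):
    """Build a 20-byte IPv4 header (checksum left at zero for the demo)."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable(hdr):
    """Zero the fields a router may legitimately change before hashing.

    RFC 2402 treats TTL and header checksum (among others) as mutable; the
    demo zeroes only those two, which is enough to show the NAT effect.
    """
    return hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]


def icv(data, key=KEY):
    """HMAC-SHA1-96 (RFC 2404): the authentication value AH and ESP carry."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_sign(src, dst, payload):
    """AH: the ICV covers the immutable parts of the IP header and the payload."""
    hdr = ipv4_header(src, dst, 51, total_len=20 + len(payload))  # 51 = AH
    return hdr, icv(zero_mutable(hdr) + payload)


def ah_verify(hdr, payload, tag):
    return hmac.compare_digest(icv(zero_mutable(hdr) + payload), tag)


def esp_tunnel_sign(outer_src, outer_dst, inner_packet):
    """ESP tunnel mode: the ICV covers the ESP header and the encapsulated
    packet only; the outer IP header is outside the protected region."""
    esp_hdr = struct.pack("!II", 0x1001, 1)  # SPI and sequence number (constructed)
    outer = ipv4_header(outer_src, outer_dst, 50,  # 50 = ESP
                        total_len=20 + len(esp_hdr) + len(inner_packet))
    return outer, esp_hdr, icv(esp_hdr + inner_packet)


def esp_tunnel_verify(esp_hdr, inner_packet, tag):
    # Deliberately takes no outer header: NAT can rewrite it freely.
    return hmac.compare_digest(icv(esp_hdr + inner_packet), tag)


def nat_rewrite_src(hdr, new_src):
    """What a NAT device does: replace the source address (checksum stays zero here)."""
    return hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]


def router_decrement_ttl(hdr):
    """What an ordinary router does: TTL is mutable, so AH must tolerate it."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]


def demo():
    payload = b"constructed upper-layer data"
    hdr, tag = ah_sign("192.168.1.35", "172.16.2.46", payload)
    inner = ipv4_header("192.168.1.35", "172.16.2.46", 6,
                        total_len=20 + len(payload)) + payload
    outer, esp_hdr, esp_tag = esp_tunnel_sign("192.168.1.1", "198.51.100.1", inner)
    outer_after_nat = nat_rewrite_src(outer, "203.0.113.5")  # rewritten, never verified
    return {
        "ah_intact": ah_verify(hdr, payload, tag),
        "ah_after_ttl_decrement": ah_verify(router_decrement_ttl(hdr), payload, tag),
        "ah_after_nat": ah_verify(nat_rewrite_src(hdr, "203.0.113.5"), payload, tag),
        "esp_tunnel_after_nat": esp_tunnel_verify(esp_hdr, inner, esp_tag),
        "outer_src_after_nat": str(ipaddress.IPv4Address(outer_after_nat[12:16])),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The TTL case is included because it is the counterpart of the NAT case: AH is designed to survive the fields a router must change, and only the address rewrite (which the AH ICV covers on purpose) makes the receiver reject the packet.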
  • Page 284: Chapter 28 VPN/IPSec Setup

    Chapter 28 VPN/IPSec Setup. This chapter introduces the VPN SMT menus. 28.1 VPN/IPSec Setup: the VPN/IPSec main SMT menu has three main submenus. 1. Define VPN policies in the menu 27.1 submenus, including security policies, endpoint IP addresses, the peer IPSec router's IP address and key management.
  • Page 285: IPSec Algorithms

    Menu 27 - VPN/IPSec Setup: 1. IPSec Summary; 2. SA Monitor; 3. View IPSec Log. Enter Menu Selection Number: (Figure 28-2 Menu 27 — VPN/IPSec Setup). 28.2 IPSec Algorithms: a Security Association (SA), the foundation of an IPSec VPN, is built on either the ESP or the AH protocol.
  • Page 286: IPSec Summary

    Table 28-1 AH and ESP. ESP encryption: select DES for minimal security and 3DES for maximum; select NULL to set up a tunnel without encryption (DES is the default). Authentication: select MD5 for minimal security and SHA-1 for maximum. Of these options, single DES and MD5 are now considered obsolete, so choose 3DES and SHA-1 wherever the peer supports them, and remember that a NULL-encryption tunnel authenticates traffic but does not hide it.
  • Page 287: Table 28-2 Telecommuter and Headquarters Configuration Example

    28.3.1 My IP Address. My IP Addr is the WAN IP address of the ZyWALL. If this field is configured as 0.0.0.0, the ZyWALL uses its current WAN IP address (static or dynamic) to set up the VPN tunnel. The ZyWALL has to rebuild the VPN tunnel if My IP Addr changes after setup.
  • Page 288: Figure 28-4 Telecommuter's ZyWALL Configuration

    Figure 28-4 Telecommuter's ZyWALL Configuration. Figure 28-5 Headquarters ZyWALL Configuration. The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management, not Manual key management. A ZyWALL with Secure Gateway Address set to 0.0.0.0 can accept multiple VPN connection requests through the same VPN rule at the same time. In that configuration the pre-shared key is the only thing that identifies a legitimate peer, so it must be strong and must not be shared beyond the intended remote sites.
  • Page 289: Figure 28-6 Menu 27.1 - IPSec Summary

    Menu 27.1 – IPSec Summary. Columns: # | Name | Local Addr Start - Local Addr End | Encap | IPSec Algorithm | Key Mgt | Remote Addr Start - Remote Addr End | Secure GW Addr. First example row: Taiwan, 192.168.1.35...
  • Page 290 Table 28-3 Menu 27.1 — IPSec Summary (continued). Local Addr End: when the Addr Type field in Menu 27.1.1 IPSec Setup is set to Single, this is the same (static) IP address as in the Local Addr Start field (example: 192.168.1.38).
  • Page 291 Table 28-3 Menu 27.1 — IPSec Summary (continued). Remote Addr End: when the Addr Type field in Menu 27.1.1 IPSec Setup is set to Single, this is the same (static) IP address as in the Remote Addr Start field (example: 172.16.2.46).
  • Page 292: IPSec Setup

    28.4 IPSec Setup. Select Edit in the Select Command field, type the index number of a rule in the Select Rule field and press [ENTER] to edit the VPN rule using the menu shown next. Menu 27.1.1 – IPSec Setup...
  • Page 293 Table 28-4 Menu 27.1.1 — IPSec Setup. My IP Addr: enter the WAN IP address of your ZyWALL. If you leave this field as 0.0.0.0, the ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel (example: 0.0.0.0).
  • Page 294: Table 28-4 Menu 27.1.1 — IPSec Setup

    Table 28-4 Menu 27.1.1 — IPSec Setup (continued). Port Start: 0 is the default and means any port. Type a port number from 0 to 65535. Some of the most common TCP/UDP ports are: 21, FTP;...
  • Page 295: IKE Setup

  • Page 296: Figure 28-8 Two Phases to Set Up the IPSec SA

    Figure 28-8 Two Phases to set up the IPSec SA. In phase 1 you must: choose a negotiation mode; authenticate the connection by entering a pre-shared key; choose an encryption algorithm; choose an authentication algorithm.
  • Page 297 Aggressive Mode is quicker than Main Mode because it removes several steps from the phase 1 exchange in which the parties negotiate and authenticate. The trade-off is that the shorter exchange leaves less room for negotiation and does not provide identity protection: the identities are sent in the clear rather than under the phase 1 encryption. It is useful in remote access situations where the responder does not know the initiator's address in advance and both parties want to use pre-shared key authentication.
  • Page 298: Figure 28-9 Menu 27.1.1.1 - IKE Setup

    Menu 27.1.1.1 - IKE Setup. Phase 1: Negotiation Mode= Main; Pre-Shared Key= ; Encryption Algorithm= DES; Authentication Algorithm= SHA1; SA Life Time (Seconds)= 28800; Key Group= DH1. Phase 2: Active Protocol= ESP; Encryption Algorithm...
  • Page 299 Table 28-5 Menu 27.1.1.1 IKE Setup. Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slightly slower (example: SHA1).
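The phase 1 computation behind these fields, as an added example that is not from the manual or from ZyXEL's firmware: Python that performs the IKEv1 pre-shared-key key derivation of RFC 2409 section 5.4 with the settings shown above (SHA1 as the prf, Key Group DH1). The Oakley group 1 prime is transcribed from RFC 2409 and should be checked against it; the cookies, nonces, SA payload body and ID payload bodies are constructed for the demonstration. Each side derives keys from its own copy of the pre-shared key, so the responder's check of HASH_I (and the initiator's check of HASH_R) succeeds only when both keys match.

```python
"""Added illustration: IKEv1 phase 1 key derivation with pre-shared-key
authentication (RFC 2409 section 5.4), prf = HMAC-SHA1, Key Group DH1.

Not ZyNOS code. Cookies, nonces, SA body and ID bodies are constructed.
"""
import hashlib
import hmac
import os

# Oakley group 1 (768-bit MODP) from RFC 2409, generator 2. Transcribed by
# hand for this example; check it against the RFC before reuse.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2
GROUP1_LEN = (GROUP1_P.bit_length() + 7) // 8


def prf(key, data):
    """Authentication Algorithm = SHA1 selects HMAC-SHA1 as the IKE prf."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = int.from_bytes(os.urandom(48), "big")
    return x, pow(GROUP1_G, x, GROUP1_P)


def dh_bytes(n):
    return n.to_bytes(GROUP1_LEN, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and the three derived keys, as RFC 2409 section 5 defines them."""
    skeyid = prf(psk, ni + nr)                                       # pre-shared key auth
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")            # feeds IPSec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP auth
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
    return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def run_phase1(psk_initiator, psk_responder):
    """Both peers run the derivation with their own PSK; report what each
    side can verify about the other."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)        # ISAKMP cookies
    ni, nr = os.urandom(16), os.urandom(16)            # nonces
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    sai_b = b"\x00\x00\x00\x01constructed SA payload body"      # proposal as sent
    idii_b = b"\x01\x11\x01\xf4" + bytes([192, 168, 100, 100])  # ID_IPV4_ADDR, constructed
    idir_b = b"\x01\x11\x01\xf4" + bytes([10, 0, 0, 1])         # constructed

    gxy_i = dh_bytes(pow(gxr, xi, GROUP1_P))   # initiator's view of g^xy
    gxy_r = dh_bytes(pow(gxi, xr, GROUP1_P))   # responder's view of g^xy
    k_i = phase1_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    k_r = phase1_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)

    gxi_b, gxr_b = dh_bytes(gxi), dh_bytes(gxr)
    h_i = hash_i(k_i["skeyid"], gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)  # initiator sends
    h_r = hash_r(k_r["skeyid"], gxi_b, gxr_b, cky_i, cky_r, sai_b, idir_b)  # responder sends
    return {
        "dh_agrees": gxy_i == gxy_r,
        "skeyid_e_match": k_i["e"] == k_r["e"],
        # each side recomputes the peer's hash with its own SKEYID and compares
        "responder_accepts_initiator": hmac.compare_digest(
            h_i, hash_i(k_r["skeyid"], gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)),
        "initiator_accepts_responder": hmac.compare_digest(
            h_r, hash_r(k_i["skeyid"], gxi_b, gxr_b, cky_i, cky_r, sai_b, idir_b)),
    }


if __name__ == "__main__":
    print("matching PSK :", run_phase1(b"Sx7!pQ2#vLm9", b"Sx7!pQ2#vLm9"))
    print("mismatched   :", run_phase1(b"Sx7!pQ2#vLm9", b"wrong"))
```

In Main Mode the ID payloads and HASH_I/HASH_R travel encrypted under SKEYID_e; in Aggressive Mode they are sent in the clear, which is the missing identity protection noted on page 297. Every input to HASH_I other than the pre-shared key is then visible on the wire, so a weak key used with Aggressive Mode can be guessed offline from one captured exchange; choose a long random key.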
  • Page 300: Manual Setup

    28.6 Manual Setup. You only configure Menu 27.1.1.2 – Manual Setup when you select Manual in the Key Management field in Menu 27.1.1 – IPSec Setup. Manual key management is useful if you have problems with IKE key management, but the keys you enter never change unless you change them, so rotate them yourself and return to IKE as soon as the peer allows it.
  • Page 301: Figure 28-10 Menu 27.1.1.2 - Manual Setup

    Menu 27.1.1.2 – Manual Setup. Active Protocol= ESP Tunnel. ESP Setup: SPI= ; Encryption Algorithm= DES; Key1= ; Key2= N/A; Key3= N/A; Authentication Algorithm= MD5; Key= N/A. AH Setup: SPI (Decimal)= N/A; Authentication Algorithm= N/A; Key= . Press ENTER to Confirm or ESC to Cancel. Figure 28-10 Menu 27.1.1.2 —...
  • Page 302 Table 28-7 Menu 27.1.1.2 — Manual Setup. Key3: enter a unique eight-character key (Key2 and Key3 are used only when the encryption algorithm is 3DES). It can be comprised of any character including spaces (but trailing spaces are truncated); because the key is typed as text, draw it from a random generator rather than choosing a word. Authentication Algorithm: press [SPACE BAR] to choose MD5 or SHA1 and then press [ENTER].
  • Page 304: Chapter 29 SA Monitor

    Chapter 29 SA Monitor. This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 29.1 Introduction: a Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
  • Page 305 Table 29-1 Menu 27.2 — SA Monitor. #: the security association index number. Name: the identification name for this VPN policy (example: Taiwan). This name is unique for each connection where the secure gateway IP address is a public static IP address.
  • Page 306: Chapter 30 IPSec Log

    Chapter 30 IPSec Log. This chapter interprets common IPSec log messages. 30.1 VPN Initiator IPSec Log: to view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next.
  • Page 307: VPN Responder IPSec Log

    30.2 VPN Responder IPSec Log. The following figure shows a typical log from the VPN connection peer.
    Index: Date/Time: Log:
    01 Jan 08:08:07 Recv Main Mode request from <192.168.100.100>
    01 Jan 08:08:07 Recv:<SA>
    01 Jan 08:08:08 Send:<SA>...
  • Page 308 Table 30-1 Sample IKE Key Exchange Logs. Send:<Symbol><Symbol> and Recv:<Symbol><Symbol>: IKE uses the ISAKMP protocol (RFC 2408 – ISAKMP) to transmit data. Each ISAKMP packet contains payloads of different types, which show in the log; see Table 30-3.
  • Page 309 Table 30-1 Sample IKE Key Exchange Logs (continued). !! IKE Packet Retransmit: the ZyWALL did not receive a response from the peer and so retransmits the last packet sent. !! Failed to send IKE Packet: the ZyWALL cannot send IKE packets due to a network error.
  • Page 310 Table 30-3 RFC 2408 ISAKMP Payload Types (log display: payload type). TRANS: Transform; Key Exchange; Identification; Certificate; CER_REQ: Certificate Request; HASH: Hash; Signature; NONCE: Nonce; NOTFY: Notification; Delete; Vendor ID.
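A small triage routine for logs of the kind shown on pages 307 to 310, as an added example that is not from the manual or from ZyXEL's firmware: it parses each line, maps the payload symbols of Table 30-3 to their names, and flags the retransmit and send-failure messages of Table 30-1. The display strings for payloads the excerpt does not show are assumptions, and the log lines are constructed after the page 307 sample.

```python
"""Added illustration: parse and triage Menu 27.3-style IPSec/IKE log output.

Not ZyNOS code. Display strings for payloads the excerpt does not show
(SA, PROP, KE, ID, CER, SIG, DEL, VID) are assumptions; log lines are
constructed after the Page 307 sample.
"""
import re
from collections import Counter

PAYLOAD_TYPES = {
    "SA": "Security Association", "PROP": "Proposal", "TRANS": "Transform",
    "KE": "Key Exchange", "ID": "Identification", "CER": "Certificate",
    "CER_REQ": "Certificate Request", "HASH": "Hash", "SIG": "Signature",
    "NONCE": "Nonce", "NOTFY": "Notification", "DEL": "Delete", "VID": "Vendor ID",
}

# optional index, then "DD Mon HH:MM:SS", then the message
LINE_RE = re.compile(r"^\s*(?:(\d+)\s+)?(\d{2} [A-Za-z]{3} \d{2}:\d{2}:\d{2})\s+(.*?)\s*$")
PEER_RE = re.compile(r"<(\d{1,3}(?:\.\d{1,3}){3})>")
PAYLOAD_RE = re.compile(r"^(Send|Recv):((?:<[A-Z_]+>)+)$")

SAMPLE_LOG = """\
Index: Date/Time: Log:
------------------------------------------------------------
001 01 Jan 08:08:07 Recv Main Mode request from <192.168.100.100>
002 01 Jan 08:08:07 Recv:<SA>
003 01 Jan 08:08:08 Send:<SA>
004 01 Jan 08:08:08 Recv:<KE><NONCE>
005 01 Jan 08:08:09 Send:<KE><NONCE>
006 01 Jan 08:08:10 !! IKE Packet Retransmit
007 01 Jan 08:08:12 !! IKE Packet Retransmit
008 01 Jan 08:08:14 !! Failed to send IKE Packet
"""


def parse_line(line):
    """One log line -> dict, or None for headers and separators."""
    m = LINE_RE.match(line)
    if not m:
        return None
    index, stamp, msg = m.groups()
    entry = {"index": index, "time": stamp, "msg": msg, "peer": None,
             "direction": None, "payloads": [], "alert": msg.startswith("!!")}
    peer = PEER_RE.search(msg)
    if peer:
        entry["peer"] = peer.group(1)
    pm = PAYLOAD_RE.match(msg)
    if pm:
        entry["direction"] = pm.group(1)
        symbols = re.findall(r"<([A-Z_]+)>", pm.group(2))
        entry["payloads"] = [PAYLOAD_TYPES.get(s, s) for s in symbols]
    return entry


def triage(text, retransmit_threshold=2):
    """Summarise one negotiation attempt and give it a verdict."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    peers = [e["peer"] for e in entries if e["peer"]]
    mode = None
    for e in entries:
        for candidate in ("Main", "Aggressive"):
            if f"{candidate} Mode" in e["msg"]:
                mode = candidate
    retransmits = sum("IKE Packet Retransmit" in e["msg"] for e in entries)
    send_failed = any("Failed to send IKE Packet" in e["msg"] for e in entries)
    payloads = Counter(p for e in entries for p in e["payloads"])
    if send_failed:
        verdict = "failed"       # network error: check the route and firewall to the peer
    elif retransmits >= retransmit_threshold:
        verdict = "unstable"     # peer silent or something dropping UDP 500 between sites
    else:
        verdict = "ok"
    return {"peer": peers[0] if peers else None, "mode": mode,
            "retransmits": retransmits, "send_failed": send_failed,
            "payloads": dict(payloads), "verdict": verdict,
            "entries": len(entries)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The payload sequence (SA, then KE with NONCE) is what a Main Mode exchange looks like before identities are sent, so a log that stalls with retransmits right after the KE/NONCE pair usually points at a pre-shared key or proposal mismatch on the peer rather than at the network.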
  • Page 311: Troubleshooting, Appendices And Index

    Troubleshooting, Appendices and Index Part VI: Troubleshooting, Appendices and Index Part VI provides Troubleshooting, followed by some Appendices and an Index.
  • Page 313: Chapter 31 Troubleshooting

    Chapter 31 Troubleshooting. This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you diagnose and solve the problem. Please see the included disk for further information.
  • Page 314: Problems with the LAN Interface

    31.2 Problems with the LAN Interface. Table 31-2 Troubleshooting the LAN Interface. Problem: cannot access the ZyWALL from the LAN. Corrective action: check your Ethernet cable type and connections; refer to the Rear Panel and ZyWALL Connections section for LAN connection instructions.
  • Page 315: Problems with the WAN Interface

    31.4 Problems with the WAN Interface. Table 31-4 Troubleshooting the WAN Interface. Problem: cannot get a WAN IP from the ISP. Corrective action: the WAN IP is provided when the ISP recognizes the user as an authorized user after verifying the MAC address, Host Name or User ID.
  • Page 316: Problems with the Password

    31.6 Problems with the Password. Table 31-6 Troubleshooting the Password. Problem: cannot access the ZyWALL. Corrective action: the Password field is case sensitive; make sure that you enter the correct password using the proper casing.
  • Page 317: Diagram 1 Big Picture - Filtering, Firewall, VPN and NAT

    Appendix A The Big Picture. The following figure gives an overview of how filtering, the firewall, VPN and NAT are related. Diagram 1 Big Picture — Filtering, Firewall, VPN and NAT.
  • Page 318 Appendix B Wireless LAN and IEEE 802.11. A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without a cabled connection. In effect a wireless LAN environment gives you the freedom to stay connected to the network while roaming around the coverage area.
  • Page 319: Diagram 2 Peer-to-Peer Communication in an Ad-Hoc Network

    Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4835 GHz unlicensed ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spectrum, to carry data.
  • Page 320 Infrastructure Wireless LAN Configuration. For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
  • Page 321: Diagram 3 ESS Provides Campus-Wide Coverage

    Diagram 3 ESS Provides Campus-Wide Coverage (figure).
  • Page 323: Diagram 4 Single-PC per Modem Hardware Configuration

    Appendix C PPPoE. PPPoE in Action: an ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure).
  • Page 324: Diagram 5 ZyWALL as a PPPoE Client

    The PPPoE driver makes the Ethernet appear as a serial link to the PC, and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 325: Diagram 6 Transport PPP Frames over Ethernet

    Appendix D PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination), where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 326: Diagram 7 PPTP Protocol Overview

    Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS.
  • Page 327 The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 328: Hardware Specifications

    Appendix E Hardware Specifications. Power Specification: 100-240 VAC, 50/60 Hz. Power Consumption: 16 Watts maximum. Power Current: 1.9 Amps. Fuse Rating: 0.5 Amps, 250 VAC. MTBF (Mean Time Between Failures): 100000 hrs. Operation Temperature: 0º C ~ 40º C...
  • Page 329: Diagram 9 WAN/LAN Cable Pin Layout

    Diagram 9 WAN/LAN Cable Pin Layout: straight-through and crossover pin assignments (IRD+, IRD-, OTD+, OTD-) for switch-to-switch and switch-to-adapter connections.
  • Page 330 Appendix F Safety Warnings and Instructions. 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40º Celsius (104º Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 331 Appendix G Command Interpreter. The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
  • Page 332 Appendix H Firewall Commands. The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. config edit firewall active <yes | no>: turns the firewall on or off.
  • Page 333 config display firewall ?: shows all of the available firewall sub-commands. config edit firewall e-mail mail-server <ip address of mail server>: sets the IP address to which the e-...
  • Page 334 config edit firewall attack block <yes | no>: set to yes to block new traffic after the tcp-max-incomplete threshold is exceeded; set to no to delete the oldest half-open session instead when traffic exceeds the tcp-max-incomplete threshold.
  • Page 335 config edit firewall set <set #> icmp-timeout <seconds>: sets the time period an ICMP session waits for the ICMP response. config edit firewall set <set #> udp-idle-timeout <seconds>: sets how long a UDP connection is...
  • Page 336 config edit firewall set <set #> rule <rule #> log <none | match | not-match | both>: sets the ZyWALL to log traffic that matches the rule, doesn't match, both or neither...
  • Page 337 config edit firewall set <set #> rule <rule #> TCP destport-range <start port #> <end port #>: sets a rule to have the ZyWALL check for TCP traffic with a destination port in this...
  • Page 339: Diagram 10 NetBIOS Display Filter Settings Command

    Appendix I NetBIOS Filter Commands. The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction: NetBIOS (Network Basic Input/Output System) over TCP/IP uses UDP and TCP packets, many of them broadcasts, that enable a computer to find and communicate with other hosts on a LAN.
  • Page 340 The filter types and their default settings are as follows (Name: Description: Default). LAN to WAN: whether NetBIOS packets from the LAN to the WAN are blocked or forwarded: Forward. LAN to DMZ...
  • Page 341 sys filter netbios config 1 off: forwards LAN to DMZ NetBIOS packets. sys filter netbios config 2 on: blocks IPSec NetBIOS packets. sys filter netbios config 3 off: stops NetBIOS commands from initiating calls.
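The filter behaviour described above, as an added example that is not from the manual or from ZyXEL's firmware: Python that recognises NetBIOS-over-TCP/IP traffic by its well-known ports (UDP 137 and 138, TCP 139) and applies a direction policy modelled on the sys filter netbios config table. Only the LAN-to-WAN default of Forward comes from the page; the LAN and DMZ address ranges, the use of type 0 for LAN to WAN, and the other defaults are assumptions, and every packet is constructed.

```python
"""Added illustration: recognise NetBIOS-over-TCP/IP packets and apply the
direction policy of 'sys filter netbios config <type> <on|off>'.

Not ZyNOS code. Only the LAN-to-WAN default (Forward) is taken from the
manual; the LAN/DMZ address ranges, the type-0 numbering and the other
defaults are assumptions. All packets are constructed.
"""
import ipaddress
import struct

NETBIOS_PORTS = {17: {137, 138}, 6: {139}}    # UDP name/datagram service, TCP session
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed
DMZ = ipaddress.ip_network("10.0.0.0/24")     # assumed

# config type -> [name, action]. Types 1, 2 and 3 follow the manual's
# examples; 0 = LAN to WAN is assumed. "on" blocks, "off" forwards.
POLICY = {0: ["LAN to WAN", "forward"], 1: ["LAN to DMZ", "forward"], 2: ["IPSec", "forward"]}


def config(cfg_type, state):
    """sys filter netbios config <type> <on|off>; returns the command issued."""
    if cfg_type not in POLICY or state not in ("on", "off"):
        raise ValueError("bad NetBIOS filter command")
    POLICY[cfg_type][1] = "block" if state == "on" else "forward"
    return f"sys filter netbios config {cfg_type} {state}"


def build_packet(src, dst, proto, sport, dport):
    """Minimal IPv4 header plus the first four bytes of a TCP/UDP header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)


def parse_packet(raw):
    """Return (src, dst, proto, sport, dport), or None for non-TCP/UDP or short packets."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    if proto not in (6, 17) or len(raw) < ihl + 4:
        return None
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])   # same offsets for TCP and UDP
    return src, dst, proto, sport, dport


def is_netbios(proto, sport, dport):
    ports = NETBIOS_PORTS.get(proto, set())
    return sport in ports or dport in ports


def decide(raw, via_ipsec=False):
    """Forward or block one packet according to the current POLICY."""
    parsed = parse_packet(raw)
    if parsed is None:
        return "forward"            # not TCP/UDP: the NetBIOS filter does not apply
    src, dst, proto, sport, dport = parsed
    if not is_netbios(proto, sport, dport):
        return "forward"
    if via_ipsec:
        return POLICY[2][1]
    if src in LAN and dst in DMZ:
        return POLICY[1][1]
    if src in LAN:
        return POLICY[0][1]
    return "forward"                # directions the table does not cover


if __name__ == "__main__":
    nbns = build_packet("192.168.1.10", "203.0.113.9", 17, 137, 137)
    print("default LAN->WAN NBNS:", decide(nbns))
    print(config(0, "on"), "->", decide(nbns))
```

Blocking LAN-to-WAN NetBIOS matters for more than noise: name-service and session traffic leaking to the Internet advertises host names and invites unsolicited SMB connections, so the "on" setting for type 0 is the one a practitioner normally wants even though the page shows Forward as the default.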
  • Page 342: Diagram 11 Option to Enter Debug Mode

    Appendix J Boot Commands. The BootModule AT commands execute from within the router's bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. Because that choice is offered to whoever is on the console at boot time, treat physical access to the console port as equivalent to administrative access and restrict it accordingly.
  • Page 343: Diagram 12 Boot Module Commands

    ... just answer OK. ATHE: print help. ATBAx: change baud rate (1: 38.4k, 2: 19.2k, 3: 9.6k, 4: 57.6k, 5: 115.2k). ATENx,(y): set BootExtension Debug Flag (y = password). ATSE: show the seed of the password generator. ATTI(h,m,s): change system time to hour:min:sec or show current time...
  • Page 344 Installing Fuses. This appendix shows you how to remove and install fuses for the ZyWALL 100. The ZyWALL 100 uses a 0.5 Amp, 250 VAC fuse. The ZyWALL 100 comes from the factory with two fuses installed in the fuse housing. If you need to install a new fuse, follow the procedure below.
  • Page 345 Index. 10/100 Mbps Ethernet WAN 1-1; Backup 22-2; 11 Mbps wireless LAN 6-10; Basic Service Set C; Blocking Time 15-7, 15-8, 15-10; Bold Times font, see Syntax Conventions; Access Point 6-11; Boot commands Z; Action for Matched Packets...
  • Page 346 CLI Commands P; Custom Ports: Creating/Editing 16-14; Cloning the MAC address 5-1; COM port, see Connecting the Console Port; Customer Support vi; COM1, see Connecting the Console Port; Command Interpreter Mode 23-1; DDNS: Configuration; Command Line 22-3; Community...
  • Page 347 TCP/IP Setup, see TCP/IP; 15-3; DMZ 100M LED 2-2; EMAIL 4-3; DMZ 10M LED 2-2; E-mail Address 4-3; DMZ Port Connections 2-3; E-mail Alerts 15-4; DMZ Setup 7-1; Enable Wildcard 4-4; DNS 4-1, 6-2, 24-2; Encapsulation 8-2, 9-3, 9-7...
  • Page 348 Filter log 21-11; Rule Checklist 16-2; Generic Filter Rule 19-11; Rule Logic 16-2; Generic Rule 19-11; Rule Precedence 16-5; NAT 19-16; Rule Security Ramifications 16-2; Remote Node 19-18; Services 16-7; Structure 19-2; SMT Menus 14-1...
  • Page 349 Gateway IP Address 8-2, 11-4; Initial Screen 3-1; General Setup 4-1; Inside 12-1; Global 12-1; Inside Global Address 12-1; Inside Local Address 12-1; Installation Requirements 2-4; Half-Open Sessions 15-7; Installing Fuses BB; Hardware Installation 2-1; Interactive Applications 25-2...
  • Page 350 IP Pool 6-2, 6-7; LAN Defaults 6-2; Setup 6-2; LAN Port Filter Setup 6-1; IP Ports 13-4, 28-11, 28-12; LAN Setup 6-1, 6-5; IP Protocol 25-5; LAN to WAN Rules 16-3; IP Routing Policy...
  • Page 351 Mean Time Between Failures L; Network Address Translation (NAT) 1-4, 12-1; Metric 9-5, 9-9, 9-11, 10-6, 11-4; Network Interface Card 2-4; MSDU 6-11; NIC, see Network Interface Card; MTBF, see Mean Time Between Failures; Notice iii; Multicast 6-8, 9-9, 9-11, 10-6...
  • Page 352 Port Configuration 16-15; Rear Panel 2-2, 2-3; Port Forwarding 1-4; Related Documentation xxvii; Power Consumption L; Relay 6-7; Power Cord 2-4; Rem IP Address 9-10, 10-5, 10-8; Power Current L; Rem Node Name 9-3, 10-1, 10-4...
  • Page 353 Routing Policy 25-1; Service v, 16-3; RTC, see Real Time Chip; Service Name 9-3; RTS/CTS handshake 6-11; Service Set 6-11; Rule Summary 16-5, 16-20; Service Type 8-2, 9-3, 16-15, 31-3; Rules 16-1, 16-4; Services Supported 16-7...
  • Page 354 Subnet Mask 6-3, 6-7, 8-2, 9-8, 9-10, 10-5, 10-8, 11-4, 16-14; TFTP 22-5; File Upload 22-14; Support Disk xxvii; GUI-based Clients 22-6; SYN Flood 13-4, 13-5; TFTP and FTP over WAN 22-4; SYN-ACK 13-5; TFTP and FTP over WAN Will Not Work When...
  • Page 355 Trusted Network, see LAN; Wired Equivalent Privacy 6-11; Turning On 3-1; Wireless LAN 1-2, B; Type of Service 25-1, 25-3, 25-5; Benefits; Wireless LAN Setup 6-10; Wireless Modem 2-3; UDP/ICMP Security 13-10; WLAN, see Wireless LAN; Unicast...
