ZyXEL Communications ZyWall P1 User Manual
ZyWALL P1
Internet Security Appliance
User's Guide
Version 3.64
8/2005

Summary of Contents for ZyXEL Communications ZyWall P1

  • Page 1 ZyWALL P1 Internet Security Appliance User’s Guide Version 3.64 8/2005...
  • Page 2: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 3: Federal Communications Commission (FCC) Interference Statement

    ZyWALL P1 User’s Guide Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Safety Warnings

    Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • To reduce the risk of fire, use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
  • Page 5: ZyXEL Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During...
  • Page 6 • Place connecting cables carefully so that no one will step on them or stumble over them. Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord.
  • Page 7: Customer Support

    Customer Support Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it.
  • Page 8

    LOCATION: UNITED KINGDOM
    Support e-mail: support@zyxel.co.uk
    Sales e-mail: sales@zyxel.co.uk
    Telephone: +44 (0) 1344 303044; 08707 555779 (UK only)
    Other number listed: +44 (0) 1344 303034
    Web site: www.zyxel.co.uk
    FTP site: ftp.zyxel.co.uk
    Regular mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell...
  • Page 10: Table of Contents

    Copyright (p. 1); Federal Communications Commission (FCC) Interference Statement (p. 2); Safety Warnings (p. 3); ZyXEL Limited Warranty (p. 4); Customer Support (p. 6); Preface (p. 29); Chapter 1 Getting to Know Your ZyWALL (p. 31); 1.1 Overview (p. 31)...
  • Page 11 Chapter 3 Wizard Setup (p. 51); 3.1 Overview (p. 51); 3.2 Internet Access Wizard Setup (p. 51); 3.2.1 ISP Parameters (p. 51); 3.2.2 WAN and DNS (p. 51); 3.2.2.1 WAN IP Address Assignment (p. 51); 3.2.2.2 IP Address and Subnet Mask (p. 52); 3.2.2.3 DNS Server Address Assignment (p. 52)...
  • Page 12 4.3.3 RIP Setup (p. 74); 4.3.4 Multicast (p. 75); 4.4 Configuring LAN (p. 75); 4.5 Configuring Static DHCP (p. 77); Chapter 5 WAN Screens (p. 79); 5.1 WAN Overview (p. 79); 5.1.1 TCP/IP Priority (Metric) (p. 79); 5.1.2 WAN MAC Address (p. 79); 5.2 WAN Route Setup (p. 79); 5.3 Configuring WAN Setup (p. 80)...
  • Page 13 6.7.2 Firewall (p. 102); 6.7.2.1 When To Use The Firewall (p. 102); Chapter 7 Firewall Screens (p. 103); 7.1 Access Methods (p. 103); 7.2 Firewall Policies Overview (p. 103); 7.3 Rule Logic Overview (p. 104); 7.3.1 Rule Checklist (p. 104); 7.3.2 Security Ramifications (p. 104); 7.3.3 Key Fields For Configuring Rules (p. 105)...
  • Page 14 8.1.4.2 Accessing Network Resources When NAT Is Enabled (p. 124); 8.1.4.3 Unsupported IP Applications (p. 124); 8.2 IPSec Architecture (p. 125); 8.2.1 IPSec Algorithms (p. 125); 8.2.2 Key Management (p. 125); 8.3 Encapsulation (p. 125); 8.3.1 Transport Mode (p. 126); 8.3.2 Tunnel Mode (p. 126); 8.4 IPSec and NAT (p. 126)...
  • Page 15 10.3 Configuration Summary (p. 152); 10.4 My Certificates (p. 152); 10.5 Certificate File Formats (p. 154); 10.6 Importing a Certificate (p. 155); 10.7 Creating a Certificate (p. 156); 10.8 My Certificate Details (p. 158); 10.9 Trusted CAs (p. 161); 10.10 Importing a Trusted CA’s Certificate (p. 163); 10.11 Trusted CA Certificate Details (p. 164)...
  • Page 16 Chapter 13 Remote Management (p. 191); 13.1 Remote Management Overview (p. 191); 13.1.1 Remote Management Limitations (p. 191); 13.1.2 Remote Management and NAT (p. 192); 13.1.3 System Timeout (p. 192); 13.2 Introduction to HTTPS (p. 192); 13.3 Configuring WWW (p. 193); 13.4 HTTPS Example (p. 194); 13.4.1 Internet Explorer Warning Messages (p. 195)...
  • Page 17 14.5.1 Installing UPnP in Windows Me (p. 219); 14.5.2 Installing UPnP in Windows XP (p. 220); 14.6 Using UPnP in Windows XP Example (p. 220); 14.6.1 Auto-discover Your UPnP-enabled Network Device (p. 221); 14.6.2 Web Configurator Easy Access (p. 223); Chapter 15 Logs Screens...
  • Page 18 17.3.6 GUI-based TFTP Clients (p. 253); 17.4 Restore Configuration (p. 253); 17.4.1 Restore Using FTP (p. 253); 17.4.2 Restore Using FTP Session Example (p. 254); 17.5 Uploading Firmware and Configuration Files (p. 254); 17.5.1 Firmware File Upload (p. 254); 17.5.2 FTP File Upload Command from the Command Prompt Example (p. 254); 17.5.3 FTP Session Example of Firmware File Upload (p. 255)...
  • Page 19 Appendix H Importing Certificates (p. 317); Appendix I Command Interpreter (p. 329); Appendix J Firewall Commands (p. 331); Appendix K NetBIOS Filter Commands (p. 337); Appendix L Certificates Commands (p. 341); Appendix M Brute-Force Password Guessing Protection (p. 345); Appendix N Log Descriptions...
  • Page 20 List of Figures: Figure 1 Application: Telecommuters (p. 35); Figure 2 Application: LAN Network Protection (p. 36); Figure 3 Front Panel: LEDs (p. 36); Figure 4 Web Configurator: Initial Screen (p. 40); Figure 5 Web Configurator: Login Screen (p. 40); Figure 6 Change Password Screen...
  • Page 21 Figure 37 Firewall: Default Rule (p. 107); Figure 38 Firewall: Rule Summary (p. 108); Figure 39 Firewall: Creating/Editing A Firewall Rule (p. 110); Figure 40 Firewall: Creating/Editing A Custom Service (p. 112); Figure 41 Firewall Example: Rule Summary (p. 113); Figure 42 Firewall Example: Rule Edit...
  • Page 22 Figure 80 NAT: Port Forwarding (p. 184); Figure 81 Trigger Port Forwarding Process: Example (p. 185); Figure 82 NAT: Port Triggering (p. 186); Figure 83 Example of Static Routing Topology (p. 187); Figure 84 Static Route (p. 188); Figure 85 Static Route: Edit...
  • Page 23 Figure 123 Synchronization is Successful (p. 241); Figure 124 Synchronization Fail (p. 241); Figure 125 Firmware Upload (p. 242); Figure 126 Firmware Upload In Process (p. 242); Figure 127 Network Temporarily Disconnected (p. 243); Figure 128 Firmware Upload Error (p. 243); Figure 129 Configuration...
  • Page 24 Figure 166 “Triangle Route” Problem (p. 296); Figure 167 IP Alias (p. 297); Figure 168 Gateways on the WAN Side (p. 297); Figure 169 SIP User Agent Server (p. 300); Figure 170 SIP Proxy Server (p. 301); Figure 171 SIP Redirect Server...
  • Page 26 List of Tables: Table 1 Feature Specifications (p. 31); Table 2 Front Panel LEDs (p. 37); Table 3 Web Configurator: HOME (p. 43); Table 4 Navigation Panel: Menu Summary (p. 45); Table 5 Home: Show Statistics (p. 47); Table 6 Home: DHCP Table...
  • Page 27 Table 37 VPN and NAT (p. 127); Table 38 ESP and AH (p. 130); Table 39 Local ID Type and Content Fields (p. 133); Table 40 Peer ID Type and Content Fields (p. 133); Table 41 Matching ID Type and Content Configuration Example (p. 134); Table 42 Mismatching ID Type and Content Configuration Example...
  • Page 28 Table 80 View Log (p. 226); Table 81 Example Log Description (p. 226); Table 82 Log Settings (p. 229); Table 83 Reports (p. 231); Table 84 Web Site Hits Report (p. 232); Table 85 Protocol/Port Report (p. 233); Table 86 LAN IP Address Report...
  • Page 29 Table 123 System Maintenance Logs (p. 347); Table 124 System Error Logs (p. 348); Table 125 Access Control Logs (p. 348); Table 126 TCP Reset Logs (p. 349); Table 127 Packet Filter Logs (p. 349); Table 128 ICMP Logs (p. 350); Table 129 CDR Logs...
  • Page 30: Preface

    Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you! Syntax Conventions •...
  • Page 31 • For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in other words” throughout this manual. • The ZyWALL P1 Internet Security Appliance will be referred to as the ZyWALL in this User’s Guide.
  • Page 32: Getting to Know Your ZyWALL

    Chapter 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 Overview The ZyWALL can be pre-configured by a network administrator, which makes it an ideal plug-and-...
  • Page 33: Non-Physical Features

    Time and Date The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date.
  • Page 34: PPTP Encapsulation

    Firewall The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real-time alerts, reports and logs.
  • Page 35: Central Network Management

    Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. The enterprise or service provider network administrator can configure your ZyWALL, perform firmware upgrades and do troubleshooting for you.
  • Page 36: Applications

    • Firewall logs. Upgrade ZyWALL Firmware via LAN The firmware of the ZyWALL can be upgraded via the LAN. Embedded FTP and TFTP Servers The ZyWALL’s embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.
  • Page 37: ZyWALL Hardware Connection

    Figure 2 Application: LAN Network Protection 1.4 ZyWALL Hardware Connection Refer to the Quick Start Guide for information on hardware connection and basic setup. 1.5 Front Panel LED The LED and port labels are on the front panel.
  • Page 38: Table 2 Front Panel LEDs

    The following table describes the LEDs.
    Table 2 Front Panel LEDs (LED / COLOR / STATUS / DESCRIPTION)
    PWR / Off / The ZyWALL is turned off.
    PWR / Green / On / The ZyWALL is turned on.
    PWR / Green / Blinking / The ZyWALL is starting.
    WAN / Off / The WAN connection is not ready, or has failed.
  • Page 40: Introducing the Web Configurator

    Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Overview The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via an Internet browser.
  • Page 41: Figure 4 Web Configurator: Initial Screen

    Figure 4 Web Configurator: Initial Screen 6 A login screen displays. Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically; if this is the case, click Login. The default password is the same on every unit and is printed in this guide, so change it at the Change Password screen that follows (Figure 6).
  • Page 42: Resetting the ZyWALL

    Figure 6 Change Password Screen 8 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
  • Page 43: Procedure to Use the Reset Button

    2.3.1 Procedure to Use the Reset Button Make sure the PWR LED is on (not blinking) before you begin this procedure. 1 Press the RESET button in for about 10 seconds and release it. When the PWR LED starts to blink, the defaults have been restored and the ZyWALL restarts.
  • Page 44: Figure 8 Web Configurator: Home

    Figure 8 Web Configurator: HOME • Use the submenus to configure ZyWALL features. • Click LOGOUT at any time to exit the web configurator. • Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware files. Maintenance includes General, Password, Time and Date, F/W (firmware) Upload, Configuration (Backup, Restore, Default), and Restart.
  • Page 45: Navigation Panel

    Table 3 Web Configurator: HOME (continued) LABEL DESCRIPTION Memory The first number shows how many kilobytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 46: Table 4 Navigation Panel: Menu Summary

    Table 4 Navigation Panel: Menu Summary LINK FUNCTION HOME This screen shows the ZyWALL’s general device and network status information. Use this screen to access the wizards, statistics and DHCP table. LAN Use this screen to configure LAN DHCP and TCP/IP settings.
  • Page 47: System Statistics

    Table 4 Navigation Panel: Menu Summary (continued) LINK FUNCTION REMOTE MGMT WWW Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL. SSH Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
  • Page 48: DHCP Table Screen

    Figure 9 Home: Show Statistics The following table describes the labels in this screen. Table 5 Home: Show Statistics LABEL DESCRIPTION Port This is the WAN or LAN port. Status This displays the port speed and duplex setting if you’re using Ethernet encapsulation, and Down (line is down), Idle (PPP line idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
  • Page 49: VPN Status

    Figure 10 Home: DHCP Table The following table describes the labels in this screen. Table 6 Home: DHCP Table LABEL DESCRIPTION # This is the index number of the host computer. IP Address This field displays the IP address relative to the # field listed above.
  • Page 50: Figure 11 Home: VPN Status

    Figure 11 Home: VPN Status The following table describes the labels in this screen. Table 7 Home: VPN Status LABEL DESCRIPTION # This is the security association index number. Name This field displays the identification name for this VPN policy.
  • Page 52: Chapter 3 Wizard Setup

    Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the advanced web configurator. 3.1 Overview The web configurator's setup wizards help you configure the WAN port on the ZyWALL for Internet access, and edit VPN policies and IKE settings to establish a VPN tunnel.
  • Page 53: IP Address and Subnet Mask

    You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 54: Ethernet

    1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
  • Page 55: PPPoE Encapsulation

    Table 9 Internet Access Wizard: Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Note: You can select a service type in the advanced WAN screen (refer to Section 5.3 on page...
  • Page 56: Figure 13 Internet Access Wizard: PPPoE Encapsulation

    By implementing PPPoE directly on the ZyWALL (rather than on individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
  • Page 57: PPTP Encapsulation

    Table 10 Internet Access Wizard: PPPoE Encapsulation (continued) LABEL DESCRIPTION Nailed-Up Connection Select Nailed-Up Connection if you do not want the connection to time out. Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server.
  • Page 58: Figure 14 Internet Access Wizard: PPTP Encapsulation

    Figure 14 Internet Access Wizard: PPTP Encapsulation The following table describes the related labels in this screen. Table 11 Internet Access Wizard: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box.
  • Page 59: Internet Access Wizard Setup Complete

    Table 11 Internet Access Wizard: PPTP Encapsulation (continued) LABEL DESCRIPTION My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP address of the PPTP server.
  • Page 60: IPSec

    3.3.1 IPSec Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.
  • Page 61: VPN Wizard: Network Setting

    Figure 16 VPN Wizard: Gateway Policy Setting The following table describes the labels in this screen. Table 12 VPN Wizard: Gateway Policy Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 62: Figure 17 VPN Wizard: Network Setting

    Figure 17 VPN Wizard: Network Setting The following table describes the labels in this screen. Table 13 VPN Wizard: Network Setting LABEL DESCRIPTION Network Policy Property Active Select this checkbox to enable this VPN rule. Name Type up to 32 characters to identify this VPN network policy.
  • Page 63: IKE Phases

    Table 13 VPN Wizard: Network Setting (continued) LABEL DESCRIPTION Starting IP Address When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router.
  • Page 64: Negotiation Mode

    In phase 2 you must: • Choose which IPSec protocol (ESP or AH) the IPSec SA will use. • Choose an encryption algorithm. • Choose an authentication algorithm. • Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography (see Section 3.3.7 on page...
  • Page 65: Perfect Forward Secrecy (PFS)

    3.3.7.4 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key derived from a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
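    The difference PFS makes is easiest to see in the IKEv1 quick-mode key derivation itself. The following is an added illustration, not ZyWALL or ZyNOS code: it derives phase-2 KEYMAT the way RFC 2409 describes it, with and without PFS, and models an attacker who has learned the phase-1 secret SKEYID_d (and, since quick mode is protected only by phase-1 keys, can also read the SPI and nonces). The group prime is intended to be the 1024-bit MODP prime of IKE group 2 as transcribed here; the demonstration does not depend on the exact group, and all secrets, SPIs and nonces are generated for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not ZyWALL code): IKEv1 quick-mode KEYMAT with and without PFS.
# P is meant to be the IKE group 2 (1024-bit MODP) prime; the logic does not
# depend on the exact value. All secrets below are generated for the demo.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PLEN = (P.bit_length() + 7) // 8
PROTO_AH, PROTO_ESP = 2, 3  # IPSec protocol IDs used in the KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF when the SHA1 hash algorithm is negotiated: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat_no_pfs(skeyid_d, protocol, spi, ni, nr):
    """KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b): no new DH."""
    return prf(skeyid_d, bytes([protocol]) + spi + ni + nr)


def keymat_pfs(skeyid_d, g_xy, protocol, spi, ni, nr):
    """KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, g_xy + bytes([protocol]) + spi + ni + nr)


def dh_keypair():
    """Fresh ephemeral exponent x in [1, P-2] and public value g^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    """g^xy mod P, encoded as a fixed-width big-endian byte string."""
    return pow(peer_public, x, P).to_bytes(PLEN, "big")


def demo():
    skeyid_d = secrets.token_bytes(20)          # phase-1 derived secret
    spi = b"\x00\x00\x10\x01"
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    # Without PFS the attacker who holds SKEYID_d recomputes the SA key exactly.
    real = keymat_no_pfs(skeyid_d, PROTO_ESP, spi, ni, nr)
    no_pfs_recovered = keymat_no_pfs(skeyid_d, PROTO_ESP, spi, ni, nr) == real

    # With PFS both peers do a fresh exchange; the attacker sees only g^x and g^y.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    sa1 = keymat_pfs(skeyid_d, dh_shared(xi, gxr), PROTO_ESP, spi, ni, nr)
    both_sides_agree = sa1 == keymat_pfs(skeyid_d, dh_shared(xr, gxi),
                                         PROTO_ESP, spi, ni, nr)
    # Best the attacker can do without solving the discrete log: guess x.
    xa, _ = dh_keypair()
    pfs_recovered = keymat_pfs(skeyid_d, dh_shared(xa, gxr),
                               PROTO_ESP, spi, ni, nr) == sa1

    # A rekeyed SA keeps nothing from the previous one: same SKEYID_d, and (to
    # isolate the DH contribution) even the same SPI and nonces, yet a new key.
    xi2, gxi2 = dh_keypair()
    xr2, gxr2 = dh_keypair()
    sa2 = keymat_pfs(skeyid_d, dh_shared(xi2, gxr2), PROTO_ESP, spi, ni, nr)

    return {"no_pfs_recovered": no_pfs_recovered,
            "both_sides_agree": both_sides_agree,
            "pfs_recovered": pfs_recovered,
            "fresh_sa_differs": sa1 != sa2}


if __name__ == "__main__":
    print(demo())
```

    The point the table above makes in words is the `no_pfs_recovered` result: without PFS every phase-2 key is a deterministic function of the phase-1 secret, so one leak exposes every SA negotiated under it, past and future. With PFS the same leak leaves the attacker holding only public DH values.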
  • Page 66: Table 14 ESP and AH

    An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted. Table 14 ESP and AH Encryption DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. Its 56-bit key can be brute-forced with modest resources today, so choose a stronger algorithm wherever the remote peer supports one.
  • Page 67: IKE Tunnel Setting (IKE Phase 1)

    3.4.3 IKE Tunnel Setting (IKE Phase 1) Figure 19 VPN Wizard: IKE Tunnel Setting The following table describes the labels in this screen. Table 15 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Use the radio buttons to select Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Main Mode carries the peers' identities in encrypted messages; Aggressive Mode finishes phase 1 in fewer messages but sends the identities (and, with pre-shared keys, the authentication hash) unprotected, so use Main Mode unless the remote peer requires Aggressive Mode.
  • Page 68: IPSec Setting (IKE Phase 2)

    Table 15 VPN Wizard: IKE Tunnel Setting (continued) LABEL DESCRIPTION Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared"...
  • Page 69: VPN Status Summary

    Table 16 VPN Wizard: IPSec Setting (continued) LABEL DESCRIPTION Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 70: Figure 21 VPN Wizard: VPN Status

    Figure 21 VPN Wizard: VPN Status The following table describes the labels in this screen. Table 17 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Setting My ZyWALL This is the WAN IP address or domain name of your ZyWALL.
  • Page 71: VPN Wizard Setup Complete

    Table 17 VPN Wizard: VPN Status (continued) LABEL DESCRIPTION IKE Tunnel Setting (IKE Phase 1) Negotiation Mode This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
  • Page 72: Figure 22 VPN Wizard: Complete

    Figure 22 VPN Wizard: Complete
  • Page 74: Chapter 4 LAN Screens

    Chapter 4 LAN Screens This chapter describes how to configure LAN settings. 4.1 LAN Overview A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server and manage IP addresses.
  • Page 75: LAN TCP/IP

    4.3 LAN TCP/IP The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 4.3.1 Factory LAN Defaults The LAN parameters of the ZyWALL are preset in the factory with the following values: •...
  • Page 76: Multicast

    4.3.4 Multicast Traditionally, IP packets are transmitted in one of two ways: Unicast (1 sender, 1 recipient) or Broadcast (1 sender, everybody on the network). Multicast delivers IP packets to a group of hosts on the network, not everybody and not just 1.
  • Page 77: Table 18 LAN: LAN

    The following table describes the labels in this screen. Table 18 LAN: LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.167.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
  • Page 78: Configuring Static DHCP

    Table 18 LAN: LAN (continued) LABEL DESCRIPTION DNS Servers Assigned by DHCP Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP client. The ZyWALL only passes this information to the LAN DHCP client when you select the DHCP Server check box.
  • Page 79: Figure 24 LAN: Static DHCP

    Figure 24 LAN: Static DHCP The following table describes the labels in this screen. Table 19 LAN: Static DHCP LABEL DESCRIPTION # This is the index number of the Static IP table entry (row). MAC Address Type the MAC address (with colons) of a computer on your LAN.
  • Page 80: Chapter 5 WAN Screens

    Chapter 5 WAN Screens This chapter describes how to configure WAN settings. 5.1 WAN Overview See Chapter 3 on page 51 for more information on the fields in the WAN screens. 5.1.1 TCP/IP Priority (Metric) The metric represents the "cost of transmission".
  • Page 81: Configuring WAN Setup

    Figure 25 WAN: Route The following table describes the labels in this screen. Table 21 WAN: Route LABEL DESCRIPTION Route Priority The default WAN connection is "1", as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
  • Page 82: Figure 26 WAN: WAN: Ethernet

    Figure 26 WAN: WAN: Ethernet The following table describes the labels in this screen. Table 22 WAN: WAN: Ethernet LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 83 Table 22 WAN: WAN: Ethernet (continued) LABEL DESCRIPTION Relogin Every (min) (Telia Login only) The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
  • Page 84: PPPoE Encapsulation

    Table 22 WAN: WAN: Ethernet (continued) LABEL DESCRIPTION Multicast Version Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use.
  • Page 85: Figure 27 WAN: WAN: PPPoE

    Figure 27 WAN: WAN: PPPoE The following table describes the labels not previously discussed. Table 23 WAN: WAN: PPPoE LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet).
  • Page 86: PPTP Encapsulation

    Table 23 WAN: WAN: PPPoE (continued) LABEL DESCRIPTION Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server.
  • Page 87: Figure 28 WAN: WAN: PPTP

    Figure 28 WAN: WAN: PPTP The following table describes the labels not previously discussed. Table 24 WAN: WAN: PPTP LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP's MS-CHAP authentication and MPPE encryption have known weaknesses; treat it as the encapsulation your ISP requires, not as a substitute for the IPSec VPN described in Chapter 3.
  • Page 88: Dynamic DNS

    Table 24 WAN: WAN: PPTP (continued) LABEL DESCRIPTION Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPTP server.
  • Page 89: Configuring Dynamic DNS

    5.4.2 Configuring Dynamic DNS To change your ZyWALL’s DDNS, click WAN, then the DDNS tab. The screen appears as shown. Figure 29 WAN: DDNS The following table describes the labels in this screen. Table 25 WAN: DDNS...
  • Page 90 Table 25 WAN: DDNS (continued) LABEL DESCRIPTION Enable off line option (Only applies to custom DNS) This option is applicable when Custom DNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
  • Page 92: Chapter 6 Firewalls

    ZyWALL P1 User’s Guide H A P T E R Firewalls This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 6.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 93: Stateful Inspection Firewalls

    ZyWALL P1 User’s Guide 1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. 2 Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 94: Denial Of Service

    ZyWALL P1 User’s Guide Figure 30 ZyWALL Firewall Application 6.4 Denial of Service Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 95: Types Of Dos Attacks

    ZyWALL P1 User’s Guide 6.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation. 2 Those that exploit weaknesses in the TCP/IP specification. 3 Brute-force attacks that flood a network with useless data.
  • Page 96: Figure 32 Syn Flood

    response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake.
  • Page 97: Icmp Vulnerability

    Figure 33 Smurf Attack 6.4.2.1 ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert: Table 27 ICMP Commands That Trigger Alerts: REDIRECT, TIMESTAMP_REQUEST, TIMESTAMP_REPLY, ADDRESS_MASK_REQUEST, ADDRESS_MASK_REPLY. 6.4.2.2 Illegal Commands (NetBIOS and SMTP)
  • Page 98: Traceroute

    All SMTP commands are illegal except for those displayed in the following tables. Table 29 Legal SMTP Commands: AUTH, DATA, EHLO, ETRN, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, TURN, VRFY. 6.4.2.3 Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints.
  • Page 99: Stateful Inspection Process

    Figure 34 Stateful Inspection The previous figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN, and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is blocked.
  • Page 100: Stateful Inspection And The Zywall

    temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection. 8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
  • Page 101: Udp/Icmp Security

    If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc.
  • Page 102: Guidelines For Enhancing Security With Your Firewall

    Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator’s Custom Services feature to do this (refer to Section 7.6.3 on page 112 for more information).
  • Page 103: Firewall

    6.7.2 Firewall • The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands the data in the packet intended for other layers, from the network layer (IP headers) up to the application layer.
  • Page 104: Chapter 7 Firewall Screens

    Chapter 7 Firewall Screens This chapter shows you how to configure your ZyWALL firewall. 7.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator.
  • Page 105: Rule Logic Overview

    Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.
  • Page 106: Key Fields For Configuring Rules

    3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers running FTP servers.
  • Page 107: Lan To Wan Rules

    7.4.1 LAN To WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
  • Page 108: Configuring Firewall

    7.6 Configuring Firewall Click FIREWALL to open the Default Rule screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in the following screen. Figure 37 Firewall: Default Rule The following table describes the labels in this screen.
  • Page 109: Figure 38 Firewall: Rule Summary

    Click FIREWALL, then the Rule Summary tab to open the screen. Figure 38 Firewall: Rule Summary The following table describes the labels in this screen. Table 31 Firewall: Rule Summary LABEL DESCRIPTION Firewall Rules Storage Space This read-only bar shows how much of the ZyWALL's memory for recording firewall rules it is currently using.
  • Page 110: Configuring Firewall Rules

    Table 31 Firewall: Rule Summary (continued) LABEL DESCRIPTION This field shows you whether a log is created when packets match this rule (Enabled) or not (Disable). Alert This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
  • Page 111: Figure 39 Firewall: Creating/Editing A Firewall Rule

    Figure 39 Firewall: Creating/Editing A Firewall Rule The following table describes the labels in this screen.
  • Page 112: Table 32 Firewall: Creating/Editing A Firewall Rule

    Table 32 Firewall: Creating/Editing A Firewall Rule LABEL DESCRIPTION Edit Source/Destination Address Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
  • Page 113: Configuring Custom Services

    Table 32 Firewall: Creating/Editing A Firewall Rule (continued) LABEL DESCRIPTION Apply Click Apply to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 7.6.3 Configuring Custom Services Configure customized ports for services not predefined by the ZyWALL (See Section 7.8 on...
  • Page 114: Figure 41 Firewall Example: Rule Summary

    1 Click the FIREWALL link and then the Rule Summary tab. Select WAN to LAN from the Packet Direction drop-down list box. Figure 41 Firewall Example: Rule Summary 2 In the Rule Summary screen, type the index number for where you want to put the rule.
  • Page 115: Figure 43 Firewall Example: Edit Custom Service

    6 In the Edit Rule screen, click Add under Custom Service to open the Edit Custom Service screen. Configure it as follows and click Apply. Figure 43 Firewall Example: Edit Custom Service 7 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows.
  • Page 116: Figure 44 Firewall Example: My Service Rule Configuration

    Figure 44 Firewall Example: My Service Rule Configuration
  • Page 117: Predefined Services

    Figure 45 Firewall Example: My Service Example Rule Summary Rule 1: Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. 7.8 Predefined Services The Available Services list box in the Edit Rule screen (see...
  • Page 118 Table 34 Predefined Services (continued) SERVICE DESCRIPTION FINGER(TCP:79) Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. FTP(TCP:20,21) File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
  • Page 119: Anti-Probing

    Table 34 Predefined Services (continued) SERVICE DESCRIPTION SFTP(TCP:115) Simple File Transfer Protocol. SMTP(TCP:25) Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
  • Page 120: Configuring Attack Alert

    Figure 46 Firewall: Anti-Probing The following table describes the labels in this screen. Table 35 Firewall: Anti-Probing LABEL DESCRIPTION Respond to PING The ZyWALL does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests.
  • Page 121: Threshold Values

    7.10.1 Threshold Values Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are: 1 The maximum number of open sessions.
  • Page 122: Figure 47 Firewall: Threshold

    Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to one of the following methods: 1 If the Blocking Time timeout is 0 (the default), then the ZyWALL deletes the oldest existing half-open session for the host for every new connection request to the host.
  • Page 123 Table 36 Firewall: Threshold (continued) LABEL DESCRIPTION One Minute High This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts.
  • Page 124: Introduction To Ipsec

    Chapter 8 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 8.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 125: Data Confidentiality

    Figure 48 Encryption and Decryption 8.1.3.2 Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. 8.1.3.3 Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 126: Ipsec Architecture

    8.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 49 IPSec Architecture 8.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 127: Transport Mode

    Figure 50 Transport and Tunnel Mode IPSec Encapsulation 8.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 128: Table 37 Vpn And Nat

    NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using the AH protocol, packet contents (the data payload) are not encrypted.
  • Page 130: Chapter 9 Vpn Screens

    Chapter 9 VPN Screens This chapter introduces the VPN Web Configurator. See Chapter 15 on page 225 for information on viewing logs and Appendix N on page 347 for IPSec log descriptions. 9.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 131: My Zywall

    Table 38 ESP and AH Encryption DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data. 3DES...
  • Page 132: Dynamic Secure Gateway Address

    You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
  • Page 133: Nat Traversal Configuration

    Figure 51 NAT Router Between IPSec Routers Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN.
  • Page 134: Id Type And Content

    9.6 ID Type and Content With aggressive negotiation mode (see Section 3.3.7.1 on page 63), the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyWALL to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.
  • Page 135: Id Type And Content Examples

    Table 40 Peer ID Type and Content Fields PEER ID TYPE= CONTENT= Subject Name Type the subject name (up to 255 characters) by which to identify the remote IPSec router. This option is available only when you set Authentication Method to Certificate.
  • Page 136: Ike Vpn Rule Summary Screen

    9.8 IKE VPN Rule Summary Screen The following figure helps explain the main fields in the web configurator. Figure 52 IPSec Summary Fields Note: Local and remote IP addresses must be static. Click VPN to display the VPN Rules (IKE) screen. This is a read-only menu of your IPSec rules (tunnels).
  • Page 137: Figure 54 Vpn Rules (Ike): Gateway Policy

    Figure 54 VPN Rules (IKE): Gateway Policy The following table describes the labels in this screen. Table 43 VPN Rules (IKE): Gateway Policy LABEL DESCRIPTION Property NAT Traversal Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
  • Page 138 Table 43 VPN Rules (IKE): Gateway Policy (continued) LABEL DESCRIPTION Gateway Policy Information My ZyWALL This field identifies the WAN IP address of the ZyWALL. You can enter the ZyWALL's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
  • Page 139 Table 43 VPN Rules (IKE): Gateway Policy (continued) LABEL DESCRIPTION Peer ID Type Select from the following when you set Authentication Method to Pre-shared Key. • Select IP to identify the remote IPSec router by its IP address.
  • Page 140 Table 43 VPN Rules (IKE): Gateway Policy (continued) LABEL DESCRIPTION Authenticated by Select XAUTH to have the remote IPSec router authenticate user(s) that request this VPN connection. Note: You must also configure extended authentication on the remote IPSec router.
  • Page 141: Configuring An Ike Vpn Policy

    Table 43 VPN Rules (IKE): Gateway Policy (continued) LABEL DESCRIPTION Name This field displays the policy name. Local Network This field displays one or a range of IP address(es) of the computer(s) behind the ZyWALL. Remote Network This field displays one or a range of IP address(es) of the remote network behind the remote IPSec router.
  • Page 142: Figure 55 Vpn Rules (Ike): Network Policy

    Figure 55 VPN Rules (IKE): Network Policy The following table describes the labels in this screen. Table 44 VPN Rules (IKE): Add Policy LABEL DESCRIPTION Active Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied.
  • Page 143 Table 44 VPN Rules (IKE): Add Policy (continued) LABEL DESCRIPTION Nailed-Up Select this check box to turn on the nailed up feature for this SA. Turn on nailed up to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 144 Table 44 VPN Rules (IKE): Add Policy (continued) LABEL DESCRIPTION Address Type Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
  • Page 145: Activating A Vpn Connection

    Table 44 VPN Rules (IKE): Add Policy (continued) LABEL DESCRIPTION Enable Multiple Proposal Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algorithms when negotiating an IKE SA.
  • Page 146: Configuring Global Setting

    Note: When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. See Section 9.4.2 on page 131...
  • Page 147: Telecommuter Vpn/Ipsec Examples

    Figure 58 VPN: Global Setting The following table describes the labels in this screen. Table 47 VPN: Global Setting LABEL DESCRIPTION Output Idle Timer Enter the time period (between 30 and 3600 seconds) to wait before the ZyWALL checks the VPN connection to the remote IPSec router.
  • Page 148: Telecommuters Sharing One Vpn Rule Example

    9.11.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyWALL at headquarters (HQ in the figure).
  • Page 149: Figure 60 Telecommuters Using Unique Vpn Rules Example

    See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.
  • Page 150: Vpn And Remote Management

    Table 49 Telecommuters Using Unique VPN Rules Example (continued) TELECOMMUTERS: Telecommuter C (telecommuterc.dydns.org) Local ID Type: E-mail; Local ID Content: myVPN@myplace.com; Local IP Address: 192.168.4.15. HEADQUARTERS: Headquarters ZyWALL Rule 3: Peer ID Type: E-mail; Peer ID Content: myVPN@myplace.com; Secure Gateway Address: telecommuterc.com...
  • Page 152: Chapter 10 Certificates

    Chapter 10 Certificates This chapter gives background information about public-key certificates and explains how to use them. 10.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 153: Advantages Of Certificates

    Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 154: Figure 62 Vpn: My Certificates

    Figure 62 VPN: My Certificates The following table describes the labels in this screen. Table 50 Certificate: My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 155: Certificate File Formats

    Table 50 Certificate: My Certificates (continued) LABEL DESCRIPTION Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
  • Page 156: Importing A Certificate

    • PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form. 10.6 Importing a Certificate Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen.
  • Page 157: Creating A Certificate

    10.7 Creating a Certificate Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request; see the following figure.
  • Page 158 Table 52 Certificate: My Certificate: Create (continued) LABEL DESCRIPTION Common Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided.
  • Page 159: My Certificate Details

    Table 52 Certificate: My Certificate: Create (continued) LABEL DESCRIPTION Request Authentication When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request.
  • Page 160: Figure 65 Certificate: My Certificate: Details

    Figure 65 Certificate: My Certificate: Details The following table describes the labels in this screen.
  • Page 161: Table 53 Certificate: My Certificate: Details

    Table 53 Certificate: My Certificate: Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
  • Page 162: Trusted Cas

    Table 53 Certificate: My Certificate: Details (continued) LABEL DESCRIPTION Subject Alternative Name This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature”...
  • Page 163: Figure 66 Certificates: Trusted Cas

    Figure 66 Certificates: Trusted CAs The following table describes the labels in this screen. Table 54 Certificates: Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 164: Importing A Trusted Ca's Certificate

    Table 54 Certificates: Trusted CAs (continued) LABEL DESCRIPTION CRL Issuer This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate’s details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority.
  • Page 165: Trusted Ca Certificate Details

    Table 55 Certificates: Trusted CA: Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
  • Page 166: Figure 68 Certificates: Trusted Ca: Details

    Figure 68 Certificates: Trusted CA: Details The following table describes the labels in this screen. Table 56 Certificates: Trusted CA: Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 167 Table 56 Certificates: Trusted CA: Details (continued) LABEL DESCRIPTION Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
  • Page 168: Trusted Remote Hosts

    Table 56 Certificates: Trusted CA: Details (continued) LABEL DESCRIPTION CRL Distribution Points This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
  • Page 169: Figure 69 Certificates: Trusted Remote Hosts

    Figure 69 Certificates: Trusted Remote Hosts The following table describes the labels in this screen. Table 57 Certificates: Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use.
  • Page 170: Verifying A Trusted Remote Host's Certificate

    Table 57 Certificates: Trusted Remote Hosts (continued) LABEL DESCRIPTION Modify Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate.
  • Page 171: Importing A Trusted Remote Host's Certificate

    Figure 71 Certificate Details Verify (over the phone, for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields. 10.14 Importing a Trusted Remote Host’s Certificate Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen.
  • Page 172: Trusted Remote Host Certificate Details

    Figure 72 Certificates: Trusted Remote Host: Import The following table describes the labels in this screen. Table 58 Certificates: Trusted Remote Host: Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 173: Figure 73 Certificates: Trusted Remote Host: Details

    Figure 73 Certificates: Trusted Remote Host: Details The following table describes the labels in this screen. Table 59 Certificates: Trusted Remote Host: Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 174 Table 59 Certificates: Trusted Remote Host: Details (continued) LABEL DESCRIPTION Refresh Click Refresh to display the certification path. Certificate Information These read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed.
  • Page 175: Directory Servers

    Table 59 Certificates: Trusted Remote Host: Details (continued) LABEL DESCRIPTION Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
  • Page 176: Add Or Edit A Directory Server

    Table 60 Certificates: Directory Servers LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green.
  • Page 177: Table 61 Certificates: Directory Server: Add

    The following table describes the labels in this screen. Table 61 Certificates: Directory Server: Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
  • Page 178: Network Address Translation (Nat)

    Chapter 11 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 11.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 179: What Nat Does

    11.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
  • Page 180: Using Nat

    • One to One: In One-to-One mode, one local IP address is mapped to one global IP address. • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyWALL's Single User Account feature.
  • Page 181: Sua (Single User Account) Versus Nat

    11.2.1 SUA (Single User Account) Versus NAT Your ZyWALL supports SUA (Single User Account), which is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. 11.3 Configuring NAT Overview Click NAT to open the NAT Overview screen shown next.
  • Page 182: Port Forwarding

    Table 64 NAT Overview (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 11.4 Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
  • Page 183: Configuring Servers Behind Port Forwarding (Example)

    The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Please also refer to the Supporting CD for more examples and details on port forwarding and NAT.
  • Page 184: Port Translation

    11.4.4 Port Translation The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the LAN. When you use port forwarding without port translation, a single server on the LAN can use a specific port number and be accessible to the outside world through a single WAN IP address.
  • Page 185: Figure 80 Nat: Port Forwarding

    Figure 80 NAT: Port Forwarding The following table describes the labels in this screen. Table 66 NAT: Port Forwarding LABEL DESCRIPTION Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
  • Page 186: Configuring Trigger Port

    Table 66 NAT: Port Forwarding (continued) LABEL DESCRIPTION Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. 11.6 Configuring Trigger Port Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
  • Page 187: Figure 82 Nat: Port Triggering

    To change your ZyWALL’s trigger port settings, click NAT and the Port Triggering tab. The screen appears as shown. Figure 82 NAT: Port Triggering The following table describes the labels in this screen. Table 67 NAT: Port Triggering...
  • Page 188: Static Route

    Chapter 12 Static Route This chapter shows you how to configure static routes for your ZyWALL. 12.1 Static Route Overview Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 189: Configuring A Static Route Entry

    Figure 84 Static Route The following table describes the labels in this screen. Table 68 Static Route LABEL DESCRIPTION This is the number of an individual static route. Name: This is the name that describes or identifies this route.
  • Page 190: Figure 85 Static Route: Edit

    Figure 85 Static Route: Edit The following table describes the labels in this screen. Table 69 Static Route: Edit LABEL DESCRIPTION Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
  • Page 192: Chapter 13 Remote Management

    Chapter 13 Remote Management This chapter provides information on the Remote Management screens. 13.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
  • Page 193: Remote Management And Nat

    4 The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately. 5 There is already another remote management session with an equal or higher priority running.
  • Page 194: Configuring Www

    2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s WS (web server). Figure 86 HTTPS Implementation Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts.
  • Page 195: Https Example

    The following table describes the labels in this screen. Table 70 WWW LABEL DESCRIPTION HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 196: Internet Explorer Warning Messages

    13.4.1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 197: Avoiding The Browser Warning Messages

    Figure 89 Security Certificate 1 (Netscape) Figure 90 Security Certificate 2 (Netscape) 13.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.
  • Page 198: Login Screen

    • The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
  • Page 199: Figure 91 Login Screen (Internet Explorer)

    Figure 91 Login Screen (Internet Explorer) Figure 92 Login Screen (Netscape)
  • Page 200: Figure 93 Replace Certificate

    Click Login and you then see the next screen. The factory default certificate is a common default certificate. Figure 93 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
  • Page 201: Ssh Overview

    Figure 95 Common ZyWALL Certificate 13.5 SSH Overview Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 202: Ssh Implementation On The Zywall

    Figure 97 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
  • Page 203: Requirements For Using Ssh

    13.7.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH. 13.8 Configuring SSH To change your ZyWALL’s Secure Shell settings, click REMOTE MGMT, then the SSH tab.
  • Page 204: Secure Telnet Using Ssh Examples

    13.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide.
  • Page 205: Secure Ftp Using Ssh Example

    Figure 100 SSH Example 2: Test
    $ telnet 192.168.167.1 22
    Trying 192.168.167.1...
    Connected to 192.168.167.1.
    Escape character is '^]'.
    SSH-1.5-1.0.0
    2 Enter ssh -1 192.168.167.1. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
  • Page 206: Telnet

    Figure 102 Secure FTP: Firmware Upload Example
    $ sftp -1 192.168.167.1
    Connecting to 192.168.167.1...
    The authenticity of host '192.168.167.1 (192.168.167.1)' can't be established.
    RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.167.1' (RSA1) to the list...
  • Page 207: Configuring Ftp

    Figure 104 Telnet The following table describes the labels in this screen. Table 72 Telnet LABEL DESCRIPTION Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 208: Configuring Snmp

    Figure 105 FTP The following table describes the labels in this screen. Table 73 FTP LABEL DESCRIPTION Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 209: Figure 106 Snmp Management Model

    Figure 106 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 210: Supported Mibs

    13.14.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 13.14.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events...
  • Page 211

    Figure 107 SNMP The following table describes the labels in this screen. Table 75 SNMP LABEL DESCRIPTION SNMP Configuration Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
  • Page 212: Configuring Dns

    13.15 Configuring DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 5 on page 79 for more information. To change your ZyWALL’s DNS settings, click REMOTE MGMT, then the DNS tab. The screen appears as shown.
  • Page 213: Configuring Cnm

    If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
  • Page 214

    Table 77 CNM (continued) LABEL DESCRIPTION Last Registration Time: This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
  • Page 216: Chapter 14 Upnp

    Chapter 14 UPnP This chapter introduces the Universal Plug and Play feature. 14.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 217: Upnp And Zyxel

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 14.2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™...
  • Page 218: Displaying Upnp Port Mapping

    Table 78 Configuring UPnP LABEL DESCRIPTION Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device;...
  • Page 219: Installing Upnp In Windows Example

    Table 79 UPnP Ports (continued) LABEL DESCRIPTION This is the index number of the UPnP-created NAT mapping rule entry. Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
  • Page 220: Installing Upnp In Windows Me

    14.5.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 221: Installing Upnp In Windows Xp

    14.5.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 222: Auto-Discover Your Upnp-Enabled Network Device

    14.6.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 223

    Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
  • Page 224: Web Configurator Easy Access

    14.6.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • Page 225

    6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 226: Chapter 15 Logs Screens

    Chapter 15 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix N on page 347 for example log message explanations. 15.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location.
  • Page 227: Log Description Example

    Table 80 View Log LABEL DESCRIPTION Display: The categories that you select in the Log Settings page (see Section 15.3 on page 227) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 228: Configuring Log Settings

    Table 81 Example Log Description (continued) LABEL DESCRIPTION notes: The ZyWALL blocked the packet. message: The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet.
  • Page 229: Figure 114 Log Settings

    Figure 114 Log Settings The following table describes the labels in this screen.
  • Page 230: Table 82 Log Settings

    Table 82 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 231: Configuring Reports

    Table 82 Log Settings (continued) LABEL DESCRIPTION Active: Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log.
  • Page 232: Figure 115 Reports

    Figure 115 Reports Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 83 Reports LABEL DESCRIPTION Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.
  • Page 233: Viewing Web Site Hits

    15.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 234: Viewing Lan Ip Address

    Figure 117 Protocol/Port Report Example The following table describes the labels in this screen. Table 85 Protocol/Port Report LABEL DESCRIPTION Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
  • Page 235: Reports Specifications

    Figure 118 LAN IP Address Report Example The following table describes the labels in this screen. Table 86 LAN IP Address Report LABEL DESCRIPTION IP Address: This column lists the LAN IP addresses to and/or from which the most traffic has been sent.
  • Page 236: Chapter 16 Maintenance

    Chapter 16 Maintenance This chapter displays information on the maintenance screens. 16.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
  • Page 237: Configuring Password

    Figure 119 General The following table describes the labels in this screen. Table 88 General LABEL DESCRIPTION General Setup System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long.
  • Page 238: Pre-Defined Ntp Time Servers List

    Figure 120 Password The following table describes the labels in this screen. Table 89 Password LABEL DESCRIPTION Old Password: Type the default password or the existing password you use to access the system in this field.
  • Page 239: Configuring Time And Date

    Table 90 Default Time Servers (continued) tock.usno.navy.mil ntp3.cs.wisc.edu ntp.cs.strath.ac.uk ntp1.sp.se time1.stupi.se tick.stdtime.gov.tw tock.stdtime.gov.tw time.stdtime.gov.tw 16.4 Configuring Time and Date To change your ZyWALL’s time and date, click MAINTENANCE, then the Time and Date tab. The screen appears as shown. Use this screen to configure the ZyWALL’s time based on your local time zone.
  • Page 240: Table 91 Time And Date

    Table 91 Time and Date LABEL DESCRIPTION Current Time and Date Current Time: This field displays the time of your ZyWALL. Each time you reload this page, the ZyWALL synchronizes the time with the time server.
  • Page 241: Time Server Synchronization

    Table 91 Time and Date (continued) LABEL DESCRIPTION Start Date: Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a...
  • Page 242: F/W Upload Screen

    Figure 123 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen. Figure 124 Synchronization Fail 16.5 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a ".bin"...
  • Page 243: Figure 125 Firmware Upload

    Figure 125 Firmware Upload The following table describes the labels in this screen. Table 92 Firmware Upload LABEL DESCRIPTION File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
  • Page 244: Configuration Screen

    Figure 127 Network Temporarily Disconnected After about two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
  • Page 245: Backup Configuration

    Figure 129 Configuration 16.6.1 Backup Configuration Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 246: Figure 130 Configuration Upload Successful

    Note: Do NOT turn off the ZyWALL while configuration file upload is in progress. After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again. Figure 130 Configuration Upload Successful The ZyWALL automatically restarts in this time causing a temporary network disconnect.
  • Page 247: Back To Factory Defaults

    Figure 132 Configuration Upload Error 16.6.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear.
  • Page 248: Figure 134 Restart Screen

    Figure 134 Restart Screen
  • Page 250: Firmware And Configuration File Maintenance

    Chapter 17 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 17.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its...
  • Page 251: Backup Configuration

    If your (T)FTP client does not allow you to have a destination filename different than the source, you will need to rename them as the ZyWALL only recognizes “rom-0” and “ras”. Be sure you keep unaltered copies of both files for later use.
  • Page 252: Gui-Based Ftp Clients

    Figure 135 FTP Session Example
    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 253: Backup Configuration Using Tftp

    17.3.4 Backup Configuration Using TFTP The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended.
  • Page 254: Gui-Based Tftp Clients

    17.3.6 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 96 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host: Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL’s default IP address when shipped.
  • Page 255: Restore Using Ftp Session Example

    5 Enter “bin” to set transfer mode to binary. 6 Find the “rom” file (on your computer) that you want to restore to your ZyWALL. 7 Use “put” to transfer files from the ZyWALL to the computer, for example, “put config.rom rom-0”...
  • Page 256: Ftp Session Example Of Firmware File Upload

    5 Enter “bin” to set transfer mode to binary. 6 Use “put” to transfer files from the computer to the ZyWALL, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the ZyWALL and renames it “ras”. Similarly, “put config.rom rom-0” transfers the configuration file on your computer (config.rom) to the ZyWALL and renames it “rom-...
  • Page 257: Tftp Upload Command Example

    4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. 5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer.
  • Page 258: Chapter 18 Troubleshooting

    Chapter 18 Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.
  • Page 259: Problems Accessing The Zywall

    18.2 Problems Accessing the ZyWALL Table 98 Troubleshooting Accessing the ZyWALL PROBLEM CORRECTIVE ACTION I cannot access the ZyWALL: The username is “admin”. The default password is “1234”. The Password and Username fields are case-sensitive. Make sure that you enter the correct password...
  • Page 260: Figure 138 Pop-Up Blocker

    Figure 138 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy. 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.
  • Page 261: Figure 140 Internet Options

    2 Select Settings… to open the Pop-up Blocker Settings screen. Figure 140 Internet Options 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
  • Page 262: Javascripts

    Figure 141 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. 18.2.1.2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 263: Figure 142 Internet Options

    Figure 142 Internet Options 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default).
  • Page 264: Java Permissions

    Figure 143 Security Settings - Java Scripting 18.2.1.3 Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected.
  • Page 265: Figure 144 Security Settings - Java

    Figure 144 Security Settings - Java 18.2.1.3.1 JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
  • Page 266: Problems With The Lan Interface

    Figure 145 Java (Sun) 18.3 Problems with the LAN Interface Table 99 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL from the ...: Check your Ethernet cable type and connections. Refer to the Quick Start Guide for LAN connection instructions.
  • Page 267: Problems With The Wan Interface

    18.4 Problems with the WAN Interface Table 100 Troubleshooting the WAN Interface PROBLEM CORRECTIVE ACTION Cannot get WAN IP address from the ...: The ISP provides the WAN IP address after authentication. Authentication may be through the user name and password, the MAC address or the host name.
  • Page 268: Problems With Remote Management

    18.7 Problems with Remote Management Table 103 Troubleshooting Telnet PROBLEM CORRECTIVE ACTION Cannot access the ZyWALL from the LAN or WAN: Refer to Section 15.1.1 on page 232 for scenarios when remote management may not be possible.
  • Page 270: Setting Up Your Computer's Ip Address

    Appendix A Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 271: Figure 146 Windows 95/98/Me: Network: Configuration

    Figure 146 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 272: Figure 147 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. Configuring: 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. 2 Click the IP Address tab.
  • Page 273: Figure 148 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    Figure 148 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add.
  • Page 274: Figure 149 Windows Xp: Start Menu

    Figure 149 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 150 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
  • Page 275: Figure 151 Windows Xp: Control Panel: Network Connections: Properties

    Figure 151 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 152 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 276: Figure 153 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. Figure 153 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
  • Page 277: Figure 154 Windows Xp: Advanced Tcp/Ip Properties

    Figure 154 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 278: Figure 155 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Figure 155 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
  • Page 279: Figure 156 Macintosh Os 8/9: Apple Menu

    Figure 156 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 157 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
  • Page 280: Figure 158 Macintosh Os X: Apple Menu

    4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 281: Figure 159 Macintosh Os X: Network

    ZyWALL P1 User’s Guide Figure 159 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box.
  • Page 282: Appendix B IP Subnetting

    Appendix B IP Subnetting. IP Addressing: Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes: An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 283: Table 105 Allowed IP Address Range by Class

    Since the first octet of a class “A” IP address must begin with a “0” bit, the first octet of a class “A” address can have a value of 0 to 127. Similarly, the first octet of a class “B” address must begin with “10”, therefore the first octet of a class “B”...
  • Page 284: Table 107 Alternative Subnet Mask Notation

    Since the mask is always a continuous run of ones beginning from the left, followed by a continuous run of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/”...
  • Page 285: Table 109 Subnet 1

    Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have on each subnet.
  • Page 286: Table 111 Subnet 1

    Example: Four Subnets. The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly, to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations: 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.
  • Page 287: Table 114 Subnet 4

    Table 114 Subnet 4
                            NETWORK NUMBER                  LAST OCTET BIT VALUE
    IP Address              192.168.1.                      192
    IP Address (Binary)     11000000.10101000.00000001.     11000000
    Subnet Mask (Binary)    11111111.11111111.11111111.     11000000
    Subnet Address: 192.168.1.192        Lowest Host ID: 192.168.1.193
    Broadcast Address: 192.168.1.255     Highest Host ID: 192.168.1.254
  • Page 288: Table 117 Class B Subnet Planning

    Subnetting with Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
  • Page 289: Appendix B IP Subnetting
  • Page 290: Appendix C PPPoE

    Appendix C PPPoE. PPPoE in Action: An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access...
  • Page 291: Figure 160 Single-Computer per Router Hardware Configuration

    Figure 160 Single-Computer per Router Hardware Configuration. How PPPoE Works: The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
  • Page 292: Appendix D PPTP

    Appendix D PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband...
  • Page 293: Figure 163 PPTP Protocol Overview

    PPTP Protocol Overview: PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel.
  • Page 294: Figure 164 Example Message Exchange between Computer and an ANT

    Figure 164 Example Message Exchange between Computer and an ANT. PPP Data Connection: The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 295: Appendix D PPTP
  • Page 296: Appendix E Triangle Route

    Appendix E Triangle Route. The Ideal Setup: When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
  • Page 297: Figure 166 “Triangle Route” Problem

    Figure 166 “Triangle Route” Problem. The “Triangle Route” Solutions: This section presents two solutions to the “triangle route” problem. IP Aliasing: IP alias allows you to partition your network into logical sections over the same Ethernet interface.
  • Page 298: Figure 167 IP Alias

    Figure 167 IP Alias. Gateways on the WAN Side: A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 299: Appendix E Triangle Route
  • Page 300: SIP Passthrough

    Appendix F SIP Passthrough. The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
  • Page 301: SIP Servers

    Table 118 SIP Call Progression (continued): 3. OK; 4. ACK; 5. Dialogue (voice traffic); 6. BYE; 7. OK. 1 A sends a SIP INVITE request to B. This message is an invitation for B to participate in a SIP telephone call.
  • Page 302: Figure 170 SIP Proxy Server

    In the following example, you want to use client device A to call someone who is using client device C. 1 The client device (A in the figure) sends a call invitation to the SIP proxy server (B).
  • Page 303: Figure 171 SIP Redirect Server

    Figure 171 SIP Redirect Server. SIP Register Server: A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mappings. The register server checks your user name and password when you register. When you make a VoIP call using SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer.
  • Page 304: Figure 172 ZyWALL SIP ALG

    ZyXEL SIP ALG: • SIP clients can be connected to the LAN, WLAN or DMZ. A SIP server must be on the WAN. The WLAN and DMZ are not available on all models. • You can make and receive calls between the LAN and the WAN, between the WLAN and the WAN and/or between the DMZ and the WAN.
  • Page 305: Signaling Session Timeout

    If the primary WAN connection fails, the SIP client needs to re-register with the SIP server through the secondary WAN port to have the SIP connection go through the secondary WAN port. When the ZyWALL uses both of the WAN ports at the same time, you can configure a routing policy to have the voice traffic from any IP address with UDP port 5060 and the RTP ports go over a specified WAN port.
  • Page 306: Appendix G VPN Setup

    Appendix G VPN Setup. This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users. General Notes: • The private networks behind the IPSec routers must be on different subnets.
  • Page 307: Figure 173 VPN Rules

    The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Secure Gateway Address and Local/Remote IP Address Start settings with your own values.
  • Page 308: Figure 174 Headquarters VPN Rule Edit

    Figure 174 Headquarters VPN Rule Edit (figure callouts: IP addresses on different subnets; the IP address of the branch office IPSec router).
  • Page 309: Figure 175 Branch Office VPN Rule Edit

    Figure 175 Branch Office VPN Rule Edit (figure callouts: IP addresses on different subnets; the IP address of the headquarters IPSec router). Dialing the VPN Tunnel via Web Configurator.
  • Page 310: Figure 176 VPN Rule Configured

    To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules screen’s Modify column to have the IPSec routers set up the tunnel. Figure 176 VPN Rule Configured (figure callout: Dial Icon). The following screen displays.
  • Page 311: Figure 178 VPN Tunnel Established

    Figure 178 VPN Tunnel Established. VPN Configuration via SMT: This section gives a VPN rule configuration example using the SMT. 1 From the main menu, enter 27 to display the first VPN menu (shown next). Figure 179 Menu 27: VPN/IPSec Setup. Menu 27 - VPN/IPSec Setup 1. ...
  • Page 312: Figure 180 Menu 27.1: IPSec Summary

    Figure 180 Menu 27.1: IPSec Summary. Menu 27.1 - IPSec Summary (columns): Name; A; Local Addr Start - Addr End / Mask; Encap; IPSec Algorithm; Key Mgt; Remote Addr Start - Addr End / Mask; Secure Gw Addr...
  • Page 313: Figure 182 Branch Office Menu 27.1.1: IPSec Setup

    Note: Press [ENTER] at the bottom of each screen to save your configuration. You can press the ‘Up’ arrow at the top of a menu to quickly reach the bottom of the menu. Figure 182 Branch Office Menu 27.1.1: IPSec Setup. Menu 27.1.1 - IPSec Setup...
  • Page 314: Figure 183 Menu 27.1.1.1: IKE Setup

    ‘ipsec dial n’ (where “n” is the number of the VPN rule) command from the Command Interpreter - Menu 24.8 to have the IPSec device set up the tunnel. Here is an example.
    Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
    ras> ipsec dial 1
    Tunnel built successfully!
  • Page 315: Figure 184 VPN Log Example

    VPN Log: The system log can often help to identify a configuration problem. Enable IKE & IPSec logging via the web configurator at both ends, clear the log and then build the tunnel. View the log via the web configurator or type ‘sys log disp’ from the CLI. See...
  • Page 316: Figure 185 IKE/IPSec Debug Example

    <0:None | 1:User | 2:Low | 3:High>
    ras> ipsec debug type 1 on
    ras> ipsec debug type 2 on
    ras> ipsec debug level 3
    Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
    ras> ipsec dial 1
    Start dialing for tunnel <rule# 1>...
    ikeStartNegotiate(): saIndex<0>...
  • Page 317: FTP Example

    FTP Example: The following example shows a text-based login from a branch office computer to an FTP server behind the remote IPSec router at headquarters. The server’s IP address (192.168.10.33) is in the subnet configured in the Local Policy fields in...
  • Page 318: Importing Certificates

    Appendix H Importing Certificates. This appendix shows certificate import examples using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator: In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority.
  • Page 319: Figure 187 Login Screen

    Figure 187 Login Screen. 2 Click Install Certificate to open the Install Certificate wizard. Figure 188 Certificate General Information before Import. 3 Click Next to begin the Install Certificate wizard.
  • Page 320: Figure 189 Certificate Import Wizard 1

    Figure 189 Certificate Import Wizard 1. 4 Select where you would like to store the certificate and then click Next. Figure 190 Certificate Import Wizard 2. 5 Click Finish to complete the Import Certificate wizard.
  • Page 321: Figure 191 Certificate Import Wizard 3

    Figure 191 Certificate Import Wizard 3. 6 Click Yes to add the ZyWALL certificate to the root store. Figure 192 Root Certificate Store.
  • Page 322: Figure 193 Certificate General Information after Import

    Figure 193 Certificate General Information after Import. Enrolling and Importing SSL Client Certificates: The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 323: Figure 194 ZyWALL Trusted CA Screen

    Figure 194 ZyWALL Trusted CA Screen. The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate: 1 Double-click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 324: Figure 195 CA Certificate Example

    Figure 195 CA Certificate Example. 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s): You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 325: Figure 196 Personal Certificate Import Wizard 1

    Figure 196 Personal Certificate Import Wizard 1. 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
  • Page 326: Figure 198 Personal Certificate Import Wizard 3

    Figure 198 Personal Certificate Import Wizard 3. 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 199 Personal Certificate Import Wizard 4. 5 Click Finish to complete the wizard and begin the import process.
  • Page 327: Figure 200 Personal Certificate Import Wizard 5

    Figure 200 Personal Certificate Import Wizard 5. 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 201 Personal Certificate Import Wizard 6. Using a Certificate When Accessing the ZyWALL Example: Use the following procedure to access the ZyWALL via HTTPS.
  • Page 328: Figure 203 SSL Client Authentication

    Figure 203 SSL Client Authentication. 3 You next see the ZyWALL login screen. Figure 204 ZyWALL Secure Login Screen.
  • Page 329: Appendix H Importing Certificates
  • Page 330: Appendix I Command Interpreter

    Appendix I Command Interpreter. The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode.
  • Page 331: Appendix I Command Interpreter
  • Page 332: Appendix J Firewall Commands

    Appendix J Firewall Commands. The following describes the firewall commands. See Appendix I on page 329 for information on the command structure. Table 119 Firewall Commands (FUNCTION / COMMAND / DESCRIPTION). Firewall Set-Up: This command turns the firewall on or off.
  • Page 333: Table 119 Firewall Commands (continued)

    E-mail: config edit firewall e-mail mail-server <ip address of mail server>: This command sets the IP address to which the e-mail messages are sent. config edit firewall e-mail ...: This command sets the source e-mail address of the firewall e-mails.
  • Page 334: Table 119 Firewall Commands (continued)

    config edit firewall attack minute-high <0-255>: This command sets the threshold rate of new half-open sessions per minute at which the ZyWALL starts deleting old half-open sessions until it gets them down to the minute-low threshold.
  • Page 335: Table 119 Firewall Commands (continued)

    Config edit firewall set <set #> tcp-idle-timeout <seconds>: This command sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed. Config edit firewall set <set ...: This command sets whether or not the...
  • Page 336: Table 119 Firewall Commands (continued)

    config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address> ...: This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet...
  • Page 337: Appendix J Firewall Commands
  • Page 338: NetBIOS Filter Commands

    Appendix K NetBIOS Filter Commands. The following describes the NetBIOS packet filter commands. See Appendix I on page 329 for information on the command structure. Introduction: NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
  • Page 339: Table 120 NetBIOS Filter Default Settings

    The filter types and their default settings are as follows. Table 120 NetBIOS Filter Default Settings (NAME / DESCRIPTION / EXAMPLE). Between LAN and WAN: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. Example: Block.
  • Page 340: Appendix K NetBIOS Filter Commands

    sys filter netbios config 3 on: This command blocks IPSec NetBIOS packets. sys filter netbios config 4 off: This command stops NetBIOS commands from initiating calls.
  • Page 341: Appendix K NetBIOS Filter Commands
  • Page 342: Certificates Commands

    Appendix L Certificates Commands. The following describes the certificate commands. See Appendix I on page 329 for information on the command structure. All of these commands start with certificates. Table 121 Certificates Commands (COMMAND / DESCRIPTION). my_cert create ...: Create a self-signed local host certificate.
  • Page 343: Table 121 Certificates Commands (continued)

    create cmp_enroll <name> <CA addr> <CA cert> ...: Create a certificate request and enroll for a certificate immediately online using the CMP protocol. <name> specifies a descriptive name for the enrolled certificate. <CA addr> specifies...
  • Page 344: Table 121 Certificates Commands (continued)

    replace_fact...: Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
  • Page 345: Table 121 Certificates Commands (continued)

    delete <name>: Delete the specified trusted remote host certificate. <name> specifies the name of the certificate to be deleted. list: List all trusted remote host certificate names and basic information.
  • Page 346: Brute-Force Password Guessing Protection

    Appendix M Brute-Force Password Guessing Protection. Brute-force password guessing protection allows you to specify a wait time that must expire before a fourth password can be entered after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.
  • Page 347: Appendix M Brute-Force Password Guessing Protection
  • Page 348: Appendix N Log Descriptions

    Appendix N Log Descriptions. This appendix provides descriptions of example log messages. Table 123 System Maintenance Logs (LOG MESSAGE / DESCRIPTION). Time calibration is ...: The router has adjusted its time based on information from the time server.
  • Page 349: Table 124 System Error Logs

    Table 123 System Maintenance Logs (continued). Configuration Change: PC = 0x%x, Task ID = 0x%x: The router is saving configuration changes. Successful SSH login: Someone has logged on to the router’s SSH server. Someone has failed to log on to the router’s SSH server.
  • Page 350: Table 126 TCP Reset Logs

    Table 126 TCP Reset Logs (LOG MESSAGE / DESCRIPTION). Under SYN flood attack, ...: The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
  • Page 351: Table 128 ICMP Logs

    Table 128 ICMP Logs (LOG MESSAGE / DESCRIPTION). Firewall default policy: ICMP <Packet Direction>, <type:%d>, ...: ICMP access matched the default policy and was blocked or forwarded according to the user's setting. For type and code details, see Table 140 on page 359.
  • Page 352: Table 131 UPnP Logs

    Table 130 PPP Logs (continued). ppp:LCP Closing: The PPP connection’s Link Control Protocol stage is closing. ppp:IPCP Closing: The PPP connection’s Internet Protocol Control Protocol stage is closing. Table 131 UPnP Logs (LOG MESSAGE / DESCRIPTION): UPnP packets can pass through the firewall.
  • Page 353: Table 133 Attack Logs

    Table 132 Content Filtering Logs (continued). Connecting to content filter server fail: The connection to the external content filtering server failed. License key is invalid: The external content filtering license key is invalid.
  • Page 354: Table 134 IPSec Logs

    Table 134 IPSec Logs (LOG MESSAGE / DESCRIPTION). Discard REPLAY packet: The router received and discarded a packet with an incorrect sequence number. Inbound packet ...: The router received a packet that has been altered. A third party may have altered or tampered with the packet.
  • Page 355: Table 135 IKE Logs (continued)

    Cannot resolve Secure Gateway Addr for rule <%d>: The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address. Peer ID: <peer id> ...: The displayed ID information did not match between the two...
  • Page 356: Table 135 IKE Logs (continued)

    XAUTH fail! Username: <Username>: The router was not able to use extended authentication to authenticate the listed username. Rule[%d] Phase 1 negotiation ...: The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer.
  • Page 357: Table 136 PKI Logs

    Table 135 IKE Logs (continued). Rule [%d] phase 2 mismatch: The listed rule’s IKE phase 2 did not match between the router and the peer. The listed rule’s IKE phase 2 key lengths (with the AES...
  • Page 358: Table 137 Certificate Path Verification Failure Reason Codes

    Table 136 PKI Logs (continued). Rcvd data <size> too large! Max size ...: The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field.
  • Page 359: Table 138 802.1X Logs

    Table 137 Certificate Path Verification Failure Reason Codes (continued) (CODE / DESCRIPTION): Database method failed. Path was not verified. Maximum path length reached. Table 138 802.1X Logs (LOG MESSAGE / DESCRIPTION): A user was authenticated by the local user database.
  • Page 360: Table 139 ACL Setting Notes

    Table 139 ACL Setting Notes (PACKET DIRECTION / DIRECTION / DESCRIPTION). (L to W) LAN to WAN: ACL set for packets traveling from the LAN to the WAN. (W to L) WAN to LAN: ACL set for packets traveling from the WAN to the LAN.
  • Page 361: Table 141 Syslog Logs

    Table 140 ICMP Notes (continued) (TYPE / CODE / DESCRIPTION). Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded. Parameter Problem: Pointer indicates the error. Timestamp: Timestamp request message. Timestamp Reply: Timestamp reply message. Information Request...
  • Page 362: Figure 205 Displaying Log Categories Example

    Table 142 RFC-2408 ISAKMP Payload Types (continued) (LOG DISPLAY / PAYLOAD TYPE): Signature; Nonce (log display NONCE); Notification (log display NOTFY); Delete; Vendor ID. Log Commands: Go to the command interpreter interface. Appendix I on page 329 explains how to access and use the commands.
  • Page 363: Displaying Logs

    Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category. Not every parameter is available with every category.
  • Page 364: Index

    Index. Numerics: 110V AC 3, 4; Cable Modem; 230V AC 3, 4; Cables, Connecting 3, 5; Central Network Management; certificate; certificates; Client-server Protocol; Command Line 3, 4; Configuration 47, 73; Accessories 3, 5; Connecting Cables 3, 5...
  • Page 365: Index

    Dynamic DNS Support; FTP Server; Dynamic Secure Gateway Address; Full Network Management; DYNDNS Wildcard; Gas Pipes 3, 5; ECHO; General Setup; Electric Shock 3, 5; Germany, Contact Information; Electrical Pipes 3, 5; Global; Electrocution 3, 4...
  • Page 366: Index

    ISP Parameters; Navigation Panel; Negotiation Mode; Aggressive Mode; Main Mode; NetBIOS (Network Basic Input/Output System) 77, 80; NetBIOS commands; Network Address Translation (NAT); Key Fields For Configuring Rules; Network Address Translators; Network Management; network status; NNTP...
  • Page 367: Index

    PPTP 51, 55, 56, 182; PPTP Encapsulation 33, 56; Pre-Shared Key 63, 134, 137; Private; SA (Security Association); Private IP Address; Safety Warnings; Protocol/Port 231, 232; Saving the State; Secure FTP Using SSH Example; Secure Gateway Address...
  • Page 368: Index

    Subnet Masks; Uniform Resource Identifier; Subnetting; Universal Plug and Play (UPnP) 215, 216; Supply Voltage 3, 4; Upload Firmware; Support E-mail; UPnP 33, 215; Supporting Disk; UPnP Examples; Sweden, Contact Information; UPnP Port Mapping; Swimming Pool...
  • Page 369: Index

    X-Auth; ZyNOS; ZyXEL Limited Warranty Note; ZyXEL’s Firewall Introduction.