ZyXEL Communications P-334WT Support Notes page 39


1. If a NAT router is running in front of the P-334WT, make sure the NAT router supports IPSec pass-through.
2. In the NAT case (whether NAT runs on the front-end router or in the P-334WT VPN box), only IPSec ESP tunneling mode is supported, because NAT works against AH mode: AH authenticates the IP addresses that NAT rewrites.
3. Source IP/Destination IP -- The P-334WT only supports SINGLE for Local Addr Type in its VPN rules. Therefore, only the one PC assigned in the Local IP Addr of the VPN rule can be protected via VPN/IPSec. Remote IP Addr can be a Subnet, a Range or a single host.
4. Secure Gateway IP Address -- This must be a public, routable IP address; a private IP is not allowed. That means it cannot be in the 10.x.x.x subnet, the 192.168.x.x subnet, or the range 172.16.0.0 - 172.31.255.255 (these address ranges are reserved by Internet standard for private LAN numbering behind NAT devices). It is usually a static IP so that we can pre-configure it in the P-334WT for making VPN connections. If it is a dynamic IP given by the ISP, you can still configure this IP address after the remote P-334WT/ZyWALL is online and its WAN IP is available from the ISP.
8. Does P-334WT VPN support NetBIOS broadcast?
Yes, the P-334WT supports NetBIOS broadcast over an IPSec VPN tunnel. Use the CI command "ipsec config netbios active <yes|no>" in SMT menu 24.8 to enable/disable this function.
9. Why does VPN throughput decrease when staying in SMT menu 24.1?
If the P-334WT stays in menu 24.1 and 24.8, a certain amount of memory is allocated to generate the required statistics. So we do not suggest staying in menu 24.1 and 24.8 while VPN is in use.
10. How do I configure P-334WT with NAT for internal servers?
Generally, without IPSec, to configure an internal server for outside access, we need to configure the server's private IP and its service port in the SUA/NAT Server Table.
However, if both NAT and IPSec are enabled in the P-334WT, editing the table is necessary only if the connection is a non-secure connection. For secure connections, no SUA server settings are required, since the private IP is reachable in the VPN case.
For example:
host----P-334WT(NAT)----ADSL Modem----Internet----Secure host
                                            \
                                             \
                                              Non-secure host
11. I am planning my P-334WT behind a NAT router. What do I need to know?
Some tips for this:
1. The NAT router must support IPSec pass-through. Only ESP tunnel mode can work in the NAT case. If the NAT router is a P-334WT NAT router supporting IPSec pass-through, the default port and the P-334WT WAN IP must be configured in the SUA/NAT Server Table.
2. The WAN IP of the NAT router is the tunneling endpoint in this case, not the WAN IP of the P-334WT.
3. If the firewall is turned on in the P-334WT, you must forward the IKE port on the Internet interface.
4. If NAT is also enabled in the P-334WT, a NAT server is required for non-secure connections; a NAT server is not required for secure connections, and the physical private IP is used.
For example:
host----P-334WT----NAT Router----Internet----Secure host
                                       \
                                        \
                                         Non-secure host
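A pre-flight check for the VPN rule constraints listed in notes 1-4 and in the tips for question 11, given here as an added example that is not ZyXEL code. The VpnRule fields, the function names and the sample addresses are assumptions made for illustration (203.0.113.x is a documentation address range).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Private ranges named in the Secure Gateway note. Listed explicitly because
# ipaddress's is_private also flags documentation ranges such as 203.0.113.0/24.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class VpnRule:                 # hypothetical model of one VPN rule, not a ZyXEL format
    local_addr_type: str       # "SINGLE", "RANGE" or "SUBNET"
    secure_gateway: str        # remote tunnel endpoint
    protocol: str              # "ESP" or "AH"
    mode: str                  # "TUNNEL" or "TRANSPORT"
    nat_in_path: bool          # NAT on a front-end router or in the P-334WT itself

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def check_rule(rule: VpnRule) -> List[str]:
    """Return the constraints from this page that the rule violates."""
    problems = []
    if rule.local_addr_type.upper() != "SINGLE":
        problems.append("Local Addr Type must be SINGLE")
    try:
        if is_private(rule.secure_gateway):
            problems.append("Secure Gateway IP must be public, not private")
    except ValueError:
        problems.append("Secure Gateway IP is not a valid address")
    if rule.nat_in_path and (rule.protocol.upper(), rule.mode.upper()) != ("ESP", "TUNNEL"):
        problems.append("with NAT in the path only ESP tunnel mode is supported")
    return problems

def tunnel_endpoint(p334wt_wan: str, nat_router_wan: Optional[str] = None) -> str:
    """Address the remote peer uses as Secure Gateway (tip 2 of question 11)."""
    return nat_router_wan if nat_router_wan else p334wt_wan

if __name__ == "__main__":
    # Constructed sample rules, not taken from a real device.
    good = VpnRule("SINGLE", "203.0.113.10", "ESP", "TUNNEL", nat_in_path=True)
    bad = VpnRule("SUBNET", "172.31.255.255", "AH", "TUNNEL", nat_in_path=True)
    print(check_rule(good))
    print(check_rule(bad))
    print(tunnel_endpoint("192.168.5.2", nat_router_wan="203.0.113.1"))
```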
12. Where can I configure Phase 1 ID in P-334WT?
