ZyXEL Communications Internet Security Gateway ZyWALL 2 Series User Manual

ZyWALL 2 Series
Internet Security Gateway
User's Guide
Version 3.62
June 2004
Summary of Contents for ZyXEL Communications Internet Security Gateway ZyWALL 2 Series

  • Page 1 ZyWALL 2 Series Internet Security Gateway User’s Guide Version 3.62 June 2004...
  • Page 2 ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 ZyWALL 2 Series User’s Guide Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Information For Canadian Users

    Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Zyxel Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to...
  • Page 6: Customer Support

    +47 22 80 61 81 +46 31 744 7700 www.zyxel.se +46 31 744 7701 +358-9-4780-8411 www.zyxel.fi +358-9-4780 8448 REGULAR MAIL ZyXEL Communications Corp. 6 Innovation Road II Science Park Hsinchu 300 Taiwan ZyXEL Communications Inc. 1130 N. Miller St. Anaheim CA 92806-2001 U.S.A.
  • Page 7: Table Of Contents

    Copyright...ii Federal Communications Commission (FCC) Interference Statement... iii Information for Canadian Users ...iv ZyXEL Limited Warranty ...v Customer Support ...vi List of Figures ...xv List of Tables ...xxii Preface ...xxvi Getting Started ... I Chapter 1 Getting to Know Your ZyWALL ... 1-1 Introducing the ZyWALL ...
  • Page 8 Configuring IP ...5-3 Configuring Static DHCP ...5-6 Configuring IP Alias ...5-7 WAN and Wireless LAN... III Chapter 6 WAN Screens...6-1 WAN Overview ...6-1 TCP/IP Priority (Metric) ...6-1 WAN IP Address Assignment ...6-1 Configuring Route ...6-2 Configuring WAN ISP...6-3 Configuring WAN IP...6-9 Configuring WAN MAC ...6-13 Traffic Redirect...6-14 Configuring Traffic Redirect ...6-15...
  • Page 9 10.3 Introduction to ZyXEL’s Firewall... 10-2 10.4 Denial of Service... 10-3 10.5 Stateful Inspection... 10-7 10.6 Guidelines For Enhancing Security With Your Firewall ... 10-11 10.7 Packet Filtering Vs Firewall... 10-11 Chapter 11 Firewall Screens ...11-1 11.1 Access Methods ... 11-1 11.2 Firewall Policies Overview ...
  • Page 10 14.13 Configuring Advanced IKE Setup ...14-24 14.14 Manual Key Setup...14-28 14.15 Configuring Edit Manual Setup ...14-28 14.16 SA Monitor ...14-33 14.17 Global Settings...14-34 14.18 Telecommuter VPN/IPSec Examples ...14-35 14.19 VPN and Remote Management...14-38 Certificates ... VII Chapter 15 Certificates ...15-1 15.1 Certificates Overview ...15-1 15.2...
  • Page 11 17.9 Secure Telnet Using SSH Examples ... 17-16 17.10 Secure FTP Using SSH Example ... 17-18 17.11 Telnet ... 17-19 17.12 Configuring TELNET ... 17-20 17.13 Configuring FTP ... 17-21 17.14 Configuring SNMP ... 17-22 17.15 Configuring DNS ... 17-26 17.16 Configuring Security ...
  • Page 12 23.3 Configuring Dial Backup in Menu 2...23-2 23.4 Advanced WAN Setup...23-3 23.5 Remote Node Profile (Backup ISP) ...23-5 23.6 Editing PPP Options ...23-8 23.7 Editing TCP/IP Options ...23-9 23.8 Editing Login Script...23-11 23.9 Remote Node Filter...23-12 Chapter 24 LAN Setup...24-1 24.1 Introduction to LAN Setup ...24-1 24.2...
  • Page 13 30.5 Firewall Versus Filters ... 30-16 30.6 Applying a Filter ... 30-17 Chapter 31 SNMP Configuration ... 31-1 31.1 SNMP Configuration... 31-1 31.2 SNMP Traps... 31-2 SMT System Maintenance... XIII Chapter 32 System Information & Diagnosis... 32-1 32.1 Introduction to System Status ... 32-1 32.2 System Status ...
  • Page 14 Appendix F Types of EAP Authentication ... F-1 Appendix G PPPoE ...G-1 Appendix H PPTP ...H-1 Appendix I IP Subnetting ... I-1 Appendix J Safety Warnings and Instructions ...J-1 Command, Log Appendices and Index ...XVI Appendix K Command Interpreter ...K-1 Appendix L Firewall Commands ...
  • Page 15: List Of Figures

    List of Figures Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem... 1-6 Figure 1-2 Secure Internet Access and VPN Application... 1-7 Figure 2-1 Change Password Screen... 2-1 Figure 2-2 Replace Certificate Screen ... 2-2 Figure 2-3 Example Xmodem Upload ...
  • Page 16 Figure 8-3 Multiple Servers Behind NAT Example...8-6 Figure 8-4 SUA Server ...8-7 Figure 8-5 Address Mapping ...8-9 Figure 8-6 Address Mapping Rule...8-10 Figure 8-7 Trigger Port Forwarding Example...8-12 Figure 8-8 Trigger Port ...8-13 Figure 9-1 Example of Static Routing Topology ...9-1 Figure 9-2 Static Route Screen ...9-2 Figure 9-3 Edit IP Static Route ...9-3 Figure 10-1 ZyWALL Firewall Application ...10-3...
  • Page 17 Figure 14-9 Advanced IKE VPN Rule Setup ... 14-25 Figure 14-10 Manual VPN Rule Setup ... 14-29 Figure 14-11 VPN SA Monitor ... 14-33 Figure 14-12 VPN Global Setting... 14-34 Figure 14-13 Telecommuters Sharing One VPN Rule Example ... 14-36 Figure 14-14 Telecommuters Using Unique VPN Rules Example ...
  • Page 18 Figure 17-21 SNMP Management Model...17-23 Figure 17-22 SNMP...17-25 Figure 17-23 DNS...17-27 Figure 17-24 Security ...17-28 Figure 18-1 Configuring UPnP...18-3 Figure 18-2 UPnP Ports ...18-4 Figure 19-1 View Log...19-2 Figure 19-2 Log Settings ...19-4 Figure 19-3 Reports ...19-7 Figure 19-4 Web Site Hits Report Example...19-8 Figure 19-5 Protocol/Port Report Example ...19-9 Figure 19-6 LAN IP Address Report Example ...19-10...
  • Page 19 Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter ... 23-13 Figure 24-1 Menu 3: LAN Setup ... 24-1 Figure 24-2 Menu 3.1: LAN Port Filter Setup ... 24-2 Figure 24-3 Menu 3: TCP/IP and DHCP Setup... 24-2 Figure 24-4 Menu 3.2: TCP/IP and DHCP Ethernet Setup ...
  • Page 20 Figure 28-20 Example 4: Menu 15.1.1.1: Address Mapping Rule ...28-16 Figure 28-21 Example 4: Menu 15.1.1: Address Mapping Rules...28-16 Figure 28-22 Trigger Port Forwarding Process: Example ...28-17 Figure 28-23 Menu 15.3: Trigger Port Setup...28-18 Figure 29-1 Menu 21: Filter and Firewall Setup...29-1 Figure 29-2 Menu 21.2: Firewall Setup ...29-2 Figure 30-1 Outgoing Packet Filtering Process ...30-2 Figure 30-2 Filter Rule Process ...30-3...
  • Page 21 Figure 33-12 Successful Restoration Confirmation Screen ... 33-10 Figure 33-13 Telnet Into Menu 24.7.1: Upload System Firmware...33-11 Figure 33-14 Telnet Into Menu 24.7.2: System Maintenance ... 33-12 Figure 33-15 FTP Session Example of Firmware File Upload ... 33-13 Figure 33-16 Menu 24.7.1 As Seen Using the Console Port...
  • Page 22 Table 1-1 Model Specific Features ...1-1 Table 2-1 Web Configurator Screens Summary...2-4 Table 3-1 Ethernet Encapsulation ...3-3 Table 3-2 PPPoE Encapsulation...3-5 Table 3-3 PPTP Encapsulation...3-7 Table 3-4 Private IP Address Ranges ...3-8 Table 3-5 Example of Network Properties for LAN Servers with Fixed IP Addresses...3-10 Table 3-6 Wizard 3...3-11 Table 4-1 System General Setup...4-2 Table 4-2 DDNS ...4-4...
  • Page 23 Table 10-2 ICMP Commands That Trigger Alerts ... 10-6 Table 10-3 Legal NetBIOS Commands ... 10-7 Table 10-4 Legal SMTP Commands ... 10-7 Table 11-1 Firewall Rules Summary: First Screen...11-7 Table 11-2 Creating/Editing A Firewall Rule ...11-10 Table 11-3 Adding/Editing Source and Destination Addresses...11-12 Table 11-4 Creating/Editing A Custom Port...11-13 Table 11-5 Predefined Services...11-18...
  • Page 24 Table 16-2 RADIUS ...16-4 Table 17-1 WWW...17-5 Table 17-2 SSH...17-16 Table 17-3 Telnet ...17-20 Table 17-4 FTP ...17-21 Table 17-5 SNMP Traps...17-24 Table 17-6 SNMP ...17-26 Table 17-7 DNS ...17-27 Table 17-8 Security...17-28 Table 18-1 Configuring UPnP ...18-3 Table 18-2 UPnP Ports...18-4 Table 19-1 View Log ...19-2 Table 19-2 Log Settings...19-5...
  • Page 25 Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ... 26-2 Table 26-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ... 26-5 Table 26-3 Fields in Menu 11.1 (PPTP Encapsulation)... 26-6 Table 26-4 Remote Node Network Layer Options Menu Fields... 26-7 Table 26-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) ...26-11 Table 26-6 Menu 11.6: Traffic Redirect Setup ...
  • Page 26: Preface

    Help us help you. E-mail all User’s Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
  • Page 27: Graphics Icons Key

    • The version number on the title page is the latest firmware version that is documented in this User’s Guide. Earlier versions may also be included. • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose”...
  • Page 29: Getting Started

    Getting Started Part I: Getting Started This part helps you get to know your ZyWALL, introduces the web configurator and covers how to configure the Wizard Setup screens.
  • Page 31: Chapter 1 Getting To Know Your Zywall

    Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. Introducing the ZyWALL The ZyWALL is an ideal secure gateway for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability, the ZyWALL is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 32: Physical Features

    1.2.1 Physical Features 4-Port Switch A combination of switch and router makes your ZyWALL a cost-effective and viable network solution. You can connect up to four computers to the ZyWALL without the cost of a hub. Use a hub to add more than four computers to your LAN.
  • Page 33: Content Filtering

    The ZyWALL supports two simultaneous VPN connections. X-Auth (Extended Authentication) X-Auth provides added security for VPN by requiring each VPN client to use a username and password. Certificates The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs.
  • Page 34: Call Scheduling

    Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the ZyWALL and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network. Call Scheduling Configure call time periods to restrict and allow access for users on remote nodes.
  • Page 35: Traffic Redirect

    Central Network Management Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. The enterprise or service provider network administrator can configure your ZyWALL, perform firmware upgrades and do troubleshooting for you. SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices.
  • Page 36: Applications For The Zywall

    Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. RoadRunner Support In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunner Service. Logging and Tracing ...
  • Page 37: Figure 1-2 Secure Internet Access And Vpn Application

    1.3.2 Secure Broadband Internet Access and VPN You can connect a cable, DSL or wireless modem to the ZyWALL via Ethernet for broadband Internet access. The ZyWALL also provides IP address sharing and a firewall-protected local network with traffic management.
  • Page 39: Chapter 2 Introducing The Web Configurator

    Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of Web Configurator Overview The embedded web configurator (ewc) allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
  • Page 40: Resetting The Zywall

    Step 6. Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. This feature is not available on the ZyWALL 2WE. Step 7. You should now see the MAIN MENU screen (see Figure 2-4). The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes).
  • Page 41: Navigating The Zywall Web Configurator

    2.3.2 Uploading a Configuration File Via Console Port Step 3. Download the default configuration file from the ZyXEL Networks FTP site, unzip it and save it in a folder. Step 4. Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL again.
  • Page 42: Figure 2-4 The Main Menu Screen Of The Web Configurator

    Follow the instructions you see in the MAIN MENU screen or click the (located in the top right corner of most screens) to view online help. Click LOGOUT at any time to exit the web configurator. Figure 2-4 The MAIN MENU Screen of the Web Configurator The following table describes the sub-menus.
  • Page 43 Table 2-1 Web Configurator Screens Summary LINK SYSTEM General DDNS Password Time Setting Static DHCP IP Alias WIRELESS LAN Wireless MAC Filter 802.1X (This feature is not available on the ZyWALL 2.) Route WAN ISP WAN IP WAN MAC Traffic Redirect Dial Backup SUA/NAT SUA Server...
  • Page 44 Table 2-1 Web Configurator Screens Summary LINK CONTENT FILTER General Categories Customization VPN Rules SA Monitor Global Setting CERTIFICATES My Certificates Trusted CAs Trusted Remote Hosts Directory Servers (This feature is not available on the ZyWALL 2WE.) AUTH SERVER Local User Database RADIUS REMOTE MGNT...
  • Page 45 Table 2-1 Web Configurator Screens Summary LINK SNMP Security UPnP UPnP Ports LOGS View Log Log Settings Reports MAINTENANCE Status DHCP Table F/W Upload Configuration Restart LOGOUT Introducing the Web Configurator FUNCTION Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
  • Page 47: Chapter 3 Wizard Setup

    This chapter provides information on the Wizard Setup screens in the web configurator. Wizard Setup Overview The web configurator’s setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encapsulation type you use. Refer to your ISP checklist in the Quick Start Guide to know what to enter in each field.
  • Page 48: Internet Access

    Figure 3-1 Wizard 1 Internet Access The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. 3.3.1 Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet...
  • Page 49: Figure 3-2 Wizard 2: Ethernet Encapsulation

    Figure 3-2 Wizard 2: Ethernet Encapsulation The following table describes the labels in this screen. LABEL ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection. Service Type Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner...
  • Page 50: Pppoe Encapsulation

    LABEL Login Server IP Address Type the authentication server IP address here if your ISP gave you one. Login Server (Telia Login only) Type the domain name of the Telia login server, for example “login1.telia.com”. Alternatively, click the right mouse button to copy and/or paste the IP address. Relogin Every The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically.
  • Page 51: Figure 3-3 Wizard2: Pppoe Encapsulation

    Figure 3-3 Wizard2: PPPoE Encapsulation The following table describes the labels in this screen. LABEL ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPPoE forms a dial-up connection. Service Name Type the name of your service provider. User Name Type the user name given to you by your ISP.
  • Page 52 LABEL Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. Click Next to continue. Next Back Click Back to return to the previous screen. 3.3.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 53: Figure 3-4 Wizard 2: Pptp Encapsulation

    Figure 3-4 Wizard 2: PPTP Encapsulation The following table describes the labels in this screen. LABEL ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. User Name Type the user name given to you by your ISP. Password Type the password associated with the User Name above.
  • Page 54: Wan And Dns

    LABEL My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP address of the PPTP server. Connection Enter the connection ID or connection name in this field.
  • Page 55: Ip Address And Subnet Mask

    Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. 3.4.2 IP Address and Subnet Mask Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
  • Page 56: Table 3-5 Example Of Network Properties For Lan Servers With Fixed Ip Addresses

    3.4.4 WAN MAC Address Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
  • Page 57: Figure 3-5 Wizard 3

    The following table describes the labels in this screen. LABEL WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP address Select this option if the ISP assigned a fixed IP address.
  • Page 58: Basic Setup Complete

    LABEL Remote IP Subnet Mask Enter the gateway IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address. This field is only available when you select PPTP encapsulation in the previous wizard screen. Gateway/Remote IP Enter the gateway IP address in this field if you selected Use Fixed IP Address...
  • Page 59: Figure 3-6 Internet Access Wizard Setup Complete

    Figure 3-6 Internet Access Wizard Setup Complete
  • Page 61: System And Lan

    System and LAN Part II: System and LAN This part covers configuration of the system, and LAN screens.
  • Page 63: Chapter 4 System Screens

    Chapter 4 System This chapter provides information on the System screens. System Overview See the Wizard Setup chapter for more information on the next few screens. Configuring General Setup Click SYSTEM to open the General screen. Figure 4-1 System General Setup The following table describes the fields in this screen...
  • Page 64: Table 4-1 System General Setup

    LABEL System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field (see the Wizard Setup chapter for how to find your computer’s name). This name can be up to 30 alphanumeric characters long.
  • Page 65: Dynamic Dns

    Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 66: Figure 4-2 Ddns

    The following table describes the fields in this screen. LABEL Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider.
  • Page 67: Configuring Password

    LABEL Host Names 1~3 Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (","). User Enter your user name. You can use up to 31 alphanumeric characters (and the underscore).
  • Page 68: Pre-Defined Ntp Time Servers List

    The following table describes the fields in this screen. LABEL Old Password Type the default password or the existing password you use to access the system in this field. New Password Type the new password in this field. Retype to Confirm Type the new password again in this field.
  • Page 69: Configuring Time Setting

    Configuring Time Setting To change your ZyWALL’s time and date, click SYSTEM, then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyWALL’s time based on your local time zone. System Table 4-4 Default Time Servers ntp1.cs.wisc.edu ntp1.gbg.netnod.se ntp2.cs.wisc.edu...
  • Page 70: Figure 4-4 Time Setting

    The following table describes the fields in this screen. LABEL Time Protocol Select the time service protocol that your time server sends when you turn on the ZyWALL. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 71 LABEL Time Server Address Enter the address of your time server. Check with your ISP/network administrator if you are unsure of this information (the default is tick.stdtime.gov.tw). Synchronize Now Click this button to get the time and date from the time server you specified above. Current Time This field displays the time of your ZyWALL.
  • Page 73: Chapter 5 Lan Screens

    LAN Overview Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks. DHCP Setup DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server.
  • Page 74: Dns Server Address Assignment

    three numbers specify the network number while the last number identifies an individual computer on that network. Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyWALL, but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address.
  • Page 75: Configuring Ip

    RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send routing data in RIP-2 format;...
  • Page 76: Figure 5-1 Ip

    Figure 5-1 IP The following table describes the fields in this screen. Table 5-1 IP LABEL DESCRIPTION DHCP Setup...
  • Page 77 LABEL DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP Server check box selected. Clear it to disable the ZyWALL acting as a DHCP server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients.
  • Page 78: Configuring Static Dhcp

    LABEL RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 79: Configuring Ip Alias

    The following table describes the fields in this screen. LABEL This is the index number of the Static IP table entry (row). MAC Address Type the MAC address (with colons) of a computer on your LAN. IP Address Type the IP address to be assigned to the device with the MAC address entered above.
  • Page 80: Figure 5-3 Physical Network Figure 5-4 Partitioned Logical Networks

    When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). The following figure shows a LAN divided into subnets A, B, and C. Figure 5-3 Physical Network Figure 5-4 Partitioned Logical Networks.
  • Page 81: Table 5-3 Ip Alias

    The following table describes the fields in this screen. LABEL IP Alias 1,2 Select the check box to configure another LAN for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 83: Wan And Wireless Lan

    WAN and Wireless LAN Part III: WAN and Wireless LAN This part covers configuration of the WAN and Wireless LAN screens.
  • Page 85: Chapter 6 Wan Screens

    WAN Overview See the LAN chapter for information about Primary and Secondary DNS Server, DNS Server Address Assignment and IP Address and Subnet Mask. TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
  • Page 86: Configuring Route

    You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 87: Configuring Wan Isp

    The following table describes the fields in this screen. LABEL The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN. The default priority of the routes is WAN, Traffic Redirect and then Dial Backup: Traffic Redirect You have two choices for an auxiliary connection (Traffic Redirect and Dial Backup) in...
  • Page 88: Figure 6-2 Ethernet Encapsulation

    The following table describes the fields in this screen. LABEL Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Service Type Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login.
  • Page 89 Table 6-4 Ethernet Encapsulation LABEL DESCRIPTION Reset Click Reset to begin configuring this screen afresh. 6.5.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection.
  • Page 90: Figure 6-3 Pppoe Encapsulation

    The following table describes the fields in this screen. LABEL ISP Parameters for Internet Access Encapsulation The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e.
  • Page 91 LABEL Password Type the password associated with the User Name above. Retype to Confirm Type your password again to make sure that you have entered it correctly. Nailed-Up Connection Select Nailed-Up Connection if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the router automatically...
  • Page 92: Figure 6-4 Pptp Encapsulation

    The following table describes the fields in this screen. LABEL ISP Parameters for Internet Access Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 93: Configuring Wan Ip

    LABEL User Name Type the user name given to you by your ISP. Password Type the password associated with the User Name above. Retype to Confirm Type your password again to make sure that you have entered it correctly. Nailed-up Select Nailed-Up Connection if you do not want the connection to time out.
  • Page 94: Figure 6-5 Ip Setup

    The following table describes the fields in this screen. LABEL WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP address Select this option if the ISP assigned a fixed IP address.
  • Page 95 LABEL My WAN IP Address (or IP Address) Enter your WAN IP address in this field if you selected Use Fixed IP Address. My WAN IP Subnet Mask (Ethernet encapsulation only) Type your network's IP subnet mask. Remote IP Address (or Type the IP address of the remote network or gateway.
  • Page 96 LABEL Private (PPPoE and PPTP only): This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 97: Configuring Wan Mac

    LABEL Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
  • Page 98: Traffic Redirect

    ZyWALL 2 Series User’s Guide The MAC address screen allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a computer on your LAN. Choose Factory Default to select the factory assigned default MAC Address.
  • Page 99: Configuring Traffic Redirect

    Figure 6-8 Traffic Redirect LAN Setup. Configuring Traffic Redirect: To change your ZyWALL’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown.
  • Page 100: Figure 6-9 Traffic Redirect

    The following table describes the fields in this screen. LABEL Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down. Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection...
  • Page 101: Configuring Dial Backup

    LABEL Check WAN IP Address: Configuration of this field is optional. If you do not enter an IP address here, the ZyWALL will use the default gateway IP address. Configure this field to test your ZyWALL's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address).
  • Page 102: Figure 6-10 Dial Backup Setup

    Figure 6-10 Dial Backup Setup
  • Page 103: Table 6-9 Dial Backup Setup

    The following table describes the labels in this screen. LABEL Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings: Login Name: Type the login name assigned by your ISP. Password: Type the password assigned by your ISP. Retype to Confirm: Type your password again to make sure that you have entered it correctly.
  • Page 104 LABEL Get IP Address Automatically from Remote Server: Type the login name assigned by your ISP for this remote node. Used Fixed IP Address: Select this check box if your ISP assigned you a fixed IP address, then enter the IP address in the following field.
  • Page 105 LABEL RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 106: Advanced Modem Setup

    LABEL Configure Budget Select this check box to have the dial backup connection on during the time that you select. Allocated Budget Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period field. Set an amount that is less than the time period configured in the Period field.
  • Page 107: Configuring Advanced Modem Setup

    6.11.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags. 6.12 Configuring Advanced Modem Setup Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown next.
  • Page 108: Figure 6-11 Advanced Setup

    Figure 6-11 Advanced Setup. The following table describes the labels in this screen. Table 6-10 Advanced Setup (LABEL, DESCRIPTION, EXAMPLE): AT Command Strings: Dial: Type the AT Command string to make a call. Example: atdt
  • Page 109 LABEL Drop: Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath" can be used if your modem has a slow response time. Answer: Type the AT Command string to answer a call. Drop DTR When Hang Up: Select this check box to have the ZyWALL drop the DTR (Data...
  • Page 111: Chapter 7 Wireless Lan Screens

    This chapter discusses how to configure Wireless LAN on the ZyWALL 2WE. Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios. 7.1.1 Additional Installation Requirements for Using 802.1x A computer with an IEEE 802.11b wireless LAN card. A computer equipped with a web browser (with JavaScript enabled) and/or Telnet.
  • Page 112: Figure 7-1 Rts Threshold

    is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. When station A sends data to the ZyWALL, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 113: Wireless Security

    A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see above), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS Threshold size.
  • Page 114: Configuring Wireless Lan

    Configuring Wireless LAN If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyWALL’s new settings.
  • Page 115: Table 7-1 Wireless

    LABEL Enable Wireless: The wireless LAN is turned off by default. Before you enable the wireless LAN, you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable as soon as it is enabled. Select the check box to enable the wireless LAN.
  • Page 116: Configuring Mac Filter

    Configuring MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 117: Overview

    LABEL Active Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses. Disable MAC address filtering to have the router not perform MAC filtering on the wireless stations.
  • Page 118: Eap Authentication Overview

    • Access-Request Sent by the ZyWALL requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
  • Page 119: Local User Database

    The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x chapter in the Appendices. • The wireless station sends a “start” message to the ZyWALL. •...
  • Page 120: Figure 7-6 802.1X Authentication

    The following table describes the fields in this screen. LABEL Authentication Type: Select Authentication Required, No Access or No Authentication Required from the drop-down list box. Select Authentication Required to authenticate all wireless stations before they can access the wired network. Select No Authentication Required to allow all wireless stations to access your wired network without authentication.
  • Page 121: Nat And Static Route

    Part IV: NAT and Static Route. This part covers Network Address Translation and setting up static routes.
  • Page 123: Chapter 8 Network Address Translation (Nat)

    Network Address Translation (NAT) NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.
  • Page 124: Figure 8-1 How Nat Works

    local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example a web server and a telnet server) on your local network and make them accessible to the outside world.
  • Page 125: Figure 8-2 Nat Application With Ip Alias

    8.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 8-2 NAT Application With IP Alias 8.1.5 NAT Mapping Types NAT supports five types of IP/port mapping.
  • Page 126: Using Nat

    Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), the Single User Account feature (the SUA Only option). Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
  • Page 127: Sua Server

    8.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types.
  • Page 128: Figure 8-3 Multiple Servers Behind Nat Example

    DNS (Domain Name System) Finger HTTP (Hyper Text Transfer protocol or WWW, Web) POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol) 8.3.3 Configuring Servers Behind SUA (Example) Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example).
  • Page 129: Configuring Sua Server

    Configuring SUA Server If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Click SUA/NAT to open the SUA Server screen. Refer to the firewall chapters for port numbers commonly used for particular services.
  • Page 130: Configuring Address Mapping

    LABEL Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not specified in this screen will be discarded.
  • Page 131: Figure 8-5 Address Mapping

    The following table describes the fields in this screen. LABEL Local Start IP This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping. Local End IP This is the end Inside Local Address (ILA).
  • Page 132: Figure 8-6 Address Mapping Rule

    LABEL Type 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), the Single User Account feature.
  • Page 133: Configuring Trigger Port

    LABEL Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type. 2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address.
  • Page 134: Figure 8-7 Trigger Port Forwarding Example

    receives a response with a specific port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer’s connection for that service closes, another computer on the LAN can use the service in the same manner.
  • Page 135: Figure 8-8 Trigger Port

    Figure 8-8 Trigger Port. The following table describes the fields in this screen. Table 8-7 Trigger Port (LABEL, DESCRIPTION): LABEL: This is the rule index number (read-only). Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
  • Page 136 LABEL Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Start Port Type a port number or the starting port number in a range of port numbers.
  • Page 137: Chapter 9 Static Route Screens

    This chapter shows you how to configure static routes for your ZyWALL. Static Route Overview Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the following figure through remote node Router 1.
  • Page 138: Figure 9-2 Static Route Screen

    The following table describes the fields in this screen. LABEL: Number of an individual static route. Name: Name that describes or identifies this route. Active: This field shows whether this static route is active (Yes) or not (No). Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
  • Page 139: Figure 9-3 Edit Ip Static Route

    LABEL Gateway This is the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL; over the WAN, the gateway must be the IP address of one of the remote nodes.
  • Page 140 LABEL Active: This field allows you to activate/deactivate this static route. Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
  • Page 141: Firewall And Content Filters

    Part V: Firewall and Content Filters. This part introduces firewalls in general and the ZyWALL firewall. It also explains how to configure the ZyWALL firewall and content filtering.
  • Page 143: Chapter 10 Firewalls

    Chapter 10 Firewalls This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 10.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 144: Introduction To Zyxel's Firewall

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 145: Denial Of Service

    Figure 10-1 ZyWALL Firewall Application 10.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 146: Table 10-1 Common Ip Ports

    10.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks that flood a network with useless data. 4.
  • Page 147: Figure 10-2 Three-Way Handshake

    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
  • Page 148: Figure 10-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3.
  • Page 149: Stateful Inspection

    Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal. All SMTP commands are illegal except for those displayed in the following tables. AUTH DATA EHLO QUIT RCPT RSET Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.
  • Page 150: Figure 10-5 Stateful Inspection

    all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: Allows all sessions originating from the LAN (local network) to the WAN (Internet). Denies all sessions originating from the WAN to the LAN. The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works.
  • Page 151: Stateful Inspection And The Zywall

    4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.
  • Page 152: Tcp Security

    Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyWALL itself (as with the "virtual connections" created for UDP and ICMP). 10.5.3 TCP Security The ZyWALL uses state information embedded in TCP packets.
  • Page 153: Guidelines For Enhancing Security With Your Firewall

    10.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information. Consider the FTP protocol.
  • Page 154: When To Use Filtering

    10.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed. Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. Packet filtering only checks the header portion of an IP packet.
  • Page 155 3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need to check many rules. 5.
  • Page 157: Chapter 11 Firewall Screens

    11.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall. CLI commands provide limited configuration options and are only recommended for advanced users; please refer to the Appendices for firewall CLI commands.
  • Page 158: Rule Logic Overview

    If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them. For example, you may create rules to: ♦...
  • Page 159: Connection Direction Examples

    1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3.
  • Page 160: Figure 11-1 Lan To Wan Traffic

    policies for managing the ZyWALL through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ZyWALL policies apply in the same way to the WAN ports. 11.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN.
  • Page 161: Alerts

    Figure 11-2 WAN to LAN Traffic 11.5 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 11-12; check the Generate alert when attack detected checkbox) or when a rule is matched in the Edit Rule screen (see Figure 11-4). Configure the Log Settings screen to have the ZyWALL send an immediate e-mail message to you when an event generates an alert.
  • Page 162: Figure 11-3 Enabling The Firewall

    Figure 11-3 Enabling the Firewall. The following table describes the fields in this screen. Enable Firewall: Select this check box to enable the firewall.
  • Page 163: Table 11-1 Firewall Rules Summary: First Screen

    Table 11-1 Firewall Rules Summary: First Screen LABEL Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route: Select this check box to have the ZyWALL firewall ignore the use of triangle route topology on the network.
  • Page 164: Configuring Firewall Rules

    Table 11-1 Firewall Rules Summary: First Screen LABEL This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Alert This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
  • Page 165: Figure 11-4 Creating/Editing A Firewall Rule

    Figure 11-4 Creating/Editing A Firewall Rule
  • Page 166: Table 11-2 Creating/Editing A Firewall Rule

    The following table describes the fields in this screen. Table 11-2 Creating/Editing A Firewall Rule LABEL Active: Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it. Packet Direction: Use the drop-down list box to select the direction of packet travel to which you want...
  • Page 167: Figure 11-5 Adding/Editing Source And Destination Addresses

    Table 11-2 Creating/Editing A Firewall Rule LABEL This field determines if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Go to the Log Settings page and select the Access Control logs category to have the ZyWALL record these logs.
  • Page 168: Figure 11-6 Creating/Editing A Custom Port

    Table 11-3 Adding/Editing Source and Destination Addresses LABEL Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
  • Page 169: Example Firewall Rule

    Table 11-4 Creating/Editing A Custom Port LABEL Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box. Port Configuration Type Select Single to specify one port only or Range to specify a span of ports that define your customized service.
  • Page 170: Figure 11-7 Firewall Ip Config Screen

    Step 4. Select Any in the Destination Address box and then click DestDelete. Figure 11-7 Firewall IP Config Screen (callout: Select WAN to LAN from the drop-down list box)
  • Page 171: Figure 11-8 Firewall Rule Edit Ip Example

    Step 5. Click DestAdd under the Destination Address box. Step 6. Configure the Firewall Rule Edit IP screen as follows and click Apply. Figure 11-8 Firewall Rule Edit IP Example Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen.
  • Page 172: Figure 11-10 Myservice Rule Configuration

    Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. Click Apply when finished. Figure 11-10 My Service Rule Configuration (callout: This is the address range of servers.)
  • Page 173: Figure 11-11 My Service Example Rule Summary

    On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Click Apply to save your settings back to the ZyWALL.
  • Page 174: Predefined Services

    11.8 Predefined Services The Available Services list box in the Rule Config(uration) screen (see Figure 11-4) displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
  • Page 175 Table 11-5 Predefined Services (SERVICE, DESCRIPTION). Services: IPSEC_TUNNEL(ESP:0), IRC(TCP/UDP:6667), MSN Messenger(TCP:1863), MULTICAST(IGMP:0), NEW-ICQ(TCP:5190), NEWS(TCP:144), NFS(UDP:2049), NNTP(TCP:119), PING(ICMP:0), POP3(TCP:110), PPTP(TCP:1723), PPTP_TUNNEL(GRE:0), RCMD(TCP:512), REAL_AUDIO(TCP:7070), REXEC(TCP:514), RLOGIN(TCP:513), RTELNET(TCP:107), RTSP(TCP/UDP:554), SFTP(TCP:115). Descriptions: The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. This is another popular Internet chat program. Microsoft Networks’...
  • Page 176: Configuring Attack Alert

    Table 11-5 Predefined Services (continued). Services: SMTP(TCP:25), SNMP(TCP/UDP:161), SNMP-TRAPS(TCP/UDP:162), SQL-NET(TCP:1521), SSH(TCP/UDP:22), STRM WORKS(UDP:1558), SYSLOG(UDP:514), TACACS(UDP:49), TELNET(TCP:23), TFTP(UDP:69), VDOLIVE(TCP:7000). 11.9 Configuring Attack Alert Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected.
  • Page 177: Threshold Values

    11.9.1 Threshold Values Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are: 1.
  • Page 178: Figure 11-12 Attack Alert

    Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to one of the following methods: 1. If the Blocking Period timeout is 0 (the default), then the ZyWALL deletes the oldest existing half-open session for the host for every new connection request to the host.
  • Page 179: Table 11-6 Attack Alert

    LABEL Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See the chapter on logs for more information on logs and alerts. Denial of Service Thresholds: One Minute Low: This is the rate of new half-open sessions that...
  • Page 180 LABEL Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection requests.
  • Page 181: Chapter 12 Content Filtering Screens

    This chapter provides a brief overview of content filtering using the web embedded 12.1 Introduction to Content Filtering Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords and should not be confused with packet filtering via SMT menu 21.1.
  • Page 182: Figure 12-1 Content Filter : General

    Figure 12-1 Content Filter : General. The following table describes the labels in this screen.
  • Page 183: Table 12-1 Content Filter : General

    LABEL Enable Content Filter: Select this check box to enable the content filter. Restrict Web Features: Select the check box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. Block ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications.
  • Page 184: Content Filtering With An External Server

    LABEL Exclude specified address ranges from the content filter enforcement: Select this checkbox to exempt a specific range of users on your LAN from content filter policies. Add Address Ranges From: Type the beginning IP address (in dotted decimal notation) of the specific range of users on your LAN.
  • Page 185: Checking Content Filtering Activation

    Step 1. A computer sends an HTTP request to a web server. Step 2. The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL either blocks or forwards the request based on how you configure the category based content filtering.
  • Page 186: Figure 12-3 Content Filter : Categories

    Figure 12-3 Content Filter : Categories
  • Page 187: Table 12-2 Content Filter : Categories

    Table 12-2 Content Filter : Categories. The following table describes the labels in this screen. LABEL: Enable Web Site Auto Categorization; Matched Web Pages; Unrated Web Pages; When Content Filter Server Is Unavailable; Content Filter Server Unavailable Timeout. Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs.
  • Page 188 Table 12-2 Content Filter : Categories (continued). LABEL Select Categories. Select All Categories: Select this check box to restrict access to all site categories listed below. Clear All Categories: Select this check box to clear the selected categories below. Category labels: Adult/Mature Content; Pornography; Sex Education; Intimate Apparel/Swimsuit; Nudity; Alcohol/Tobacco; Illegal/Questionable.
  • Page 189 Table 12-2 Content Filter : Categories (continued). LABEL / DESCRIPTION. Gambling: Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assistance, recommendations, or training on placing bets or participating in games of chance.
  • Page 190 Table 12-2 Content Filter : Categories (continued). Category labels: Education; Cultural Institutions; Financial Services; Brokerage/Trading; Games; Government/Legal; Military; Political/Activist Groups; Health. Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
  • Page 191 Table 12-2 Content Filter : Categories (continued). LABEL / DESCRIPTION. Computers/Internet: Selecting this category excludes pages that sponsor or provide information on computers, technology, the Internet and technology-related organizations and companies. Hacking/Proxy Avoidance: Pages providing information on illegal or questionable access to or the use of communications equipment/software, or that provide information on how to bypass proxy server features or gain access to URLs in any way that bypasses the proxy server.
  • Page 192 Table 12-2 Content Filter : Categories (continued). Category labels: Shopping; Auctions; Real Estate; Society/Lifestyle; Gay/Lesbian; Restaurants/Dining/Food; Sports/Recreation/Hobbies; Travel; Vehicles; Humor/Jokes; Streaming Media/MP3. Shopping: Selecting this category excludes pages that provide or advertise the means to obtain goods or services. It does not include pages that can be classified in other categories (such as vehicles or weapons).
  • Page 193 Table 12-2 Content Filter : Categories (continued). Category labels: Software Downloads; Pay to Surf; For Kids; Web Advertisements; Web Hosting. Further labels: Advanced/Basic; Test Web Site Attribute; Test if Web site is blocked; Test Against Local Cache; Test Against Internet Server; Registration and Reports; Registration Status. Software Downloads: Selecting this category excludes pages that are dedicated to the electronic download of software packages, whether for payment or at no charge.
  • Page 194: Configuring Customization

    Table 12-2 Content Filter : Categories (continued). LABEL Register: Click Register to go to a web site where you can register for category-based... Apply; Reset. 12.6 Configuring Customization. To customize the content filter list by adding or removing specific sites from the filter list on your ZyWALL, click CONTENT FILTER, then the Customization tab. The screen appears as shown.
  • Page 195: Figure 12-4 Content Filter : Customization

    Figure 12-4 Content Filter : Customization
  • Page 196: Table 12-3 Content Filter : Customization

    The following table describes the labels in this screen. LABEL: Web Site List Customization; Enable Web site customization; Disable all Web traffic except for trusted Web sites; Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites; Trusted Web Site List; Add Trusted Web Site; Trusted Web Sites; Delete; Forbidden Web Site List...
  • Page 197 Table 12-3 Content Filter : Customization (continued). LABEL: Delete; Keyword Blocking; Block Web sites which contain these keywords; Add Keyword; Keyword List; Delete; Apply; Reset. DESCRIPTION. Delete: Select a web site name from the Forbidden Web Site List, and then click this button to delete it from that list.
  • Page 199: Vpn/Ipsec

    Part VI: VPN/IPSec. This part provides information on how to configure VPN/IPSec.
  • Page 201: Chapter 13 Introduction To Ipsec

    13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 202: Figure 13-1 Encryption And Decryption

    Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication: The IPSec receiver can verify the source of IPSec packets.
  • Page 203: Ipsec Architecture

    13.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 13-2 IPSec Architecture 13.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 204: Encapsulation

    13.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 13-3 Transport and Tunnel Mode IPSec Encapsulation 13.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 205: Ipsec And Nat

    13.4 IPSec and NAT Read this section if you are running IPSec on a host computer behind the ZyWALL. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet.
  • Page 207: Chapter 14 Vpn Screens

    Chapter 14 VPN Screens This chapter introduces the VPN Web configurator. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions. 14.1 VPN/IPSec Overview Use the screens documented in this chapter to configure and manage a VPN connection. 14.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
  • Page 208: My Ip Address

    DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. 3DES Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
  • Page 209: Summary Screen

    You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
  • Page 210: Figure 14-2 Vpn Rules

    The following table describes the fields in this screen. LABEL: This field displays the VPN rule number. Name: This field displays the identification name for this VPN policy. Active: Y signifies that this VPN rule is active. Local IP Address: This is the IP address(es) of computer(s) on your local network behind your ZyWALL. The same (static) IP address is displayed twice when the Local Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Single Address.
  • Page 211: Keep Alive

    LABEL Remote IP Address: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. The same (static) IP address is displayed twice when the Remote Address Type field in the Edit VPN Rule (or Manual Key) screen is configured to Single Address.
  • Page 212: Nat Traversal

    When there is outbound traffic with no inbound traffic, the ZyWALL automatically 14.7 NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A and B. Figure 14-3 NAT Router Between IPSec Routers Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet.
  • Page 213: Figure 14-4 Vpn Host Using Intranet Dns Server Example

    14.7.2 X-Auth (Extended Authentication) Extended authentication provides added security by allowing you to use usernames and passwords for VPN connections. This is especially helpful when multiple ZyWALLs use one VPN rule to connect to a single ZyWALL.
  • Page 214: Id Type And Content

    If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network. 14.8 ID Type and Content With aggressive negotiation mode (see section 14.12.1), the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted.
  • Page 215: Table 14-4 Peer Id Type And Content Fields

    Table 14-4 Peer ID Type and Content Fields. PEER ID TYPE / CONTENT: For the IP peer ID type, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Secure Gateway field.
  • Page 216: Pre-Shared Key

    Table 14-6 Mismatching ID Type and Content Configuration Example ZYWALL A Peer ID type: E-mail Peer ID content: aa@yahoo.com 14.9 Pre-Shared Key A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see section 14.10 for more on IKE phases). It is called “pre-shared” because you have to share it with another party before you can communicate with them over a secure connection.
  • Page 217: Configuring Basic Ike Vpn Rule Setup

    Figure 14-6 Site-to-Site VPN Example 14.11 Configuring Basic IKE VPN Rule Setup Select one of the VPN rules in the VPN Rules screen and click Edit or click the Rule Setup tab on the ZyWALL 2WE to configure the rule’s settings. The basic IKE rule setup screen is shown next.
  • Page 218: Figure 14-7 Basic Ike Vpn Rule Edit

    Figure 14-7 Basic IKE VPN Rule Edit
  • Page 219: Table 14-7 Basic Ike Vpn Rule Edit

    The following table describes the fields in this screen. LABEL Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive: Select this check box to turn on the keep alive feature for this SA. Turn on Keep Alive to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 220 LABEL Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the auth server’s local user database or a RADIUS server (see the Authentication Server section).
  • Page 221 LABEL Local IP Address Enter a static local IP address. The local IP address must correspond to the remote IPSec router's configured remote IP addresses. Site to Site Select this radio button to establish a VPN between two sites (groups of IP addresses). Address Type Use the drop-down menu to choose Range Address or Subnet Address.
  • Page 222 LABEL Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a subnet mask on the network behind the remote IPSec router.
  • Page 223 LABEL Local ID Type Select IP to identify this ZyWALL by its IP address. Select DNS to identify this ZyWALL by a domain name. Select E-mail to identify this ZyWALL by an e-mail address. You do not configure the local ID type and content when you set Authentication Method to Certificate.
  • Page 224 LABEL Select from the following when you set Authentication Method to Pre-shared Key. Peer ID Type Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
  • Page 225 LABEL Content The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Method to Pre-shared Key. For IP, type the IP address of the computer with which you will make the VPN connection.
  • Page 226 LABEL My IP Address Enter the WAN IP address of your ZyWALL. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: The ZyWALL uses the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 227: Ike Phases

    LABEL Encryption Algorithm: Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 228: Figure 14-8 Two Phases To Set Up The Ipsec Sa

    Figure 14-8 Two Phases to Set Up the IPSec SA In phase 1 you must: Choose a negotiation mode. Authenticate the connection by entering a pre-shared key. Choose an encryption algorithm. Choose an authentication algorithm. Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). Set the IKE SA lifetime.
  • Page 229: Negotiation Mode

    IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic. 14.12.1 X-Auth and IKE X-Auth (Extended Authentication) inserts a new exchange between IKE phases 1 and 2 for client...
  • Page 230: Configuring Advanced Ike Setup

    14.12.5 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
  • Page 231: Figure 14-9 Advanced Ike Vpn Rule Setup

    Figure 14-9 Advanced IKE VPN Rule Setup The following table describes the fields in this screen. Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
  • Page 232: Table 14-8 Advanced Ike Vpn Rule Setup

    LABEL Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.
  • Page 233 LABEL Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
  • Page 234: Manual Key Setup

    LABEL SA Life Time (seconds): Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 235: Figure 14-10 Manual Vpn Rule Setup

    Select Manual Key (or Manual) in the Key Management (or IPSec Keying Mode) field to display the manual VPN rule setup screen. Figure 14-10 Manual VPN Rule Setup
  • Page 236: Table 14-9 Vpn Manual Setup

    The following table describes the labels in this screen. LABEL Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces. Key Management Select IKE or Manual Key (or Manual) from the drop-down list box.
  • Page 237 LABEL Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
  • Page 238 LABEL Secure Gateway Addr: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. SPI: Type a unique SPI (Security Parameter Index) from one to four characters long. Valid characters are "0, 1, 2, 3, 4, 5, 6, 7, 8, and 9".
  • Page 239: Sa Monitor

    LABEL Authentication: Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for MD5 authentication or 20 characters for SHA-1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated. Apply: Click Apply to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving.
  • Page 240: Global Settings

    The following table describes the fields in this screen. LABEL: This is the security association index number. Name: This field displays the identification name for this VPN policy. Encapsulation: This field displays Tunnel or Transport mode. IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
  • Page 241: Telecommuter Vpn/Ipsec Examples

    LABEL Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
  • Page 242: Figure 14-13 Telecommuters Sharing One Vpn Rule Example

    Figure 14-13 Telecommuters Sharing One VPN Rule Example. Table 14-12 Telecommuters Sharing One VPN Rule Example. FIELDS: My IP Address: 0.0.0.0 (dynamic IP address assigned by the ISP). Secure Gateway IP Address: Public static IP address. Local IP Address: Telecommuter A: 192.168.2.12; Telecommuter B: 192.168.3.2; Telecommuter C: 192.168.4.15. Remote IP...
  • Page 243: Figure 14-14 Telecommuters Using Unique Vpn Rules Example

    See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.
  • Page 244: Vpn And Remote Management

    Table 14-13 Telecommuters Using Unique VPN Rules Example. TELECOMMUTERS: Local IP Address: 192.168.2.12. Telecommuter B (telecommuterb.dydns.org): Local ID Type: DNS; Local ID Content: telecommuterb.com; Local IP Address: 192.168.3.2. Telecommuter C (telecommuterc.dydns.org): Local ID Type: E-mail; Local ID Content: myVPN@myplace.com; Local IP Address: 192.168.4.15. 14.19 VPN and Remote Management If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure remote management (REMOTE MGNT) to allow access for that service.
  • Page 245: Certificates

    Part VII: Certificates. This part provides information and configuration instructions for public-key certificates.
  • Page 247: Chapter 15 Certificates

    This chapter gives background information about public-key certificates and explains how to use 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 248: Self-Signed Certificates

    Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 249: My Certificates

    15.4 My Certificates Click CERTIFICATES, My Certificates to open the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. See the following figure. Figure 15-2 My Certificates The following table describes the labels in this screen.
  • Page 250: Table 15-1 My Certificates

    LABEL PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
  • Page 251: Certificate File Formats

    LABEL Details Select the radio button next to a certificate’s index number and then click Details to open a screen with an in-depth list of information about that certificate. Refresh Click this button to display the current validity status of the certificates. Delete Select the radio button next to the index number of a certificate that you want to delete and then click Delete to remove that certificate.
  • Page 252: Importing A Certificate

    15.6 Importing a Certificate Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL; see the following figure. 1. You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL.
  • Page 253: Creating A Certificate

    LABEL Apply: Click Apply to save the certificate on the ZyWALL. Cancel: Click Cancel to quit and return to the My Certificates screen. 15.7 Creating a Certificate Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request; see the following figure.
  • Page 254: Table 15-3 My Certificate Create

    The following table describes the labels in this screen. LABEL Certificate Name Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory.
  • Page 255 LABEL Create a certification request and enroll for a certificate immediately online: Select Create a certification request and enroll for a certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority’s certificate already imported in the Trusted CAs screen.
  • Page 256: My Certificate Details

    After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen.
  • Page 257: Figure 15-5 My Certificate Details

    Figure 15-5 My Certificate Details
  • Page 258: Table 15-4 My Certificate Details

    The following table describes the labels in this screen. LABEL Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
  • Page 259 LABEL Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The ZyWALL uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). Valid From: This field displays the date that the certificate becomes applicable.
  • Page 260: Trusted Cas

    LABEL Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority’s web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment.
  • Page 261: Figure 15-6 Trusted Cas

    The following table describes the labels in this screen. LABEL PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
  • Page 262: Importing A Trusted Ca's Certificate

    LABEL Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field. Valid From This field displays the date that the certificate becomes applicable.
  • Page 263: Trusted Ca Certificate Details

    You must remove any spaces from the certificate’s filename before you can import it. The following table describes the labels in this screen. LABEL File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload.
  • Page 264: Figure 15-8 Trusted Ca Details

    Figure 15-8 Trusted CA Details
  • Page 265: Table 15-7 Trusted Ca Details

    The following table describes the labels in this screen. LABEL Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
  • Page 266 LABEL Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
  • Page 267: Trusted Remote Hosts

    LABEL Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
  • Page 268: Figure 15-9 Trusted Remote Hosts

    The following table describes the labels in this screen. LABEL PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
  • Page 269: Verifying A Trusted Remote Host's Certificate

    LABEL Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Valid From This field displays the date that the certificate becomes applicable.
  • Page 270: Importing A Trusted Remote Host's Certificate

    Step 3. Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. 15.14 Importing a Trusted Remote Host’s Certificate Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen.
  • Page 271: Trusted Remote Host Certificate Details

    The trusted remote host certificate must be a self-signed certificate; and you must remove any spaces from its filename before you can import it. Figure 15-10 Trusted Remote Host Import The following table describes the labels in this screen. Table 15-11 Trusted Remote Host Import LABEL File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 272: Figure 15-11 Trusted Remote Host Details

    Figure 15-11 Trusted Remote Host Details
  • Page 273: Table 15-12 Trusted Remote Host Details

    The following table describes the labels in this screen. Table 15-12 Trusted Remote Host Details LABEL Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
  • Page 274 Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name: This field displays the certificate owner‘s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
  • Page 275: Directory Servers

    15.16 Directory Servers Click CERTIFICATES, Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL. If you decide to have the ZyWALL check incoming certificates against the issuing certification authority’s list of revoked certificates, the ZyWALL first checks the server(s) listed in the CRL Distribution Points field of the incoming certificate.
  • Page 276: Add Or Edit A Directory Server

    Port: This field displays the port number that the directory server uses. Protocol: This field displays the protocol that the directory server uses. Click Add to open a screen where you can configure information about a directory server so that the ZyWALL can access it. Select the radio button next to a directory server’s index number and then click Edit to open a screen where you can change the information about that directory server.
  • Page 277: Table 15-14 Directory Server Add

    Directory Service Setting. Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol: Use the drop-down list box to select the access protocol used by the directory server. LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates.
  • Page 279: Authentication Server, Remote Management And Upnp

    Part VIII: Authentication Server, Remote Management and UPnP This part provides information and configuration instructions for the authentication server screens, remote management and Universal Plug and Play.
  • Page 281: Chapter 16 Authentication Server

    Chapter 16 Authentication Server This chapter discusses how to configure the authentication server on the ZyWALL. 16.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
  • Page 282: Figure 16-1 Local User Database

    Figure 16-1 Local User Database
  • Page 283: Configuring Radius

    The following table describes the fields in this screen. LABEL Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile. Apply Click Apply to save your changes back to the ZyWALL.
  • Page 284: Figure 16-2 Radius

    The following table describes the fields in this screen. LABEL Authentication Server Active Enable this feature to have the ZyWALL use an external authentication server in performing user authentication. Disable this feature if you will not use an external authentication server. If you disable this feature, you can still set the ZyWALL to perform user authentication using the local user database.
  • Page 285 Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL; this shared secret is what hides user passwords in transit and authenticates the server’s replies, so choose it as carefully as any other administrative credential.
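To show what the port 1812 and shared secret settings above actually protect, here is a worked RADIUS PAP exchange (RFC 2865) with both sides: the NAS side, which is the ZyWALL's role, and the server side. This is an added example, not ZyXEL code or the guide's own material; the user, password and secret are constructed sample data and the function names are this example's.

```python
"""RADIUS PAP exchange between a NAS (the ZyWALL's role) and a RADIUS server, RFC 2865.

Added example, not ZyXEL code. The User-Password attribute is hidden by XOR with
MD5(secret || Request Authenticator) chained block by block, and the server's reply is
authenticated with MD5 over the reply plus the secret. All sample data is constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT = 1812   # the default the guide mentions


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, then chain-XOR with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Type-Length-Value list; every length is checked before it is trusted."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret):
    """NAS side: fresh random Request Authenticator, password hidden under it."""
    authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle(packet, secret, user_db):
    """Server side: recover the password and answer Access-Accept or Access-Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, secret)


def client_check_response(response, request, secret):
    """NAS side: accept a reply only if it is bound to our request with our secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response) or length < 20:
        raise ValueError("reply does not match the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code


if __name__ == "__main__":
    secret = b"s3cret-shared-key"            # constructed
    users = {b"alice": b"correct horse"}     # constructed stand-in for the server's user store
    req = build_access_request(1, b"alice", b"correct horse", secret)
    print("server answered code", client_check_response(server_handle(req, secret, users), req, secret))
```

The password is hidden rather than encrypted in any strong sense: the keystream is MD5(secret || authenticator), so anyone who learns the shared secret, or can guess it offline from one captured request and reply, recovers every password that crossed the wire. Treat the secret as a high-value credential and keep the RADIUS traffic off networks you do not control.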
  • Page 287: Chapter 17 Remote Management Screens

    17.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for You may manage your ZyWALL from a remote location via: Internet (WAN only) LAN only,...
  • Page 288: Introduction To Https

    17.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
  • Page 289: Figure 17-1 Https Implementation

    data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys (see the Certificates chapter for more information). HTTPS on the ZyWALL is used so that you may securely access the ZyWALL using the web configurator. The SSL protocol specifies that the SSL server (the ZyWALL) must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL), whereas the SSL client should only authenticate itself when the SSL server requires it to do so (select Authenticate Client Certificates in...
  • Page 290: Configuring Www

    If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 17.3 Configuring WWW To change your ZyWALL’s web settings, click REMOTE MGNT, then the WWW tab. The screen appears as shown.
  • Page 291: Table 17-1 Www

    HTTPS: This feature is not available on the ZyWALL 2WE. Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 292: Https Example

    Table 17-1 WWW LABEL DESCRIPTION Reset Click Reset to begin configuring this screen afresh. 17.4 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access.
  • Page 293: Figure 17-4 Security Certificate 1 (Netscape)

    17.4.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.
  • Page 294: Figure 17-5 Security Certificate 2 (Netscape)

    Figure 17-5 Security Certificate 2 (Netscape) 17.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
  • Page 295: Login Screen

    Step 2. Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for certificate’s common name (see Figure 17-9 for an example). Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL’s actual IP address.
  • Page 296: Figure 17-6 Login Screen (Internet Explorer)

    Figure 17-6 Login Screen (Internet Explorer)
  • Page 297: Figure 17-7 Login Screen (Netscape)

    Figure 17-7 Login Screen (Netscape) Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models. Because every unit ships with that same certificate and its private key, the default certificate cannot prove that you are talking to your own ZyWALL rather than to someone else’s; replace it with a device-specific certificate as described next.
  • Page 298: Figure 17-8 Replace Certificate

    Figure 17-8 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.
  • Page 299: Ssh Overview

    Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 17-10 Common ZyWALL Certificate 17.5 SSH Overview Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
  • Page 300: How Ssh Works

    Figure 17-11 SSH Communication Example 17.6 How SSH works The following table summarizes how a secure connection is established between two remote hosts. Figure 17-12 How SSH Works 1. Host Identification The SSH client sends a connection request to the SSH server.
  • Page 301: Ssh Implementation On The Zywall

    17.7 SSH Implementation on the ZyWALL Your ZyWALL supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyWALL for remote SMT management and file transfer on port 22. Note that SSH protocol version 1 and single DES are both obsolete today: OpenSSH removed protocol 1 from its client in release 7.6, so the examples in this chapter need a legacy client, and it is prudent to allow SSH only from the LAN or from selected secure client addresses.
  • Page 302: Secure Telnet Using Ssh Examples

    LABEL Server Host Key Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see the Certificates part for details). Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 303: Figure 17-14 Ssh Example 1: Store Host Key

    Step 3. A window displays prompting you to store the host key on your computer. Click Yes to continue. Figure 17-14 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The SMT main menu displays next. 17.9.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
  • Page 304: Secure Ftp Using Ssh Example

    Step 2. Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
  • Page 305: Telnet

    Step 3. Use the “put” command to upload a new firmware to the ZyWALL. $ sftp -1 192.168.1.1 Connecting to 192.168.1.1... The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
  • Page 306: Configuring Telnet

    17.12 Configuring TELNET Click REMOTE MGNT to open the TELNET screen. The following table describes the labels in this screen. LABEL Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 307: Configuring Ftp

    17.13 Configuring FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP, please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. To change your ZyWALL’s FTP settings, click REMOTE MANAGEMENT, then the FTP tab. The screen appears as shown.
  • Page 308: Configuring Snmp

    Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service.
  • Page 309: Figure 17-21 Snmp Management Model

    Figure 17-21 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 310: Table 17-5 Snmp Traps

    • Get - Allows the manager to retrieve an object variable from the agent. • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Page 311 17.14.3 REMOTE MANAGEMENT: SNMP To change your ZyWALL’s SNMP settings, click REMOTE MGNT, then the SNMP tab. The screen appears as shown. Figure 17-22 SNMP The following table describes the fields in this screen.
  • Page 312: Configuring Dns

    Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Set Community: Enter the Set community, which is the password for incoming Set requests from the management station. Change both defaults before enabling SNMP and restrict the service to trusted management stations: SNMPv1 sends the community string unencrypted in every packet, so anyone who can observe the traffic can read it.
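Added example, not from the guide or ZyXEL: what an SNMPv1 Get, GetNext or Set request looks like on the wire, built and decoded with the standard library, followed by the kind of passive check a network sensor applies to such traffic. The three sample packets and their source addresses are constructed, and the function names are this example's own.

```python
"""SNMPv1 requests on the wire (BER) and a passive check for default community strings.

Added example, not ZyXEL code; standard library only. SNMPv1 carries the community
string, its only "password", in cleartext in every packet. Samples are constructed.
"""
SNMP_V1 = 0
PDU_GET, PDU_GETNEXT, PDU_RESPONSE, PDU_SET = 0xA0, 0xA1, 0xA2, 0xA3
DEFAULT_COMMUNITIES = {b"public", b"private"}


def _length(n):
    """BER length: short form below 128, else 0x80|count followed by the big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _integer(value):
    """INTEGER in minimal two's-complement form (request ids, versions, error codes)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_request(pdu_type, community, oids, request_id=1):
    """Message ::= SEQUENCE { version, community OCTET STRING, PDU }. Values are NULL here;
    a real SetRequest would carry the new value in place of the NULL."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + _tlv(0x05, b"")) for o in oids)
    pdu = _tlv(pdu_type, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(SNMP_V1) + _tlv(0x04, community) + pdu)


def _read_tlv(data, pos):
    """Return (tag, body, next_pos); every length is checked against the buffer."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long form
        count = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    if pos + length > len(data):
        raise ValueError("TLV length runs past end of packet")
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_message(packet):
    """Version, community, PDU type and OIDs of a Get/GetNext/Response/Set message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = _read_tlv(body, 0)
    ctag, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04 or pdu_tag not in (PDU_GET, PDU_GETNEXT, PDU_RESPONSE, PDU_SET):
        raise ValueError("unexpected message structure or PDU type")
    pos = 0
    for _ in range(3):                             # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbind_list, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = _read_tlv(varbind_list, pos)
        _, oid_body, _ = _read_tlv(varbind, 0)
        oids.append(_decode_oid(oid_body))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community, "pdu": pdu_tag, "oids": oids}


def audit(packets):
    """What a sensor would raise on: default community strings and any Set request."""
    findings = []
    for src, raw in packets:
        try:
            msg = parse_message(raw)
        except ValueError as exc:
            findings.append((src, f"undecodable SNMP: {exc}"))
            continue
        if msg["community"] in DEFAULT_COMMUNITIES:
            findings.append((src, f"default community {msg['community'].decode()!r} in use"))
        if msg["pdu"] == PDU_SET:
            findings.append((src, f"SetRequest for {msg['oids']} (write access attempted)"))
    return findings


# Constructed samples: a sysDescr.0 poll from the LAN, a sysName.0 Set from a WAN address,
# and a GetNext walk of ifTable using a non-default community.
SAMPLE_PACKETS = [
    ("192.168.1.33", build_request(PDU_GET, b"public", ["1.3.6.1.2.1.1.1.0"], 1)),
    ("203.0.113.7", build_request(PDU_SET, b"private", ["1.3.6.1.2.1.1.5.0"], 2)),
    ("192.168.1.34", build_request(PDU_GETNEXT, b"n3tm0n-ro", ["1.3.6.1.2.1.2.2"], 3)),
]
```

Running `audit(SAMPLE_PACKETS)` reports the first two sources and stays silent on the third; the second packet is exactly the case the Set Community field guards against, a write attempt from outside using the well-known default.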
  • Page 313: Figure 17-23 Dns

    To change your ZyWALL’s DNS settings, click REMOTE MGNT, then the DNS tab. The screen appears as shown. The following table describes the fields in this screen. LABEL Service Port The DNS service port number is 53 and cannot be changed here. Service Access Select the interface(s) through which a computer may send DNS queries to the ZyWALL.
  • Page 314: Configuring Security

    17.16 Configuring Security To change your ZyWALL’s Security settings, click REMOTE MGNT, then the Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned.
  • Page 315 LABEL Respond to Ping The ZyWALL will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests.
  • Page 317: Chapter 18 Upnp

    18.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.
  • Page 318: Upnp Implementation

    18.1.3 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 319: Figure 18-1 Configuring Upnp

    Figure 18-1 Configuring UPnP. Table 18-1 Configuring UPnP describes the fields in this screen: Device Name (this identifies the device in UPnP applications); Enable the Universal Plug and Play (UPnP) feature; Allow users to make configuration changes through UPnP; Allow UPnP to pass through Firewall; Apply.
  • Page 320: Displaying Upnp Port Mapping

    Reset. 18.4 Displaying UPnP Port Mapping Click UPnP and then Ports to display the screen as shown next. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. The following table describes the labels in this screen.
  • Page 321: Installing Upnp In Windows Example

    #: This is the index number of the UPnP-created NAT mapping rule entry. Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
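A script that lists the same mappings the Ports screen shows, by walking the WANIPConnection service's GetGenericPortMappingEntry action index by index, and flags the entries an administrator should question (blank Remote Host, administrative services, mappings that never expire). This is an added example, not ZyXEL code; the control URL is a placeholder you would take from the gateway's device description, and the three SOAP replies are constructed samples of what a gateway returns.

```python
"""List and audit the NAT port mappings UPnP has created on a gateway.

Added example, not ZyXEL code; standard library only. The gateway's WANIPConnection
service answers GetGenericPortMappingEntry for index 0, 1, 2, ... until it faults with
UPnP error 713 (SpecifiedArrayIndexInvalid). CONTROL_URL is a placeholder you would
take from the gateway's device description; SAMPLE_REPLIES are constructed responses.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
UPNP_CTRL_NS = "urn:schemas-upnp-org:control-1-0"
CONTROL_URL = "http://192.168.1.1/upnp/control/WANIPConn1"     # placeholder, device specific
ADMIN_PORTS = {21, 22, 23, 80, 135, 139, 161, 443, 445, 3389}   # should not face the WAN


def build_get_mapping_request(index):
    """Return (headers, body) for one GetGenericPortMappingEntry SOAP call."""
    body = ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP_NS}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP_NS}#GetGenericPortMappingEntry"'}
    return headers, body


def parse_mapping_response(xml_text):
    """One mapping as a dict, or None when the gateway says the index is past the last entry."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    resp = body.find(f"{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        code = body.find(f".//{{{UPNP_CTRL_NS}}}errorCode")
        if code is not None and (code.text or "").strip() == "713":
            return None
        raise ValueError("unexpected SOAP reply")

    def field(name):
        el = resp.find(name)                 # argument elements are unqualified
        return (el.text or "").strip() if el is not None else ""

    return {"remote_host": field("NewRemoteHost"),      # blank means any source on the WAN
            "external_port": int(field("NewExternalPort")),
            "protocol": field("NewProtocol"),
            "internal_port": int(field("NewInternalPort")),
            "internal_client": field("NewInternalClient"),
            "enabled": field("NewEnabled") == "1",
            "description": field("NewPortMappingDescription"),
            "lease": int(field("NewLeaseDuration") or 0)}     # 0 means it never expires


def enumerate_mappings(fetch):
    """Walk the table with fetch(index) -> reply XML; bounded so a broken gateway cannot loop us."""
    mappings = []
    for index in range(1024):
        entry = parse_mapping_response(fetch(index))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def fetch_live(index):
    """Real transport: POST the SOAP call; UPnP faults arrive as HTTP 500 with a SOAP body."""
    headers, body = build_get_mapping_request(index)
    req = urllib.request.Request(CONTROL_URL, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


def audit_mappings(mappings):
    """Flag the mappings a firewall administrator would want to question."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        where = f"{m['protocol']} {m['external_port']} -> {m['internal_client']}:{m['internal_port']}"
        if m["remote_host"] == "":
            findings.append(f"{where}: reachable from any WAN source ({m['description'] or 'no description'})")
        if m["internal_port"] in ADMIN_PORTS:
            findings.append(f"{where}: exposes an administrative or file-sharing service")
        if m["lease"] == 0:
            findings.append(f"{where}: permanent lease, will not expire on its own")
    return findings


def _reply(**kw):
    fields = "".join(f"<New{k}>{v}</New{k}>" for k, v in kw.items())
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">{fields}'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SAMPLE_REPLIES = [   # constructed: what three successive calls might return
    _reply(RemoteHost="", ExternalPort=6881, Protocol="TCP", InternalPort=6881,
           InternalClient="192.168.1.33", Enabled=1, PortMappingDescription="BitTorrent", LeaseDuration=0),
    _reply(RemoteHost="", ExternalPort=3389, Protocol="TCP", InternalPort=3389,
           InternalClient="192.168.1.40", Enabled=1, PortMappingDescription="Remote Desktop", LeaseDuration=0),
    (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
     f'<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="{UPNP_CTRL_NS}">'
     '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
     '</UPnPError></detail></s:Fault></s:Body></s:Envelope>'),
]
```

`enumerate_mappings(lambda i: SAMPLE_REPLIES[i])` walks the constructed table; substitute `fetch_live` to run it against a real gateway from a LAN host. Note that anything on the LAN can make the same calls, and with "Allow users to make configuration changes through UPnP" enabled can add mappings as well, which is the caution in section 18.1.3 in concrete form.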
  • Page 322: Installing Upnp In Windows Me

    18.5.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. Click Start and Control Panel. Double-click Add/Remove Programs. Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 323 Step 1. Click Start and Control Panel. Step 2. Double-click Network Connections. Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays. Step 4. Select Networking Service in the Components selection box and click Details.
  • Page 324: Using Upnp In Windows Xp Example

    18.6 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device.
  • Page 325 Step 4. You may edit or delete the port mappings or click Add to manually add port mappings. When the UPnP-enabled device is disconnected from your computer, all port Step 5. Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray Step 6.
  • Page 326: Web Configurator Easy Access

    18.6.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator without first finding out its IP address. This is helpful if you do not know the IP address of your ZyWALL. Follow the steps below to access the web configurator. Step 1.
  • Page 327: Logs

    Part IX: Logs This part provides information and instructions for the logs and reports.
  • Page 329: Chapter 19 Logs Screens

    Chapter 19 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to appendices for example log message explanations. 19.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen.
  • Page 330: Figure 19-1 View Log

    The following table describes the labels in this screen. LABEL Display The categories that you select in the Log Settings page (see section 19.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 331: Configuring Log Settings

    LABEL Note This field displays additional information about the log entry. Email Log Now Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the Address Info fields in Log Settings, see section 19.2).
  • Page 332: Figure 19-2 Log Settings

    Figure 19-2 Log Settings
  • Page 333: Table 19-2 Log Settings

    The following table describes the labels in this screen. LABEL Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 334: Configuring Reports

    Time for Sending: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Select the categories of logs that you want to record. Logs include alerts. Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail...
  • Page 335: Figure 19-3 Reports

    The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not (yet) 100% accurate. Enabling the ZyWALL’s reporting function decreases the overall throughput by The following table describes the labels in this screen.
  • Page 336: Figure 19-4 Web Site Hits Report Example

    LABEL Refresh Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen. All of the recorded reports data is erased when you turn off the ZyWALL. 19.3.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been...
  • Page 337: Figure 19-5 Protocol/Port Report Example

    LABEL Web Site This column lists the domain names of the web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first. The ZyWALL counts each page viewed in a web site as another hit on the web site.
  • Page 338: Figure 19-6 Lan Ip Address Report Example

    Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first. Direction: This field displays Incoming to denote traffic that is coming in from the WAN to the LAN.
  • Page 339: Table 19-6 Lan Ip Address Report

    The following table describes the labels in this screen. LABEL IP Address This column lists the LAN IP addresses to and/or from which the most traffic has been sent. The LAN IP addresses are listed in descending order with the LAN IP address to and/or from which the most traffic was sent listed first.
  • Page 341: Maintenance

    Part X: Maintenance This part covers the maintenance screens.
  • Page 343: Chapter 20 Maintenance

    Chapter 20 Maintenance This chapter displays system information such as firmware, port IP addresses and port traffic statistics. 20.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
  • Page 344: Table 20-1 System Status

    The following table describes the labels in this screen. System Name: This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes. Model Name: The model name identifies your device type. The model name should also be on a sticker on your device.
  • Page 345: Figure 20-2 System Status: Show Statistics

    Figure 20-2 System Status: Show Statistics The following table describes the labels in this screen. Table 20-2 System Status: Show Statistics LABEL Port This is the WAN or LAN port. Status This displays the port speed and duplex setting if you're using Ethernet encapsulation and down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) and drop (dropping a call) if you're using PPPoE encapsulation.
  • Page 346: Dhcp Table Screen

    Stop: Click Stop to stop refreshing statistics. 20.3 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it.
  • Page 347: F/W Upload Screen

    LABEL IP Address This field displays the IP address relative to the # field listed above. Host Name This field displays the computer host name. MAC Address This field shows the MAC address of the computer with the name in the Host Name field.
  • Page 348: Figure 20-5 Firmware Upload

    The following table describes the fields in this screen. LABEL File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse... Click Browse to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
  • Page 349: Configuration Screen

    Figure 20-7 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
  • Page 350: Figure 20-9 Configuration

    Figure 20-9 Configuration 20.5.1 Backup Configuration Backup Configuration allows you to back up (save) the current system (ZyWALL) configuration to your computer. Backup is highly recommended once your ZyWALL is functioning properly. Click Backup to save your current ZyWALL configuration to your computer. Keep the backup file somewhere protected: it holds the passwords and VPN settings configured on the ZyWALL.
  • Page 351: Figure 20-10 Configuration Upload Successful

    20.5.2 Restore Configuration Restore Configuration allows you to restore a previously saved configuration file from your computer to your ZyWALL. LABEL File Path Type in the location of the file you want to upload in this field or click Browse to find it. Click Browse to find the file you want to upload.
  • Page 352: Figure 20-12 Configuration Upload Error

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer’s IP address.
  • Page 353: Restart Screen

    You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer to the section on resetting the ZyWALL for more information on the RESET button. 20.6 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off.
  • Page 355: Smt General Configuration

    Part XI: SMT General Configuration This part introduces the System Management Terminal and covers the General setup menu, WAN, LAN and wireless LAN setup, and Internet access. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 357: Chapter 21 Introducing The Smt

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2003 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:A0:C5:00:00:01 initialize ch =1, ethernet address: 00:A0:C5:00:00:02 Press ENTER to continue...
  • Page 358: Navigating The Smt Interface

    21.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. Change this default as soon as you have logged in (see section 21.4 Changing the System Password). As you type the password, the screen displays an “X” for each character you type.
  • Page 359: Figure 21-3 Main Menu

    Type 99, then press [ENTER]. 21.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Copyright (c) 1994 - 2003 ZyXEL Communications Corp. Getting Started 1. General Setup 2. WAN Setup 3. LAN Setup 4.
  • Page 360: Table 21-2 Main Menu Summary

    Table 21-2 Main Menu Summary lists the menu titles: General Setup; WAN Setup; LAN Setup; Internet Access Setup; Remote Node Setup; Static Routing Setup; NAT Setup; Filter and Firewall Setup; SNMP Configuration; System Password; System Maintenance; Schedule Setup; VPN/IPSec Setup; Exit. 21.3.2 SMT Menus at a Glance We use the ZyWALL 2 menus in this guide as an example.
  • Page 361: Figure 21-4 Zywall 2 Smt Menu Overview Example

    Figure 21-4 ZyWALL 2 SMT Menu Overview Example (menu tree from the ZyWALL Main Menu: Menu 1 General Setup with Menu 1.1 Configure Dynamic DNS; Menu 2 WAN Setup with Menu 2.1 Advanced WAN Setup; Menu 3 LAN Setup with Menu 3.1 LAN Port Filter Setup and Menu 3.2 TCP/IP and DHCP Setup, which leads to Menu 3.2.1 IP Alias Setup; Menu 27 ...)
  • Page 362: Changing The System Password

    21.4 Changing the System Password Change the system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next. Step 2. Type your existing password and press [ENTER]. Step 3.
  • Page 363: Chapter 22 Smt Menu 1 - General Setup

    22.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 22.2 Configuring General Setup Step 1. Enter 1 in the main menu to open Menu 1: General Setup. Step 2.
  • Page 364 FIELD Domain Name Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name" to see the current domain name used by your router.
  • Page 365: Figure 22-2 Configure Dynamic Dns

    Service Provider= WWW.DynDNS.ORG Active= No DDNSType= DynamicDNS Host1= Host2= Host3= USER= Password= ******** Enable Wildcard= No Offline= N/A Edit Update IP Address: Use Server Detected IP= No User Specified IP Address= No IP Address= N/A Follow the instructions in the next table to configure Dynamic DNS parameters. FIELD Service Provider This is the name of your Dynamic DNS service provider.
  • Page 366 Offline: This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, traffic for your host name is redirected to a URL that you have previously specified (see www.dyndns.org for details). Edit Update IP Address: You can select Yes in either the Use Server Detected IP field (recommended) or the User Specified IP...
  • Page 367: Chapter 23 Wan And Dial Backup Setup

    This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 23.1 Introduction to WAN This chapter explains how to configure settings for your WAN port. From the main menu, enter 2 to open menu 2. Figure 23-1 MAC Address Cloning in WAN Setup The following table describes the fields in this screen.
  • Page 368: Dial Backup

    Table 23-1 MAC Address Cloning in WAN Setup FIELD IP Address This field is applicable only if you choose the IP address attached on LAN method in the Assigned By field. Enter the IP address of the computer on the LAN whose MAC you are cloning. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…”...
  • Page 369: Advanced Wan Setup

    The following table describes the fields in this menu. FIELD Dial-Backup: Active Use this field to turn the dial-backup feature on (Yes) or off (No). Phone Enter the telephone number assigned to your line by your telephone Number company. This field only accepts digits; do not include dashes and spaces.
  • Page 370: Figure 23-3 Menu 2.1 Advanced Wan Setup

    AT Command Strings: Dial= Drop= Answer= Drop DTR When Hang Up= No AT Response Strings: CLID= Called Id= Speed= Figure 23-3 Menu 2.1 Advanced WAN Setup The following table describes fields in this menu. Table 23-3 Advanced WAN Port Setup: AT Commands Fields FIELD AT Command Strings: Dial...
  • Page 371: Remote Node Profile (Backup Isp)

    Table 23-4 Advanced WAN Port Setup: Call Control Parameters FIELD Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 372: Figure 23-4 Menu 11.1 Remote Node Profile (Backup Isp)

    Rem Node Name= ? Active= Yes Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP Pri Phone #= ? Sec Phone #= Figure 23-4 Menu 11.1 Remote Node Profile (Backup ISP) The following table describes the fields in this menu. Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD Rem Node...
  • Page 373 Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD Pri Phone # Enter the first (primary) phone number from the ISP for this remote node. Sec Phone # If the Primary Phone number is busy or does not answer, your ZyWALL dials the Secondary Phone number if available.
  • Page 374: Editing Ppp Options

    Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD Idle Timeout Enter the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) that can elapse before the ZyWALL automatically disconnects the PPP connection. This option only applies when the ZyWALL initiates the call.
  • Page 375: Editing Tcp/Ip Options

    23.7 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Remote Node Network Layer Options. Menu 11.3 - Remote Node Network Layer Options Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0...
  • Page 376 Table 23-6 Menu 11.3: Remote Node Network Layer Options FIELD Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 377: Editing Login Script

    23.8 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send’ string. After matching a message from the server to the ‘Expect’ field, the ZyWALL returns the set’s ‘Send’...
  • Page 378: Remote Node Filter

    Active= No Set 1: Expect= Send= Set 2: Expect= Send= Set 3: Expect= Send= Set 4: Expect= Send= Figure 23-8 Menu 11.4: Remote Node Script The following table describes the fields in this menu. FIELD Active Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.
  • Page 379: Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter

    Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:...
  • Page 381: Chapter 24 Lan Setup

    This chapter describes how to configure the LAN using Menu 3: LAN Setup. 24.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN connections. 24.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 – LAN Setup. 24.3 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic.
  • Page 382: Tcp/Ip And Dhcp Ethernet Setup Menu

    Figure 24-2 Menu 3.1: LAN Port Filter Setup 24.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 24-3 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER].
  • Page 383: Figure 24-4 Menu 3.2: Tcp/Ip And Dhcp Ethernet Setup

    First address in the IP Pool DHCP= Server Client IP Pool: Starting Address= 192.168.1.33 Size of Client IP Pool= 32 First DNS Server= From ISP IP Address= N/A Second DNS Server= From ISP IP Address= N/A Third DNS Server= From ISP IP Address= N/A Figure 24-4 Menu 3.2: TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields.
  • Page 384: Table 24-2 Lan Tcp/Ip Setup Menu Fields

    FIELD TCP/IP Setup: IP Address Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction.
  • Page 385: Figure 24-7 Menu 3.2.1: Ip Alias Setup

    Figure 24-5 Physical Network You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown next. Use the instructions in the following table to configure IP Alias parameters.
  • Page 386: Wireless Lan Setup

    FIELD IP Address Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction.
  • Page 387: Figure 24-8 Menu 3.5: Wireless Lan Setup

    Figure 24-8 Menu 3.5: Wireless LAN Setup The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 24-4 Menu 3.5: Wireless LAN Setup FIELD Enable Press [SPACE BAR] to select Yes to turn on the wireless LAN.
  • Page 388 FIELD Frag. Threshold The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432. Select Disable to allow wireless stations to communicate with the access points without any data encryption.
  • Page 389: Figure 24-9 Menu 3.5.1: Wlan Mac Address Filter

    Step 3. In the Edit MAC Address Filter field, press [SPACE BAR] to select Yes and press [ENTER]. Menu 3.5.1 – WLAN MAC Address Filter displays as shown next. Figure 24-9 Menu 3.5.1: WLAN MAC Address Filter The following table describes the fields in this menu. Table 24-5 Menu 3.5.1: WLAN MAC Address Filter FIELD To enable MAC address filtering, press [SPACE BAR] to select Yes and press [ENTER].
  • Page 391: Chapter 25 Internet Access

    This chapter shows you how to configure your ZyWALL for Internet access. 25.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation.
  • Page 392 Table 25-1 Menu 4: Internet Access Setup (Ethernet) FIELD Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method), RR-Telstra or Telia Login.
  • Page 393: Pptp Encapsulation

    25.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.
  • Page 394: Pppoe Encapsulation

    FIELD Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field. Idle Timeout This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPTP server. 25.4 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet).
  • Page 395: Basic Setup Complete

    Figure 25-3 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4. Table 25-3 New Fields in Menu 4 (PPPoE) screen FIELD Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices in the IP Address field.
  • Page 397: Smt Advanced Applications

    Part XII: SMT Advanced Applications This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters, SNMP, schedules and VPN setup. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 399: Chapter 26 Remote Node Setup

    Chapter 26 Remote Node Setup This chapter shows you how to configure a remote node. 26.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 400: Figure 26-1 Menu 11.1: Remote Node Profile For Ethernet Encapsulation

    Rem Node Name= ChangeMe Active= Yes Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A Server= N/A Relogin Every (min)= Figure 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation The following table describes the fields in this screen. Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD Rem Node Name...
  • Page 401 Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation FIELD My Password Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. Retype to Confirm Type your password again to make sure that you have entered it correctly.
  • Page 402: Figure 26-2 Menu 11.1: Remote Node Profile For Pppoe Encapsulation

    Encapsulation to PPPoE, then you will see the next screen. Please see the appendix for more information on PPPoE. Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP Figure 26-2 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Outgoing Authentication Protocol...
  • Page 403: Table 26-2 Fields In Menu 11.1 (Pppoe Encapsulation Specific)

    Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. The following table describes the fields not already described in Table 26-1. Metric See the Metric section in the WAN and Dial Backup Setup chapter for details on the Metric field. Table 26-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD Authen...
  • Page 404: Figure 26-3 Menu 11.1: Remote Node Profile For Pptp Encapsulation

    26.2.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Please see the appendix for information on PPTP. Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Service Type= Standard Service Name= N/A Outgoing: My Login= My Password= ********...
  • Page 405: Edit Ip

    26.3 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Figure 26-4 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation.
  • Page 406 Table 26-4 Remote Node Network Layer Options Menu Fields FIELD My WAN Addr This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number.
  • Page 407: Remote Node Filter

    Table 26-4 Remote Node Network Layer Options Menu Fields FIELD Multicast IGMP (Internet Group Management Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] to enable IP Multicasting or select None to disable it.
  • Page 408: Traffic Redirect

    Figure 26-6 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) 26.5 Traffic Redirect To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1— Remote Node Profile as shown next. Rem Node Name= ChangeMe Active= Yes Encapsulation= Ethernet Service Type= Standard...
  • Page 409: Figure 26-8 Menu 11.6: Traffic Redirect Setup

    Table 26-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) FIELD Edit Traffic Redirect Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 — Traffic Redirect Setup.
  • Page 410: Table 26-6 Menu 11.6: Traffic Redirect Setup

    Table 26-6 Menu 11.6: Traffic Redirect Setup FIELD Active Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No. When the Active field is Yes, you must configure every field in this screen unless you are using PPPoE or PPTP encapsulation (except Check WAN IP Address and Timeout).
  • Page 411 Table 26-6 Menu 11.6: Traffic Redirect Setup FIELD DESCRIPTION EXAMPLE When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
  • Page 413: Chapter 27 Ip Static Route Setup

    This chapter shows you how to configure static routes with your ZyWALL. 27.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. Figure 27-1 Menu 12: IP Static Route Setup Now, enter the index number of the static route that you want to configure.
  • Page 414: Figure 27-2 Menu 12.1: Edit Ip Static Route

    Figure 27-2 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. FIELD Route # This is the index number of the static route that you chose in menu 12. Route Name Enter a descriptive name for this route. This is for identification purposes only. Active This field allows you to activate/deactivate this static route.
  • Page 415: Chapter 28 Network Address Translation (Nat)

    Chapter 28 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 28.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 28.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 416: Figure 28-1 Menu 4: Applying Nat For Internet Access

    Figure 28-1 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. Step 1. Enter 11 from the main menu. Step 2. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options.
  • Page 417: Nat Setup

    Table 28-1 Applying NAT in Menus 4 & 11.3 FIELD Network Address Translation When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see section 28.2.1 for further discussion). You can configure any of the mapping types described in the Web Configurator User’s Guide.
  • Page 418: Figure 28-4 Menu 15.1: Address Mapping Sets

    Configure LAN IP addresses in NAT menus 15.1 and 15.2. 28.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 — Address Mapping Sets. Figure 28-4 Menu 15.1: Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen (see also section 28.1.1). The fields in this menu cannot be changed. Menu 15.1.1 - Address Mapping Rules Set Name= SUA Local Start IP...
  • Page 419: Table 28-2 Sua Address Mapping Rules

    Table 28-2 SUA Address Mapping Rules FIELD Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. This is the index or rule number. Local Start IP Local Start IP is the starting local IP address (ILA).
  • Page 420: Figure 28-6 Menu 15.1.1: First Set

    Menu 15.1.1 - Address Mapping Rules Set Name= ? Local Start IP --------------- The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
  • Page 421: Figure 28-7 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    FIELD Set Name Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted. Action The default is Edit. Edit means you want to edit a selected rule (see following field).
  • Page 422: Configuring A Server Behind Nat

    The following table describes the fields in this screen. Table 28-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD Type Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in the Web Configurator User’s Guide.
  • Page 423: General Nat Examples

    Step 5. Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel. Figure 28-8 Menu 15.2: NAT Server Setup You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server.
  • Page 424: Figure 28-10 Nat Example 1

    28.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 28-11 Menu 4: Internet Access & NAT Example From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field.
  • Page 425: Figure 28-12 Nat Example 2

    28.4.2 Example 2: Internet Access with an Inside Server In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure. Figure 28-13 Menu 15.2: Specifying an Inside Server...
  • Page 426: Figure 28-14 Nat Example 3

    other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional as follows. Rule 1. Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
  • Page 427: Figure 28-15 Example 3: Menu 11.3

    Step 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 28-16). Step 6.
  • Page 428: Figure 28-17 Example 3: Final Menu 15.1.1

    Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP --------------- 1. 192.168.1.10 2. 192.168.1.11 3. 0.0.0.0 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu. Step 9. Now enter 2 from this menu and configure it as shown in Figure 28-18...
  • Page 429: Figure 28-19 Nat Example 4

    28.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 430: Trigger Port Forwarding

    Type= Many-One-to-One Local IP: Start= Global IP: Start= Figure 28-20 Example 4: Menu 15.1.1.1: Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Set Name= Example4 Local Start IP --------------- 192.168.1.10 Figure 28-21 Example 4: Menu 15.1.1: Address Mapping Rules...
  • Page 431: Figure 28-22 Trigger Port Forwarding Process: Example

    LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyWALL records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger"...
  • Page 432: Figure 28-23 Menu 15.3: Trigger Port Setup

    5. Only A can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol). 28.5.2 Two Points To Remember About Trigger Ports 1.
  • Page 433: Table 28-5 Menu 15.3: Trigger Port Setup

    Table 28-5 Menu 15.3: Trigger Port Setup FIELD Rule This is the rule index number. Name Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces. Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
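The trigger port mechanism described on the preceding pages (a LAN computer's outgoing request on the trigger port is recorded, the server's replies on the incoming range are forwarded to that computer, and the binding is released when the connection closes or ages out after three minutes for UDP or two hours for TCP) can be modelled in a few dozen lines. The following is an added example, not ZyNOS code or anything from the ZyWALL itself; the rule name and the 7070 / 6970-7170 port numbers are constructed sample values, and the class and method names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timeouts as stated in section 28.5: three minutes for UDP, two hours for TCP.
UDP_TIMEOUT = 3 * 60
TCP_TIMEOUT = 2 * 60 * 60


@dataclass
class TriggerRule:
    """One row of Menu 15.3: Incoming is the WAN server's port range, Trigger the outgoing one."""
    name: str
    incoming: Tuple[int, int]
    trigger: Tuple[int, int]


@dataclass
class Binding:
    lan_ip: str
    expires_at: float


class TriggerPortTable:
    """Models the 'take turns' behaviour: one LAN host holds a rule until it closes or times out."""

    def __init__(self, rules: List[TriggerRule]):
        self.rules = rules
        self.bindings: Dict[str, Binding] = {}

    def _live(self, rule: TriggerRule, now: float) -> Optional[Binding]:
        """Return the current holder of a rule, dropping it first if it has aged out."""
        b = self.bindings.get(rule.name)
        if b is None:
            return None
        if b.expires_at <= now:
            del self.bindings[rule.name]
            return None
        return b

    def outbound(self, lan_ip: str, protocol: str, dst_port: int, now: float) -> bool:
        """LAN->WAN packet. True if it armed (or refreshed) a trigger rule for lan_ip."""
        for rule in self.rules:
            if not rule.trigger[0] <= dst_port <= rule.trigger[1]:
                continue
            holder = self._live(rule, now)
            if holder is not None and holder.lan_ip != lan_ip:
                return False  # another LAN computer holds this rule; it must wait its turn
            ttl = UDP_TIMEOUT if protocol == "udp" else TCP_TIMEOUT
            self.bindings[rule.name] = Binding(lan_ip, now + ttl)
            return True
        return False

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """WAN->LAN packet on an Incoming range. The LAN IP to forward to, or None to drop."""
        for rule in self.rules:
            if rule.incoming[0] <= dst_port <= rule.incoming[1]:
                holder = self._live(rule, now)
                return holder.lan_ip if holder else None
        return None

    def close(self, rule_name: str) -> None:
        """The trigger connection was closed: release the rule for the next computer."""
        self.bindings.pop(rule_name, None)


# Constructed sample rule (port numbers are illustrative, not taken from the guide).
REAL_AUDIO = TriggerRule("Real Audio", incoming=(6970, 7170), trigger=(7070, 7070))

if __name__ == "__main__":
    table = TriggerPortTable([REAL_AUDIO])
    table.outbound("192.168.1.33", "tcp", 7070, now=0)       # A opens the trigger connection
    print(table.inbound(6970, now=10))                        # replies are forwarded to A
    print(table.outbound("192.168.1.34", "tcp", 7070, now=20))  # B is refused while A holds it
    print(table.inbound(6970, now=TCP_TIMEOUT + 1))           # A's binding has timed out
```

The point of the model is the one the guide's fifth step makes: while the binding is live, the incoming range belongs to exactly one LAN host, and a second host is refused rather than silently stealing the forward, which is why an unexpectedly long TCP timeout can look like a "broken" service for the next user.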
  • Page 435: Chapter 29 Introducing The Firewall

    29.1 Using SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next. Figure 29-1 Menu 21: Filter and Firewall Setup 29.1.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall.
  • Page 436: Figure 29-2 Menu 21.2: Firewall Setup

    Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies.
  • Page 437: Chapter 30 Filter Configuration

    Chapter 30 Filter Configuration This chapter shows you how to create and apply filters. 30.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 438: Figure 30-1 Outgoing Packet Filtering Process

    Figure 30-1 Outgoing Packet Filtering Process (flowchart: Outgoing Data Packet, Match, Drop packet) For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets. 30.1.1 Filter Structure A filter set consists of one or more filter rules.
  • Page 439: Figure 30-2 Filter Rule Process

    Figure 30-2 Filter Rule Process (flowchart: Start; Packet into filter; Fetch First Filter Set; Fetch First Filter Rule; Next Filter Rule Available?; Check Next Rule; Fetch Next Filter Rule; Next Filter Set Available?; Fetch Next Filter Set; Drop Packet)...
  • Page 440: Configuring A Filter Set

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 30.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default.
  • Page 441: Table 30-1 Abbreviations Used In The Filter Rules Summary Menu

    Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary. This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.
  • Page 442: Table 30-2 Rule Abbreviations Used

    Refer to the next section for information on configuring the filter rules. 30.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule. To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters.
  • Page 443: Figure 30-5 Menu 21.1.1.1: Tcp/Ip Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Figure 30-5 Menu 21.1.1.1: TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule. Table 30-3 TCP/IP Filter Rule Menu Fields FIELD Active...
  • Page 444 FIELD Port # Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #.
  • Page 445 Table 30-3 TCP/IP Filter Rule Menu Fields FIELD Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged.
  • Page 446: Figure 30-6 Executing An Ip Filter

    Figure 30-6 Executing an IP Filter (flowchart: Packet into IP Filter; Filter Active?; Apply SrcAddrMask to Src Addr; Check Src IP Addr; Apply DestAddrMask to Dest Addr; Check Dest IP Addr; Check IP Protocol; Check Src & Dest Port; More?; Action Matched / Action Not Matched; Drop Packet)...
  • Page 447: Figure 30-7 Menu 21.1.1.1: Generic Filter Rule

    30.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 448 Table 30-4 Menu 21.1.1.1: Generic Filter Rule FIELD Filter Type Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets. Active Select Yes to turn on the filter rule or No to turn it off.
  • Page 449: Example Filter

    30.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. Step 2.
  • Page 450: Figure 30-9 Example Filter: Menu 21.1.3.1

    Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 Destination: IP Addr= 0.0.0.0 Source: IP Addr= 0.0.0.0 TCP Estab= No More= No Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
  • Page 451: Figure 30-10 Example Filter Rules Summary: Menu 21.1.3

    # A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
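The filter process of Figures 30-2 and 30-6 (mask and compare the source address, then the destination, then the protocol and ports, then take the Action Matched or Action Not Matched of the rule, and fall through to the next rule or set on "Check Next Rule") and the telnet example filter just shown are small enough to reproduce as a reference implementation. This is an added example written for this page, not ZyNOS code: the option names for Port # Comp (None, Equal, Not Equal, Less, Greater), the meaning of More=Yes as an AND with the following rule, "SP" as the summary abbreviation for a source port, and forwarding a packet that no rule decides on are all assumptions made here, as are the sample packets.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Actions selectable in Menu 21.1.1.1 for Action Matched / Action Not Matched
DROP, FORWARD, CHECK_NEXT = "Drop", "Forward", "Check Next Rule"

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int            # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int = 0
    dst_port: int = 0
    tcp_estab: bool = False  # True for a packet of an already established TCP connection

@dataclass
class TcpIpRule:
    """One TCP/IP filter rule (Menu 21.1.1.1); a 0.0.0.0 mask matches any address."""
    active: bool = True
    protocol: int = 0            # assumption: 0 means any IP protocol
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_port_comp: str = "None"  # assumed option names: None, Equal, Not Equal, Less, Greater
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_port_comp: str = "None"
    tcp_estab: bool = False      # Yes: only established TCP connections match
    more: bool = False           # assumption: Yes ANDs this rule with the next one in the set
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT
    log: str = "None"            # None, Action Matched, Action Not Matched, Both

def _addr_match(pkt_addr: str, rule_addr: str, rule_mask: str) -> bool:
    """Apply the rule's mask to the packet address and compare (the SrcAddrMask/DestAddrMask steps)."""
    mask = int(IPv4Address(rule_mask))
    return int(IPv4Address(pkt_addr)) & mask == int(IPv4Address(rule_addr)) & mask

def _port_match(pkt_port: int, rule_port: int, comp: str) -> bool:
    return {"None": True, "Equal": pkt_port == rule_port, "Not Equal": pkt_port != rule_port,
            "Less": pkt_port < rule_port, "Greater": pkt_port > rule_port}[comp]

def rule_matches(rule: TcpIpRule, pkt: Packet) -> bool:
    """The checks of Figure 30-6 in order: source, destination, protocol, ports, TCP Estab."""
    return (_addr_match(pkt.src, rule.src_addr, rule.src_mask)
            and _addr_match(pkt.dst, rule.dst_addr, rule.dst_mask)
            and (rule.protocol == 0 or pkt.protocol == rule.protocol)
            and _port_match(pkt.src_port, rule.src_port, rule.src_port_comp)
            and _port_match(pkt.dst_port, rule.dst_port, rule.dst_port_comp)
            and (not rule.tcp_estab or pkt.tcp_estab))

def apply_filter_set(rules: List[TcpIpRule], pkt: Packet, log: List[str]) -> Optional[str]:
    """Walk one filter set (Figure 30-2). Returns Drop/Forward, or None if no rule decided."""
    chain = True  # accumulated result of rules chained with More=Yes
    for idx, rule in enumerate(rules, start=1):
        if not rule.active:
            continue
        matched = chain and rule_matches(rule, pkt)
        if rule.more:  # defer the decision to the next rule of the chain
            chain = matched
            continue
        chain = True
        if rule.log == "Both" or rule.log == ("Action Matched" if matched else "Action Not Matched"):
            log.append(f"rule {idx} {'matched' if matched else 'not matched'}: {pkt}")
        action = rule.action_matched if matched else rule.action_not_matched
        if action != CHECK_NEXT:
            return action
    return None

def filter_packet(filter_sets: List[List[TcpIpRule]], pkt: Packet,
                  log: Optional[List[str]] = None) -> str:
    """Apply up to four sets in order; assumption: a packet no rule decides on is forwarded."""
    log = [] if log is None else log
    for rules in filter_sets:
        decision = apply_filter_set(rules, pkt, log)
        if decision is not None:
            return decision
    return FORWARD

def summary_line(index: int, rule: TcpIpRule) -> str:
    """One row of the Menu 21.1.1 summary, e.g. '1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23'."""
    parts = [f"Pr={rule.protocol}", f"SA={rule.src_addr}", f"DA={rule.dst_addr}"]
    if rule.src_port_comp != "None":
        parts.append(f"SP={rule.src_port}")  # SP is an assumed abbreviation for the source port
    if rule.dst_port_comp != "None":
        parts.append(f"DP={rule.dst_port}")
    return f"{index} {'Y' if rule.active else 'N'} IP " + ", ".join(parts)

# The guide's example filter (set 3, rule 1): drop TCP to destination port 23, forward the rest.
TELNET_RULE = TcpIpRule(protocol=6, dst_port=23, dst_port_comp="Equal",
                        action_matched=DROP, action_not_matched=FORWARD, log="Action Matched")
EXAMPLE_SETS = [[TELNET_RULE]]

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.7 is a documentation address standing in for a WAN host.
    for p in (Packet("203.0.113.7", "192.168.1.1", 6, 4321, 23),
              Packet("203.0.113.7", "192.168.1.1", 6, 4321, 80),
              Packet("203.0.113.7", "192.168.1.1", 17, 4321, 23)):
        print(p.protocol, p.dst_port, "->", filter_packet(EXAMPLE_SETS, p))
    print(summary_line(1, TELNET_RULE))
```

Running it shows why the summary line in Figure 30-10 is worth reading carefully: the rule is keyed on protocol 6 and destination port 23, so a UDP datagram to port 23 or a TCP connection to any other port is "not matched" and takes the Forward action; nothing in this rule, or in the filter facility generally, inspects payload, which is the reason the guide recommends the firewall over filters alone.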
  • Page 452: Filter Types And Nat

    30.4 Filter Types and NAT There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section.
  • Page 453: Applying A Filter

    30.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. If you do not activate the firewall, it is advisable to apply filters. 30.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
  • Page 454: Figure 30-13 Filtering Remote Node Traffic

    Menu 11.5 – Remote Node Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 30-13 Filtering Remote Node Traffic...
  • Page 455: Chapter 31 Snmp Configuration

    31.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password. Figure 31-1 Menu 22: SNMP Configuration The following table describes the SNMP configuration parameters.
  • Page 456: Snmp Traps

    FIELD Trap Community Type the Trap community, which is the password sent with each trap to the SNMP manager. Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel”...
  • Page 457: Smt System Maintenance

    Part XIII: SMT System Maintenance This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management and VPN. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 459: Chapter 32 System Information & Diagnosis

    32.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below. Figure 32-1 Menu 24: System Maintenance 32.2 System Status The first selection, System Status, gives you information on the version of your system firmware and the...
  • Page 460: Figure 32-2 Menu 24.1: System Maintenance: Status

    ZyWALL 2 Series User’s Guide. ...monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Step 1. Enter number 24 to go to Menu 24 - System Maintenance. Step 2.
  • Page 461: System Information And Console Port Speed

    ZyNOS F/W Version Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. You may enter 1 to drop the WAN connection, 9 to reset the counters or [ESC] to return to menu 24.
  • Page 462: Figure 32-3 Menu 24.2: System Information And Console Port Speed

    Step 2. Enter 2 to open Menu 24.2 - System Information and Console Port Speed. Step 3. From this menu you have two choices as shown in the next figure: Figure 32-3 Menu 24.2: System Information and Console Port Speed 32.3.1 System Information System Information gives you information about your system as shown below.
  • Page 463: Log And Trace

    ZyNOS F/W Version: Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. Ethernet Address: Refers to the Ethernet MAC (Media Access Control) address of your ZyWALL. IP Address: This is the IP address of the ZyWALL in dotted decimal notation.
  • Page 464: Figure 32-6 Menu 24.3: System Maintenance: Log And Trace

    2. UNIX Syslog 4. Call-Triggering Packet Press ENTER to Confirm or ESC to Cancel. Figure 32-6 Menu 24.3: System Maintenance: Log and Trace 32.4.1 UNIX Syslog The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server.
  • Page 465 Table 32-3 System Maintenance Menu Syslog Parameters PARAMETER Log Facility: Press [SPACE BAR] and then [ENTER] to select a location. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details. When finished configuring this screen, press [ENTER] to confirm or [ESC] to cancel.
  • Page 466: Firewall Log

    Filter log message format: SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD. IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
  • Page 467: Figure 32-8 Call-Triggering Packet Example

    32.4.2 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. IP Frame: ENET0-RECV Size: Frame Type: IP Header: IP Version Header Length...
  • Page 468: Figure 32-9 Menu 24.4: System Maintenance: Diagnostic

    Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
  • Page 469: Figure 32-10 Wan & Lan Dhcp

    The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 32-4 System Maintenance Menu Diagnostic fields: Ping Host, WAN DHCP Release, WAN DHCP Renewal, Internet Setup Test, Reboot System, Host IP Address=. Enter the number of the selection you would like to perform or press [ESC] to cancel.
  • Page 471: Chapter 33 Firmware And Configuration File Maintenance

    Chapter 33 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 33.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware. After you configure your ZyWALL, you can back up the configuration file to a computer.
  • Page 472: Backup Configuration

    ftp> get rom-0 config.cfg This is a sample FTP session saving the current configuration to the computer file “config.cfg”. If your (T)FTP client does not allow you to have a destination filename different from the source, you will need to rename them as the ZyWALL only recognizes “rom-0”...
  • Page 473: Figure 33-1 Telnet Into Menu 24.5

    preferred method for backing up your current configuration to your computer since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protocol to perform the download/upload and you don’t have to rename the files.
  • Page 474: Figure 33-2 Ftp Session Example

    Step 6. Use “get” to transfer files from the ZyWALL to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions. Step 7.
  • Page 475: File Maintenance Over Wan

    33.3.5 File Maintenance Over WAN TFTP, FTP and Telnet over the WAN will not work when: 1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN). 2. You have disabled Telnet service in menu 24.11. 3.
  • Page 476: Table 33-3 General Commands For GUI-Based TFTP Clients

    TFTP client program. For UNIX, use “get” to transfer from the ZyWALL to the computer and “binary” to set binary transfer mode. 33.3.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom Where “i”...
  • Page 477: Figure 33-3 System Maintenance: Backup Configuration

    Step 1. Display menu 24.5 and enter “y” at the following screen. Ready to backup Configuration via Xmodem. Do you want to continue (y/n): Figure 33-3 System Maintenance: Backup Configuration Step 2. The following screen indicates that the Xmodem download has started. You can enter ctrl-x to terminate operation any time.
  • Page 478: Restore Configuration

    33.4 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previously backed-up configuration; please do not attempt to restore unless you have a backup configuration file stored on disk. FTP is the preferred method for restoring a saved configuration from your computer to your ZyWALL since FTP is faster.
  • Page 479: Figure 33-8 Restore Using Ftp Session Example

    Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your ZyWALL. Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the default is “1234”). Step 5.
  • Page 480: Figure 33-9 System Maintenance: Restore Configuration

    Step 1. Display menu 24.6 and enter “y” at the following screen. Ready to restore Configuration via Xmodem. Do you want to continue (y/n): Figure 33-9 System Maintenance: Restore Configuration Step 2. The following screen indicates that the Xmodem download has started. Starting XMODEM download (CRC mode) ...
  • Page 481: Uploading Firmware And Configuration Files

    33.5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in the previous Restore Configuration section or by following the instructions in Menu 24.7.2 - System Maintenance - Upload System Configuration File (for console port). Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE ... 33.5.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration.
  • Page 482: Figure 33-14 Telnet Into Menu 24.7.2: System Maintenance

    33.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 483: Figure 33-15 Ftp Session Example Of Firmware File Upload

    transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt. 33.5.4 FTP Session Example of Firmware File Upload 331 Enter PASS command Password: 230 Logged in...
  • Page 484: TFTP Upload Command Example

    Step 3. Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete. Step 4.
  • Page 485: Figure 33-16 Menu 24.7.1 As Seen Using The Console Port

    33.5.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen. Menu 24.7.1 - System Maintenance - Upload System Firmware To upload system firmware: 1.
  • Page 486: Figure 33-17 Example Xmodem Upload

    After the firmware upload process has completed, the ZyWALL will automatically restart. 33.5.10 Uploading Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File.
  • Page 487: Figure 33-18 Menu 24.7.2 As Seen Using The Console Port

    Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after "Enter Debug Mode" message. 3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
  • Page 488: Figure 33-19 Example Xmodem Upload

    After the configuration upload process has completed, restart the ZyWALL by entering “atgo”. Figure 33-19 Example Xmodem Upload. Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol.
  • Page 489: Chapter 34 System Maintenance Menus 8 To 10

    System Maintenance Menus 8 to 10 34.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.
  • Page 490: Figure 34-2 Valid Commands

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ? Valid commands are: ras>...
  • Page 491: Call Control Support

    ether: These commands display Ethernet information and configure Ethernet settings. These commands display dial backup information and control dial backup connections. These commands display IP information and configure IP settings. ipsec: These commands display IPSec information and configure IPSec settings. 34.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history.
  • Page 492: Figure 34-4 Budget Management

    Remote Node 1.ChangeMe 2.-------- The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset.
  • Page 493: Time And Date Setting

    The following table describes the fields in this screen. Phone Number: The PPPoE service names are shown here. This shows whether the call was incoming or outgoing. Rate: This is the transfer rate of the call. #call: This is the number of calls made to or received from that telephone number.
  • Page 494: Figure 34-6 Menu 24: System Maintenance

    Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next. Figure 34-6 Menu 24: System Maintenance Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
  • Page 495: Table 34-4 Menu 24.10 System Maintenance: Time And Date Setting

    Table 34-4 Menu 24.10 System Maintenance: Time and Date Setting FIELD Time Protocol Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 496 When the ZyWALL starts up, if there is a timeserver configured in menu 24.10. iii. 24-hour intervals after starting...
  • Page 497: Chapter 35 Remote Management

    35.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via: Internet (WAN only); LAN only; ... When you choose WAN only or ALL (LAN & WAN), you still need to configure a ... To disable remote management of a service, select Disable in the corresponding Server Access field.
  • Page 498: Figure 35-1 Menu 24.11 - Remote Management Control

    TELNET Server: FTP Server: SSH Server: HTTPS Server: HTTP Server: SNMP Service: DNS Service: Figure 35-1 Menu 24.11 – Remote Management Control The following table describes the fields in this screen. Table 35-1 Menu 24.11 – Remote Management Control FIELD Telnet Server Each of these read-only labels denotes a service that you may use to...
  • Page 499: Remote Management Limitations

    Table 35-1 Menu 24.11 – Remote Management Control FIELD Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel" to save your configuration, or press [ESC] to cancel. 35.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1.
  • Page 501: Smt Advanced Management

    Part XIV: SMT Advanced Management. This part provides information on how to configure call scheduling, and VPN/IPSec. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 503: Chapter 36 Call Scheduling

    Call scheduling allows you to dictate when a remote node should be called and for how long. 36.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 504: Figure 36-2 Schedule Set Setup

    To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Press Space Bar to Toggle If a connection has been already established, your ZyWALL will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.
  • Page 505 FIELD If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER]. Start Time: Enter the start time when you wish the schedule set to take effect in hour-minute format.
  • Page 506: Figure 36-3 Applying Schedule Set(s) To A Remote Node (PPPoE)

    Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing= My Login= My Password= ******** Authen= CHAP/PAP Figure 36-3 Applying Schedule Set(s) to a Remote Node (PPPoE) You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s).
  • Page 507: Chapter 37 VPN/IPSec Setup

    37.1 Introduction The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. 2. Menu 27.2 - SA Monitor allows you to manage (refresh or disconnect) your SA connections. This is an overview of the VPN menu tree.
  • Page 508: IPSec Summary Screen

    37.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 — IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus.
  • Page 509 Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. Y signifies that this VPN rule is active. Local Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the LAN behind your ZyWALL.
  • Page 510 Key Mgt: This field displays the SA’s type of key management (IKE or Manual). Remote Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind the remote IPSec router.
  • Page 511: IPSec Setup

    Select Command: Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands.
  • Page 512: Figure 37-4 Menu 27.1.1: IPSec Setup

    Index #= 2 Active= No Local ID type= IP My IP Addr= 0.0.0.0 Peer ID type= IP Secure Gateway Address= zw2test.zyxel Protocol= 0 Local: Remote: Addr Type= SUBNET Enable Replay Detection= No Key Management= IKE Edit Key Management Setup= No You must also configure menu 27.1.1.1 or menu 27.1.1.2 to fully configure and use ... The following table describes the fields in this screen.
  • Page 513 FIELD NAT Traversal Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with Manual key management.
  • Page 514 FIELD Peer ID type Press [SPACE BAR] to choose IP, DNS, or E-mail and press [ENTER]. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
  • Page 515 FIELD Local Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
  • Page 516 Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field.
  • Page 517: IKE Setup

    FIELD Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535. Someone behind the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match this port number or range of port numbers.
  • Page 518: Figure 37-5 Menu 27.1.1.1: IKE Setup

    Phase 1 Negotiation Mode= Main Authentication Method= PreShare Key PSK= qwer1234 Certificate= N/A Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 300 Key Group= DH1 Phase 2 Active Protocol= ESP Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 2880 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None Press Space Bar to Toggle.
  • Page 519 Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. ZyWALL DES encryption algorithm uses a 56-bit key.
  • Page 520: Manual Setup

    Encapsulation: Press [SPACE BAR] to choose from Tunnel mode or Transport mode and then press [ENTER]. See earlier for a discussion of these. Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Press [SPACE BAR] and choose from DH1 or DH2 to enable PFS.
  • Page 521: Figure 37-6 Menu 27.1.1.2: Manual Setup

    To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup, press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup. Active Protocol= ESP Tunnel ESP Setup SPI (Decimal)= Encryption Algorithm= DES...
  • Page 522 Key3: Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated). Authentication Algorithm: Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. Key: Enter the authentication key to be used by IPSec if applicable. The key must be unique.
  • Page 523: Chapter 38 SA Monitor

    This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 38.1 Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections. When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes.
  • Page 524: Table 38-1 Menu 27.2: SA Monitor

    This is the security association index number. Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule.
  • Page 525: General Appendices

    Part XV: General Appendices. This part provides background information about troubleshooting, setting up your computer’s IP address, triangle route, how functions are related, PPPoE, PPTP, wireless LAN, 802.1x, EAP authentication, IP subnetting and safety warnings.
  • Page 527: Appendix A Troubleshooting

    This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our ... Problems Starting Up the ZyWALL. Chart 1 Troubleshooting the Start-Up of Your ZyWALL. PROBLEM: None of the ... Make sure that you have the included power adaptor or cord connected to the ZyWALL...
  • Page 528 Problems with the LAN Interface. Chart 3 Troubleshooting the LAN Interface. PROBLEM: Cannot access the ZyWALL from the LAN. Check your Ethernet cable type and connections. Refer to the Quick Start Guide for LAN connection instructions. Make sure the computer’s Ethernet adapter is installed and functioning properly. PROBLEM: Cannot ping ... Check the 10M/100M LAN LEDs on the front panel.
  • Page 529 Problems with Internet Access. Chart 5 Troubleshooting Internet Access. PROBLEM: Cannot access the Internet. Connect your cable/DSL modem with the ZyWALL using the appropriate cable. Check with the manufacturer of your cable/DSL device about your cable requirement because some devices may require a crossover cable and others a regular straight-through cable.
  • Page 531: Appendix B Setting Up Your Computer's IP Address

    Appendix B Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 532 The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK.
  • Page 533 Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Click the DNS Configuration tab.
  • Page 534 Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
  • Page 535 For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
  • Page 536 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically. -If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Page 537 -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 538 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 539 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list...
  • Page 540 For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. Close the TCP/IP Control Panel.
  • Page 541 Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. For statically assigned settings, do the following: -From the Configure box, select Manually.
  • Page 543: Appendix C Triangle Route

    The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. The “Triangle Route”...
  • Page 544 Diagram 2 “Triangle Route” Problem The “Triangle Route” Solutions This section presents two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces with the ZyWALL being the gateway for each logical network.
  • Page 545 Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
  • Page 546 Step 3. Use the following commands to allow/disallow triangle route. sys firewall ignore triangle all off: This command allows triangle route. sys firewall ignore triangle all on: This command disallows triangle route...
  • Page 547 Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
  • Page 548 Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spectrum to carry data. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless nodes or stations (STA), which is called a Basic Service Set (BSS).
  • Page 549 could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram D-2 ESS Provides Campus-Wide Coverage...
  • Page 551: Appendix E Wireless LAN With IEEE 802.1x

    Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
  • Page 552 RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Diagram E-1 Sequences for EAP MD5–Challenge Authentication Client computer access authorized. Client computer access not authorized.
  • Page 553: Appendix F Types Of EAP Authentication

    Appendix F Types of EAP Authentication This appendix discusses three popular EAP authentication types: EAP-MD5, EAP-TLS and EAP-TTLS. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
  • Page 554 TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. (Comparison table of EAP types; rows: Mutual Authentication, Certificate – Client, Certificate – Server, Dynamic Key Exchange, Credential Security, Deployment Difficulty, Wireless Security, Client Identity Protection; columns: EAP-MD5, EAP-TLS, ...; values visible: None, Strong, Easy, Hard...)
  • Page 555: Appendix G PPPoE

    PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
  • Page 556 The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 557: Appendix H PPTP

    Appendix H PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 558 PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
  • Page 559 Diagram H-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header. PPTP...
  • Page 561 IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 562: Appendix I IP Subnetting

    A class “A” address (24 host bits) can have 2 Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B”...
  • Page 563 of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet.
  • Page 564 Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1”, thus giving two subnets: 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128. In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed”...
  • Page 565 actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254. Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets.
  • Page 566 Chart rows IP Address, IP Address (Binary), Subnet Mask (Binary) (values not recoverable); Subnet Address: 192.168.1.192; Broadcast Address: 192.168.1.255. Example: Eight Subnets Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet (columns: SUBNET, SUBNET ADDRESS; rows not recoverable). The following table is a summary for class “C”...
  • Page 567 Subnetting With Class A and Class B Networks For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B” address has two host ID octets available for subnetting and a class “A” address has three host ID octets available for subnetting.
  • Page 568 Chart I-13 Class B Subnet Planning (columns: NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET; rows not recoverable; visible fragments: (/29), 255.255.255.252 (/30), 255.255.255.254 (/31), 16384, 32768) IP Subnetting...
  • Page 569: Appendix J Safety Warnings And Instructions

    Safety Warnings and Instructions 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40° Celsius (104° Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 571: Command, Log Appendices And Index

    Command, Log Appendices and Index Part XVI: Command, Log Appendices and Index This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection. There is also an index of key terms.
  • Page 573: Appendix K Command Interpreter

    The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the Command Syntax The command keywords are in courier new font.
  • Page 575: Appendix L Firewall Commands

    The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart L-1 Firewall Commands (FUNCTION column): config edit firewall active <yes | no>; config retrieve firewall; config save firewall; config display firewall; config display firewall set <set #>; config display firewall set <set #>...
  • Page 576 FUNCTION column: config display firewall e-mail; config display firewall ?; config edit firewall e-mail mail-server <ip address of mail server>; config edit firewall e-mail return-addr <e-mail address>; config edit firewall e-mail email-to <e-mail address>; config edit firewall e-mail policy <full | hourly | daily | weekly>...
  • Page 577: Firewall Commands

    Chart L-1 Firewall Commands (FUNCTION column): config edit firewall attack block <yes | no>; config edit firewall attack block-minute <0-255>; config edit firewall attack minute-high <0-255>; config edit firewall attack minute-low <0-255>; config edit firewall attack max-incomplete-high <0-255>; config edit firewall attack max-incomplete-low <0-255>...
  • Page 578 FUNCTION column: Config edit firewall set <set #> default-permit <forward | block>; Config edit firewall set <set #> icmp-timeout <seconds>; Config edit firewall set <set #> udp-idle-timeout <seconds>; Config edit firewall set <set #> connection-timeout <seconds>; Config edit firewall set <set #> fin-wait-timeout <seconds>...
  • Page 579 Chart L-1 Firewall Commands (FUNCTION column): Config edit firewall set <set #> rule <rule #> protocol <integer protocol value>; Config edit firewall set <set #> rule <rule #> log <none | match | not-match | both>; Config edit firewall set <set #> rule <rule #>...
  • Page 580 FUNCTION column: config edit firewall set <set #> rule <rule #> TCP destport-single <port #>; config edit firewall set <set #> rule <rule #> TCP destport-range <start port #> <end port #>; config edit firewall set <set #> rule <rule #> UDP destport-single <port #>...
  • Page 581: Appendix M NetBIOS Filter Commands

    The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
  • Page 582 NAME column: Between LAN and WAN: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. IPSec Packets: This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded. Trigger dial: This field displays whether NetBIOS packets are allowed to initiate calls.
  • Page 583 Command: sys filter netbios config 4 off. This command stops NetBIOS packets from initiating calls. NetBIOS Filter Commands...
  • Page 585: Appendix N Boot Commands

    The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATLC firmware) and...
  • Page 586 just answer OK; ATHE: print help; ATBAx: change baudrate (1:38.4k, 2:19.2k, 3:9.6k, 4:57.6k, 5:115.2k); ATENx,(y): set BootExtension Debug Flag (y=password); ATSE: show the seed of password generator; ATTI(h,m,s): change system time to hour:min:sec or show current time; ATDA(y,m,d): change system date to year/month/day or show current date; ATDS: dump RAS stack; ATDT...
  • Page 587: Appendix O Log Descriptions

    LOG MESSAGE: %s exceeds the max. number of session per host! LOG MESSAGE: Time calibration is successful; Time calibration failed; DHCP client gets %s; DHCP client IP expired; DHCP server assigns; SMT Login Successfully; SMT Login Fail; WEB Login Successfully; WEB Login Fail; TELNET Login Successfully...
  • Page 588 TELNET Login Fail; FTP Login Successfully; FTP Login Fail; NAT Session Table is Full! LOG MESSAGE: UPnP pass through Firewall. CATEGORY / LOG MESSAGE: URLFOR IP/Domain Name; URLBLK IP/Domain Name; JAVBLK IP/Domain Name. LOG MESSAGE: attack TCP; attack UDP. Chart O-2 System Maintenance Logs: Someone has failed to log on to the router via telnet.
  • Page 589 LOG MESSAGE: attack IGMP; attack ESP; attack GRE; attack OSPF; attack ICMP (type:%d, code:%d); land TCP; land UDP; land IGMP; land ESP; land GRE; land OSPF; land ICMP (type:%d, code:%d); ip spoofing - WAN TCP; ip spoofing - WAN UDP; ip spoofing - WAN IGMP; ip spoofing - WAN ESP...
  • Page 590 LOG MESSAGE: syn flood TCP; ports scan TCP; teardrop TCP; teardrop UDP; teardrop ICMP (type:%d, code:%d); illegal command TCP; NetBIOS TCP; ip spoofing - no routing entry TCP; ip spoofing - no routing entry UDP; ip spoofing - no routing entry IGMP; ip spoofing - no routing entry ESP; ip spoofing - no...
  • Page 591 LOG MESSAGE: Firewall default policy: TCP (set:%d); Firewall default policy: UDP (set:%d); Firewall default policy: ICMP (set:%d, type:%d, code:%d); Firewall default policy: IGMP (set:%d); Firewall default policy: ESP (set:%d); Firewall default policy: GRE (set:%d); Firewall default policy: OSPF (set:%d); Firewall default policy: (set:%d); Firewall rule match: TCP (set:%d, rule:%d)
  • Page 592 LOG MESSAGE: Firewall rule match: ESP (set:%d, rule:%d); Firewall rule match: GRE (set:%d, rule:%d); Firewall rule match: OSPF (set:%d, rule:%d); Firewall rule match: (set:%d, rule:%d); Firewall rule NOT match: TCP (set:%d, rule:%d); Firewall rule NOT match: UDP (set:%d, rule:%d); Firewall rule NOT match: ICMP (set:%d, rule:%d, type:%d, code:%d)
  • Page 593 LOG MESSAGE: Firewall rule NOT match: (set:%d, rule:%d); Filter default policy DROP!; Filter default policy DROP!; Filter default policy DROP!; Filter default policy DROP!; Filter default policy DROP!; Filter default policy FORWARD!; Filter default policy FORWARD!; Filter default policy FORWARD!; Filter default policy FORWARD!; Filter default policy...
  • Page 594 LOG MESSAGE: Filter match DROP <set %d/rule %d>; Filter match DROP <set %d/rule %d>; Filter match FORWARD <set %d/rule %d>; Filter match FORWARD <set %d/rule %d>; Filter match FORWARD <set %d/rule %d>; Filter match FORWARD <set %d/rule %d>; Filter match FORWARD <set %d/rule %d>...
  • Page 595 LOG MESSAGE: Packet without a NAT table entry blocked; Out of order TCP handshake packet blocked; Drop unsupported/out-of-order ICMP; Router sent ICMP response packet (type:%d, code:%d). ACL SET DIRECTION (NUMBER): LAN to WAN; WAN to LAN; LAN to LAN/ZyWALL; WAN to WAN/ZyWALL. TYPE...
  • Page 596 TYPE / CODE: Destination Unreachable: Net unreachable; Host unreachable; Protocol unreachable; Port unreachable; A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF); Source route failed. Source Quench: A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
  • Page 597 TYPE / CODE: Timestamp Reply: Timestamp reply message; Information Request: Information request message; Information Reply: Information reply message. LOG MESSAGE format: Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>". VPN/IPSec logs: To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next.
  • Page 598: Log Descriptions

    Index: Date/Time: (twelve log entries timestamped 01 Jan 08:02:22 through 01 Jan 08:02:26; entry text not recoverable) Clear IPSec Log (y/n): Diagram O-1 Example VPN Initiator IPSec Log. VPN Responder IPSec Log: The following figure shows a typical log from the VPN connection peer.
  • Page 599 A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel... Chart O-10 Sample IKE Key Exchange Logs (LOG MESSAGE column): Send <Symbol> Mode request to <IP>; Send <Symbol> Mode request to <IP>; Recv <Symbol> Mode request from <IP>; Recv <Symbol>...
  • Page 600 Chart O-10 Sample IKE Key Exchange Logs (LOG MESSAGE column): !! Invalid IP <IP start>/<IP end>; !! Remote IP <IP start> / <IP end> conflicts; !! Active connection allowed exceeded; !! IKE Packet Retransmit; !! Failed to send IKE Packet; !! Too many errors! Deleting SA; !! Phase 1 ID type mismatch; !! Phase 1 ID content mismatch; !! No known phase 1 ID type...
  • Page 601 Chart O-10 Sample IKE Key Exchange Logs (LOG MESSAGE column): vs. My Local <IP address> -> <symbol> Error ID Info. The following table shows sample log messages during packet transmission. Chart O-11 Sample IPSec Logs During Packet Transmission (LOG MESSAGE column): !! WAN IP changed to <IP>; !! Cannot find IPSec SA; !! Cannot find outbound SA for rule <%d>...
  • Page 602 The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Payload types: PROP, TRANS, CER_REQ, HASH, NONCE, NOTFY. Log Commands: Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).
  • Page 603 Chart O-13 Log Categories and Available Settings. LOG CATEGORIES: attack, error, ipsec, javablocked, mten, upnp, urlblocked, urlforward. ... to not record logs for that category, alerts for that category, and ... Use the sys logs save command to store the settings in the ZyWALL (you must do this in order to record logs).
  • Page 604
    ras> sys logs display access
    .time notes message
    0|11/11/2002 15:10:12 |172.22.3.80:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    1|11/11/2002 15:10:12 |172.21.4.17:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    2|11/11/2002 15:10:11 |172.17.2.1 |ACCESS BLOCK Firewall default policy: IGMP(set:8)
    3|11/11/2002 15:10:11 |172.22.3.80:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
    4|11/11/2002 15:10:10 |192.168.20.1:520 |ACCESS BLOCK...
  • Page 605: Appendix P Brute-Force Password Guessing Protection

    Brute-Force Password Guessing The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure. Chart P-1 Brute-Force Password Guessing Protection Commands (COMMAND column): sys pwderrtm; sys pwderrtm 0; sys pwderrtm N...
  • Page 607: Appendix Q Index

    10/100 Mbps Ethernet WAN ... 1-2 4-Port Switch ... 1-2 Access Point... 7-5, Action for Matched Packets ... 11-10 Active...23-6, 23-8, 26-2 Address Assignment ... 3-8, 3-9, 5-2, 6-1 Ad-hoc Configuration ... D-2 Allocated Budget ... 23-7, 26-5 Alternative Subnet Mask Notation...I-3 Application-level Firewalls...
  • Page 608 Configuration File Upload... 33-16 File Backup ... 33-6 File Upload... 33-15 Restoring Files ... 33-9 Content Filtering... 1-3, 12-1 Categories... 12-1 Customizing ... 12-14 Days and Times... 12-1 Filter List... 12-1 Restrict Web Features ... 12-1 Copyright ...ii Custom Ports Creating/Editing ...
  • Page 609 Filter... 23-12, 24-1, 26-9, 30-1 Applying ... 30-17 Configuration ... 30-1 Configuring... 30-4 Example ... 30-13 Generic Filter Rule... 30-11 Generic Rule ... 30-11 NAT ... 30-16 Remote Node ... 30-17 Structure TCP/IP Rule... 30-7 Filters Executing a Filter Rule ... 30-2 IP Filter Logic Flow...
  • Page 610 Inside Local Address ... 8-1 Internet Access... 25-1 ISP's Name ... 25-1 Internet Access Setup ... 25-1, 28-2, A-2 Internet Control Message Protocol (ICMP) ... 10-6 Internet Security Gateway ...xxvii Introduction to Filters ... 30-1 IP address... 23-7, IP Address...3-8, 3-9, 5-1, 6-1, 6-2, 8-5, 8-7, 20-4, 24-4, 24-6, 25-2, 26-7 Remote ...
  • Page 611 Nailed-up Connection ... 26-4 Nailed-Up Connection ... 23-7, 26-5 NAT ... 3-4, 3-9, 5-1, 8-5, 8-6, 23-10, 26-8, 30-16 Application... 8-3 Applying NAT in the SMT Menus ... 28-1 Configuring... 28-3 Definitions ... 8-1 Examples... 28-9 How NAT Works... 8-2 Mapping Types ...
  • Page 612 Replacement ...v Reports... 19-6 Required fields... 21-3 Reset Button ... 1-2 Resetting the Time ... 34-7 Restore ... 20-9 Restore Configuration... 33-8 retry count... 23-5 retry interval ... 23-5 Return Material Authorization Number...v RF signals ...D-1 RIP... 5-2, 5-3, 23-10, 24-4, 24-6, 26-8 Direction...
  • Page 613 System Management Terminal ... 21-2 System Name ...4-2, 22-1 System Status ... 32-1 System Timeout ... 17-2 TCP Maximum Incomplete...11-21, 11-22, 11-24 TCP Security... 10-10 TCP/IP .10-3, 10-4, 17-19, 23-9, 24-2, 24-3, 24-4, 26-7, 30-6, 30-7, 30-9, 30-12, 30-16 Setup ... 24-4 TCP/IP and DHCP Setup ...
  • Page 614 Wireless LAN Setup ... 24-6 Wizard Setup ... 3-1 WLAN ... See Wireless LAN www.dyndns.org... 22-4 www.zyxel.com ...v xDSL Modem ... 1-7 Xmodem File Upload... 33-15 XMODEM Protocol... 33-3 ZyNOS F/W Version...33-2 ZyWALL Firewall Application ...10-3 ZyXEL Limited Warranty Note...v ZyXEL website...