ZyXEL Communications ZyXEL ZYWALL10 User Manual
Internet security gateway
ZyWALL 10
Internet Security Gateway
User's Guide
Version 3.24
April 2001

Summary of Contents for ZyXEL Communications ZyXEL ZYWALL10

  • Page 1 ZyWALL 10 Internet Security Gateway User’s Guide Version 3.24 April 2001...
  • Page 2: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3: Federal Communications Commission (FCC) Interference Statement

    Federal Communications Commission (FCC) Interference Statement. This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Information for Canadian Users

    Information for Canadian Users. The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Declaration of Conformity

    EN 61000-4-8; Voltage dips, short interruptions and voltage variations immunity tests: EN 61000-4-11. Declaration of Conformity: We, the Manufacturer/Importer, ZyXEL Communications Corp., No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, Taiwan, 300 R.O.C., declare that the product ZyWALL 10...
  • Page 7: ZyXEL Limited Warranty

    ZyXEL Limited Warranty. ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper...
  • Page 8: Customer Support

    RMA/Repair hotline +49-2405-6909-99 ftp.europe.zyxel.com Regular Mail ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, HsinChu, Taiwan. ZyXEL Communications Inc., 1650 Miraloma Avenue, Placentia, CA 92870, U.S.A. ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark. ZyXEL Communications Services GmbH.,...
  • Page 9: Table of Contents

    Copyright... ii Federal Communications Commission (FCC) Interference Statement... iii Information for Canadian Users ... iv ZyXEL Limited Warranty ... vii Customer Support... viii Table of Contents ... ix List of Figures... xvii List of Tables ... xxiii Preface... xxvii Getting Started... I Chapter 1 Getting to Know Your ZyWALL ...
  • Page 10 General Setup...2-9 2.7.1 Dynamic DNS ...2-10 2.7.2 Procedure For Configuring Menu 1 ...2-10 2.7.3 Configuring Dynamic DNS...2-11 WAN Setup ...2-12 LAN Setup ...2-13 2.9.1 LAN Port Filter Setup ...2-14 Chapter 3 Internet Access...3-1 TCP/IP and DHCP for LAN ...3-1 3.1.1 Factory LAN Defaults...3-1 3.1.2...
  • Page 11 IP Static Route Setup... 5-2 Chapter 6 Network Address Translation (NAT) ... 6-1 Introduction ... 6-1 6.1.1 NAT Definitions... 6-1 6.1.2 What NAT Does ... 6-1 6.1.3 How NAT Works ... 6-2 6.1.4 NAT Mapping Types... 6-3 6.1.5 SUA (Single User Account) Versus NAT ... 6-4 6.1.6 NAT Application ...
  • Page 12 7.6.2 Remote Node Filters...7-17 Chapter 8 SNMP Configuration...8-1 About SNMP...8-1 Configuring SNMP ...8-1 Chapter 9 System Information & Diagnosis ...9-1 System Status ...9-1 System Information and Console Port Speed...9-3 9.2.1 System Information ...9-4 9.2.2 Console Port Speed ...9-5 Log and Trace ...9-5 9.3.1 Viewing Error Log ...9-5...
  • Page 13 11.2 Call Control Support ... 11-2 11.2.1 Budget Management... 11-2 11.2.2 Call History ... 11-3 11.3 Time and Date Setting ... 11-4 How often does the ZyWALL update the time?... 11-6 11.4 Remote Management Setup... 11-7 11.5 Boot Commands ... 11-8 Chapter 12 Telnet Configuration and Capabilities ...
  • Page 14 14.1 SMT Menus...14-1 14.1.1 View Firewall Log ...14-2 14.1.2 Attack Types ...14-2 14.2 The Big Picture - Filtering, Firewall and NAT ...14-5 14.3 Packet Filtering Vs Firewall...14-6 14.3.1 Packet Filtering ...14-6 14.3.2 Firewall ...14-7 Chapter 15 Introducing the ZyWALL Web Configurator...15-1 15.1 Web Configurator Login and Welcome Screens...15-1 15.2...
  • Page 15 17.1 Introduction ... 17-1 17.2 Creating/Editing A Custom Port ... 17-3 Chapter 18 Logs ... 18-1 18.1 Log Screen... 18-1 Chapter 19 Example Firewall Rules... 19-1 19.1 Examples ... 19-1 19.1.1 Example 1: Firewall Rule To Allow Web Service From The Internet ... 19-1 19.1.2 Example 2: Small Office With Mail, FTP and Web Servers ...
  • Page 16 Appendix E Firewall CLI Commands ...G Appendix F Power Adapter Specifications... L Glossary of Terms ... N Index ... Y Table of Contents...
  • Page 17: List of Figures

    List of Figures: Figure 1-1 Secure Internet Access via Cable ... 1-4 Figure 1-2 Secure Internet Access via DSL ... 1-4 Figure 2-1 Front Panel ... 2-1 Figure 2-2 ZyWALL 10 Rear Panel and Connections... 2-2 Figure 2-3 Initial Screen...
  • Page 18 Figure 4-4 Menu 11.3 — Remote Node Network Layer Options...4-6 Figure 4-5 Menu 11.3 — Remote Node Network Layer Options...4-8 Figure 4-6 Menu 11.5 — Remote Node Filter (Ethernet Encapsulation) ...4-10 Figure 4-7 Menu 11.5 — Remote Node Filter (PPPoE or PPTP Encapsulation) ...4-10 Figure 5-1 Example of Static Routing Topology ...5-1 Figure 5-2 Menu 12 —...
  • Page 19 Figure 6-21 NAT Example 4 ... 6-20 Figure 6-22 Example 4: Menu 15.1.1.1 — Address Mapping Rule... 6-21 Figure 6-23 Example 4: Menu 15.1.1 — Address Mapping Rules ... 6-21 Figure 7-1 Outgoing Packet Filtering Process ... 7-1 Figure 7-2 Filter Rule Process...
  • Page 20 Figure 9-8 Menu 24.3.2 — System Maintenance — UNIX Syslog...9-6 Figure 9-9 Call-Triggering Packet Example ...9-10 Figure 9-10 Menu 24.4 — System Maintenance — Diagnostic ...9-11 Figure 9-11 WAN & LAN DHCP...9-12 Figure 10-1 System Maintenance — Backup Configuration ...10-2 Figure 10-2 Example: Backup Configuration ...10-3 Figure 10-4 Telnet into Menu 24.5 —...
  • Page 21 Figure 12-1 Telnet Configuration on a TCP/IP Network ... 12-1 Figure 13-1 ZyWALL Firewall Application ... 13-3 Figure 13-2 Three-Way Handshake ... 13-5 Figure 13-3 SYN Flood... 13-5 Figure 13-4 Smurf Attack ... 13-6 Figure 13-5 Stateful Inspection ... 13-7 Figure 14-1 SMT Main Menu ...
  • Page 22 Figure 19-2 Example 1: E-mail Screen...19-3 Figure 19-3 Example 1: Configuring a Rule...19-4 Figure 19-4 Example 1: Destination Address for Traffic Originating from the Internet ...19-5 Figure 19-5 Example 1: Rule Summary Screen...19-6 Figure 19-6 Send Alerts When Attacked ...19-7 Figure 19-7 Configuring A POP Custom Port ...19-8 Figure 19-8 Example 2: Local Network Rule 1 Configuration...19-9 Figure 19-9 Example 2: Local Network Rule Summary...19-10...
  • Page 23 List of Tables: Table 2-1 LED Functions ... 2-1 Table 2-2 Main Menu Commands... 2-5 Table 2-3 Main Menu Summary... 2-7 Table 2-4 General Setup Menu Field... 2-11 Table 2-5 Configure Dynamic DNS Menu Fields ... 2-12 Table 2-6 WAN Setup Menu Fields...
  • Page 24 Table 7-2 Rule Abbreviations Used ...7-6 Table 7-3 TCP/IP Filter Rule Menu Fields ...7-8 Table 7-4 Generic Filter Rule Menu Fields...7-12 Table 8-1 SNMP Configuration Menu Fields ...8-2 Table 9-1 System Maintenance — Status Menu Fields...9-2 Table 9-2 Fields in System Maintenance —...
  • Page 25 Table 17-1 Custom Ports ... 17-2 Table 17-2 Creating/Editing A Custom Port ... 17-4 Table 18-1 Log Screen ... 18-2 Table 21-1 Troubleshooting the Start-Up of your ZyWALL ... 21-1 Table 21-2 Troubleshooting the LAN Interface ... 21-2 Table 21-3 Troubleshooting the WAN Interface...
  • Page 27: Preface

    About Your Router: Congratulations on your purchase of the ZyWALL 10 Internet Security Gateway. Don’t forget to register your ZyWALL (fast, easy online registration at www.zyxel.com) for free future product updates and information. The ZyWALL 10 is a dual Ethernet Internet Security Gateway integrated with robust firewall solutions and network management features that allow access to the Internet via Cable/ADSL modem or Internet router.
  • Page 28 Regardless of your particular application, it is important that you follow the steps outlined in Chapters 1 and 2 to connect your ZyWALL to your LAN. You can then refer to the appropriate chapters of the manual, depending on your applications.
  • Page 29: Getting Started

    Part I: Getting Started. Chapters 1 to 3 are structured as a step-by-step guide to help you connect, install and set up your ZyWALL to operate on your network and access the Internet.
  • Page 31: Firewall and Content Filters

    This chapter introduces the main features and applications of the ZyWALL. The ZyWALL 10 Internet Security Gateway: The ZyWALL 10 is a dual Ethernet Internet Security Gateway integrated with a robust firewall and network management features, designed for home offices and small businesses to access the Internet via Cable/ADSL modem or Internet router.
  • Page 32 PPTP Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.
  • Page 33: Applications for ZyWALL 10

    Full Network Management: This feature allows you to access the SMT (System Management Terminal) through the console port or telnet connection. RoadRunner Support: In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunner Service. Time and Date Setting: This new feature (Menu 24.10) allows you to get the current time and date from an external server when you power up your ZyWALL.
  • Page 34: Figure 1-1 Secure Internet Access via Cable

    Figure 1-1 Secure Internet Access via Cable. Figure 1-2 Secure Internet Access via DSL. You can also use your xDSL modem in bridge mode for always-on Internet access and high-speed data transfer. Getting to Know Your ZyWALL...
  • Page 35: Chapter 2 Hardware Installation & Initial Setup

    Hardware Installation & Initial Setup: This chapter explains the LEDs and ports as well as how to connect the hardware and perform... Front Panel LEDs and Back Panel Ports. 2.1.1 Front Panel LEDs: The LEDs on the front panel indicate the operational status of the ZyWALL. The following table describes the LED functions: LEDS / FUNCTION / INDICATOR...
  • Page 36: ZyWALL 10 Rear Panel and Connections

    (LED table, continued: LEDS / FUNCTION / INDICATOR / STATUS: Green.) ZyWALL 10 Rear Panel and Connections: The following figure shows the rear panel of your ZyWALL 10 and the related connections. Figure 2-2 ZyWALL 10 Rear Panel and Connections. This section outlines how to connect your ZyWALL 10 to the LAN and the WAN. In the case of connecting a cable modem, you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the cable modem.
  • Page 37: Additional Installation Requirements

    ...console port of the ZyWALL and the other end (9-pin or 25-pin, depending on your computer) to a serial port (COM1, COM2 or other COM port) of your workstation. You can use an extension RS-232 cable if the enclosed one is too short. After the initial setup, you can modify the configuration remotely through telnet connections.
  • Page 38: Turn On Your ZyWALL

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ Copyright (c) 1994 - 2001 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 39: Table 2-2 Main Menu Commands

    Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. OPERATION / KEYSTROKES: Move down to another menu: [ENTER]. Move up to a previous menu: [ESC]. Move to a “hidden” menu: Press the [SPACE BAR] to change No...
  • Page 40: Main Menu

    Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ZyWALL Main Menu. ... 4. Internet Access Setup. Advanced Applications: 11. Remote Node Setup, 12. Static Routing Setup, 15. NAT Setup. Advanced Management: 21. Filter and Firewall Setup, 22. SNMP Configuration, 23. System Password, 24. ...
  • Page 41: System Management Terminal Interface Summary

    2.5.2 System Management Terminal Interface Summary. Table 2-3 Main Menu Summary (MENU / TITLE): General Setup, WAN Setup, Ethernet Setup, Internet Access Setup, Remote Node Setup, Static Routing Setup, NAT Setup, Filter and Firewall Setup, SNMP Configuration, System Password, System Maintenance, Schedule Setup, Exit. General Setup: Use this menu to set up routing/bridging and general information.
  • Page 42: SMT Menus at a Glance

    2.5.3 SMT Menus at a Glance. Figure 2-6 SMT Menus at a Glance.
  • Page 43: Changing the System Password

    Changing the System Password: The first thing you should do is change the default system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown below. Old Password= ? New Password= ? Retype to confirm= ?
  • Page 44: Dynamic DNS

    The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this field blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual machine, the domain name can be assigned from the ZyWALL via DHCP.
  • Page 45: Configuring Dynamic DNS

    FIELD System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores “_” are accepted.
  • Page 46: WAN Setup

    Table 2-5 Configure Dynamic DNS Menu Fields. FIELD Service Provider: Enter the name of your Dynamic DNS client. Active: Press [SPACE BAR] to cycle between Yes or No. Host: Enter the domain name assigned to your ZyWALL by your Dynamic DNS provider.
  • Page 47: LAN Setup

    The MAC address field allows users to configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file).
  • Page 48: LAN Port Filter Setup

    2.9.1 LAN Port Filter Setup: This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter LAN traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
  • Page 49: Chapter 3 Internet Access

    This chapter shows you how to configure the LAN as well as the WAN of your ZyWALL for Internet... TCP/IP and DHCP for LAN: The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • Page 50: IP Address and Subnet Mask

    Example of network properties for LAN servers with fixed IP addresses: Choose an IP address; Subnet mask; Gateway (or default route). 3.1.3 IP Address and Subnet Mask: Similar to the way houses on a street share a common street name, the machines on a LAN also share one common network number.
  • Page 51: RIP Setup

    ...Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses. Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above.
  • Page 52: IP Alias

    ...WAN interfaces using menus 3.2 (LAN) and 11.3 (WAN). Select None to disable IP Multicasting on these interfaces. 3.1.7 IP Alias: IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
  • Page 53: Figure 3-3 Menu 3 - LAN Setup

    Menu 3 options: LAN Port Filter Setup; TCP/IP and DHCP Setup; Enter Menu Selection Number. From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2 — TCP/IP and DHCP Ethernet Setup: DHCP= Server. Configuration: Client IP Pool Starting Address= 192.168.1.33...
  • Page 54: Table 3-1 DHCP Ethernet Setup Menu Fields

    Table 3-1 DHCP Ethernet Setup Menu Fields. FIELD DHCP: This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled. If set to Relay, the ZyWALL acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients.
  • Page 55: IP Alias Setup

    FIELD Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press the [SPACE BAR] to enable IP Multicasting or select None (default) to disable it.
  • Page 56: Internet Access Setup

    Use the instructions in the following table to configure IP Alias parameters. FIELD IP Alias: Choose Yes to configure the LAN network for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 57: Figure 3-6 Menu 4 - Internet Access Setup (Ethernet)

    ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Login Server IP= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= Full Feature Press ENTER to Confirm or ESC to Cancel: Figure 3-6 Menu 4 —...
  • Page 58: PPTP Encapsulation

    (Table continued: FIELD IP Address; IP Subnet Mask; Gateway IP Address; Network Address Translation.) When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. 3.3.2 PPTP Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks...
  • Page 59: PPPoE Encapsulation

    Figure 3-7 Internet Access Setup (PPTP). The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field in Menu 4. Table 3-5 New Fields in Menu 4 (PPTP) Screen. FIELD Encapsulation: Press the [SPACE BAR] and then press [ENTER] to choose PPTP.
  • Page 60: Figure 3-8 Internet Access Setup (PPPoE)

    ...known as dynamic service selection. This enables the service provider to easily create and offer new IP services for specific users. Operationally, PPPoE saves significant effort for both the end user and ISP/carrier, as it requires no specific configuration of the broadband modem at the customer site.
  • Page 61: Basic Setup Complete

    Basic Setup Complete: Well done! You have successfully connected, installed and set up your ZyWALL to operate on your network as well as access the Internet. Please note that when the firewall is activated, the default policy allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
  • Page 62: Advanced Applications

    Part II: Advanced Applications. Chapters 4 to 6 describe advanced applications including Remote Node Setup, IP Static Routes and NAT.
  • Page 63: Chapter 4 Remote Node Setup

    A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. We will show you how to configure Menu 11.1 - Remote Node Profile, Menu 11.3 - Remote Node Network Layer Options and Menu 11.5 - Remote Node Filter.
  • Page 64 FIELD Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters. Active: Press [SPACE BAR] to select Yes (activate remote node) or No (deactivate remote node). Encapsulation: Ethernet is the default encapsulation.
  • Page 65: PPPoE Encapsulation

    Once you have configured the Remote Node Profile Menu, press [ENTER] to return to menu 11. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. 4.1.2 PPPoE Encapsulation: The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet).
  • Page 66: PPTP Encapsulation

    Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. The following table describes the fields not already described in Table 4-1. Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific). FIELD Authen...
  • Page 67: Figure 4-3 Menu 11.1 - Remote Node Profile for PPTP Encapsulation

    Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Service Type= Standard Service Name=N/A Outgoing= My Login= My Password= ******** Authen= CHAP/PAP PPTP : My IP Addr= Server IP Addr= Connection ID/Name= Press Space Bar to Toggle. Figure 4-3 Menu 11.1 — Remote Node Profile for PPTP Encapsulation. The next table shows how to configure fields in menu 11.1 not previously discussed above.
  • Page 68: Editing TCP/IP Options (with Ethernet Encapsulation)

    Editing TCP/IP Options (with Ethernet Encapsulation): Move the cursor to the Edit IP field in menu 11.1, then press the [SPACE BAR] to toggle and set the value to Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Figure 4-4 Menu 11.3 —...
  • Page 69: Editing TCP/IP Options (with PPTP Encapsulation)

    FIELD Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 70: Figure 4-5 Menu 11.3 - Remote Node Network Layer Options

    Menu 11.3 - Remote Node Network Layer Options. Figure 4-5 Menu 11.3 — Remote Node Network Layer Options. The next table gives you instructions about configuring remote node network layer options. Table 4-5 Remote Node Network Layer Options Menu Fields. FIELD: If your ISP did not assign you an explicit IP address, select Dynamic;...
  • Page 71: Editing TCP/IP Options (with PPPoE Encapsulation)

    ...number. Private: This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 72: Figure 4-6 Menu 11.5 - Remote Node Filter (Ethernet Encapsulation)

    Figure 4-6 Menu 11.5 — Remote Node Filter (Ethernet Encapsulation). Figure 4-7 Menu 11.5 — Remote Node Filter (PPPoE or PPTP Encapsulation). Menu 11.5 - Remote Node Filter: Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= 1...
  • Page 73: Chapter 5 IP Static Route Setup

    Chapter 5 IP Static Route Setup: This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 74: Figure 5-2 Menu 12 - IP Static Route Setup

    IP Static Route Setup: You configure IP static routes in menu 12.1, by selecting one of the IP static routes as shown below. Enter 12 from the main menu. 1. ________ 2. ________ 3. ________ 4.
  • Page 75: Table 5-1 IP Static Route Menu Fields

    FIELD Route #: This is the index number of the static route that you chose in menu 12. Route Name: Enter a descriptive name for this route. This is for identification purposes only. Active: This field allows you to activate/deactivate this static route. Destination IP: This parameter specifies the IP network address of the final destination.
  • Page 77: Chapter 6 Network Address Translation (NAT)

    Network Address Translation (NAT) Introduction: NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet, e.g., the source address of an outgoing packet, used within one network to a different IP address known within another network.
  • Page 78: How NAT Works

    The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, e.g., a web server and a telnet server, on your local network and make them accessible to the outside world.
  • Page 79: NAT Mapping Types

    6.1.4 NAT Mapping Types: NAT supports five types of IP/port mapping. They are: One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address. Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address.
  • Page 80: SUA (Single User Account) Versus NAT

    6.1.5 SUA (Single User Account) Versus NAT: SUA (Single User Account) in previous ZyNOS versions is a subset of NAT that supports two types of mapping, Many-to-One and Server. See section 6.2.3 for a detailed description of the NAT set for SUA. The ZyWALL now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers using all mapping types as outlined in Table 6-2.
  • Page 81: Smt Menus

    ZyWALL 10 Internet Security Gateway Figure 6-2 NAT Application SMT Menus 6.2.1 Applying NAT in the SMT Menus You apply NAT via menus 4 or 11.3 as displayed next. The next figure shows you how to apply NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup.
  • Page 82: Figure 6-3 Menu 4 - Applying Nat For Internet Access

    ZyWALL 10 Internet Security Gateway Figure 6-3 Menu 4 — Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. Step 1. Enter 11 from the main menu. Step 2. Move the cursor to the Edit IP field, press the [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options.
  • Page 83: Configuring Nat

    Table 6-3 Applying NAT in Menus 4 & 11.3 FIELD Network Full Feature Address Translation None SUA Only 6.2.2 Configuring NAT To configure NAT, enter 15 from the main menu to bring up the following screen. 6.2.3 Address Mapping Sets and NAT Server Sets: Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to machines on the LAN.
  • Page 84: Figure 6-6 Menu 15.1 - Address Mapping Sets

    ZyWALL 10 Internet Security Gateway Enter 1 to bring up Menu 15.1 — Address Mapping Sets. Figure 6-6 Menu 15.1 — Address Mapping Sets 1. NAT_SET is a set name that was created as an example. Information about creating your own address mapping sets is provided later in the chapter. Let’s look first at Option 255.
  • Page 85: Table 6-4 Sua Address Mapping Rules

    FIELD Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. This is the index or rule number. Local Start IP is the starting local IP address (ILA) Local Start IP (see Figure 6-1).
  • Page 86: Figure 6-8 Menu 15.1.1 - First Set

    ZyWALL 10 Internet Security Gateway Set Name= NAT_SET Local Start IP --------------- Action= Edit Press ENTER to Confirm or ESC to Cancel: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
  • Page 87: Figure 6-9 Menu 15.1.1.1 - Editing An Individual Rule In A Set

    FIELD Set Name Enter a name for this set of rules. This is a required field. Please note that if this field is left blank, the entire set will be deleted. There are four actions. The default is Edit. Edit means Action you want to edit a selected rule (see following field).
  • Page 88: Nat Server Sets

    ZyWALL 10 Internet Security Gateway The following table describes the fields in this screen. Table 6-6 Menu 15.1.1.1 — Configuring an Individual Rule FIELD Type Local IP Start Global IP Start Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…”...
  • Page 89: Multiple Servers Behind Nat

    6.3.1 Multiple Servers behind NAT If you wish, you can make inside servers for different services, e.g., web or FTP, visible to the outside users, even though NAT makes your whole inside network appear as a single machine to the outside world. A service is identified by the port number, e.g., web service is on port 80 and FTP on port 21.
  • Page 90: Figure 6-11 Menu 15.2 - Nat Server Setup

    Step 4. Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel. If you’re using Ethernet Encapsulation the SMT does not allow you to change the port The most often used port numbers are shown in the following table.
  • Page 91: Examples

    Examples 6.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 6-13 Menu 4 — Internet Access & NAT Example From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field.
  • Page 92: Example 2: Internet Access With An Inside Server

    the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case. 6.4.2 Example 2: Internet Access with an Inside Server In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
  • Page 93: Example 3: General Case

    6.4.3 Example 3: General Case In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and the other IGA is used by all.
  • Page 94: Figure 6-17 Example 3: Menu

    Step 3. Enter 1 to configure the Address Mapping Sets. Step 4. Enter 1 to begin configuring this new set. Enter a Set Name, choose the Edit Action and then enter 1 for the Select Rule field. Press [ENTER] to confirm. Step 5.
  • Page 95 When you have configured all four rules, Menu 15.1.1 should look as follows. Set Name= Example3 Local Start IP --------------- 1. 192.168.1.10 192.168.1.11 3. 0.0.0.0 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8.
  • Page 96: Example 4: Nat Unfriendly Application Programs

    6.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
  • Page 97: Figure 6-22 Example 4: Menu 15.1.1.1 - Address Mapping Rule

    Type= Many-to-Many No Overload Local IP: Start= 192.168.1.10 = 192.168.1.12 Global IP: Start= 10.132.50.1 = 10.132.50.3 Figure 6-22 Example 4: Menu 15.1.1.1 — Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Set Name= Example4 Local Start IP ---------------...
  • Page 98: Advanced Management

    Advanced Management Part III: Advanced Management Chapters 7 — 12 provide information on ZyWALL Filtering, SNMP Configuration, System Information and Diagnosis, Transferring Files, System Maintenance and Telnet.
  • Page 100: Chapter 7 Filter Configuration

    About Filtering Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.
  • Page 101: The Filter Structure Of The Zywall

    7.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 102: Filter Set

    Fetch Next Filter Set Next Filter Set Available? Drop Packet You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Filters Filter Set Fetch Next...
  • Page 103: Configuring A Filter Set

    Configuring a Filter Set To configure a filter set, follow the procedure below. For more information on menus 21.2 and 21.3, please see Part 4. Step 1. Select option 21. Filter Set Configuration from the main menu to open menu 21. Figure 7-4 Menu 21 —...
  • Page 104: Figure 7-6 Netbios_Wan Filter Rules Summary

    # A Type - - ---- -------------------------------------------- --------- - - - 1 Y IP Pr=6, 2 Y IP Pr=6, 3 Y IP Pr=6, 4 Y IP Pr=17, 5 Y IP Pr=17, 6 Y IP Pr=17, Figure 7-6 NetBIOS_WAN Filter Rules Summary # A Type - - ---- -------------------------------------------- --------- - - - 1 Y IP...
  • Page 105: Filter Rules Summary Menu

    7.2.1 Filter Rules Summary Menu This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Table 7-1 Abbreviations Used in the Filter Rules Summary Menu FIELD The filter rule number: 1 to 6.
  • Page 106: Configuring A Filter Rule

    ABBREVIATION Refer to the next section for information on configuring the filter rules. 7.2.2 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1 for the rule. To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters.
  • Page 107: Table 7-3 Tcp/Ip Filter Rule Menu Fields

    The following table describes how to configure your TCP/IP filter rule. FIELD Active Yes activates the filter rule and No deactivates it. IP Protocol Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1.
  • Page 108 FIELD according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. Select the logging option from the following: None – No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged.
  • Page 109: Figure 7-10 Executing An Ip Filter

    The following figure illustrates the logic flow of an IP filter. Packet into IP Filter Filter Active? Apply SrcAddrMask to Src Addr Check Src IP Addr Matched Apply DestAddrMask to Dest Addr Check Dest IP Addr Matched Check IP Protocol...
  • Page 110: Generic Filter Rule

    7.2.4 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 111: Table 7-4 Generic Filter Rule Menu Fields

    Table 7-4 Generic Filter Rule Menu Fields FIELD Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type Use the [SPACE BAR] to select a rule type.
  • Page 112: Example Filter

    Example Filter Let’s look at an example to block outside users from telnetting into the ZyWALL. Please see our included disk for more example filters. Step 1. Enter 21 from the main menu to open Menu 21.1 - Filter Set Configuration. Step 2.
  • Page 113: Figure 7-13 Example Filter - Menu 21.1.1.1

    Menu 21.1.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 Destination: IP Addr= 0.0.0.0 Source: IP Addr= 0.0.0.0 TCP Estab= No More= No Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
  • Page 114: Filter Types And Nat

    Menu 21.1.3 - Filter Rules Summary # A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 Enter Filter Rule Number (1-6) to Configure: 1 This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
  • Page 115: Firewall

    the raw packets that appear on the wire. They are applied at the point when the ZyWALL is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or any other hardware port. The following diagram illustrates this.
  • Page 116: Remote Node Filters

    7.6.2 Remote Node Filters Go to menu 11.5 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas.
  • Page 118: Chapter 8 Snmp Configuration

    This chapter discusses SNMP (Simple Network Management Protocol) for network management. About SNMP Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. Keep in mind that SNMP is only available if TCP/IP is configured on your ZyWALL.
  • Page 119: Table 8-1 Snmp Configuration Menu Fields

    The following table describes the SNMP configuration parameters. Table 8-1 SNMP Configuration Menu Fields FIELD Get Community: Enter the get community, which is the password for incoming Get- and GetNext- requests from the management station. Set Community: Enter the set community, which is the password for incoming Set- requests from the management station.
  • Page 120: Chapter 9 System Information & Diagnosis

    This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below. Figure 9-1 Menu 24 —...
  • Page 121: Figure 9-2 Menu 24.1 - System Maintenance - Status

    Port Status 10M/Half 10M/Half Port: Ethernet Address 00:a0:c5:21:8c:a3 00:a0:c5:21:8c:a2 System up Time: 22:11:43 Name: xxx.baboo.mickey.com Routing: IP ZyNOS F/W Version: V324WA0b06 | 3/14/2001 COMMANDS: 1-Drop WAN 9-Reset Counters Figure 9-2 Menu 24.1 — System Maintenance — Status The following table describes the fields present in Menu 24.1 - System Maintenance - Status.
  • Page 122: System Information And Console Port Speed

    FIELD IP Address IP Mask DHCP Ethernet Address IP Address IP Mask DHCP System up Time Name ZyNOS F/W Version You may enter 1 to drop the WAN connection, 9 to reset the counters or [ESC] to return to menu 24. System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds.
  • Page 123: System Information

    9.2.1 System Information System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc. Figure 9-4 Menu 24.2.1 — System Maintenance — Information Table 9-2 Fields in System Maintenance —...
  • Page 124: Console Port Speed

    9.2.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port. Use the [SPACE BAR] to select the desired speed in menu 24.2.2, as shown below. Menu 24.2.2 –...
  • Page 125: Unix Syslog

    Figure 9-6 Menu 24.3 — System Maintenance — Log and Trace Examples of typical error and information messages are presented in the figure below. Clear Error Log (y/n): Figure 9-7 Examples of Error and Information Messages...
  • Page 126: Table 9-3 System Maintenance Menu Syslog Parameters

    You need to configure the UNIX syslog parameters described in the following table to activate syslog then choose what you want to log. Table 9-3 System Maintenance Menu Syslog Parameters PARAMETER UNIX Syslog: Active Press [SPACE BAR] to turn syslog on or off. Syslog IP Address Enter the IP Address of the server that will log the CDR (Call Detail Record) and system messages i.e., the syslog server.
  • Page 127: Packet Triggered

    1. CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call = the call reference number which starts from 1 and increments by 1 for each new call str = C01 Outgoing Call dev xx ch xx (dev:device No.
  • Page 128: Firewall Log

    Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF Mar 03 11:59:20 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 12:00:31 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 12:00:52 202.132.155.97 ZyXEL: GEN[ffffffffffff0080] }S05>R01mF Mar 03 12:00:57 202.132.155.97 ZyXEL: GEN[00a0c5f502010080] }S05>R01mF...
  • Page 129: Call-Triggering Packet

    9.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. IP Frame: ENET0-RECV Size: Frame Type: IP Header:...
  • Page 130: Wan Dhcp

    Figure 9-10 Menu 24.4 — System Maintenance — Diagnostic Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select option 4.
  • Page 131: Figure 9-11 Wan & Lan Dhcp

    The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 9-4 System Maintenance Menu Diagnostic FIELD Ping Host WAN DHCP Release WAN DHCP Renewal Internet Setup Test Reboot System Host IP Address= Enter the number of the selection you would like to perform or press [ESC] to...
  • Page 132: Chapter 10 Firmware And Configuration File Maintenance

    Chapter 10 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 10.1 Filename conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 133: Firmware Development

    FILE TYPE INTERNAL NAME Configuration Rom-0 File Firmware 10.1.1 Firmware Development It is important to upgrade your firmware regularly, especially if there are problems. If you discover an unexpected behavior, or bug, see if your problem is mentioned in the release notes. Load it according to instructions (e.g., see if the default configuration file is needed also).
  • Page 134: Example: Backup Configuration Using Hyperterminal

    10.2.1 Example: Backup Configuration Using HyperTerminal This section contains examples of backup configuration, restore configuration and upload firmware using the HyperTerminal program. Other serial communications programs should be similar. In menu 24.5 enter y. Run the HyperTerminal program. Click Transfer, then Receive File to display the following screen. Figure 10-2 Example: Backup Configuration 10.2.2 Backup Configuration Using Telnet Telnetting into the ZyWALL produces this Backup Configuration screen.
  • Page 135: Restore Configuration

    10.3 Restore Configuration Menu 24.6 -- System Maintenance - Restore Configuration allows you to restore the configuration via the console port. FTP and TFTP are the preferred methods for restoring your current workstation configuration to your ZyWALL since FTP and TFTP are faster.
  • Page 136: Upload Firmware

    To transfer the firmware and the configuration file, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested. 3. Type “put backupfilename rom-0” where backupfilename is the name of your backup configuration file on your workstation and rom-spt is the remote file name on the router.
  • Page 137: Example: Xmodem Upload Using Hyperterminal

    Step 4. After successful firmware upload, enter atgo to restart the ZyWALL. Menu 24.7.1 - System Maintenance - Upload Router Firmware To upload router firmware: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 138: Tftp File Transfer

    Menu 24.6 replaces the current configuration with the customized configuration you backed up previously. Menu 24.7.2 shows you the instructions for uploading the Router Configuration file that replaces the current configuration file with the default configuration file, i.e., zywall.rom. You will lose all configurations that you had before and the speed of the console port will be reset to the default of 9600 bps with 8 data bits, no parity and 1 stop bit (8n1).
  • Page 139: Example: Tftp Command

    Step 1. Use telnet from your workstation to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address. Step 2.
  • Page 140: Ftp File Transfer

    COMMAND Remote File Binary Abort TFTP over WAN will not work if: You have disabled Telnet service in menu 24.11. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service. The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately.
  • Page 141: Figure 10-13 Telnet Into Menu

    Menu 24.7.1 - System Maintenance - Upload Router Firmware To upload the router firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  • Page 142: Using The Ftp Command From The Dos Prompt

    10.6.1 Using the FTP command from the DOS Prompt Step 1. Launch the FTP client on your workstation. Step 2. Type open and the IP address of your ZyWALL. Step 3. Press [ENTER] when prompted for a username. Step 4. Type root and your SMT password as requested.
  • Page 143: Table 10-3 Third Party Ftp Clients - General Fields

    Table 10-3 Third Party FTP Clients — General Fields COMMAND Host Address Login Type Transfer Type Initial Remote Directory. Initial Local Directory. FTP over WAN will not work if: You have disabled Telnet service in menu 24.11. You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service.
  • Page 144: Chapter 11 System Maintenance & Information

    System Maintenance. A list of valid commands can be found by typing help or ? at the command prompt. Type “exit” to return to the SMT main menu when finished. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ras> ?
  • Page 145: Call Control Support

    11.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the ZyWALL within certain times.
  • Page 146: Call History

    The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control.
  • Page 147: Time And Date Setting

    FIELD Phone Number: The PPPoE service names are shown here. This shows whether the call was incoming or outgoing. Rate: This is the transfer rate of the call. #call: This is the number of calls made to or received from that telephone number.
  • Page 148: Figure 11-6 Menu 24 - System Maintenance

    Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next. Figure 11-6 Menu 24 — System Maintenance Then enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.
  • Page 149: How Often Does The Zywall Update The Time

    FIELD Use Time Server when Bootup: Enter the time service protocol that your time server sends when you turn on the ZyWALL. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 150: Remote Management Setup

    11.4 Remote Management Setup Telnet and FTP do not support encryption, so for very strong security both services should be shut down. This is done in Menu 24.11 - Remote Management Control. Enter 11 from menu 24 to bring up this menu.
  • Page 151: Boot Commands

    11.5 Boot Commands The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen.
  • Page 152: Figure 11-10 Boot Module Commands

    just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATTI(h,m,s) change system time to hour:min:sec or show current time ATDA(y,m,d) change system date to year/month/day or show current date ATDS dump RAS stack ATDT...
  • Page 154: Chapter 12 Telnet Configuration And Capabilities

    Chapter 12 Telnet Configuration and Capabilities This chapter covers the Telnet Configuration and Capabilities of the ZyWALL. 12.1 About Telnet Configuration Before the ZyWALL is properly setup for TCP/IP, the only option for configuring it is through the console port.
  • Page 155: System Timeout

    12.3.2 System Timeout There is a system timeout of 5 minutes (300 seconds) for either the console port or telnet. Your ZyWALL will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
  • Page 156: Firewall And Content Filters

    Firewall and Content Filters Part IV: Firewall and Content Filters Chapters 13 — 20 define the term “Firewall”, introduce the ZyWALL Firewall and ZyWALL Web Configurator, describe how to create Custom Rules and configure customized ports, explain Logs and provide Example Firewall Rules. Chapter 20 explains Content Filtering and how to use the ZyWALL to restrict web features such as ActiveX controls and Java applets, etc.
  • Page 158: Chapter 13 What Is A Firewall

    Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The network term firewall is typically defined as a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network.
  • Page 159: Stateful Inspection Firewalls

    Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems.
  • Page 160: Denial Of Service

    Figure 13-1 ZyWALL Firewall Application 13.3 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 161: Types Of Dos Attacks

    Some of the most common IP ports are: 13.3.2 Types of DoS attacks There are four types of DoS attacks: Those that exploit bugs in a TCP/IP implementation. Those that exploit weaknesses in the TCP/IP specification. Brute-force attacks that flood a network with useless data.
  • Page 162: Figure 13-2 Three-Way Handshake

    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. 2-a SYN Attack floods a targeted system with a series of SYN packets.
  • Page 163: Stateful Inspection

    A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network.
  • Page 164: Stateful Inspection Process

    Denies all sessions originating from the WAN (Internet) to the LAN (local network). The previous figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
  • Page 165: Stateful Inspection & The Zywall

    Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list, and is permitted because of the temporary access list entry previously created. The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary.
  • Page 166: Udp/Icmp Security

    If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed.
  • Page 167: Security In General

    Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port might give unauthorized individuals total control of the firewall, even with access control configured.
  • Page 168 Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult passwords to crack are those with upper and lower case letters, numbers and a symbol such as % or #. Upgrade your software regularly. Many older versions of software, especially web browsers, have well known security deficiencies.
  • Page 170: Chapter 14 Introducing The Zywall Firewall

    This chapter shows you how to get started with the ZyWALL Firewall. Please see Chapter 13 for 14.1 SMT Menus From the main menu (see below) enter 21 to go to Menu 21 - Filter Set and Firewall Configuration. Copyright (c) 1994 - 2000 ZyXEL Communications Corp. Getting Started 1. General Setup 2.
  • Page 171: View Firewall Log

    The firewall protects against Denial of Service (DOS) attacks when it is active. The default Policy sets 1. allow all sessions originating from the LAN to the WAN and 2. deny all sessions originating from the WAN to the LAN You may define additional Policy rules or modify existing ones but please exercise extreme caution in doing so Active: No...
  • Page 172: Table 14-1 Icmp Commands That Trigger Alerts

    ICMP Echo A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network.
  • Page 173: Figure 14-4 View Firewall Log

    Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall. Teardrop Teardrop attacks exploit weaknesses in the reassembly of IP packet fragments.
  • Page 174: The Big Picture - Filtering, Firewall And Nat

    FIELD This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. Time This is the time the log was recorded in this format. You must configure menu 24.10 for real time;...
  • Page 175: Packet Filtering Vs Firewall

    Figure 14-5 Big Picture — Filtering, Firewall and NAT 14.3 Packet Filtering Vs Firewall Below are some comparisons between the ZyWALL’s filtering and firewall functions. 14.3.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 176: Firewall

    When To Use Filtering To block/allow LAN packets by their MAC address. To block/allow special IP packets which are neither TCP, UDP, nor ICMP packets. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 178: Chapter 15 Introducing The Zywall Web Configurator

    Introducing the ZyWALL Web Configurator This chapter shows you how to configure your firewall with the Web Configurator. 15.1 Web Configurator Login and Welcome Screens Launch your web browser and enter 192.168.1.1 as the URL. This is the factory default IP address of the ZyWALL when shipped.
  • Page 179: Figure 15-2 Zywall Web Configurator Welcome Screen

    Figure 15-2 ZyWALL Web Configurator Welcome Screen
  • Page 180: Enabling The Firewall

    15.2 Enabling the Firewall Click Firewall, then Configuration, then the Rule Config tab to enable the firewall as seen in the following screen. Figure 15-3 Enabling the Firewall 15.3 E-mail This screen allows you to specify your mail server, where e-mail alerts should be sent as well as when and how often they should be sent.
  • Page 181: What Are Logs

    mail account. Enter the complete e-mail address to which alert messages will be sent in the E-mail Alerts To field and schedule times for sending alerts in the Alert Timer fields in the E-mail screen (following screen). 15.3.2 What are Logs? A log is a detailed record that you create for packets that either match a rule, don’t match a rule or both when you are creating/editing a firewall rule (see Figure 16-4).
  • Page 182: Table 15-1 E-Mail

    FIELD Address Information Mail Server Enter the IP address of your mail server in dotted decimal format. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and alert messages will not be sent via e-mail.
  • Page 183: Smtp Error Messages

    15.3.3 SMTP Error Messages If there are difficulties in sending e-mail, the following error messages appear. Please see the Support Notes on the included disk for information on other types of error messages. E-mail error messages appear in menu 24.3.1 as "SMTP action request failed. ret= ??". "??" is described in the following table.
  • Page 184: Attack Alert

    Subject: Firewall Alert From ZyWALL
    Date: Fri, 07 Apr 2000 10:05:42
    From: user@zyxel.com user@zyxel.com
    1|Apr 7 00 |From:192.168.1.1 |forward | 09:54:03 |UDP src port:00520 dest port:00520
    2|Apr 7 00 |From:192.168.1.131 |forward | 09:54:17 |UDP src port:00520 dest port:00520
    3|Apr 7 00 |From:192.168.1.6 | 09:54:19 |UDP src port:03516 dest port:00053
    ……………………………..{snip}…………………………………..
  • Page 185: Half-Open Sessions

    Type of traffic for certain servers. If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced. You should make any changes to the threshold values before you continue configuring firewall rules.
  • Page 186: Figure 15-6 Attack Alert

    Figure 15-6 Attack Alert The following table describes the fields in this screen.
  • Page 187: Table 15-3 Attack Alert

    FIELD Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See the Logs Chapter for more information on logs and alerts.
  • Page 188 FIELD rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number. TCP Maximum Incomplete: This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to...
  • Page 190: Chapter 16 Creating Custom Rules

    This chapter contains instructions for defining both Local Network and Internet rules. 16.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the ZyWALL’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet.
  • Page 191: Security Ramifications

    What computers on the LAN are to be affected (if any)? What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
  • Page 192: Connection Direction

    16.3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall. 16.3.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN.
  • Page 193: Rule Summary

    Figure 16-2 WAN to LAN Traffic 16.4 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both. Click on Firewall, then Local Network to bring up the following screen. This screen is a summary of the existing rules.
  • Page 194: Figure 16-3 Firewall Rules Summary - First Screen

    Figure 16-3 Firewall Rules Summary — First Screen The following table describes the fields in this screen.
  • Page 195: Table 16-1 Firewall Rules Summary - First Screen

    Table 16-1 Firewall Rules Summary — First Screen FIELD: General: Name; Default Permit (the default action for packets not matching following rules); Log. Firewall Rule Summary: Source IP; Destination IP; Service; Action. Move Rule To: Rule Number; Move. DESCRIPTION...
  • Page 196: Predefined Services

    FIELD Click Apply to create a new firewall rule. New firewall rules are added at the end after existing firewall rules. Click Edit to edit an existing filter rule. See section 16.5 for more details. Click Delete to delete an existing firewall rule. Note that subsequent firewall rules move up by one when you take this action.
  • Page 197: Table 16-2 Predefined Services

    Table 16-2 Predefined Services SERVICE / DESCRIPTION: BGP(TCP:179) Border Gateway Protocol. BOOTP_CLIENT(UDP:68) DHCP Client. BOOTP_SERVER(UDP:67) DHCP Server. CU-SEEME(TCP/UDP:7648, 24032) A popular videoconferencing solution from White Pines Software. DNS(UDP/TCP:53) FINGER(TCP:79) FTP(TCP:20, 21) HTTP(TCP:80) HTTPS ICMP ICQ(UDP:4000) IRC(TCP/UDP:6667) NEWS(TCP:144) NFS(UDP:2049) NNTP(TCP:119) RCMD(TCP:512) REAL_AUDIO(TCP:7070) REXEC(TCP:514) RLOGIN(TCP:513) RTELNET(TCP:107) RTSP(TCP/UDP:554)
  • Page 198 SERVICE / DESCRIPTION: SFTP(TCP:115) Simple File Transfer Protocol. SMTP(TCP:25) Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. SNMP(TCP/UDP:161) SNMP-TRAPS(TCP/UDP:162) SQL-NET(TCP:1521) SSH(TCP/UDP:22) STRM WORKS(UDP:1558) TACACS(UDP:49) TELNET(TCP:23) TFTP(UDP:69) VDOLIVE(TCP:7000)
  • Page 199: Creating/Editing Firewall Rules

    16.5.1 Creating/Editing Firewall Rules To create a new rule, click a number (No.) then click Edit in the last screen shown to display the following screen. Figure 16-4 Creating/Editing A Firewall Rule
  • Page 200: Table 16-3 Creating/Editing A Firewall Rule

    Table 16-3 Creating/Editing A Firewall Rule FIELD: Source Address; Destination Address; Services Available/Selected; Action for Matched Packets; Alert. When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen. DESCRIPTION...
  • Page 201: Source And Destination Addresses

    16.5.2 Source and Destination Addresses To add a new source or destination address, click SrcAdd or DestAdd from the screen above. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the screen above.
  • Page 202: Table 16-4 Adding/Editing Source And Destination Addresses

    Table 16-4 Adding/Editing Source and Destination Addresses FIELD Address Type Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop down list box Start IP Address Enter the single IP address or the starting IP address in a range...
  • Page 203: Timeout

    16.6 Timeout The fields in the Timeout screens are the same for Local and Internet networks, so the discussion below refers to both. 16.6.1 Factors Influencing Choices for Timeout Values The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values –...
  • Page 204: Table 16-5 Timeout Menu

    FIELD TCP Timeout Values Connection Timeout This is the length of time the ZyWALL waits for a TCP session to reach the established state before dropping the session. FIN-Wait Timeout This is the length of time a TCP session remains open after the firewall detects a FIN-exchange (indicating the end of the TCP session).
  • Page 206: Chapter 17 Custom Ports

    Chapter 17 Custom Ports This chapter covers creating, viewing and editing custom ports. 17.1 Introduction Configure customized ports for services not predefined by the ZyWALL (see Figure 16-4). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website.
  • Page 207: Table 17-1 Custom Ports

    FIELD Customized Services Status Name Protocol Add a New Entry Click a custom port number option box (No.) and then click Edit to edit an existing service (custom port) or Delete to delete that service (custom port). Click Help for online HTML help on fields in this screen.
  • Page 208: Creating/Editing A Custom Port

    17.2 Creating/Editing A Custom Port Click Edit to create a new custom port or edit an existing one. This displays the following screen. Figure 17-2 Creating/Editing A Custom Port The next table describes the fields in this screen.
  • Page 209: Table 17-2 Creating/Editing A Custom Port

    Table 17-2 Creating/Editing A Custom Port FIELD Service Name Service Type Port Configuration Type Port Number When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen.
  • Page 210: Chapter 18 Logs

    Chapter 18 Logs This chapter contains information about using the log screen to view the results of the rules you have configured. 18.1 Log Screen When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 16-4).
  • Page 211: Table 18-1 Log Screen

    FIELD This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. Time This is the time the log was recorded in this format.
  • Page 212: Chapter 19 Example Firewall Rules

    Chapter 19 Example Firewall Rules This chapter gives examples for configuring various rules for WAN to LAN and LAN to WAN. 19.1 Examples Whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may have to also configure a server behind NAT using SMT menu 15.2.
  • Page 213: Figure 19-1 Activate The Firewall

    Step 1. Activate the firewall. You may activate the firewall through the ZyWALL Web Configurator as shown next (click Configuration, the Config tab, then check the Firewall Enabled box) or through SMT menu 21.2. You can only configure the firewall using the ZyWALL Web Configurator or CI commands (see Appendices).
  • Page 214: Figure 19-2 Example 1: E-Mail Screen

    Step 2. Configure your E-mail screen as follows. Click the E-mail tab to bring up the next screen. Figure 19-2 Example 1: E-mail Screen Enter 10.100.1.2, the IP address of the mail server here. Enter a subject for these e-mails here.
  • Page 215: Figure 19-3 Example 1: Configuring A Rule

    Step 3. Configure your firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering our local network, but you want to create a hole for web service from the Internet.
  • Page 216: Figure 19-4 Example 1: Destination Address For Traffic Originating From The Internet

    Step 4. Click DestAdd to configure the destination address as the IP of your server on the LAN. Figure 19-4 Example 1: Destination Address for Traffic Originating from the Internet 10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP, Telnet and mail services) to which we wish to...
  • Page 217: Example 2: Small Office With Mail, Ftp And Web Servers

    Step 5. When you have finished configuring your rules, the Rule Summary screen should look like this. Click Apply in this screen to save your configuration back to the ZyWALL. Block packets that don’t match the rules specified below.
  • Page 218: Figure 19-6 Send Alerts When Attacked

    Step 1. First you want to send alerts when there is an attack. Go to the Attack Alert screen (click Configuration, then the Attack Alert tab) shown next. Step 2. Configure the E-mail screen as shown in example 1: your mail server’s IP is 192.168.10.2. Step 3.
  • Page 219: Figure 19-7 Configuring A Pop Custom Port

    Figure 19-7 Configuring A POP Custom Port Step 4. Now, you will create rules to block all outgoing traffic (from the local network to the Internet) except for traffic originating from the HTTP proxy server and our mail server. Click Internet to see the Rule Summary screen.
  • Page 220: Figure 19-8 Example 2: Local Network Rule 1 Configuration

    Step 5. Click SrcAdd under the Source Address box and enter the IP address of the mail server (192.168.10.2) in the same fashion as in Figure 19-4. You want to forward packets that match these rules. Figure 19-8 Example 2: Local Network Rule 1 Configuration Step 6.
  • Page 221: Figure 19-9 Example 2: Local Network Rule Summary

    Step 7. The Rule Summary screen should look like Figure 19-9. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Rule 1 forwards SMTP and POP traffic from the mail server and Rule 2 forwards HTTP traffic from the proxy web server.
  • Page 222: Figure 19-10 Example: Internet To Local Network Rule Summary

    Step 9. On completing the procedure, the Rule Summary for these Internet firewall rules should look like the following screen. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. IP address of the FTP server to which traffic from the Internet will be forwarded.
  • Page 223: Example 3: Dhcp Negotiation And Syslog Connection From The Internet

    19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet The following are some Internet firewall rule examples that allow DHCP negotiation between the ISP and the ZyWALL 10 and allow a syslog connection from the Internet. Step 1.
  • Page 224: Figure 19-12 Syslog Rule Configuration

    Step 2. Follow the procedures outlined in the previous examples to configure all your rules. When finished, your rule summary screen should look like the following. Figure 19-12 Syslog Rule Configuration This is the address range of the syslog servers.
  • Page 225: Figure 19-13 Example 3: Rule Summary

    Step 3. On completing the procedure, the Rule Summary for these Internet firewall rules should look like the following screen. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Rule 1: Allow DHCP negotiation between the ISP and the ZyWALL 10.
  • Page 226: Chapter 20 Content Filtering

    This chapter provides a brief overview of content filtering using the Web Configurator. For more detailed Internet content filtering allows schools and businesses to create and enforce Internet access policies tailored to their needs. Content filtering gives the ability to block certain web features or specific URLs and should not be confused with packet filtering via SMT menu 21.1.
  • Page 227: Figure 20-1 Categories Screen

    Figure 20-1 Categories Screen
  • Page 228: Update List

    20.2 Update List Content on the Internet is constantly changing, so the content filter list should be updated on a weekly basis. Figure 20-2 List Update Screen
  • Page 229: Exempting Computers

    20.3 Exempting Computers This screen allows the administrator to include or exclude a range of users on the LAN from content filtering. Figure 20-3 Exempt Zone Screen
  • Page 230: Customizing

    20.4 Customizing Customize the content filter list by adding or removing specific sites from the filter list. Figure 20-4 Customize Screen
  • Page 231: Keywords

    20.5 Keywords The ZyWALL can also be configured to block certain web sites by using URL keywords. Figure 20-5 Keyword Screen
  • Page 232: Log Records

    20.6 Log Records This screen records the results of your content filter policies. Figure 20-6 Logs Screen
  • Page 233: Troubleshooting, Appendices, Glossary And Index

    Troubleshooting, Appendices, Glossary and Index Part V: Troubleshooting, Appendices, Glossary and Index Chapter 21 provides information about solving common problems, followed by some Appendices, a Glossary of Terms and an Index.
  • Page 235: Chapter 21 Troubleshooting

    This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our 21.1 Problems Starting Up the ZyWALL Table 21-1 Troubleshooting the Start-Up of your ZyWALL Problem None of the LEDs are on when you turn on the ZyWALL.
  • Page 236: Problems With The Lan Interface

    21.2 Problems with the LAN Interface Table 21-2 Troubleshooting the LAN Interface Problem Can’t ping any workstation on the LAN. 21.3 Problems with the WAN interface Table 21-3 Troubleshooting the WAN interface Problem Cannot get WAN IP from the ISP. Can’t connect to a remote node or ISP.
  • Page 237: Problems With Internet Access

    21.4 Problems with Internet Access Table 21-4 Troubleshooting Internet Access Problem: Cannot access the Internet. Connect your Cable/xDSL modem with the ZyWALL using the appropriate cable. Check with the manufacturer of your Cable/xDSL device about your cable requirement, because some devices may require a crossover cable and others a regular patch cable.
  • Page 239: Appendix A PPPoE

    PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
  • Page 240 How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 241: Appendix B PPTP

    Appendix B PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 242 Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS.
  • Page 243: Appendix C Hardware Specifications

    Power Specification MTBF Operation Temperature Ethernet Specification for Ethernet Specification for Console Port RS – 232 Pin 9 WAN/LAN Cable Pin Layout: Straight-Through (Switch) IRD + IRD - OTD + OTD - Hardware Specifications I/P AC 120V / 60Hz ;...
  • Page 244: Appendix D Important Safety Instructions

    The following safety instructions apply to the ZyWALL. Be sure to read and follow all warning notices and instructions. The maximum recommended ambient temperature for the ZyWALL is 40° Celsius (104° Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 245: Appendix E Firewall Cli Commands

    The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select Menu 24.8 - Command Interpreter Mode from the main menu to go into CLI mode. For details on other CLI commands to configure your ZyWALL, please consult the included disk. Function CLI Syntax config edit firewall active <yes...
  • Page 246: Cli Commands

    Function CLI Syntax config edit firewall e-mail email-to <e-mail address> config edit firewall e-mail policy <full | hourly | daily | weekly> config edit firewall e-mail day <sunday | monday | tuesday | wednesday | thursday | friday | saturday>...
  • Page 247 Function CLI Syntax Config edit firewall set <set #> default-permit <forward | block> Config edit firewall set <set #> icmp-timeout <seconds> Config edit firewall set <set #> udp-idle-timeout <seconds> Config edit firewall set <set #> connection-timeout <seconds> Config edit firewall set <set #> fin-wait-timeout <seconds>...
  • Page 248 Function CLI Syntax config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask> config edit firewall set <set #> rule <rule #> srcaddr-range <start ip address> <end ip address> config edit firewall set <set #> rule <rule #>...
  • Page 249 Function CLI Syntax config delete firewall e-mail config delete firewall attack config delete firewall set <set #> config delete firewall set <set #> rule <rule #> Description Removes all the settings for e-mail alert. Resets all the settings for attack to default setting.
  • Page 250: Appendix F Power Adapter Specifications

    North America AC Power Adapter model MW48-1201200 Input power: AC120Volts/60Hz Output power: DC12Volts/1.2A Power consumption: 9 W Plug: North American standards Safety standards: UL, CUL (UL 1310, CSA C22.2 No.233-M91) AC Power Adapter model AD48-1201200DUY Input power: AC120Volts/60Hz Output power: DC12Volts/1.2A Power consumption: 9 W...
  • Page 251 Japan AC Power Adapter model JOD-48-1124 Input power: AC100Volts/ 50/60Hz/ 27VA Output power: DC12Volts/1.2A Power consumption: 9 W Plug: Japan standards Safety standards: T-Mark Australia and New Zealand AC Power Adapter model AD-1201200DS Input power: AC240Volts/50Hz/0.2A Output power: DC12Volts/1.2A Power consumption: 9 W Plug: Australia and New Zealand standards...
  • Page 252: Glossary Of Terms

    10BaseT The 10-Mbps baseband Ethernet specification that uses two pairs of twisted-pair cabling (Category 3 or 5): one pair for transmitting data and the other for receiving data. Address Resolution Protocol is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network.
  • Page 253 Cookie A string of characters saved by a web browser on the user's hard disk. Many web pages send cookies to track specific user information. Cookies can be used to retain information as the user browses a web site. For example, cookies are used to 'remember' the items a shopper may have in a shopping cart.
  • Page 254 Digital Signature Digital code that authenticates whoever signed the document or software. Software, messages, Email, and other electronic documents can be signed electronically so that they cannot be altered by anyone else. If someone alters a signed document, the signature is no longer valid.
  • Page 255 Events These are network activities. Some activities are direct attacks on your system, while others might be depending on the circumstances. Therefore, any activity, regardless of severity is called an event. An event may or may not be a direct attack on your system. (Frequently Asked Questions) -- FAQs are documents that list and answer the most common questions on a particular subject.
  • Page 256 Integrity Proof that the data is the same as originally intended. Unauthorized software or people have not altered the original information. internet (Lower case i) Any time you connect 2 or more networks together, you have an internet. Internet (Upper case I) The vast collection of inter-connected networks that all use the TCP/IP protocols and that evolved from the ARPANET of the late 60’s and early 70’s.
  • Page 257 same as your Ethernet address.) The MAC layer frames data for transmission over the network, then passes the frame to the physical layer interface where it is transmitted as a stream of bits. Name Resolution The allocation of an IP address to a host name. See DNS Network Address Translation is the translation of an Internet Protocol address used within one network to a different IP address known within another network - see also SUA.
  • Page 258 This category of computer criminal includes several different types of illegal activities: making copies of software for others to use; distributing pirated software over the Internet or a Bulletin Board System; receiving or downloading illegal copies of software in any form.
  • Page 259 Proxy Server A server that performs network operations in lieu of other systems on the network. Proxy Servers are most often used as part of a firewall to mask the identity of users inside a corporate network yet still provide access to the Internet. When a user connects to a proxy server, via a web browser or other networked application, he submits commands to the proxy server.
  • Page 260 security flaws in their network systems. Server A computer, or a software package, that provides a specific kind of service to client software running on other computers. Shoulder Surfing Looking over someone's shoulder to see the numbers they dial on a phone, or the information they enter into a computer.
  • Page 261 TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP (File Transfer Protocol), but it is scaled back in functionality so that it requires fewer resources to run. TFTP uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
  • Page 263: Index

    Action for Matched Packets ... 16-11 Activate The Firewall ... 19-3 Alert Schedule ... 15-5 Application-level Firewalls ... 13-1 AT command ... 10-1 Attack Reasons ... 18-2 Attack Alert ... 15-7, 15-8, 15-9, 15-10 Attack Types... 14-3 Reason... 14-5 Authentication... 4-3, 4-4 BackOrifice ...
  • Page 264 E-mail tab ...15-4 Encapsulation PPP over Ethernet...A Ethernet Encapsulation3-8, 4-1, 4-5, 4-6, 4-10, 6- 12, 6-14 Example E-mail Log ...15-6 Examples ...19-1 Factory Default...2-13 Filename Conventions...10-1 Filter ... 2-14, 4-9, 7-1 About... 7-1 Applying... 7-16 Configuring ...
  • Page 265 Rule Summary ... 16-4 log... 9-5 Log Facility ... 9-7 Log Screen ... 18-1 Login screen ... 15-1 MAC Address ... 2-13, 21-2 Mail Server ... 15-5 Main Menu... 2-6 maximum incomplete high... 15-10 maximum incomplete low ... 15-10 max-incomplete high ... 15-8 max-incomplete low...
  • Page 266 Security Ramifications...16-2 Send Alerts When Attacked ...19-7 Server ... 3-1, 3-9, 4-2, 6-3, 6-4, 6-7, 6-9, 6-12, 6-13, 6- 14, 6-16, 6-17, 11-6, N, U, V Service ... vii, 16-2 Service Type ... 3-9, 4-2, 17-4, 21-2 Services Supported...16-8 SMT...2-4 SMT Menus at a Glance...2-9...
  • Page 267 xDSL modem... 1-3, 1-4, 2-3, 2-4, 4-3, 21-2, 21-3 XMODEM protocol... 10-2 ZyNOS... 2-13, 6-4, 6-7, 9-3, 9-4, 10-1, 10-2 ZyNOS F/W Version... 9-3, 9-4, 10-1 ZyWALL Firewall Application...13-3 ZyWALL Web Configurator ..13-2, 13-8, 13-9, 14-2, 15-1, 15-2, 16-2, 19-2 ZyXEL Limited Warranty Note ...vii ZyXEL website ...
