Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
This Class B digital apparatus complies with Canadian standard ICES-003.
Viewing Certifications
1 Go to http://www.zyxel.com.
2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.
P-202H Plus v2 User’s Guide
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
•...
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
• Brief description of the problem and the steps you took to solve it. METHOD SUPPORT E-MAIL TELEPHONE WEB SITE REGULAR MAIL SALES E-MAIL FTP SITE LOCATION support@zyxel.com.tw +886-3-578-3942 www.zyxel.com ZyXEL Communications Corp. CORPORATE www.europe.zyxel.com 6 Innovation Road II HEADQUARTERS Science Park sales@zyxel.com.tw +886-3-578-2439 ftp.zyxel.com Hsinchu 300 (WORLDWIDE) Taiwan ftp.europe.zyxel.com...
METHOD SUPPORT E-MAIL TELEPHONE WEB SITE REGULAR MAIL SALES E-MAIL FTP SITE LOCATION support@zyxel.no +47-22-80-61-80 www.zyxel.no ZyXEL Communications A/S Nils Hansens vei 13 NORWAY sales@zyxel.no +47-22-80-61-81 0667 Oslo Norway info@pl.zyxel.com +48 (22) 333 8250 www.pl.zyxel.com ZyXEL Communications ul. Okrzei 1A...
Table of Contents
List of Figures
List of Tables
Preface
Chapter 1 Getting To Know Your ZyXEL Device
1.1 Introducing the ZyXEL Device
1.2 Features
1.3 Applications for the ZyXEL Device
1.3.1 Internet Access
1.3.2 LAN-to-LAN Connection
...
3.2.1 Test Your Internet Connection
Chapter 4 LAN Setup
4.1 LAN Overview
4.1.1 LANs, WANs and the ZyXEL Device
4.1.2 DHCP Setup
4.1.2.1 IP Pool Setup
4.1.3 DNS Server Address Assignment
4.2 LAN TCP/IP
4.2.1 IP Address and Subnet Mask
...
8.4.2.2 Illegal Commands (NetBIOS and SMTP)
8.4.2.3 Traceroute
8.5 Stateful Inspection
8.5.1 Stateful Inspection Process
8.5.2 Stateful Inspection and the ZyXEL Device
8.5.3 TCP Security
8.5.4 UDP/ICMP Security
8.5.5 Upper Layer Protocols
8.6 Guidelines for Enhancing Security with Your Firewall
...
12.1 NetCAPI Overview
12.2 CAPI
12.2.1 ISDN-DCP
12.3 Configuring NetCAPI
12.3.1 Configuring the ZyXEL Device as a NetCAPI Server
12.3.2 RVS-COM
12.3.3 Example of Installing a CAPI driver and Communication Software
...
14.5 Budget Control
Chapter 15 Introducing the SMT
15.1 SMT Introduction
15.2 Accessing the ZyXEL Device via Console Port
15.2.1 Initial Screen
15.2.2 Entering Password
15.3 Procedure for SMT Configuration via Telnet
15.4 SMT Menu Overview
...
15.5.1 System Management Terminal Interface Summary
15.6 Changing the System Password
Chapter 16 Menu 1 General Setup
16.1 General Setup
16.2 Procedure To Configure Menu 1
16.2.1 Procedure to Configure Dynamic DNS
Chapter 17 Menu 2 ISDN Setup
...
34.1 SA Monitor Overview
34.2 Using SA Monitor
Chapter 35 IPSec Log
35.1 IPSec Logs
Chapter 36 Troubleshooting
36.1 Problems Starting Up the ZyXEL Device
36.2 Problems with the LAN
36.3 Problems with the ISDN Line
36.4 Problems with Remote User Dial-in
36.5 Problems Accessing the ZyXEL Device
Appendix A Product Specifications
Appendix B Wall-mounting Instructions
Appendix C Log Descriptions
Appendix D Setting up Your Computer’s IP Address
...
List of Figures
Figure 1 Internet Access Application
Figure 2 LAN-to-LAN Application Example
Figure 3 Remote Access
Figure 4 Secure Internet Access and VPN Application
Figure 5 Front Panel
Figure 6 Password Screen
...
Figure 75 Menu 1 General Setup
Figure 76 Menu 1.1 Configure Dynamic DNS
Figure 77 ZyXEL Device Behind a PABX
Figure 78 Menu 2 ISDN Setup
Figure 79 Menu 2.1 ISDN Advanced Setup
Figure 80 Loopback Test
...
Figure 82 Menu 3 Ethernet Setup
Figure 83 Menu 3.1 LAN Port Filter Setup
Figure 84 Menu 3.2 TCP/IP and DHCP Ethernet Setup
Figure 85 Physical Network & Partitioned Logical Networks
Figure 86 Menu 3.2.1 IP Alias Setup
...
Figure 125 NAT Example 3
Figure 126 NAT Example 3: Menu 11.3
Figure 127 Example 3: Menu 15.1.1.1
Figure 128 Example 3: Final Menu 15.1.1
Figure 129 Example 3: Menu 15.2
Figure 130 NAT Example 4
...
Figure 168 Display for a Successful Manual Call
Figure 169 Telnet in Menu 24.5
Figure 170 FTP Session Example
Figure 171 System Maintenance: Backup Configuration
Figure 172 System Maintenance: Starting Xmodem Download Screen
Figure 173 Backup Configuration Example
...
Figure 211 Wall-mounting Example
Figure 212 Windows 95/98/Me: Network: Configuration
Figure 213 Windows 95/98/Me: TCP/IP Properties: IP Address
Figure 214 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
Figure 215 Windows XP: Start Menu
Figure 216 Windows XP: Control Panel
...
List of Tables
Table 1 Front Panel LEDs
Table 2 Web Configurator Screens Summary
Table 3 Password
Table 4 Wizard 1: ISDN Line Set Up
Table 5 Wizard 2: ISP Parameters For Internet Access
Table 6 Wizard: LAN Configuration
...
Table 39 Rule Setup with Manual Key
Table 40 SA Monitor
Table 41 Global Setting
Table 42 Telecommuter and Headquarters Configuration Example
Table 43 VPN Logs
Table 44 NetCAPI
...
Table 107 Sample IPSec Logs During Packet Transmission
Table 108 RFC-2408 ISAKMP Payload Types
Table 109 Troubleshooting Starting Up Your ZyXEL Device
Table 110 Troubleshooting the LAN
Table 111 Troubleshooting the ISDN Line
Table 112 Troubleshooting Remote User Dial-in
...
Settings and then click Control Panel.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
• The P-202H Plus v2 may be referred to as the “ZyXEL Device” in this User’s Guide.
Related Documentation
•...
User Guide Feedback Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
The ZyXEL Device is a high-performance ISDN router that offers a complete Internet access solution. By integrating NAT, firewall, VPN capability and a four-port switch, the ZyXEL Device is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
ISDN Basic Rate Interface (BRI) Support
The ZyXEL Device supports a single BRI. A BRI offers two 64 Kbps channels, which can be used independently for two destinations or be bundled to speed up data transfer.
Protocol) bundle dynamically, dropping or reconnecting a channel in a bundle when necessary. Previously, the router did this for voice calls only, but now with this new feature, the ZyXEL Device can drop a channel in an MP bundle if there is a data packet to another remote node.
IP default gateway and DNS servers to all systems that support the DHCP client. The ZyXEL Device can also act as a surrogate DHCP server (DHCP relay) where it relays IP address assignment from another DHCP server to the clients.
Caller ID Display Services on Analog PSTN Lines
The ZyXEL Device supports Caller ID information on both phone ports. To use Caller ID Display you need a special telephone or display unit that can show and store incoming telephone numbers.
Figure 2 LAN-to-LAN Application Example
1.3.3 Remote Access Server
Your ZyXEL Device allows remote users to dial-in and gain access to your LAN. This feature enables individuals that have computers with remote access capabilities to dial in to access the network resources without being physically in the office.
Figure 4 Secure Internet Access and VPN Application
1.4 Front Panel LEDs
The following figure shows the front panel LEDs.
Figure 5 Front Panel
Table 1 Front Panel LEDs COLOR STATUS DESCRIPTION POWER Green The ZyXEL Device is receiving power and functioning properly. Blinking The ZyXEL Device is rebooting or performing diagnostics. Power to the ZyXEL Device is too low. The system is not ready or has malfunctioned.
LAN port for initial configuration.
1 Make sure your ZyXEL Device hardware is properly connected (refer to the Quick Start Guide).
2 Prepare your computer/computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
If you forget your password or cannot access the web configurator or the SMT menu, you will need to use the RESET button at the back of the ZyXEL Device to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to “1234”.
Use this screen to configure servers behind the ZyXEL Device.
Address Mapping: Use this screen to configure network address translation mapping rules.
Dynamic DNS: Use this screen to allow the ZyXEL Device to use dynamic host name resolution.
Firewall Config: Use this screen to enable the firewall.
Click Logout to exit the web configurator.
2.4.1 Changing Login Password
It is highly recommended that you periodically change the password for accessing the ZyXEL Device. If you didn’t change the default one after you logged in or you want to change to a new password again, then click Advanced Setup >...
Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type. After you change the password, use the new password to access the ZyXEL Device. Retype to Type the new password again for confirmation.
PABX, enter this number in the Outside Line Prefix field. Otherwise, leave it blank. Please note that the PABX prefix is for calls initiated by the ZyXEL Device only. If you place a call from a device on either A/B adapter, you must dial the prefix by hand.
If you are using both B channels, select Switch/Switch (default). If you are only using one B channel (for example, your ZyXEL Device is sharing the ISDN line with another device), then select Switch/Unused. If your second B channel is a leased line, select Switch/Leased.
If you select Don't Care, then all data calls are routed to the ZyXEL Device itself. Analog calls, however, are routed to either A/B adapter 1 or 2, or simply ignored, depending on the Analog Call Routing field.
Your ZyXEL Device always calls your ISP using the primary phone number first. Type the number exactly as your ISP gave you.
Secondary Phone #: If the primary phone number is busy or does not answer, your ZyXEL Device will dial the secondary phone number if available.
Dial Out Channel Setting
Transfer Type: This field specifies the type of connection between the ZyXEL Device and your ISP. Select 64K or Leased.
Multilink: The ZyXEL Device uses the PPP Multilink Protocol (PPP/MP) to bundle multiple links in a single connection to boost the effective throughput between two nodes. This option is only available if the transfer type is 64K.
Figure 12 Wizard 3: Summary
4 If you click Change LAN Configuration to change your ZyXEL Device LAN settings, the screen displays as shown below.
Figure 13 Wizard: LAN Configuration
5 The ZyXEL Device automatically tests the connection to the computer(s) connected to the LAN ports. To test the connection from the ZyXEL Device to the ISP, click Start Diagnose. Otherwise click Return to Main Menu to go back to the Site Map screen.
Refer to the rest of this User's Guide for more detailed information on the complete range of ZyXEL Device features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the Wizard Setup are correct.
TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured.
4.1.2.1 IP Pool Setup
The ZyXEL Device is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specifications in the appendices. Do not assign static IP addresses from the DHCP pool to your LAN computers.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyXEL Device, but make sure that no other device on your network is using that IP address.
DHCP client. If set to None, the DHCP server will be disabled. If set to Relay, the ZyXEL Device acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients. Enter the IP address of the actual, remote DHCP server in the Remote DHCP Server field in this case.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device automatically selects the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.
A WAN (Wide Area Network) is an outside connection to another network or the Internet.
5.1.1 PPP Multilink
The ZyXEL Device uses the PPP Multilink Protocol (PPP/MP) to bundle multiple links in a single connection to boost the effective throughput between two nodes.
Type the number exactly as your ISP gave you.
Secondary Phone #: If the primary phone number is busy or does not answer, your ZyXEL Device will dial the secondary phone number if available. Some areas require dialing the pound sign (#) before the phone number for local calls.
Nailed-Up Connection: Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected.
Connect on Demand: Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
IP address known within another network.
6.1.1 NAT Definitions
Inside/outside denotes where a host is located relative to the ZyXEL Device. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
6.1.5 NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
• One to One: In One-to-One mode, the ZyXEL Device maps one local IP address to one global IP address.
• Many to One: In Many-to-One mode, the ZyXEL Device maps multiple local IP addresses to one global IP address.
Table 10 on page
• Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device.
• Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device.
Select this radio button to disable NAT.
SUA Only: Select this radio button if you have just one public WAN IP address for your ZyXEL Device. The ZyXEL Device uses Server Set 1 in the NAT - Edit SUA/NAT Server Set screen.
Note: If you do not assign an IP address in Server Set 1 (default server), the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
Figure 21 Multiple Servers Behind NAT Example
6.5 Configuring SUA Server
Note: If you do not assign an IP address in Server Set 1 (default server), the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
Click Cancel to return to the previous configuration.
6.6 Configuring Address Mapping
Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored.
One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
Server Mapping Set field.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to return to the previously saved settings.
Delete: Click Delete to exit this screen without saving.
Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.
See Section 7.2 on page 74 for configuration instructions.
7.2 Configuring Dynamic DNS
To change your ZyXEL Device’s DDNS, click Dynamic DNS. The screen appears as shown. See Section 7.1 on page 74 for more information.
This is the name of your Dynamic DNS service provider.
Host Name: Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider. You can specify up to two host names in the field separated by a comma (",").
Chapter 8 Firewalls
This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall.
8.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
The ZyXEL Device also has packet filtering capabilities. The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyXEL Device is pre-configured to automatically detect and thwart all known DoS attacks.
8.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
4 IP Spoofing.
• SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.
Figure 29 Smurf Attack
8.4.2.1 ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
Table 18 ICMP Commands That Trigger Alerts
REDIRECT
TIMESTAMP_REQUEST
TIMESTAMP_REPLY
ADDRESS_MASK_REQUEST
ADDRESS_MASK_REPLY
8.4.2.2 Illegal Commands (NetBIOS and SMTP)
The ZyXEL Device uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
The previous figure shows the ZyXEL Device’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked.
Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyXEL Device itself (as with the "virtual connections" created for UDP and ICMP).
A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies.
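The ICMP rule described above can be modelled as a small state table. This is an added example, not ZyXEL firmware code; the 60-second idle timeout, matching on the ICMP identifier, allowing one reply per request, and the sample addresses are assumptions made for illustration.

```python
"""Model of stateful ICMP 'virtual connections': a reply is admitted only
if a matching request left the LAN first. Added illustration only."""

# ICMP type numbers (RFC 792 and RFC 950).
ECHO_REPLY, ECHO_REQUEST = 0, 8
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
ADDRESS_MASK_REQUEST, ADDRESS_MASK_REPLY = 17, 18

# The only request -> reply pairs that open a return path, per the text.
REPLY_FOR = {
    ECHO_REQUEST: ECHO_REPLY,
    ADDRESS_MASK_REQUEST: ADDRESS_MASK_REPLY,
    TIMESTAMP_REQUEST: TIMESTAMP_REPLY,
}

IDLE_TIMEOUT = 60.0  # seconds; assumed value, the guide does not give one


class IcmpStateTable:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        # (lan_ip, wan_ip, expected_reply_type, ident) -> expiry time
        self._pending = {}

    def outbound(self, lan_ip, wan_ip, icmp_type, ident, now):
        """Record a LAN-to-WAN packet; only the three request types add state."""
        reply_type = REPLY_FOR.get(icmp_type)
        if reply_type is not None:
            key = (lan_ip, wan_ip, reply_type, ident)
            self._pending[key] = now + self.idle_timeout

    def inbound(self, wan_ip, lan_ip, icmp_type, ident, now):
        """Return True if a WAN-to-LAN ICMP packet answers a pending request."""
        # Drop state that has aged out before looking anything up.
        self._pending = {k: t for k, t in self._pending.items() if t >= now}
        # Assumption: one reply per request, so the entry is consumed.
        return self._pending.pop((lan_ip, wan_ip, icmp_type, ident), None) is not None


# Constructed sample traffic: (direction, src, dst, icmp_type, ident, time).
LAN, PEER, OTHER = "192.168.1.33", "203.0.113.7", "198.51.100.9"
SAMPLE_EVENTS = [
    ("out", LAN, PEER, ECHO_REQUEST, 1, 0.0),
    ("in", PEER, LAN, ECHO_REPLY, 1, 0.2),           # answers the echo
    ("in", PEER, LAN, ECHO_REPLY, 1, 0.3),           # duplicate, state consumed
    ("in", OTHER, LAN, ECHO_REQUEST, 7, 1.0),        # unsolicited request
    ("in", OTHER, LAN, TIMESTAMP_REPLY, 7, 1.1),     # reply nobody asked for
    ("out", LAN, PEER, TIMESTAMP_REQUEST, 2, 2.0),
    ("in", PEER, LAN, ADDRESS_MASK_REPLY, 2, 2.1),   # wrong reply type
    ("in", PEER, LAN, TIMESTAMP_REPLY, 2, 2.2),      # answers the timestamp
    ("out", LAN, PEER, ECHO_REQUEST, 3, 10.0),
    ("in", PEER, LAN, ECHO_REPLY, 3, 80.0),          # arrives after timeout
]


def replay(events, table=None):
    """Run events through the table; return a verdict per inbound packet."""
    table = table or IcmpStateTable()
    verdicts = []
    for direction, src, dst, icmp_type, ident, now in events:
        if direction == "out":
            table.outbound(src, dst, icmp_type, ident, now)
        else:
            ok = table.inbound(src, dst, icmp_type, ident, now)
            verdicts.append("ALLOW" if ok else "BLOCK")
    return verdicts


if __name__ == "__main__":
    for verdict in replay(SAMPLE_EVENTS):
        print(verdict)
```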
8.7 Packet Filtering Vs Firewall
Below are some comparisons between the ZyXEL Device’s filtering and firewall functions.
8.7.1 Packet Filtering:
• The router filters packets as they pass through the router’s interface according to the filter rules you designed.
8.7.1.1 When To Use Filtering
• To block/allow LAN packets by their MAC addresses.
• To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
• To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
To change your ZyXEL Device's E-mail log settings, click Firewall, and then E-mail. The screen appears as shown. Use the E-Mail screen to configure where the ZyXEL Device sends logs, the schedule for sending them, and which logs and/or immediate alerts it sends.
E-mail Alerts To: Alerts are sent to the e-mail address specified in this field. If this field is left blank, alerts will not be sent via e-mail.
Return Address: Type an E-mail address to identify the ZyXEL Device as the sender of the e-mail messages, i.e., a "return-to-sender" address for backup purposes.
Attack alerts are real-time reports of DoS attacks. In the Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyXEL Device uses thresholds to determine when to drop sessions that do not become fully established.
• If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
Incomplete High deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number.
Click Cancel to begin configuring this screen afresh.
9.4 Rules Overview
Firewall rules are subdivided into "Local Network" and "Internet". By default, the ZyXEL Device's stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
9.5.1 Rule Checklist
State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.”...
9.5.3.3 Source Address
What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
9.5.3.4 Destination Address
What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
9.6 Connection Direction
This section describes examples for firewall rules for connections going from LAN to WAN
Figure 34 Firewall > Rule Summary
The following table describes the labels in this screen.
Table 23 Firewall > Rule Summary
LABEL: DESCRIPTION
The default action for: Use the drop-down list box to select whether to Block (silently discard) or Forward (allow the passage of) packets that do not match the following rules.
Click Move to move the rule.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.
9.7.1 Configuring Firewall Rules
Refer to Section 8.1 on page 76...
Figure 35 Firewall > Edit a Rule
The following table describes the labels in this screen.
Table 24 Firewall > Edit a Rule
LABEL: DESCRIPTION
Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one.
Table 24 Firewall > Edit a Rule (continued)
LABEL: DESCRIPTION
Action for Matched Packet: Use the drop down list box to select whether to Block (silently discard) or Forward (allow the passage of) packets that match this rule.
This field determines if a log is created for packets that match the rule (Match), don't match the rule (Not-Match), match either rule (Both) or no log is created (None).
Click Cancel to return to the previously saved settings.
9.7.3 Customized Services
Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. For further information on these services, please read Section 9.11 on page...
9.7.4 Configuring A Customized Service
Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen. Refer to Section 8.1 on page 76 for more information.
DESCRIPTION
TCP Timeout Values
Connection Timeout: Type the number of seconds (default 30) for the ZyXEL Device to wait for a TCP session to reach the established state before dropping the session.
FIN-Wait Type the number of seconds (default 60) for a TCP session to remain open after the...
9.9 Logs Screen
When you configure a new rule you also have the option to log events that match, don't match (or both) this rule. Click Logs to bring up the next screen. Firewall logs may also be viewed in SMT Menu 21.3 or via syslog (SMT Menu 24.3.2 - System Maintenance - UNIX Syslog).
Table 29 Firewall > Logs (continued)
LABEL: DESCRIPTION (EXAMPLE)
Reason: This field states the reason for the log; i.e., was the rule matched, not matched, or was there an attack. (Example: not match <1,01> dest IP)
The set and rule coordinates (<X, Y>...
Figure 41 Firewall Example: Edit Rule
4 Click SrcAdd to open the Rule IP Config screen. Configure it as follows and click Apply.
Figure 42 Firewall Example: Configure Source IP
5 Click Edit Available Service in the Edit Rule screen and then click a rule number to bring up the Firewall Customized Services Config screen.
7 On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don't forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyXEL Device.
The Available Services list box in the Edit Rule screen (see Section 9.7.1 on page displays all predefined services that the ZyXEL Device already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP).
24032)
DNS(UDP/TCP:53): Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
FINGER(TCP:79): Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP(TCP:20.21): File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
Table 30 Predefined Services (continued)
SERVICE: DESCRIPTION
SMTP(TCP:25): Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP(TCP/UDP:161): Simple Network Management Program.
SNMP-TRAPS (TCP/ Traps for use with the SNMP (RFC:1215).
Chapter 10 Introduction to IPSec
This chapter introduces the basics of IPSec VPNs.
10.1 VPN Overview
A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.
10.1.4 VPN Applications
The ZyXEL Device supports the following VPN applications.
• Linking Two or More Private Networks Together
Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.
P-202H Plus v2 User’s Guide Figure 47 IPSec Architecture 10.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
VPN gateway. The security protocol appears after the outer IP header and before the inside IP header. 10.4 IPSec and NAT Read this section if you are running IPSec on a host computer behind the ZyXEL Device. Chapter 10 Introduction to IPSec...
P-202H Plus v2 User’s Guide NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.
CHAPTER 11 VPN Screens
This chapter introduces the VPN web configurator. See the section on logs for information on viewing logs and the appendices for IPSec log descriptions.
11.1 VPN/IPSec Overview
Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
Select MD5 for minimal security and SHA-1 for maximum security. 11.3 My IP Address My IP Address is the WAN IP address of the ZyXEL Device. If this field is configured as 0.0.0.0, then the ZyXEL Device will use the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.
Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
VPN policy is active. No signifies that this VPN policy is not active. Local Address This is the IP address of the computer on your local network behind your ZyXEL Device. The same (static) IP address is displayed twice when the Local Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Single.
LOCAL ID TYPE CONTENT Type the IP address of your computer or leave the field blank to have the ZyXEL Device automatically use its own IP address. Type a domain name (up to 31 characters) by which to identify this ZyXEL Device.
The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B’s Local ID type is IP, but ZyXEL Device A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
Figure 51 Mismatching ID Type and Content Configuration Example
ZYXEL DEVICE A | ZYXEL DEVICE B
Peer ID type: E-mail | Peer ID type: IP
Peer ID content: aa@yahoo.com | Peer ID content: N/A
11.8 Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 11.10 on page 126...
VPN rule is applied before a packet leaves the firewall. Keep Alive Select this check box to have the ZyXEL Device automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
Range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a subnet mask on the LAN behind your ZyXEL Device.
When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this ZyXEL Device in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated.
VPN - Setup Select DES, 3DES or NULL from the drop-down list box. The ZyXEL Device’s encryption algorithm should be identical to the secure remote gateway. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
The ZyXEL Device automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyXEL Device also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic.
This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the ZyXEL Device. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
P-202H Plus v2 User’s Guide Figure 54 Advanced Rule Setup The following table describes the labels in this screen. Table 38 Advanced Rule Setup LABEL DESCRIPTION Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec. Active Protocol Select ESP or AH from the drop-down list box. The ZyXEL Device's IPSec Protocol should be identical to the secure remote gateway. The ESP (Encapsulation Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH.
DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb) random number (more secure, yet slower). Apply Click Apply to save your changes back to the ZyXEL Device and return to the VPN-IKE screen. Cancel Click Cancel to return to the VPN-IKE screen without saving your ZyXEL Device.
11.13 Manual Key Screen
You only configure VPN Manual Key when you select Manual in the IPSec Key Mode field on the VPN-IKE screen. The VPN-Manual Key screen is shown next.
Figure 55 Rule Setup with Manual Key
The following table describes the labels in this screen.
IPSec router. My IP Address Enter the WAN IP address of your ZyXEL Device. The ZyXEL Device uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0.
A tunnel with no outbound or inbound traffic is "idle" and does not timeout until the SA lifetime period expires. See the Keep Alive section to have the ZyXEL Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
Refresh Click Refresh to display the current active VPN connection(s).
11.15 Global Setting Screen
To change your ZyXEL Device’s global settings, click VPN, then the Global Setting link. The screen appears as shown.
Figure 57 Global Setting
Click Reset to begin configuring this screen afresh. 11.16 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters from remote IPSec routers that use dynamic WAN IP addresses. 11.16.1 Telecommuters Sharing One VPN Rule Example Multiple telecommuters can use one VPN rule to simultaneously access a ZyXEL Device at headquarters.
ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyXEL Device at headquarters. They can use different IPSec parameters (including the pre-shared key) and the local IP addresses (or ranges of addresses) can overlap.
P-202H Plus v2 User’s Guide Figure 59 Telecommuters Using Unique VPN Rules Example 11.17 Logs This screen displays the logs for all VPNs. The VPN log includes log index numbers, the date and time of the log records, and log messages. Refer to the Log appendix for descriptions and examples of VPN logs.
P-202H Plus v2 User’s Guide Figure 60 VPN Logs The following table describes the labels in this screen. Table 43 VPN Logs LABEL DESCRIPTION This field lists a message that gives information about the reason for the log. Back Click this button to return to the previous screen. Previous Click this button to view the previous page.
DCP messages on TCP port number 2578 (the Internet-assigned number for RVS- COM DCP). When the ZyXEL Device receives a DCP message from a DCP client i.e., a computer, the ZyXEL Device processes the message and acts on it. Your ZyXEL Device supports all the DCP messages specified in the ISDN-DCP specification.
RVSCOM on your computer, and RVSCOM registers itself to the Users ZyXEL Device. Enter the maximum number of clients (no more than 5) for which you want the ZyXEL Device to allow connections at the same time.
Click Cancel to begin configuring this screen afresh. 12.3.1 Configuring the ZyXEL Device as a NetCAPI Server This section describes how to configure your ZyXEL Device to be a NetCAPI server. By default, NetCAPI is enabled on your ZyXEL Device. When NetCAPI is enabled, the ZyXEL Device listens for incoming DCP messages from the computers.
P-202H Plus v2 User’s Guide 12.3.3 Example of Installing a CAPI driver and Communication Software Please uninstall previous versions of "RVS-CAPI" and "RVS-COM lite" before you install the new versions. In Windows, use the Add/Remove Programs window (click Start, Settings, Control Panel and Add/Remove Programs) to uninstall RVS-CAPI and RVS-COM.
This chapter discusses the European ISDN supplemental services. 13.1 Overview The ZyXEL Device supports a comprehensive set of advanced calling features known as Supplemental Services. European ISDN Supplemental Services may vary and have different naming conventions that can be generalized as follows. Please check with your telephone company for the services they offer.
Calling Line Indication, or Caller ID, also in this menu decides whether the other party can see your number when you call. If set to Enable (default), the ZyXEL Device sends the caller ID and the party you call can see your number, otherwise if set to Disable, the caller ID is blocked.
P-202H Plus v2 User’s Guide • You are dialing a number on the B-channel the incoming caller is attempting to reach, but have not yet established a connection. 13.5 Three Way Calling Three Way Calling allows you to add a third party to an existing call. This service must be subscribed from your telephone company.
Either method should work fine, and you can use whichever one you are most comfortable with. 13.8 Reminder Ring The ZyXEL Device sends a single short ring to your telephone every time a call has been forwarded (US switches only). Chapter 13 Supplementary Phone Services...
If you choose Multiple Subscriber Number (MSN) to determine routing for all incoming calls, the ZyXEL Device will compare the incoming call's Called Party Number or Subaddress to the number you set and route the incoming call to the destination that matches the number set.
14.2 System Status
Click System Status to open the following screen, which you can use to monitor your ZyXEL Device. Note that these fields are READ-ONLY and only for diagnostic purposes.
LABEL DESCRIPTION System Status System Name This is the name of your ZyXEL Device. It is for identification purposes. ZyNOS This is the ZyNOS firmware version and the date the firmware was created. ZyNOS Firmware is ZyXEL's proprietary Network Operating System design.
P-202H Plus v2 User’s Guide Table 47 System Status LABEL DESCRIPTION MAC Address This is the MAC (Media Access Control) or Ethernet address unique to your ZyXEL Device. IP Address This is the LAN port IP address. IP Subnet Mask This is the LAN port IP subnet mask.
TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.
00:A0:C5:00:00:02.
14.4 Firmware Screen
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
ZyXEL device. Refer to the chapter about introducing the web configurator for more information on the RESET button. Note: Do NOT turn off the ZyXEL Device while firmware upload is in progress! After you see the Firmware Upload in Progress screen, wait two minutes before logging into the ZyXEL Device again.
P-202H Plus v2 User’s Guide Figure 67 Firmware Upload In Progress The ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 68 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen.
P-202H Plus v2 User’s Guide 14.5 Budget Control Budget management allows you to set a limit on the total outgoing call time of the ZyXEL Device over a period of time. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.
8 data bits, 1 stop bit, data flow set to none, 9600 bps port speed. 15.2.1 Initial Screen When you turn on your ZyXEL Device, it performs several internal tests as well as line initialization. After the tests, the ZyXEL Device asks you to press [ENTER] to continue, as shown next.
Please note that if there is no activity for longer than five minutes after you log in, your ZyXEL Device will automatically log you out and display a blank screen. If you see a blank screen, press [ENTER] to bring up the login screen again.
15.5 Navigating the SMT Interface
The SMT (System Management Terminal) is the interface that you use to configure your ZyXEL Device. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
[ENTER]. the SMT interface. After you enter the password, the SMT displays the main menu, as shown next. Figure 73 SMT Main Menu Copyright (c) 1994 - 2006 ZyXEL Communications Corp. P202H Plus v2 Main Menu Getting Started Advanced Management 1.
Use this menu to set up static routes. Default Dial-in Setup Use this menu to set up default dial-in parameters so that your ZyXEL Device can be used as a dial-in server. Dial-in User Setup Use this menu to configure settings for remote dial-in users.
5 Re-type your new system password in the Retype to confirm field for confirmation and press [ENTER]. Note: When you type in a password, the screen displays an “*” for each character you type.
"Computer Name". • In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer name field and enter it as the ZyXEL Device System Name.
"_" are accepted. Location Enter the geographic location (up to 31 characters) of your ZyXEL Device. Contact Person's Enter the name (up to 30 characters) of the person in charge of this ZyXEL Name Device. Domain Name Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP.
This is the name of your Dynamic DNS service provider. Active Press [SPACE BAR] to select Yes and then press [ENTER] to make dynamic DNS active. Host Enter the domain name assigned to your ZyXEL Device by your Dynamic DNS provider. EMAIL Enter your e-mail address. Username Enter your user name.
A PABX (Private Automatic Branch eXchange) generally requires you to dial a number (a single digit in most cases) when you need an outside line. If your ZyXEL Device is connected to a PABX, enter this number in PABX Outside Line Prefix, otherwise, leave it blank.
P-202H Plus v2 User’s Guide Please note that the PABX prefix is for calls initiated by the ZyXEL Device only. If you place a call from a device on either A/B adapter, you must dial the prefix by hand. 17.1.4 Outgoing Calling Party Number If these fields are not blank, the ZyXEL Device will use these values as the calling party number for "ISDN Data", "A/B Adapter 1"...
ISDN Data & Subaddress | Enter the telephone number and the subaddress assigned to ISDN data calls for the ZyXEL Device. The maximum number of digits is 25 for the telephone number and 5 for the subaddress.
A/B Adapter 1 &...
Table 57 Menu 2 ISDN Setup
FIELD | DESCRIPTION
Analog Call Routing | Select the destination for analog calls. The choices are A/B Adapter 1, A/B Adapter 2 and Ignore. This field is only applicable when Incoming Phone Number Matching is Don't Care.
ISDN initialization takes slightly longer. At this point, the ZyXEL Device asks if you wish to test your ISDN. If you select Yes, the ZyXEL Device will perform a loop-back test to check the ISDN line. If the loop-back test fails, please note the error message that you receive and take the appropriate troubleshooting action.
LoopBack Test OK ### Hit any key to continue. ### 17.3 NetCAPI Your ZyXEL Device supports NetCAPI. NetCAPI is ZyXEL's implementation of CAPI (Common ISDN Application Program Interface) capabilities over a network. It runs over DCP (Device Control Protocol) developed by RVS-COM.
NetCAPI. Select Subscriber Number (MSN) if you want to direct all incoming call to the ZyXEL Device only when the incoming phone number matches the ISDN DATA number. If the incoming phone number does not match the ISDN DATA number, then the call will be routed to NetCAPI.
CHAPTER 18 Menu 3 Ethernet Setup
This chapter covers how to configure your wired Local Area Network (LAN) settings.
18.1 Ethernet Setup
This section describes how to configure the Ethernet using Menu 3 - Ethernet Setup. From the main menu, enter 3 to display menu 3.
P-202H Plus v2 User’s Guide 18.2 Ethernet TCP/IP and DHCP Server The ZyXEL Device has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. For remote node TCP/IP configuration, refer to the chapter on Remote Node Configuration.
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.
Enter the IP address of your ZyXEL Device in dotted decimal notation. IP Subnet Mask Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.
Incoming Protocol Filters | Enter the filter set(s) you wish to apply to the incoming traffic between this node and the ZyXEL Device.
Outgoing Protocol Filters | Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyXEL Device.
Menu 4 allows you to enter the Internet access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11. Before you configure your ZyXEL Device for Internet access, you need to collect your Internet account information from your ISP.
At this point, the SMT will ask if you wish to test the Internet connection. If you select Yes, your ZyXEL Device will call the ISP to test the Internet connection. If the test fails, note the error message that you receive on the screen and take the appropriate troubleshooting steps.
3 minutes. With minimum toll period, the ZyXEL Device will try to use all the toll period. In the above case, the ZyXEL Device tries to extend the idle timeout to the nearest 3 minutes (basic charging unit of time). If there is traffic during the extended 2 minutes and 50 seconds, the idle timeout will be cleared and a second call is eliminated.
P-202H Plus v2 User’s Guide Figure 88 Menu 11 Remote Node Setup Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. ________ 3. ________ 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ Enter Node # to Edit: 3 When Menu 11.1 - Remote Node Profile appears, fill in the fields as described in the following table to define this remote profile.
If this parameter is set to Both, your ZyXEL Device can both place and receive calls to/from this remote node. If set to Incoming, your ZyXEL Device will not place a call to this remote node. If set to Outgoing, your ZyXEL Device will drop any incoming calls from this remote node.
ZyXEL Device. Administrative packets such as RIP are not counted as data. The default is 300 seconds (5 minutes). Idle timeout only applies when the ZyXEL Device initiates the call. 0 sec means the remote node will never be automatically disconnected.
Target Utility number for longer than the Subtract Persist value. The Target Utility specifies the line utilization range at which you want the ZyXEL Device to add or subtract bandwidth. The range is 30 to 64 Kbps (kilobits per second). The parameters are separated by a '-'.
If, after making the call to bring up a second channel, the second channel does not succeed in joining the Multilink Protocol bundle (because the remote device does not recognize the second call as coming from the same device), the ZyXEL Device will hang up the second call and continue with the first channel alone.
[ESC] at any time to cancel. 20.7 LAN-to-LAN Application A typical LAN-to-LAN application is to use your ZyXEL Device to connect a branch office to the headquarters, as depicted in the following diagram. Figure 91 TCP/IP LAN-to-LAN Application For the branch office, you need to configure a remote node in order to dial out to headquarters.
P-202H Plus v2 User’s Guide LAN 1 Setup Menu 11.1 - Remote Node Profile Rem Node Name= LAN_2 Edit PPP Options= No Active= Yes Rem IP Addr= 192.168.2.1 Call Direction= Both Edit IP= No Incoming: Telco Option: Rem Login= lan2 Transfer Type= 64K Rem Password= ******** Allocated Budget(min)= 0...
Enter the IP address of the remote gateway in Menu 11.1 - Remote Node Profile. You must fill in either the remote ZyXEL Device WAN IP address or the remote ZyXEL Device LAN IP address. This depends on the remote router’s WAN IP i.e., for the (remote) ZyXEL Device, the My WAN IP Addr settings in Menu 4.
Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyXEL Device to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes.
Type the IP address of the gateway. The gateway is an immediate neighbor of your ZyXEL Device that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyXEL Device;...
2 or 3 is usually a good number. Private This parameter determines if the ZyXEL Device will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and is not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
This section covers the default dial-in parameters. The parameters in menu 13 affect incoming calls from both remote dial-in users and remote nodes until authentication is completed. Once authentication is completed and if it matches a remote node, your ZyXEL Device will use the parameters from that particular remote node.
This field sets the authentication protocol for incoming calls. For security reasons, setting authentication to None is strongly discouraged. Options for this field are: CHAP/PAP - Your ZyXEL Device will try CHAP first, but PAP will be used if CHAP is not available.
IP Address Supplied By: Dial-in User If set to Yes, the ZyXEL Device will allow a remote host to specify its own IP address. If set to No, the remote host must use the IP address assigned by your ZyXEL Device from the IP pool, configured below.
Use Menu 13.1 - Default Dial-in Filter to specify the filter set(s) to apply to the incoming and outgoing traffic between all dial-in users and your ZyXEL Device. Note that the filter set(s) only applies to the dial-in users but not the remote nodes. You can specify up to 4 filter sets separated by commas, e.g., 1, 5, 9, 12, in each filter field.
The other is ease of accounting. For instance, your company pays for the connection charges for telecommuting employees and you use your ZyXEL Device as the dial-in server. When you turn on the callback option for the dial-in users, all usage is charged to the company instead of the employees, and your accounting department can avoid the hassles of accountability and reimbursement.
This field determines if your ZyXEL Device will allow call back to this user upon dial-in. If this option is enabled, your ZyXEL Device will call back to the user if requested. In such a case, your ZyXEL Device will disconnect the initial call from this user and dial back to the specified callback number (see ahead).
P-202H Plus v2 User’s Guide Figure 101 Example of Telecommuting See the following screens on how to configure your ZyXEL Device if a remote user's computer is running Windows®. Configuring Menu 13: Figure 102 Configuring Menu 13 for Remote Access...
Your ZyXEL Device can also be used as a dial-in server for LAN-to-LAN application to provide access for the workstations on a remote network. For your ZyXEL Device to be set up as a LAN-to-LAN server, you need to configure the default dial-in user setup to set the operational parameters for incoming calls.
Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel: Go to menu 24.4.5 of the ZyXEL Device on LAN 1 and enter the numbers that correspond to the menu in LAN 1 above to test callback with your connection.
The only difference between callback with CLID (Calling Line Identification) and callback described above is that you do not pay for the first call, i.e., when the ZyXEL Device on LAN 1 calls the ZyXEL Device on LAN 2. The ZyXEL Device (LAN 2) looks at the ISDN D- channel and verifies that the calling number corresponds with that configured in menu 11.
Press ENTER to Confirm or ESC to Cancel: Go to menu 24.8 (ZyXEL Device on LAN 2) and type "sys trcl call" to test your connection with callback on CLID. The ZyXEL Device displays all communication traces as shown in the next figure.
Section 23.3.1 on page 216 for a detailed description of the NAT set for SUA. The ZyXEL Device also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types.
P-202H Plus v2 User’s Guide Figure 111 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Pri Phone #= 1234 Sec Phone #= My Login= ChangeMe My Password= ******** My WAN IP Addr= 0.0.0.0 NAT= SUA Only Address Mapping Set= N/A Telco Options:...
Press [SPACE BAR] and then [ENTER] to select Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device. The SMT uses the address mapping set that you configure and enter in the Address Mapping Set field (menu 15.1 - see section ).
P-202H Plus v2 User’s Guide Figure 114 Menu 15.1 Address Mapping Sets Menu 15.1 - Address Mapping Sets 255. SUA (read only) Enter Menu Selection Number: Enter 255 to display the next screen, (see Section 23.1.1 on page 214). The fields in this menu cannot be changed.
P-202H Plus v2 User’s Guide Table 74 Menu 15.1.255 SUA Address Mapping Rules FIELD DESCRIPTION Global Start IP This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. Global End IP This is the ending global IP address (IGA).
P-202H Plus v2 User’s Guide 23.3.1.2 Ordering Your Rules Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
P-202H Plus v2 User’s Guide The following table explains the fields in this menu. Table 76 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION Type Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in the chapter on NAT web configurator screens.
P-202H Plus v2 User’s Guide 3 Enter 1 to go to Menu 15.2.1 NAT Server Setup as follows. Figure 119 Menu 15.2.1 NAT Server Setup Menu 15.2.1 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default...
P-202H Plus v2 User’s Guide 23.5 General NAT Examples The following are some examples of NAT configuration. 23.5.1 Example 1: Internet Access Only In the following Internet access example, you only need one rule where the ILAs (Inside Local Addresses) of computers A through D map to one dynamic IGA (Inside Global Address) assigned by your ISP.
P-202H Plus v2 User’s Guide 23.5.2 Example 2: Internet Access with an Inside Server The dynamic Inside Global Address is assigned by the ISP. Figure 123 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Inside Server behind the NAT as shown in the next figure.
P-202H Plus v2 User’s Guide 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
P-202H Plus v2 User’s Guide Figure 126 NAT Example 3: Menu 11.3 Menu 11.3 - Remote Node Network Layer Options Rem IP Addr: Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set= 2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B...
P-202H Plus v2 User’s Guide Figure 128 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example 3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- -------------- --------------- --------------- ------ 192.168.1.10 10.132.50.1 192.168.1.11...
P-202H Plus v2 User’s Guide 23.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
P-202H Plus v2 User’s Guide Figure 132 Example 4: Menu 15.1.1 Address Mapping Rules Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Local Start IP Local End IP Global Start IP Global End IP Type -------------- -------------- --------------- --------------- ------ 192.168.1.10 192.168.1.12 10.132.50.1...
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator, see the following chapters for instructions. SMT screens allow you to activate the firewall and view firewall logs.
P-202H Plus v2 User’s Guide Figure 133 Menu 21.2 Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. The default Policy sets 1. allow all sessions originating from the LAN to the WAN and 2.
24.10 for real time; otherwise the clock will start at 2000/01/01 00:00:00 the last time the ZyXEL Device was reset. (hh:mm:ss: e.g., 00:00:00)
Packet Information: This field lists packet information such as protocol and From and To IP...
An "End of Log" message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail. Subject: Firewall Alert From ZyXEL Device Date: Fri, 07 Apr 2006 10:05:42 From: user@zyxel.com...
This chapter shows you how to create and apply filters. 25.1 Introduction to Filters Your ZyXEL Device uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyXEL Device allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
24 rules active for a single port. 25.2 Configuring a Filter Set The ZyXEL Device includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21.
P-202H Plus v2 User’s Guide Figure 137 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall Setup 3. View Firewall Log Enter Menu Selection Number: 2 Enter 1 to bring up the following menu. Figure 138 Menu 21.1: Filter Set Configuration Menu 21.1 - Filter Set Configuration Filter...
Figure 139 NetBIOS_WAN Filter Rules Summary
Menu 21.1.1 - Filter Rules Summary
# A Type Filter Rules                                  M m n
- - ---- --------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137          N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138          N D N
...
Figure 142 FTP_WAN Filter Rules Summary
Menu 21.1.4 - Filter Rules Summary
# A Type Filter Rules                                  M m n
- - ---- --------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21           N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=20           N D F
...
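The rows of Figures 139 and 142 can be evaluated mechanically to see which rule decides the fate of a packet. The Python sketch below is an added example, not ZyXEL code; it assumes the usual ZyNOS reading of the M/m/n columns (More, action when Matched, action when Not matched; F = forward, D = drop, N = check next rule), treats 0 and 0.0.0.0 as wildcards, forwards a packet when every rule says "next", and uses only the rows visible in this text. The sample packet addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout of one "Filter Rules Summary" row:  #  A  Type  Filter Rules  M m n
ROW = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<active>[YN])\s+(?P<type>\S+)\s+(?P<body>.+?)"
    r"\s+(?P<more>[YN])\s+(?P<m>[FDN])\s+(?P<n>[FDN])\s*$"
)
ACTION = {"F": "forward", "D": "drop", "N": "next"}  # assumed meaning of m/n
ANY_ADDR = "0.0.0.0"
MAX_RULES_PER_SET = 6  # the guide allows six rules in each filter set


@dataclass
class Rule:
    num: int
    active: bool
    proto: int
    src: str
    dst: str
    dport: Optional[int]
    on_match: str
    on_miss: str


def parse_row(row: str) -> Rule:
    """Parse one summary row such as the ones shown in Figure 139."""
    m = ROW.match(row)
    if not m:
        raise ValueError(f"not a filter summary row: {row!r}")
    if m["type"] != "IP" or m["more"] != "N":
        raise ValueError("only unchained TCP/IP rows (Type=IP, M=N) are modelled")
    kv = dict(item.strip().split("=", 1) for item in m["body"].split(","))
    return Rule(int(m["num"]), m["active"] == "Y", int(kv["Pr"]), kv["SA"],
                kv["DA"], int(kv["DP"]) if "DP" in kv else None,
                ACTION[m["m"]], ACTION[m["n"]])


def matches(rule: Rule, pkt: dict) -> bool:
    # Assumption: 0 and 0.0.0.0 mean "any"; address masks are not modelled.
    return (rule.proto in (0, pkt["proto"])
            and rule.src in (ANY_ADDR, pkt["src"])
            and rule.dst in (ANY_ADDR, pkt["dst"])
            and rule.dport in (None, 0, pkt["dport"]))


def evaluate(filter_sets, pkt):
    """Walk the sets in the order applied; return (action, set, rule number)."""
    for name, rows in filter_sets:
        if len(rows) > MAX_RULES_PER_SET:
            raise ValueError(f"{name}: more than {MAX_RULES_PER_SET} rules")
        for rule in map(parse_row, rows):
            if not rule.active:
                continue  # inactive rules (A=N) are skipped
            action = rule.on_match if matches(rule, pkt) else rule.on_miss
            if action != "next":
                return action, name, rule.num
    return "forward", None, None  # assumed default when no rule decides


# Rows copied from Figures 139 and 142 (remaining rows are cut off in the text).
NETBIOS_WAN = ("NetBIOS_WAN", [
    "1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137 N D N",
    "2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138 N D N",
])
FTP_WAN = ("FTP_WAN", [
    "1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21 N D N",
    "2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=20 N D F",
])


def tcp(dport: int) -> dict:
    """Constructed inbound TCP packet aimed at the device's default LAN IP."""
    return {"proto": 6, "src": "203.0.113.7", "dst": "192.168.1.1", "dport": dport}


if __name__ == "__main__":
    for order in ([NETBIOS_WAN, FTP_WAN], [FTP_WAN, NETBIOS_WAN]):
        names = [name for name, _ in order]
        for port in (137, 21, 80):
            print(names, port, evaluate(order, tcp(port)))
```

Because rule 2 of FTP_WAN forwards on a miss, any set applied after it is never consulted; with the order reversed, the port 137 packet is forwarded instead of dropped.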
P-202H Plus v2 User’s Guide Figure 143 Menu 21.1.1.1 TCP/IP Filter Rule. Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 137 Port # Comp= Equal Source: IP Addr= 0.0.0.0...
P-202H Plus v2 User’s Guide Table 80 Menu 21.1.x.x TCP/IP Filter Rule FIELD DESCRIPTION OPTIONS Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison None to apply to the destination port in the packet against the value Less given in Destination: Port #.
P-202H Plus v2 User’s Guide Figure 144 Executing an IP Filter 25.2.4 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. Chapter 25 Filter Configuration...
P-202H Plus v2 User’s Guide For generic rules, the ZyXEL Device treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Menu 21.1.x - Filter Rules Summary. 25.3 Example Filter Let’s look at an example to block outside users from accessing the ZyXEL Device via telnet. Figure 146 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
P-202H Plus v2 User’s Guide 4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. 5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary 6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the ZyXEL Device is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or any other hardware port.
NAT and the firewall. 25.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyXEL Device already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming telnet, FTP and HTTP connections.
Note: If you do not activate the firewall, it is advisable to apply filters.
P-202H Plus v2 User’s Guide Figure 150 Filtering LAN Traffic Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= 2 device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 25.6.2 Applying Remote Node Filters Go to menu 11.5 (shown below) and enter the number(s) of the filter set(s) as appropriate.
An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP.
26.2 Supported MIBs The ZyXEL Device supports RFC-1215 and MIB II as defined in RFC-1213 as well as ZyXEL private MIBs. The focus of the MIBs is to let administrators collect statistic data and monitor status and performance. 26.3 SNMP Configuration To configure SNMP, select option 22 from the main menu to open Menu 22 - SNMP Configuration as shown next.
[ESC] to cancel and go back to the previous screen. 26.4 SNMP Traps The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs: Table 83 SNMP Traps...
P-202H Plus v2 User’s Guide Table 84 Ports and Permanent Virtual Circuits PVC (PERMANENT PORT VIRTUAL CIRCUIT) … … xDSL Chapter 26 SNMP Configuration...
You should change the default password. If you forget your password you have to restore the default configuration file. Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the ZyXEL Device in the chapter about introducing the web configurator.
Figure 155 RADIUS Server In order to ensure network security, the ZyXEL Device and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
The key is not sent over the network. This key must be the same on the external authentication server and ZyXEL Device. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel”...
Figure 158 on page 259). System Status is a tool that can be used to monitor your ZyXEL Device. To get to System Status, type 24 to go to Menu 24 - System Maintenance. From this menu, type 1. System Status. There are two commands in Menu 24.1 - System Maintenance - Status.
This shows statistics for B1 and B2 channels respectively. This is the information displayed for each channel. Own IP Address This refers to the IP address of the ZyXEL Device. Own CLID This shows your Caller ID. Chapter 28 System Information and Diagnosis...
P-202H Plus v2 User’s Guide Table 86 System Maintenance: Status Menu Fields FIELD DESCRIPTION Peer IP Address This refers to the IP address of the peer. Peer CLID This shows the Caller ID of the peer. Ethernet This shows statistics for the LAN. Status This displays the port speed and duplex setting.
Ethernet Address Refers to the Ethernet MAC (Media Access Control) of your ZyXEL Device. IP Address This is the IP address of the ZyXEL Device in dotted decimal notation. IP Mask This shows the subnet mask of the ZyXEL Device.
3 Enter 1 from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system. After the ZyXEL Device finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
Clear Error Log (y/n): 28.3.2 Unix Syslog The ZyXEL Device uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - UNIX Syslog, as shown next.
Specify a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyXEL Device. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel”...
P-202H Plus v2 User’s Guide 28.4 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyXEL Device to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as shown in the following figure.
Internet Setup Test This test checks to see if your Internet access configuration has been done correctly. When this option is chosen, the ZyXEL Device places a manual call to the ISP remote node. If everything is working properly, you will receive an appropriate response.
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension. Once you have customized the ZyXEL Device's settings, they can be saved back to your computer under a filename of your choosing.
The following table is a summary. Please note that the internal filename refers to the filename on the ZyXEL Device and the external filename refers to the filename not on the ZyXEL Device, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary.
4 Enter your password as requested (the default is “1234”). 5 Enter “bin” to set transfer mode to binary. 6 Use “get” to transfer files from the ZyXEL Device to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyXEL Device to your computer and renames it “config.rom”.
To use TFTP, your computer must have both telnet and TFTP clients. To backup the configuration file, follow the procedure shown next. 1 Use telnet from your computer to connect to the ZyXEL Device and log in. Because TFTP does not have any security checks, the ZyXEL Device records the IP address of the telnet client and accepts TFTP requests only from this address.
Enter the IP address of the ZyXEL Device. 192.168.1.1 is the ZyXEL Device’s default IP address when shipped. Send/Fetch Use “Send” to upload the file to the ZyXEL Device and “Fetch” to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or configuration file...
P-202H Plus v2 User’s Guide 29.2.9 Backup Via Console Port Back up configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar. 1 Display menu 24.5 and enter “y” at the following screen. Figure 171 System Maintenance: Backup Configuration Ready to backup Configuration via Xmodem.
TFTP), please see your router manual. Press ENTER to Exit: 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyXEL Device. Chapter 29 Firmware and Configuration File Maintenance...
5 Enter “bin” to set transfer mode to binary. 6 Find the “rom” file (on your computer) that you want to restore to your ZyXEL Device. 7 Use “put” to transfer files from the ZyXEL Device to the computer, for example, “put config.rom rom-0”...
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the ZyXEL Device, type 7 in menu 24. You will see Menu 24.7 - System Maintenance - Upload Firmware as shown.
Enter 1 in menu 24.7 to display the following screen and upload firmware using FTP. Figure 182 Menu 24.7.1 Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1....
4 Enter your password as requested (the default is “1234”). 5 Enter “bin” to set transfer mode to binary. 6 Use “put” to transfer files from the computer to the ZyXEL Device, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the ZyXEL Device and renames it “ras”.
The file name for the firmware is “ras”. Note that the telnet connection must be active and the ZyXEL Device in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program.
29.4.9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Figure 186 Example Xmodem Upload After the configuration upload process has completed, restart the ZyXEL Device by entering "atgo". 29.4.10 Uploading Configuration File Via Console Port 1 Select 2 from Menu 24.7 –...
29.4.11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Figure 188 Example Xmodem Upload After the configuration upload process has completed, restart the ZyXEL Device by entering "atgo". Chapter 29 Firmware and Configuration File Maintenance...
Enter the CI from the SMT by selecting menu 24.8. See the included disk or the zyxel.com web site for more detailed information on CI commands. Enter 8 from Menu 24 — System Maintenance. A list of valid commands can be found by typing help or ? at the command prompt.
The blacklist function prevents the ZyXEL Device from re-dialing to an unreachable phone number. It is a list of phone numbers, up to a maximum of 14, to which the ZyXEL Device will not make an outgoing call. If the ZyXEL Device tries to dial to a phone number and fails a certain number of times (configurable in Menu 24.9.1), then the phone number is placed on...
Menu 24.9.2 shows the blacklist. The phone numbers on the blacklist are numbers that the ZyXEL Device had problems connecting to in the past. The only operation allowed is taking a number off the list by entering its index number. Enter 2 from menu 24.9 to bring up the following menu.
P-202H Plus v2 User’s Guide Figure 193 Menu 24.9.2 Blacklist Menu 24.9.2 - Blacklist Phone Number Remove Selection(1-14): 30.2.3 Budget Management Menu 24.9.3 shows the budget management statistics for outgoing calls. Enter 3 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Figure 194 Menu 24.9.3 - Budget Management Menu 24.9.3 - Budget Management Remote Node...
P-202H Plus v2 User’s Guide The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
ZyXEL Device. Menu 24.10 allows you to update the time and date settings of your ZyXEL Device. The real time is then displayed in the ZyXEL Device error logs and firewall logs.
Enter the time service protocol that your timeserver sends when you turn on the when Bootup ZyXEL Device. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
2 When the ZyXEL Device starts up, if there is a timeserver configured in menu 24.10.
3 24-hour intervals after starting.
This chapter covers remote management (SMT menu 24.11). 31.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers. You may manage your ZyXEL Device from a remote location via: • Internet (WAN only) •...
Web Server Port This field shows the port number for the service or protocol. You may change the port number if needed, but you must use the same port number to access the ZyXEL Device. Access Select the access interface (if any) by pressing [SPACE BAR], then [ENTER] to choose from: LAN only, WAN only, ALL or Disable.
There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the...
For example, if sets 1, 2, 3 and 4 are applied in the remote node, then set 1 will take precedence over sets 2, 3 and 4 as the ZyXEL Device, by default, applies the lowest numbered set first. Set 2 will take precedence over sets 3 and 4, and so on....
Press ENTER to Confirm or ESC to Cancel: If a connection has been already established, your ZyXEL Device will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.
P-202H Plus v2 User’s Guide Table 99 Menu 26.1 Schedule Set Setup FIELD DESCRIPTION Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line.
Chapter 33 VPN/IPSec Setup
This chapter introduces the VPN SMT menus.
33.1 VPN/IPSec Overview
The VPN/IPSec main SMT menu has these main submenus:
1 Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
P-202H Plus v2 User’s Guide Figure 203 Menu 27 VPN/IPSec Setup Menu 27 - VPN/IPSec Setup 1. IPSec Summary 2. SA Monitor 3. View IPSec Log Enter Menu Selection Number: 33.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 - IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels).
(static) IP address as in the Local Addr Start field. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to RANGE, this is the end (static) IP address, in a range of computers on the LAN behind your ZyXEL Device.
P-202H Plus v2 User’s Guide Table 100 Menu 27.1 IPSec Summary FIELD DESCRIPTION Select Press [SPACE BAR] to choose from None, Edit or Delete and then press [ENTER]. Command You must select a rule in the next field when you choose the Edit or Delete commands. Select None and then press [ENTER] to go to the “Press ENTER to Confirm…”...
When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyXEL Device automatically use the address in the Secure Gateway Address field.
When the Addr Type field is configured to RANGE, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyXEL Device. When the Addr Type is configured to SUBNET, this is a (static) IP address on the LAN behind your ZyXEL Device.
P-202H Plus v2 User’s Guide Table 101 Menu 27.1.1 IPSec Setup FIELD DESCRIPTION End/Subnet When the Addr Type field is configured to Single, this field is N/A. Mask When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
Pre-Shared Key ZyXEL Device gateways authenticate an IKE VPN session by matching pre-shared keys. Pre-shared keys are best for small networks with fewer than ten nodes. Enter your pre-shared key here. Enter up to 31 characters. Any character may be used, including spaces, but trailing spaces are truncated.
Table 102 Menu 27.1.1.1 IKE Setup
FIELD: SA Life Time (Seconds)
DESCRIPTION: Define the length of time before an IKE Security Association automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys....
P-202H Plus v2 User’s Guide To edit this menu, move the cursor to the Edit Key Management Setup field in Menu 27.1.1 – IPSec Setup press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup. Figure 207 Menu 27.1.1.2 Manual Setup Menu 27.1.1.2 –...
P-202H Plus v2 User’s Guide Table 104 Menu 27.1.1.2 Manual Setup FIELD DESCRIPTION AH Setup The AH Setup fields are N/A if you chose an ESP Active Protocol. SPI (Decimal) The SPI must be from one to four unique decimal characters ("0" to "9") long. Authentication Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER].
A tunnel with no outbound or inbound traffic is "idle" and does not timeout until the SA lifetime period expires. See the Web configurator part on keep alive to have the ZyXEL Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
This authentication information is calculated using header and payload data in the IP packet. This provides an additional level of security. AH choices are MD5 (default - 128 bits) and SHA-1 (160 bits). Both AH and ESP increase ZyXEL Device processing requirements and communications latency (delay). Select...
Chapter 35 IPSec Log
This chapter interprets common IPSec log messages.
35.1 IPSec Logs
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next.
Start Phase 2: Quick Mode Phase 2 negotiation is beginning using Quick Mode. !! IKE Negotiation is in process The ZyXEL Device has begun negotiation with the peer for the connection already, but the IKE key exchange has not finished yet.
If these ranges differ, then the connection fails. !! Local / remote IPs of incoming request If the security gateway is "0.0.0.0", the ZyXEL Device will conflict with rule <#d> use the peer's "Local Addr" as its "Remote Addr". If this IP (range) conflicts with a previously configured rule then the connection is not allowed.
P-202H Plus v2 User’s Guide The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Table 108 RFC-2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE Security Association PROP Proposal TRANS...
Make sure that the ZyXEL Device’s power adaptor is connected to the ZyXEL Device LEDs turn on and plugged in to an appropriate power source. Make sure that the ZyXEL Device and when I turn on the power source are both turned on.
If the remote dial-in user is negotiating IP, verify that the IP address is supplied correctly in Menu 13. Check that either the remote dial- in user is supplying a valid IP address, or that the ZyXEL Device is assigning a valid address from the IP pool.
Your computer’s and the ZyXEL Device’s IP addresses must be on the same subnet for LAN access. If you changed the ZyXEL Device’s LAN IP address, then enter the new one as the URL. Make sure that pop-up windows, JavaScripts and Java permissions are allowed. See the appendix for how to enable them.
Appendix: Product Specifications
See also the Introduction chapter for a general overview of the key features.
Specification Tables
Table 114 Device
Default IP Address: 192.168.1.1
Default Subnet Mask: 255.255.255.0 (24 bits)
Default Password: 1234
DHCP Pool...
P-202H Plus v2 User’s Guide Table 115 Firmware (continued) Management Embedded Web Configurator Menu-driven SMT (System Management Terminal) management Remote Management via Telnet or Web FTP/TFTP for firmware downloading, configuration backup and restoration. Built-in Diagnostic Tools for FLASH memory, ISDN circuitry, RAM and LAN port Firewall Stateful Packet Inspection.
4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyXEL Device with the connection cables. 5 Align the holes on the back of the ZyXEL Device with the screws on the wall. Hang the ZyXEL Device on the screws.
P-202H Plus v2 User’s Guide P P E N D I X Log Descriptions This appendix provides descriptions of example log messages. Table 116 System Maintenance Logs LOG MESSAGE DESCRIPTION The router has adjusted its time based on information from the Time calibration is time server.
P-202H Plus v2 User’s Guide Table 117 System Error Logs (continued) LOG MESSAGE DESCRIPTION The router failed to allocate memory for the NetBIOS filter settings. readNetBIOSFilter: calloc error A WAN connection is down. You cannot access the network WAN connection is down. through this interface.
P-202H Plus v2 User’s Guide Table 119 TCP Reset Logs (continued) LOG MESSAGE DESCRIPTION The router sent a TCP reset packet when a dynamic firewall Firewall session time session timed out. out, sent TCP RST The default timeout values are as follows: ICMP idle timeout: 3 minutes UDP idle timeout: 3 minutes TCP connection (three way handshaking) timeout: 270 seconds...
P-202H Plus v2 User’s Guide Table 121 ICMP Logs (continued) LOG MESSAGE DESCRIPTION The firewall does not support this kind of ICMP packets or Unsupported/out-of-order ICMP: the ICMP packets are out of order. ICMP The router sent an ICMP reply packet to the sender. Router reply ICMP packet: ICMP Table 122 CDR Logs LOG MESSAGE...
P-202H Plus v2 User’s Guide Table 123 Attack Logs (continued) LOG MESSAGE DESCRIPTION The firewall detected an ICMP teardrop attack. For type and code teardrop ICMP (type:%d, details, see Table 129 on page 336. code:%d) The firewall detected a TCP illegal command attack. illegal command TCP The firewall detected a TCP NetBIOS attack.
P-202H Plus v2 User’s Guide Table 125 IKE Logs (continued) LOG MESSAGE DESCRIPTION The connection failed during IKE phase 2 because the router Verifying Local ID failed: and the peer’s Local/Remote Addresses don’t match. The router retransmitted the last packet sent because there IKE Packet Retransmit was no response from the peer.
P-202H Plus v2 User’s Guide Table 125 IKE Logs (continued) LOG MESSAGE DESCRIPTION The router could not find a known phase 1 ID in the No known phase 1 ID type connection attempt. found The phase 1 ID types do not match. ID type mismatch.
P-202H Plus v2 User’s Guide Table 125 IKE Logs (continued) LOG MESSAGE DESCRIPTION Rule [%d] Phase 1 ID mismatch The listed rule’s IKE phase 1 ID did not match between the router and the peer. The listed rule’s IKE phase 1 hash did not match between the Rule [%d] Phase 1 hash router and the peer.
P-202H Plus v2 User’s Guide Table 126 PKI Logs (continued) LOG MESSAGE DESCRIPTION The router received a certification authority certificate, with subject Rcvd ca cert: <subject name as recorded, from the LDAP server whose IP address and port name> are recorded in the Source field. The router received a user certificate, with subject name as recorded, Rcvd user cert: from the LDAP server whose IP address and port are recorded in the...
ACL set for packets traveling from the LAN to the LAN or ZyXEL Device the ZyXEL Device. (W to W) WAN to WAN/ ACL set for packets traveling from the WAN to the WAN ZyXEL Device or the ZyXEL Device. Appendix C Log Descriptions...
P-202H Plus v2 User’s Guide Table 129 ICMP Notes TYPE CODE DESCRIPTION Echo Reply Echo reply message Destination Unreachable Net unreachable Host unreachable Protocol unreachable Port unreachable A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) Source route failed Source Quench...
P-202H Plus v2 User’s Guide The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Table 130 RFC-2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE Security Association Proposal PROP Transform...
After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
Figure 212 Windows 95/98/Me: Network: Configuration
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add....
P-202H Plus v2 User’s Guide 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab.
5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your ZyXEL Device and restart your computer when prompted. Verifying Settings 1 Click Start and then Run.
P-202H Plus v2 User’s Guide Figure 215 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 216 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. Appendix D Setting up Your Computer’s IP Address...
P-202H Plus v2 User’s Guide Figure 217 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 218 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
P-202H Plus v2 User’s Guide • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. Figure 219 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
P-202H Plus v2 User’s Guide Figure 220 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). •...
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11 Turn on your ZyXEL Device and restart your computer (if prompted).
Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
P-202H Plus v2 User’s Guide Figure 222 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 223 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. Appendix D Setting up Your Computer’s IP Address...
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyXEL Device in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyXEL Device in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your ZyXEL Device and restart your computer (if prompted).
Note: Make sure you are logged in as the root administrator.
Using the K Desktop Environment (KDE)
Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
• If you have a dynamic IP address click Automatically obtain IP address settings with and select dhcp from the drop down list.
• If you have a static IP address click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
•...
APPENDIX
IP Addresses and Subnetting
This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks.
Introduction to IP Addresses
An IP address has two parts: the network number and the host ID.
The following table shows the network number and host ID arrangement for classes A, B and
Table 131 Classes of IP Addresses
IP ADDRESS   OCTET 1          OCTET 2   OCTET 3   OCTET 4
Class A      Network number   Host ID   Host ID   Host ID...
Subnet Masks
A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). A subnet mask has 32 bits. If a bit in the subnet mask is a “1” then the corresponding bit in the IP address is part of the network number.
Table 134 Alternative Subnet Mask Notation (continued)
SUBNET MASK SUBNET MASK “1” BITS LAST OCTET BIT VALUE DECIMAL
255.255.255.240 1111 0000
255.255.255.248 1111 1000
255.255.255.252 1111 1100
The first mask shown is the class “C” natural mask. Normally if no mask is specified it is understood that the natural mask is being used.
Table 136 Subnet 1 (continued)
IP/SUBNET MASK   NETWORK NUMBER   LAST OCTET BIT VALUE
Subnet Address: 192.168.1.0
Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.127
Highest Host ID: 192.168.1.126
Table 137 Subnet 2
IP/SUBNET MASK   NETWORK NUMBER   LAST OCTET BIT VALUE
IP Address 192.168.1.
Table 138 Subnet 1 (continued)
IP/SUBNET MASK   NETWORK NUMBER   LAST OCTET BIT VALUE
Subnet Address: 192.168.1.0
Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63
Highest Host ID: 192.168.1.62
Table 139 Subnet 2
IP/SUBNET MASK   NETWORK NUMBER   LAST OCTET BIT VALUE
IP Address...
The following table shows class C IP address last octet values for each subnet.
Table 142 Eight Subnets
SUBNET   SUBNET ADDRESS   FIRST ADDRESS   LAST ADDRESS   BROADCAST ADDRESS
The following table is a summary for class “C” subnet planning.
Table 143 Class C Subnet Planning
NO.
The following table is a summary for class “B” subnet planning.
Table 144 Class B Subnet Planning
NO. “BORROWED” HOST BITS   SUBNET MASK   NO. SUBNETS   NO. HOSTS PER SUBNET
SUBNET MASK 255.255.128.0 (/17), NO. HOSTS PER SUBNET 32766
SUBNET MASK 255.255.192.0 (/18), NO. HOSTS PER SUBNET 16382
SUBNET MASK 255.255.224.0 (/19), NO. HOSTS PER SUBNET 8190
SUBNET MASK 255.255.240.0 (/20)
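The logical AND described under Subnet Masks, and the subnet tables that follow it, worked through as an added example that is not part of the ZyXEL manual; the function names are this example's own. It generalizes the tables to any contiguous mask and any number of borrowed host bits.

```python
import socket
import struct

FULL = 0xFFFFFFFF  # 32 one-bits: an IPv4 address or mask is 32 bits wide

def to_int(dotted):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def to_dotted(value):
    """32-bit integer -> dotted-decimal IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", value))

def one_bits(mask):
    """Number of "1" bits in a mask (the /n notation); rejects masks with gaps."""
    host_bits = ~to_int(mask) & FULL
    if host_bits & (host_bits + 1):  # host part must be a solid run of low bits
        raise ValueError("non-contiguous subnet mask: " + mask)
    return 32 - host_bits.bit_length()

def describe(ip, mask):
    """Apply the logical AND from the text and derive the subnet's boundaries."""
    prefix = one_bits(mask)
    network = to_int(ip) & to_int(mask)           # network number = IP AND mask
    broadcast = network | (~to_int(mask) & FULL)  # host ID bits all set to 1
    return {
        "prefix": prefix,
        "subnet": to_dotted(network),
        "lowest_host": to_dotted(network + 1),
        "highest_host": to_dotted(broadcast - 1),
        "broadcast": to_dotted(broadcast),
        "hosts": broadcast - network - 1,
    }

def split(network, mask, borrowed):
    """List the subnets created by borrowing `borrowed` host bits from `mask`."""
    prefix = one_bits(mask) + borrowed
    if borrowed < 1 or prefix > 30:
        raise ValueError("need 1 or more borrowed bits and at least 2 host bits left")
    new_mask = to_dotted((FULL << (32 - prefix)) & FULL)
    size = 1 << (32 - prefix)
    base = to_int(network) & to_int(mask)
    return [describe(to_dotted(base + i * size), new_mask) for i in range(1 << borrowed)]

if __name__ == "__main__":
    for row in split("192.168.1.0", "255.255.255.0", 1):
        print(row)
```

Run as a script, it prints the two subnets obtained by borrowing one host bit from 192.168.1.0 with the class C natural mask.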
APPENDIX F
Pop-up Windows, JavaScripts and Java Permissions
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
•...
Figure 236 Internet Options
3 Click Apply to save this setting.
Enable pop-up Blockers with Exceptions
Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings… to open the Pop-up Blocker Settings screen.
Figure 237 Internet Options
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.
Appendix F Pop-up Windows, JavaScripts and Java Permissions...
Figure 238 Pop-up Blocker Settings
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.
JavaScripts
If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
Figure 239 Internet Options
2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.
Figure 240 Security Settings - Java Scripting
Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.
Figure 241 Security Settings - Java
JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.