ZyXEL Communications ZyWall 10 User Manual

ZyWALL
10/10W/30W/50/100
Internet Security Gateway
User's Guide
Versions 3.52 and 3.61
June 2003


Summary of Contents for ZyXEL Communications ZyWall 10

  • Page 1 ZyWALL 10/10W/30W/50/100 Internet Security Gateway User’s Guide Versions 3.52 and 3.61 June 2003...
  • Page 2: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 ZyWALL 10~100 Series Internet Security Gateway Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Information For Canadian Users

    ZyWALL 10~100 Series Internet Security Gateway Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
  • Page 5: ZyXEL Limited Warranty

    ZyWALL 10~100 Series Internet Security Gateway ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon...
  • Page 6: Customer Support

    ZyWALL 10~100 Series Internet Security Gateway Customer Support Please have the following information ready when you contact your customer support representative: • Product model and serial number. • Information in Menu 24.2.1 – System Information.
  • Page 7: Table Of Contents

    ZyWALL 10~100 Series Internet Security Gateway Table of Contents Copyright..............................ii Federal Communications Commission (FCC) Interference Statement..........iii Information for Canadian Users .......................iv ZyXEL Limited Warranty ..........................v Customer Support ............................vi List of Figures ............................xviii List of Tables ............................xxv Preface ..............................xxix Getting Started ..............................
  • Page 8 ZyWALL 10~100 Series Internet Security Gateway Chapter 4 System Screens........................4-1 System Overview ........................4-1 Configuring General Setup ......................4-1 Dynamic DNS..........................4-2 Configuring Dynamic DNS ......................4-2 Configuring Password.........................4-4 Configuring Time Zone ......................4-5 Chapter 5 LAN Screens ...........................5-1 LAN Overview ...........................5-1 DHCP Setup..........................5-1 LAN TCP/IP ..........................5-1 Configuring IP ..........................5-3...
  • Page 9 ZyWALL 10~100 Series Internet Security Gateway Chapter 7 DMZ Screens.......................... 7-1 DMZ Overview .......................... 7-1 Configuring DMZ ........................7-1 Chapter 8 WAN Screens.......................... 8-1 WAN Overview ......................... 8-1 TCP/IP Priority (Metric) ......................8-1 Configuring Route........................8-1 Configuring WAN ISP ....................... 8-2 Configuring WAN IP .......................
  • Page 10 ZyWALL 10~100 Series Internet Security Gateway Chapter 11 Firewalls ..........................11-1 11.1 Firewall Overview ........................11-1 11.2 Types of Firewalls.........................11-1 11.3 Introduction to ZyXEL’s Firewall ..................11-2 11.4 Denial of Service........................11-3 11.5 Stateful Inspection ........................11-7 11.6 Guidelines For Enhancing Security With Your Firewall ............11-11 11.7...
  • Page 11 ZyWALL 10~100 Series Internet Security Gateway VPN/IPSec ..............................VI Chapter 14 Introduction to IPSec......................14-1 14.1 VPN Overview ........................14-1 14.2 IPSec Architecture ....................... 14-3 14.3 Encapsulation ........................14-5 14.4 IPSec and NAT ........................14-5 Chapter 15 VPN Screens ........................15-1 15.1...
  • Page 12 ZyWALL 10~100 Series Internet Security Gateway 16.1 Remote Management Overview....................16-1 16.2 Telnet ............................16-2 16.3 Configuring TELNET......................16-3 16.4 Configuring FTP ........................16-4 16.5 Configuring WWW.......................16-5 16.6 Configuring SNMP .......................16-7 16.7 Configuring DNS ........................16-11 16.8 Configuring Security......................16-12 Chapter 17 UPnP............................17-1 17.1 Universal Plug and Play Overview ..................17-1 17.2...
  • Page 13 ZyWALL 10~100 Series Internet Security Gateway Chapter 19 Logs Screens ........................19-1 19.1 Configuring View Log ......................19-1 19.2 Configuring Log Settings ..................... 19-3 19.3 Configuring Reports......................19-6 Maintenance ..............................X Chapter 20 Maintenance ........................20-1 20.1 Maintenance Overview ......................20-1 20.2...
  • Page 14 ZyWALL 10~100 Series Internet Security Gateway 23.6 Remote Node Profile (Backup ISP) ..................23-6 23.7 Editing PPP Options ......................23-8 23.8 Editing TCP/IP Options ......................23-10 23.9 Editing Login Script......................23-12 23.10 Remote Node Filter......................23-14 Chapter 24 LAN Setup...........................24-1 24.1 Introduction to LAN Setup ....................24-1 24.2...
  • Page 15 ZyWALL 10~100 Series Internet Security Gateway 27.5 Remote Node Filter ......................27-10 Chapter 28 IP Static Route Setup ......................28-1 28.1 IP Static Route Setup......................28-1 Chapter 29 Network Address Translation (NAT) ................29-1 29.1 Using NAT ........................... 29-1 29.2 NAT Setup ...........................
  • Page 16 ZyWALL 10~100 Series Internet Security Gateway 33.5 Diagnostic ...........................33-11 Chapter 34 Firmware and Configuration File Maintenance ..............34-1 34.1 Introduction...........................34-1 34.2 Filename Conventions ......................34-1 34.3 Backup Configuration......................34-2 34.4 Restore Configuration......................34-8 34.5 Uploading Firmware and Configuration Files ..............34-11 Chapter 35 System Maintenance Menus 8 to 10..................35-1 35.1...
  • Page 17 ZyWALL 10~100 Series Internet Security Gateway 39.4 IKE Setup........................... 39-11 39.5 Manual Setup ........................39-14 Chapter 40 SA Monitor ......................... 40-1 40.1 Introduction .......................... 40-1 40.2 Using SA Monitor ........................ 40-1 Appendices and Index..........................XV Appendix A Troubleshooting ........................A Appendix B Hardware Specifications ....................... E Appendix C Safety Warnings and Instructions..................J...
  • Page 18: List Of Figures

    ZyWALL 10~100 Series Internet Security Gateway List of Figures Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem............1-9 Figure 1-2 VPN Application .........................1-10 Figure 2-1 Change Password Screen ......................2-1 Figure 2-2 Example Xmodem Upload......................2-3 Figure 2-3 The MAIN MENU Screen of the Web Configurator..............2-4 Figure 3-1 Wizard 1 ............................3-2...
  • Page 19 ZyWALL 10~100 Series Internet Security Gateway Figure 9-1 How NAT Works .......................... 9-3 Figure 9-2 NAT Application With IP Alias ....................9-4 Figure 9-3 Multiple Servers Behind NAT Example ..................9-8 Figure 9-4 SUA/NAT Setup ........................... 9-9 Figure 9-5 Address Mapping.........................9-11 Figure 9-6 Address Mapping Edit.........................
  • Page 20 ZyWALL 10~100 Series Internet Security Gateway Figure 15-5 Two Phases to Set Up the IPSec SA..................15-16 Figure 15-6 VPN IKE: Advanced .......................15-18 Figure 15-7 Manual Setup ..........................15-22 Figure 15-8 SA Monitor..........................15-26 Figure 15-9 Global Setting .........................15-27 Figure 15-10 Telecommuters Sharing One VPN Rule Example..............15-29 Figure 15-11 Telecommuters Using Unique VPN Rules Example .............15-30...
  • Page 21 ZyWALL 10~100 Series Internet Security Gateway Figure 20-9 Configuration ........................... 20-8 Figure 20-10 Reset Warning Message......................20-9 Figure 20-11 Configuration Upload Successful ..................20-10 Figure 20-12 Network Temporarily Disconnected..................20-10 Figure 20-13 Configuration Upload Error ....................20-11 Figure 21-1 Initial Screen ..........................21-1 Figure 21-2 Password Screen........................
  • Page 22 Figure 29-5 Menu 15.1.255: SUA Address Mapping Rules .................29-5 Figure 29-6 Menu 15.1.1: First Set.......................29-6 Figure 29-7 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set..........29-8 Figure 29-8 Menu 15.2: NAT Server Setup (ZyWALL 10) ................29-10 Figure 29-9 Multiple Servers Behind NAT Example..................29-10 Figure 29-10 NAT Example 1........................29-11 Figure 29-11 Menu 4: Internet Access &...
  • Page 23 ZyWALL 10~100 Series Internet Security Gateway Figure 31-10 Example Filter: Menu 21.1.3.1..................... 31-14 Figure 31-11 Example Filter Rules Summary: Menu 21.1.3..............31-15 Figure 31-12 Protocol and Device Filter Sets .................... 31-16 Figure 31-13 Filtering LAN Traffic ......................31-17 Figure 31-14 Filtering DMZ Traffic......................31-18 Figure 31-15 Filtering Remote Node Traffic .....................
  • Page 24 ZyWALL 10~100 Series Internet Security Gateway Figure 35-5 Call History ..........................35-5 Figure 35-6 Menu 24: System Maintenance ....................35-6 Figure 35-7 Menu 24.10 System Maintenance: Time and Date Setting ............35-7 Figure 36-1 Menu 24.11 – Remote Management Control ................36-2 Figure 37-2 IP Routing Policy Setup ......................37-2 Figure 37-4 Menu 25.1: Sample IP Routing Policy Setup ................37-3...
  • Page 25 ZyWALL 10~100 Series Internet Security Gateway List of Tables Table 1-1 Model Specific Features......................... 1-6 Table 3-1 Ethernet Encapsulation ........................3-3 Table 3-2 PPTP Encapsulation ........................3-5 Table 3-3 PPPoE Encapsulation........................3-7 Table 3-4 Private IP Address Ranges ......................3-8 Table 3-5 Example of Network Properties for LAN Servers with Fixed IP Addresses........
  • Page 26 ZyWALL 10~100 Series Internet Security Gateway Table 11-1 Common IP Ports........................11-4 Table 11-2 ICMP Commands That Trigger Alerts ..................11-6 Table 11-3 Legal NetBIOS Commands ......................11-7 Table 11-4 Legal SMTP Commands......................11-7 Table 12-1 Firewall Rules Summary: First Screen ..................12-6 Table 12-2 Creating/Editing A Firewall Rule ....................12-9 Table 12-3 Adding/Editing Source and Destination Addresses ..............12-11...
  • Page 27 ZyWALL 10~100 Series Internet Security Gateway Table 18-4 Bandwidth Manager: Class Configuration................18-15 Table 18-5 Services and Port Numbers ....................... 18-16 Table 18-6 Bandwidth Management Statistics ................... 18-17 Table 18-7 Bandwidth Manager Monitor....................18-18 Table 19-1 View Log............................ 19-3 Table 19-2 Log Settings Screen (ZyWALL 10W)..................19-5 Table 19-3 Reports ............................
  • Page 28 ZyWALL 10~100 Series Internet Security Gateway Table 29-2 SUA Address Mapping Rules .....................29-5 Table 29-3 Fields in Menu 15.1.1 .........................29-7 Table 29-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ..........29-8 Table 29-5 Menu 15.3—Trigger Port Setup Description ................29-21 Table 31-1 Abbreviations Used in the Filter Rules Summary Menu ............31-5...
  • Page 29: Preface

    This manual may refer to the ZyWALL Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 10 to 100 models. Supported features, and the details of those features, vary from model to model. Not every feature applies to every model; refer to the Model Comparison Chart in chapter 1 of this user’s guide to see what features are specific to your ZyWALL model.
  • Page 30: Syntax Conventions

    Help us help you! E-mail all User’s Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you! Syntax Conventions •...
  • Page 31: Getting Started

    Getting Started Part I: Getting Started This part helps you get to know your ZyWALL, introduces the web configurator and covers how to configure the Wizard Setup screens.
  • Page 33: Chapter 1 Getting to Know Your ZyWALL

    ZyWALL 10 Internet Security Gateway for Small/Home Offices The ZyWALL 10 offers all necessary basic firewall functionality for small office or home use. It supports VPN connections, real time attack alert and log systems, and content filtering while providing a user-friendly interface for installation and configuration.
  • Page 34: ZyWALL Features

    ZyWALL 10~100 Series Internet Security Gateway 1.1.5 ZyWALL 100 Internet Security Gateway for Small to Medium Businesses The ZyWALL 100 offers the highest degree of functionality and security for business applications. It supports up to 100 IPSec VPN connections and increases network security by adding a De-Militarized Zone (DMZ) port for use with publicly accessible servers.
  • Page 35 ZyWALL 10~100 Series Internet Security Gateway PCMCIA Port The PCMCIA port provides the option of a wireless LAN. This feature is not available on all models. IEEE 802.11b 11 Mbps Wireless LAN The optional 11 Mbps wireless LAN card provides mobility and a fast network environment for small and home offices.
  • Page 36: PPTP Encapsulation

    ZyWALL 10~100 Series Internet Security Gateway administrator to define time periods and days during which content filtering is enabled and to include or exclude a range of users on the LAN from content filtering. Wireless LAN MAC Address Filtering MAC Address Filtering together with ESSID (Extended Service Set IDentifier) and WEP (Wired Equivalent Privacy) ensure the most secure wireless solution.
  • Page 37: Traffic Redirect

    ZyWALL 10~100 Series Internet Security Gateway IP Multicast Deliver IP packets to a specific group of hosts using IP multicast. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236); the ZyWALL supports both versions 1 and 2.
  • Page 38: Table 1-1 Model Specific Features

    ZyWALL 10~100 Series Internet Security Gateway capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client. The ZyWALL can also act as a surrogate DHCP server (DHCP Relay), where it relays IP address assignment from the actual DHCP server to the clients.
  • Page 39: Figure 6-3 Wireless

    ZyWALL 10~100 Series Internet Security Gateway Table 1-1 Model Specific Features ZYWALL MODEL FEATURES 802.11b Wireless LAN Support 802.1x Wireless LAN Support Real Time Chip Auto-crossover 10/100 Mbps Ethernet Auto-negotiating 10/100 Mbps Ethernet Auto-negotiating 10/100 Mbps Ethernet Reset Button Uplink Button...
  • Page 40: Applications for the ZyWALL

    ZyWALL 10~100 Series Internet Security Gateway 1.2.4 ZyWALL 100 Note The ZyWALL 100 is designed to act as a secure gateway for all data passing between the Internet and the LAN or the DMZ. It has three Ethernet ports, one RS-232 auxiliary port and one PCMCIA port (for optional wireless applications), which are used to physically separate the network into three areas.
  • Page 41: Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem

    ZyWALL 10~100 Series Internet Security Gateway Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem 1.3.2 VPN Application ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites.
  • Page 42: Figure 1-2 VPN Application

    ZyWALL 10~100 Series Internet Security Gateway Figure 1-2 VPN Application 1-10 Getting to Know Your ZyWALL...
  • Page 43: Chapter 2 Introducing The Web Configurator

    ZyWALL 10~100 Series Internet Security Gateway Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. Web Configurator Overview The embedded web configurator allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator.
  • Page 44: Resetting the ZyWALL

    ZyWALL 10~100 Series Internet Security Gateway The ZyWALL automatically times out after five minutes of inactivity. Simply log back into the ZyWALL if this happens to you. Resetting the ZyWALL If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL.
  • Page 45: Navigating the ZyWALL Web Configurator

    ZyWALL 10~100 Series Internet Security Gateway Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 2-2 Example Xmodem Upload Step 12. After successful firmware upload, enter "atgo" to restart the router.
  • Page 46: Figure 2-3 The MAIN MENU Screen of the Web Configurator

    ZyWALL 10~100 Series Internet Security Gateway Click WIZARD SETUP for initial configuration including general setup, ISP parameters for Internet Access and WAN IP/DNS Server/MAC address assignment. Use submenus to configure ZyWALL features. Click MAINTENANCE to view information about your ZyWALL or upgrade the configuration/firmware files. Click LOGOUT at any time to exit.
  • Page 47: Chapter 3 Wizard Setup

    ZyWALL 10~100 Series Internet Security Gateway Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. Wizard Setup Overview The web configurator’s setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encapsulation type you use.
  • Page 48: Wizard Setup: Screen 2

    ZyWALL 10~100 Series Internet Security Gateway Figure 3-1 Wizard 1 Wizard Setup: Screen 2 The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. 3.3.1 Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet.
  • Page 49: Figure 3-2 Wizard 2: Ethernet Encapsulation

    ZyWALL 10~100 Series Internet Security Gateway Figure 3-2 Wizard 2: Ethernet Encapsulation The following table describes the fields in this screen. Table 3-1 Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 50 ZyWALL 10~100 Series Internet Security Gateway Table 3-1 Ethernet Encapsulation LABEL DESCRIPTION Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. Login Server: Type the domain name of the Telia login server, for example “login1.telia.com”.
  • Page 51: Figure 3-3 Wizard 2: PPTP Encapsulation

    ZyWALL 10~100 Series Internet Security Gateway The ZyWALL supports one PPTP server connection at any given time. Figure 3-3 Wizard 2: PPTP Encapsulation The following table describes the fields in this screen. Table 3-2 PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box.
  • Page 52: PPPoE Encapsulation

    ZyWALL 10~100 Series Internet Security Gateway Table 3-2 PPTP Encapsulation LABEL DESCRIPTION Password: Type the password associated with the User Name above. Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out. Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
  • Page 53: Figure 3-4 Wizard 2: PPPoE Encapsulation

    ZyWALL 10~100 Series Internet Security Gateway Figure 3-4 Wizard 2: PPPoE Encapsulation The following table describes the fields in this screen. Table 3-3 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPPoE forms a dial-up connection.
  • Page 54: Table 3-4 Private IP Address Ranges

    ZyWALL 10~100 Series Internet Security Gateway Table 3-3 PPPoE Encapsulation LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. Click Next to continue.
  • Page 55: IP Address and Subnet Mask

    ZyWALL 10~100 Series Internet Security Gateway Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
  • Page 56: Table 3-5 Example of Network Properties for LAN Servers with Fixed IP Addresses

    ZyWALL 10~100 Series Internet Security Gateway You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom"...
  • Page 57: Table 3-6 WAN Setup

    ZyWALL 10~100 Series Internet Security Gateway Figure 3-5 Wizard 3 The following table describes the fields in this screen. Table 3-6 WAN Setup LABEL DESCRIPTION WAN IP Address Assignment Get automatically from: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
  • Page 58: Basic Setup Complete

    ZyWALL 10~100 Series Internet Security Gateway Table 3-6 WAN Setup LABEL DESCRIPTION Gateway IP Address Enter the gateway IP address in this field if you selected Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
  • Page 59: System, LAN and Wireless LAN

    System, LAN and Wireless LAN Part II: System, LAN and Wireless LAN This part covers configuration of the system, LAN, and wireless LAN screens.
  • Page 61: Chapter 4 System Screens

    ZyWALL 10~100 Series Internet Security Gateway Chapter 4 System Screens This chapter provides information on the System screens. System Overview See the Wizard Setup chapter for more information on the next few screens. Configuring General Setup Click SYSTEM to open the General screen.
  • Page 62: Dynamic DNS

    ZyWALL 10~100 Series Internet Security Gateway Table 4-1 System General Setup LABEL DESCRIPTION Domain Name Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP assigned domain name.
  • Page 63: Figure 4-2 DDNS

    ZyWALL 10~100 Series Internet Security Gateway Figure 4-2 DDNS The following table describes the fields in this screen. Table 4-2 DDNS LABEL DESCRIPTION Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider.
  • Page 64: Configuring Password

    ZyWALL 10~100 Series Internet Security Gateway Table 4-2 DDNS LABEL DESCRIPTION Enable Wildcard Select the check box to enable DYNDNS Wildcard. This option is available when CustomDNS is selected in the DDNS Type field. Off Line Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
  • Page 65: Configuring Time Zone

    ZyWALL 10~100 Series Internet Security Gateway Table 4-3 Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field. New Password Type the new password in this field. Retype to Confirm Type the new password again in this field.
  • Page 66: Table 4-4 Time Zone

    ZyWALL 10~100 Series Internet Security Gateway The following table describes the fields in this screen. Table 4-4 Time Zone LABEL DESCRIPTION Use Time Server when Bootup: Select the time service protocol that your time server sends when you turn on the ZyWALL.
  • Page 67 ZyWALL 10~100 Series Internet Security Gateway Table 4-4 Time Zone LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. System...
  • Page 69: Chapter 5 LAN Screens

    ZyWALL 10~100 Series Internet Security Gateway Chapter 5 LAN Screens This chapter describes how to configure LAN settings. LAN Overview Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.
  • Page 70: RIP Setup

    ZyWALL 10~100 Series Internet Security Gateway These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured. 5.3.2 IP Address and Subnet Mask Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.
  • Page 71: Configuring IP

    ZyWALL 10~100 Series Internet Security Gateway Configuring IP Click LAN to open the IP screen. Figure 5-1 IP The following table describes the fields in this screen.
  • Page 72: Table 5-1 IP

    ZyWALL 10~100 Series Internet Security Gateway Table 5-1 IP LABEL DESCRIPTION DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP Server check box selected.
  • Page 73: Configuring Static DHCP

    ZyWALL 10~100 Series Internet Security Gateway Table 5-1 IP LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 74: Configuring IP Alias

    ZyWALL 10~100 Series Internet Security Gateway Figure 5-2 Static DHCP The following table describes the fields in this screen. Table 5-2 Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address (with colons) of a computer on your LAN.
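    The private-address guidance from the Wizard Setup chapter (RFC 1597, since superseded by RFC 1918) and the IP, DHCP Server and Static DHCP fields above are easy to get subtly wrong: a pool that spills past the subnet, a pool that hands out the ZyWALL's own address, or a static MAC-to-IP entry that duplicates a dynamic lease. The following check is an added example written for this page, not ZyXEL code; the addresses and MACs in it are constructed, and treating a static entry inside the dynamic pool as a problem is an assumption about the deployment rather than a rule stated in the manual.

```python
"""Consistency check for a LAN address plan (IP screen + Static DHCP screen).
Added example, not ZyXEL code. Sample addresses are constructed."""
import ipaddress
import re

# RFC 1918 private ranges (RFC 1918 obsoleted RFC 1597, which the manual cites)
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Static DHCP expects a MAC "with colons": six hex bytes separated by ':'
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def check_lan_plan(lan_ip, subnet_mask, pool_start, pool_size, static_entries):
    """lan_ip/subnet_mask: the ZyWALL's LAN address and mask.
    pool_start/pool_size: the dynamic DHCP pool.
    static_entries: list of (mac, ip) from the Static DHCP table.
    Returns a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    gw = ipaddress.ip_address(lan_ip)
    net = ipaddress.ip_network(f"{lan_ip}/{subnet_mask}", strict=False)

    if not any(gw in r for r in PRIVATE_RANGES):
        problems.append(f"{gw} is not in a private (RFC 1918) range")
    if gw in (net.network_address, net.broadcast_address):
        problems.append(f"{gw} is the network or broadcast address of {net}")

    # Dynamic pool: must sit inside the subnet, not cover the gateway, and not
    # include the network/broadcast addresses.
    start = ipaddress.ip_address(pool_start)
    pool = None
    if not 1 <= pool_size <= net.num_addresses:
        problems.append(f"pool size {pool_size} is not between 1 and {net.num_addresses}")
    else:
        end_int = int(start) + pool_size - 1
        if start not in net or end_int > int(net.broadcast_address):
            problems.append(f"pool starting at {start} with {pool_size} addresses does not fit inside {net}")
        else:
            end = ipaddress.ip_address(end_int)
            if start <= gw <= end:
                problems.append(f"pool {start}-{end} covers the ZyWALL address {gw}")
            elif start == net.network_address or end == net.broadcast_address:
                problems.append(f"pool {start}-{end} includes the network or broadcast address")
            else:
                pool = (start, end)

    # Static entries: well-formed MAC, inside the subnet, unique, and (an
    # assumption for this example) kept out of the dynamic pool.
    seen_mac, seen_ip = {}, {}
    for mac, ip_txt in static_entries:
        if not _MAC_RE.match(mac):
            problems.append(f"MAC {mac!r} must be six colon-separated hex bytes")
            continue
        mac_n = mac.lower()
        ip = ipaddress.ip_address(ip_txt)
        if ip not in net:
            problems.append(f"static {ip} for {mac_n} is outside {net}")
        if ip == gw:
            problems.append(f"static {ip} for {mac_n} is the ZyWALL's own address")
        if pool and pool[0] <= ip <= pool[1]:
            problems.append(f"static {ip} for {mac_n} collides with the dynamic pool")
        if mac_n in seen_mac:
            problems.append(f"{mac_n} is listed twice")
        if ip in seen_ip and seen_ip[ip] != mac_n:
            problems.append(f"{ip} is assigned to both {seen_ip[ip]} and {mac_n}")
        seen_mac[mac_n] = ip
        seen_ip[ip] = mac_n
    return problems


if __name__ == "__main__":
    # constructed plan: /24 LAN, 32-address pool, two static hosts
    for p in check_lan_plan("192.168.1.1", "255.255.255.0", "192.168.1.33", 32,
                            [("00:A0:C5:12:34:56", "192.168.1.10"),
                             ("00:A0:C5:12:34:56", "192.168.1.40")]):
        print("problem:", p)
```

Run it against the plan you are about to enter in the IP and Static DHCP screens before clicking Apply; the same check is the one worth repeating whenever the subnet mask or pool size changes, because those are the edits that silently push a pool or a static host outside the network.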
  • Page 75: Figure 5-3 IP Alias

    ZyWALL 10~100 Series Internet Security Gateway To change your ZyWALL’s IP Alias settings, click LAN, then the IP Alias tab. The screen appears as shown. Figure 5-3 IP Alias The following table describes the fields in this screen. Table 5-3 IP Alias...
  • Page 76 ZyWALL 10~100 Series Internet Security Gateway Table 5-3 IP Alias LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None.
  • Page 77: Chapter 6 Wireless LAN Screens

    ZyWALL 10~100 Series Internet Security Gateway Chapter 6 Wireless LAN Screens This chapter discusses how to configure Wireless LAN on the ZyWALL 10W, 30W and 100 models. Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios.
  • Page 78: Figure 6-1 RTS Threshold

    ZyWALL 10~100 Series Internet Security Gateway access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear” each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
  • Page 79: Wireless Security

    ZyWALL 10~100 Series Internet Security Gateway Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. 6.2.4 Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the ZyWALL will fragment the packet into smaller data frames.
  • Page 80: Configuring Wireless LAN

    ZyWALL 10~100 Series Internet Security Gateway 6.3.1 WEP WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be enabled at any one time.
  • Page 81 ZyWALL 10~100 Series Internet Security Gateway The following table describes the fields in this screen. Table 6-1 Wireless LABEL DESCRIPTION Enable Wireless: The wireless LAN is turned off (No) by default. Before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it.
  • Page 82: Configuring MAC Filter

    ZyWALL 10~100 Series Internet Security Gateway Table 6-1 Wireless LABEL DESCRIPTION Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
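    The Key 1 to Key 4 fields accept two spellings of the same key, and a key typed in the wrong form is silently a different key on the station side. The validator below is an added example written for this page, not ZyXEL code. It implements the 64-bit rule stated above (5 ASCII characters, or 0x followed by 10 hex digits) and, as an assumption not taken from this excerpt, the standard 128-bit (WEP-104) sizes of 13 ASCII characters or 0x plus 26 hex digits; it also enforces the four-slot, one-active-key rule from the WEP overview and rejects a key made of one repeated byte, which is this example's own hygiene check rather than a ZyWALL restriction.

```python
"""Validator for WEP keys as typed into the ZyWALL Wireless screen.
Added example, not ZyXEL code. 128-bit sizes are the standard WEP-104 values
(an assumption here; this excerpt only states the 64-bit lengths)."""
import re

# Secret key bytes per advertised strength. The advertised size includes the
# 24-bit IV, so "64-bit" WEP carries only 40 bits of secret, "128-bit" only 104.
KEY_BYTES = {64: 5, 128: 13}

# Hex form: the manual says hex digits must be preceded by 0x, so the 0x prefix
# is reserved for this form and never treated as part of an ASCII key.
_HEX_RE = re.compile(r"^0x([0-9A-Fa-f]+)$")


def parse_wep_key(text, strength):
    """Return the raw key bytes for one Key field, or raise ValueError."""
    if strength not in KEY_BYTES:
        raise ValueError("WEP strength must be 64 or 128")
    n = KEY_BYTES[strength]
    m = _HEX_RE.match(text)
    if m:
        digits = m.group(1)
        if len(digits) != 2 * n:
            raise ValueError(f"{strength}-bit WEP needs 0x plus {2 * n} hex digits, got {len(digits)}")
        return bytes.fromhex(digits)
    # ASCII form: exactly n printable characters, used byte-for-byte as the key
    if len(text) != n:
        raise ValueError(f"{strength}-bit WEP needs {n} ASCII characters or 0x plus {2 * n} hex digits")
    if not all(32 <= ord(c) < 127 for c in text):
        raise ValueError("ASCII key must consist of printable ASCII characters")
    return text.encode("ascii")


def validate_wep_config(strength, keys, default_key):
    """keys: {slot: typed text} for the filled Key 1..Key 4 slots.
    default_key: the one slot that is enabled for transmitting.
    Returns {slot: key_bytes} when the configuration is acceptable."""
    if set(keys) - {1, 2, 3, 4}:
        raise ValueError("only key slots 1 to 4 exist")
    if default_key not in keys:
        raise ValueError("the enabled key slot must contain a key")
    parsed = {slot: parse_wep_key(txt, strength) for slot, txt in keys.items()}
    # Example's own check: a key of one repeated byte leaves almost nothing of
    # the already small 40/104-bit secret to guess.
    for slot, k in parsed.items():
        if len(set(k)) == 1:
            raise ValueError(f"key {slot} is a single repeated byte")
    return parsed


if __name__ == "__main__":
    cfg = validate_wep_config(64, {1: "0x0123456789", 2: "abcde"}, default_key=1)
    print({slot: k.hex() for slot, k in cfg.items()})
```

The useful output is the raw bytes: if the station's driver shows a different hex value for what looks like the same key, one side typed the ASCII form and the other the hex form. Note also the comment on key sizes: the 64-bit and 128-bit labels count the per-frame IV, so the secret material is 40 or 104 bits, which is why the manual's own advice to combine WEP with MAC filtering and 802.1x rather than rely on WEP alone is the right default.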
  • Page 83: Figure 6-4 MAC Address Filter

    ZyWALL 10~100 Series Internet Security Gateway Figure 6-4 MAC Address Filter The following table describes the fields in this menu. Table 6-2 MAC Address Filter LABEL DESCRIPTION Active Use the drop down list box to enable or disable MAC address filtering.
  • Page 84: Overview

    ZyWALL 10~100 Series Internet Security Gateway Table 6-2 MAC Address Filter LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 802.1x Overview The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management.
  • Page 85: Figure 6-5 EAP Authentication

    ZyWALL 10~100 Series Internet Security Gateway • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point relays the user's response to the challenge in another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: •...
  • Page 86: Local User Database

    • The wireless station replies with identity information, including username and password. • The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.
  • Page 87: Configuring Local User Database

    Table 6-3 802.1X Authentication. Active: Select Force Authorized, Force UnAuthorized or Auto from the drop-down list box. Select Auto to authenticate all wireless clients before they can access the wired network. Select Force Authorized to allow all wireless clients to access your wired network without authentication.
  • Page 88: Figure 6-7 Local User Database

    Figure 6-7 Local User Database. The following table describes the fields in this screen.
  • Page 89: Configuring Radius

    Table 6-4 Local User Database. Active: Select this check box to enable the user profile. User Name: Enter the user name of the user profile. Password: Enter a password up to 31 characters long for this user profile.
  • Page 90: Table 6-5 Radius

    The following table describes the fields in this screen. Table 6-5 RADIUS. Authentication Server. Active: Select Yes from the drop-down list box to enable user authentication through an external authentication server. Select No to enable user authentication using the local user profile on the ZyWALL.
  • Page 91: Dmz And Wan

    Part III: DMZ and WAN. This part covers configuration of the DMZ and WAN screens.
  • Page 93: Chapter 7 Dmz Screens

    Chapter 7 DMZ Screens. This chapter describes how to configure the ZyWALL 100’s DMZ. DMZ Overview. The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 94 Figure 7-1 DMZ. The following table describes the fields in this screen. Table 7-1 DMZ. DMZ TCP/IP. IP Address: Type the IP address of your ZyWALL in dotted decimal notation, 192.168.1.1 (factory default).
  • Page 95: Table 7-1 Dmz

    Table 7-1 DMZ. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 97: Chapter 8 Wan Screens

    Chapter 8 WAN Screens. This chapter describes how to configure WAN settings. Dial-backup applies to the ZyWALL 100, 30W and 10W (see Table 1-1 Model Specific Features). Traffic redirect applies to the ZyWALL 10W, 30W, 50 and 100 models.
  • Page 98: Configuring Wan Isp

    Figure 8-1 WAN Setup: Route. The following table describes the fields in this screen. Table 8-1 WAN Setup: Route. The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
  • Page 99: Figure 8-2 Ethernet Encapsulation

    Figure 8-2 Ethernet Encapsulation. The following table describes the fields in this screen. Table 8-2 Ethernet Encapsulation. Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 100 Table 8-2 Ethernet Encapsulation. Relogin Period (min) (Telia Login only): The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
  • Page 101: Figure 8-3 Pppoe Encapsulation

    Figure 8-3 PPPoE Encapsulation. The following table describes the fields in this screen. Table 8-3 PPPoE Encapsulation. ISP Parameters for Internet Access. Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet).
  • Page 102 Table 8-3 PPPoE Encapsulation. Retype to Confirm: Type your password again to make sure that you have entered it correctly. Nailed Up: Select Nailed Up Connection if you do not want the connection to time out.
  • Page 103: Figure 8-4 Pptp Encapsulation

    Figure 8-4 PPTP Encapsulation. The following table describes the fields in this screen. Table 8-4 PPTP Encapsulation. ISP Parameters for Internet Access. Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 104: Service Type

    Table 8-4 PPTP Encapsulation. Password: Type the password associated with the User Name above. Retype to Confirm: Type your password again to make sure that you have entered it correctly. Nailed-up: Select Nailed Up Connection if you do not want the connection to time out.
  • Page 105: Figure 8-5 Rr Service Type

    Figure 8-5 RR Service Type. The following table describes the fields in this screen. Table 8-5 RR Service Type. Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 106: Configuring Wan Ip

    Configuring WAN IP. To change your ZyWALL’s WAN IP settings, click WAN, then the WAN IP tab. This screen varies according to the type of encapsulation you select. If your ISP did not assign you a fixed IP address, click Get automatically from ISP (Default); otherwise click Use fixed IP Address and enter the IP address in the following field.
  • Page 107: Table 8-6 Ip Setup

    Table 8-6 IP Setup. WAN IP Address Assignment. Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP: Select this option if the ISP assigned a fixed IP address.
  • Page 108 Table 8-6 IP Setup. RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
  • Page 109: Configuring Wan Mac

    Table 8-6 IP Setup. Allow From WAN to DMZ: Select this option to forward NetBIOS packets from the WAN port to the DMZ port. (Not all ZyWALL models have a DMZ port.) Allow Trigger Dial: Select this option to allow NetBIOS packets to initiate calls.
  • Page 110: Traffic Redirect

    Traffic Redirect. Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.
  • Page 111: Configuring Traffic Redirect

    Configuring Traffic Redirect. To change your ZyWALL’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown. Figure 8-10 Traffic Redirect. The following table describes the fields in this screen.
  • Page 112: Configuring Dial Backup

    Table 8-7 Traffic Redirect. Check WAN IP Address: Configuration of this field is optional. If you do not enter an IP address here, the ZyWALL will use the default gateway IP address. Configure this field to test your ZyWALL's WAN accessibility.
  • Page 113: Figure 8-11 Dial Backup Setup

    Figure 8-11 Dial Backup Setup
  • Page 114: Table 8-8 Dial Backup Setup

    The following table describes the fields in this screen. Table 8-8 Dial Backup Setup. Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings. Login Name: Type the login name assigned by your ISP.
  • Page 115 Table 8-8 Dial Backup Setup. Get IP Address Automatically from Remote Server: Type the login name assigned by your ISP for this remote node. Used Fixed IP Address: Select this check box if your ISP assigned you a fixed IP address, then enter the IP address in the following field.
  • Page 116 Table 8-8 Dial Backup Setup. RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
  • Page 117: Advanced Modem Setup

    8.10 Advanced Modem Setup. 8.10.1 AT Command Strings. For regular telephone lines, the default “Dial” string tells the modem that the line uses tone dialing. “ATDT” is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to “ATDP”.
  • Page 118: Figure 8-12 Advanced Setup

    Figure 8-12 Advanced Setup. The following table describes the fields in this screen. Table 8-9 Advanced Setup (LABEL, DESCRIPTION, EXAMPLE). AT Command Strings. Dial: Type the AT Command string to make a call (example: atdt). Drop: Type the AT Command string to drop a call.
  • Page 119 Table 8-9 Advanced Setup. Drop DTR When Hang Up: Select this check box to have the ZyWALL drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out.
  • Page 121: Nat And Static Route

    Part IV: NAT and Static Route. This part covers Network Address Translation and setting up static routes.
  • Page 123: Nat Overview

    Chapter 9 Network Address Translation (NAT) Screens. This chapter discusses how to configure NAT on the ZyWALL. NAT Overview. NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 124: What Nat Does

    NAT never changes the IP address (either local or global) of an outside host. 9.1.2 What NAT Does. In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 125: Figure 9-1 How Nat Works

    Figure 9-1 How NAT Works. 9.1.4 NAT Application...
  • Page 126: Figure 9-2 Nat Application With Ip Alias

    The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
  • Page 127: Table 9-2 Nat Mapping Types

    Many One to One: In Many-One-to-One mode, the ZyWALL maps each local IP address to a unique global IP address. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.
  • Page 128: Using Nat

    Using NAT. You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 9.2.1 SUA (Single User Account) Versus NAT. SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 129: Table 9-3 Services And Port Numbers

    desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.
  • Page 130: Configuring Sua Server

    Figure 9-3 Multiple Servers Behind NAT Example. Configuring SUA Server. If you do not assign a Default Server IP Address, then all packets received for ports not specified in this screen will be discarded.
  • Page 131: Figure 9-4 Sua/Nat Setup

    Figure 9-4 SUA/NAT Setup. The following table describes the fields in this screen. Table 9-4 SUA/NAT Setup. Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
  • Page 132: Configuring Address Mapping

    Table 9-4 SUA/NAT Setup. Start Port: Enter a port number here. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port No field...
  • Page 133: Figure 9-5 Address Mapping

    Figure 9-5 Address Mapping. The following table describes the fields in this screen. Table 9-5 Address Mapping. Local Start IP: This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping.
  • Page 134: Figure 9-6 Address Mapping Edit

    Table 9-5 Address Mapping. Type: 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account...
  • Page 135: Configuring Trigger Port

    Table 9-6 Address Mapping Edit. Type: Choose the port mapping type from one of the following. 1. One-to-One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type.
  • Page 136 request a service with a specific port number and protocol (a "trigger" port). When the ZyWALL's WAN port receives a response with a specific port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request.
  • Page 137: Figure 9-7 Trigger Port

    Figure 9-7 Trigger Port. The following table describes the fields in this screen. Table 9-7 Trigger Port. This is the rule index number (read-only). Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
  • Page 138 Table 9-7 Trigger Port. Start Port: Type a port number or the starting port number in a range of port numbers. End Port: Type a port number or the ending port number in a range of port numbers.
  • Page 139: Chapter 10 Static Route Screens

    Chapter 10 Static Route Screens. This chapter shows you how to configure static routes for your ZyWALL. 10.1 Static Route Overview. Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond.
  • Page 140: Figure 10-2 Edit Ip Static Route

    Table 10-1 IP Static Route Summary. Active: This field shows whether this static route is active (Yes) or not (No). Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
  • Page 141: Table 10-2 Edit Ip Static Route

    Table 10-2 Edit IP Static Route. Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route. Active: This field allows you to activate/deactivate this static route.
  • Page 143: Firewall And Content Filters

    Part V: Firewall and Content Filters. This part introduces firewalls in general and the ZyWALL firewall. It also explains how to configure the ZyWALL firewall and content filtering.
  • Page 145: Chapter 11 Firewalls

    Chapter 11 Firewalls. This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 11.1 Firewall Overview. Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 146: Introduction To Zyxel's Firewall

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
  • Page 147: Denial Of Service

    Figure 11-1 ZyWALL Firewall Application. 11.4 Denial of Service. Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 148: Table 11-1 Common Ip Ports

    for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port.
  • Page 149: Figure 11-2 Three-Way Handshake

    Figure 11-2 Three-Way Handshake. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
  • Page 150: Figure 11-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 151: Stateful Inspection

    The only legal NetBIOS commands are the following; all others are illegal. Table 11-3 Legal NetBIOS Commands: MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE. All SMTP commands are illegal except for those displayed in the following tables.
  • Page 152: Figure 11-5 Stateful Inspection

    Allows all sessions originating from the LAN (local network) to the WAN (Internet). Denies all sessions originating from the WAN to the LAN. Figure 11-5 Stateful Inspection. The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works.
  • Page 153: Stateful Inspection And The Zywall

    3. The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection.
  • Page 154: Tcp Security

    The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.
  • Page 155: Guidelines For Enhancing Security With Your Firewall

    little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. 11.5.5 Upper Layer Protocols. Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously.
  • Page 156: Packet Filtering Vs Firewall

    11.7 Packet Filtering Vs Firewall. Below are some comparisons between the ZyWALL’s filtering and firewall functions. 11.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 157 2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required. 3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks.
  • Page 159: Chapter 12 Firewall Screens

    Chapter 12 Firewall Screens. This chapter shows you how to configure your ZyWALL firewall. 12.1 Access Methods. The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall.
  • Page 160: Rule Logic Overview

    This prevents computers on the WAN from using the ZyWALL as a gateway to communicate with other computers on the WAN and/or managing the ZyWALL. • DMZ to LAN • DMZ to DMZ/ZyWALL: This prevents computers on the DMZ from communicating between networks or subnets connected to the DMZ interface and/or managing the ZyWALL.
  • Page 161: Security Ramifications

    5. What computers on the LAN or DMZ are to be affected (if any)? 6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
  • Page 162: Connection Direction Examples

    Destination Address: What is the connection’s destination address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet? 12.4 Connection Direction Examples. This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN.
  • Page 163: Configuring Firewall

    12.4.2 WAN to LAN Rules. The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
  • Page 164: Figure 12-3 Enabling The Firewall (Zywall 100)

    Select this check box to enable the firewall. Figure 12-3 Enabling the Firewall (ZyWALL 100). The following table describes the fields in this screen. Table 12-1 Firewall Rules Summary: First Screen. Enable Firewall: Select this check box to activate the firewall.
  • Page 165 Table 12-1 Firewall Rules Summary: First Screen. Total Configured Rules: This read-only number is the total number of rules that have been configured for the ZyWALL (the combined total for all packet directions). The ZyWALL allows you to configure up to 30 firewall rules total.
  • Page 166: Configuring Firewall Rules

    Table 12-1 Firewall Rules Summary: First Screen. Alert: This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched. Insert: Type the index number for where you want to put a rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 167: Table 12-2 Creating/Editing A Firewall Rule

    Figure 12-4 Creating/Editing A Firewall Rule (ZyWALL 100). The following table describes the fields in this screen. Table 12-2 Creating/Editing A Firewall Rule. Active: Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if...
  • Page 168: Configuring Source And Destination Addresses

    Table 12-2 Creating/Editing A Firewall Rule. Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Please see the next section for more information on adding and editing source addresses.
  • Page 169: Figure 12-5 Adding/Editing Source And Destination Addresses

    Figure 12-5 Adding/Editing Source and Destination Addresses. The following table describes the fields in this screen. Table 12-3 Adding/Editing Source and Destination Addresses. Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an...
  • Page 170: Example Firewall Rule

    Figure 12-6 Creating/Editing A Custom Port. The following table describes the fields in this screen. Table 12-4 Creating/Editing A Custom Port. Service Name: Enter a unique name for your custom port. Service Type: Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop-down list box.
  • Page 171: Figure 12-7 Firewall Ip Config Screen

    Step 2. In the Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 172: Figure 12-8 Firewall Rule Edit Ip Example

    Figure 12-8 Firewall Rule Edit IP Example. Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as follows and click Apply.
  • Page 173: Figure 12-10 Myservice Rule Configuration (Zywall100)

    Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. This is the address range of the “MyService”...
  • Page 174: Figure 12-11 My Service Example Rule Summary (Zywall100)

    On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL.
  • Page 175: Predefined Services

    12.7 Predefined Services. The Available Services list box in the Rule Config(uration) screen (see Figure 12-4) displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets.
  • Page 176 Table 12-5 Predefined Services. IPSEC_TUNNEL(ESP:0): The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. IRC(TCP/UDP:6667): This is another popular Internet chat program. Messenger(TCP:1863): Microsoft Networks’ messenger service uses this protocol.
  • Page 177: Alerts

    Table 12-5 Predefined Services. SMTP(TCP:25): Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. SNMP(TCP/UDP:161): Simple Network Management Program.
  • Page 178: Configuring Attack Alert

    12.9 Configuring Attack Alert. Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully established.
  • Page 179 When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low).
  • Page 180: Figure 12-12 Attack Alert

    Figure 12-12 Attack Alert. The following table describes the fields in this screen. Table 12-6 Attack Alert (LABEL, DESCRIPTION, DEFAULT VALUES). Generate alert when attack: A detected attack automatically generates a log entry. Check this box to generate an alert...
  • Page 181 Table 12-6 Attack Alert. One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. Default value: 100 half-open sessions per minute. The above numbers...
  • Page 182 Table 12-6 Attack Alert. Blocking Time: When TCP Maximum Incomplete is reached you can choose if the next session should be... Default value: Select this check box to specify a number in the minutes (min) text box.
  • Page 183: Chapter 13 Content Filtering Screens

    Chapter 13 Content Filtering Screens. This chapter provides a brief overview of content filtering. 13.1 Content Filtering Overview. Internet content filtering allows schools and businesses to create and enforce Internet access policies tailored to their needs. Content filtering is the ability to block certain web features or specific URLs and should not be confused with packet filtering via SMT menu 21.1.
  • Page 184: Figure 13-1 Content Filter: Categories

    Figure 13-1 Content Filter: Categories. The following table describes the fields in this screen. Table 13-1 Content Filter: Categories. Restricted Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
  • Page 185 ZyWALL 10~100 Series Internet Security Gateway Table 13-1 Content Filter: Categories LABEL DESCRIPTION Java A programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds. Cookies Used by Web servers to track usage and provide service based on ID.
  • Page 186 ZyWALL 10~100 Series Internet Security Gateway Table 13-1 Content Filter: Categories LABEL DESCRIPTION Intolerance Selecting this category excludes pictures or text advocating prejudice or discrimination against any race, color, national origin, religion, disability or handicap, gender, or sexual orientation. Also includes intolerant jokes or slurs.
  • Page 187: Configuring Free

    ZyWALL 10~100 Series Internet Security Gateway Table 13-1 Content Filter: Categories LABEL DESCRIPTION Always Block Click this option button to have content filtering always active with Time of Day limitations not enforced. This is enabled by default. Block from Click this option button to have content filtering only active during the time interval specified.
  • Page 188: Figure 13-2 Content Filter: Free

    ZyWALL 10~100 Series Internet Security Gateway Figure 13-2 Content Filter: Free The following table describes the fields in this screen. Table 13-2 Content Filter: Free LABEL DESCRIPTION Last Name Type your last name. You may enter up to 31 characters. This is a required field.
  • Page 189: Configuring Icard

    ZyWALL 10~100 Series Internet Security Gateway 13.4 Configuring iCard Use this screen to re-register the ZyWALL after the initial free subscription period expires (see 13.3). Update your subscription in this page by filling in your personal information in the fields as shown, and then click Apply.
  • Page 190: Configuring List Update

    ZyWALL 10~100 Series Internet Security Gateway Table 13-3 Content Filter: iCard LABEL DESCRIPTION Company Type the name of your company. You may enter up to 31 characters. Title Type your job title. You may enter up to 31 characters. Country Type your country name.
  • Page 191: Configuring Exempt Computers

    ZyWALL 10~100 Series Internet Security Gateway Table 13-4 Content Filter: List Update LABEL DESCRIPTION Download Now Click Download Now to download and install a new Content Filter List. This process may take a couple of minutes, depending on Internet traffic conditions and requires a current subscription to the Content Filter List.
  • Page 192: Figure 13-5 Content Filter: Exempt Zone

    ZyWALL 10~100 Series Internet Security Gateway Figure 13-5 Content Filter: Exempt Zone The following table describes the fields in this screen. Table 13-5 Content Filter: Exempt Zone LABEL DESCRIPTION Enforce Content Filter Select to have all users on your LAN follow Content Filter policies (default).
  • Page 193: Configuring Customize

    ZyWALL 10~100 Series Internet Security Gateway Table 13-5 Content Filter: Exempt Zone LABEL DESCRIPTION From Address Type the beginning IP address of the specific range of users on your LAN. To Address Type the ending IP address of the specific range of users on your LAN, then click Add Range.
  • Page 194: Figure 13-6 Content Filter: Customize

    ZyWALL 10~100 Series Internet Security Gateway Figure 13-6 Content Filter: Customize The following table describes the fields in this screen. Table 13-6 Content Filter: Customize LABEL DESCRIPTION Filter List Customization Make sure the Enable Filter List Customization check box is selected to make this feature available.
  • Page 195 ZyWALL 10~100 Series Internet Security Gateway Table 13-6 Content Filter: Customize LABEL DESCRIPTION Disable all web traffic When this box is selected, ZyWALL only allows Web access to sites on the except for Trusted Trusted Domains list. If Trusted Domains are chosen carefully, this is the Domains most effective way to block objectionable material.
  • Page 196: Configuring Keyword Blocking

    ZyWALL 10~100 Series Internet Security Gateway 13.8 Configuring Keyword Blocking Use this screen to block sites containing certain keywords. For example, if you enable the keyword "bad", the ZyWALL blocks all sites containing this keyword including the URL http://www.website.com/bad.html, even if it is not included in the Filter List. This functions as a second line of defense against objectionable material.
  • Page 197 ZyWALL 10~100 Series Internet Security Gateway Table 13-7 Content Filter: Keyword Blocking LABEL DESCRIPTION Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the Content Filter is blocking this request.
  • Page 199: VPN/IPSec

    Part VI: VPN/IPSec. This part provides information on how to configure VPN/IPSec.
  • Page 201: Chapter 14 Introduction to IPSec

    Chapter 14 Introduction to IPSec. This chapter introduces the basics of IPSec VPNs. 14.1 VPN Overview: A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 202: Figure 14-1 Encryption and Decryption

    Figure 14-1 Encryption and Decryption. Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 203: IPSec Architecture

    Figure 14-2 VPN Application. 14.2 IPSec Architecture: The overall IPSec architecture is shown as follows.
  • Page 204: Figure 14-3 IPSec Architecture

    Figure 14-3 IPSec Architecture. 14.2.1 IPSec Algorithms: The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 205: Encapsulation

    14.3 Encapsulation: The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 14-4 Transport and Tunnel Mode IPSec Encapsulation. 14.3.1 Transport Mode: Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 206: Table 14-1 VPN and NAT

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
  • Page 207: Chapter 15 VPN Screens

    Chapter 15 VPN Screens. This chapter introduces the VPN Web Configurator. See the Logs chapter for information on viewing logs and the Reference Guide for IPSec log descriptions. 15.1 VPN/IPSec Overview: Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 208: My IP Address

    Table 15-1 AH and ESP. Encryption: Select DES for minimal security and 3DES for maximum. Select NULL to set up a tunnel without encryption. DES (default). Authentication: Select MD5 for minimal security and SHA-1 for maximum security.
  • Page 209: Summary Screen

    for telecommuters initiating a VPN tunnel to the company network. See section 15.17 for configuration examples. The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.
  • Page 210: Figure 15-2 Summary

    Figure 15-2 Summary. The following table describes the fields in this screen. Table 15-2 Summary (LABEL / DESCRIPTION). The VPN policy index number. Name: This field displays the identification name for this VPN policy. Active: This field displays whether the VPN policy is active or not.
  • Page 211 Table 15-2 Summary (LABEL / DESCRIPTION). Local Address: This is the IP address(es) of computer(s) on your local network behind your ZyWALL. The same (static) IP address is displayed twice when the Local Address Type field in the Configure-IKE (or Manual) screen is configured to Single Address.
  • Page 212: Keep Alive

    15.6 Keep Alive: When you initiate an IPSec tunnel with keep alive enabled, the ZyWALL automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see section 15.11 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an "always on"...
  • Page 213: ID Type and Content

    Enable NAT traversal on both IPSec endpoints. In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A.
  • Page 214: Table 15-5 Matching ID Type and Content Configuration Example

    Table 15-4 Peer ID Type and Content Fields (PEER ID TYPE= / CONTENT=). Type a domain name (up to 31 characters) by which to identify the remote IPSec router. E-mail: Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.
  • Page 215: Pre-Shared Key

    15.9 Pre-Shared Key: A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see section 15.11 for more on IKE phases). It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  • Page 216: Figure 15-4 VPN IKE

    Figure 15-4 VPN IKE. The following table describes the fields in this screen.
  • Page 217: Table 15-7 VPN IKE

    Table 15-7 VPN IKE (LABEL / DESCRIPTION). Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive: Select either Yes or No from the drop-down list box.
  • Page 218 Table 15-7 VPN IKE (LABEL / DESCRIPTION). End/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 219 Table 15-7 VPN IKE (LABEL / DESCRIPTION). Content: When you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The ZyWALL automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the local Content field to 0.0.0.0 or leave it blank.
  • Page 220 Table 15-7 VPN IKE (LABEL / DESCRIPTION). Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection in the peer Content field. The ZyWALL...
  • Page 221: IKE Phases

    Table 15-7 VPN IKE (LABEL / DESCRIPTION). Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
  • Page 222: Figure 15-5 Two Phases to Set Up the IPSec SA

    Figure 15-5 Two Phases to Set Up the IPSec SA. In phase 1 you must: Choose a negotiation mode. Authenticate the connection by entering a pre-shared key. Choose an encryption algorithm. Choose an authentication algorithm.
  • Page 223: Configuring Advanced IKE Settings

    Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
  • Page 224: Figure 15-6 VPN IKE: Advanced

    Figure 15-6 VPN IKE: Advanced. The following table describes the fields in this screen. Table 15-8 VPN IKE: Advanced (LABEL / DESCRIPTION). Protocol: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
  • Page 225 Table 15-8 VPN IKE: Advanced (LABEL / DESCRIPTION). Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.
  • Page 226 Table 15-8 VPN IKE: Advanced (LABEL / DESCRIPTION). Encryption Algorithm: Select DES or 3DES from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 227: Manual Key Setup

    Table 15-8 VPN IKE: Advanced (LABEL / DESCRIPTION). SA Life Time (seconds): Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days).
  • Page 228: Figure 15-7 Manual Setup

    Figure 15-7 Manual Setup. The following table describes the fields in this screen. Table 15-9 VPN Manual Setup (LABEL / DESCRIPTION). Active: Select this check box to activate this VPN policy.
  • Page 229 Table 15-9 VPN Manual Setup (LABEL / DESCRIPTION). Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces. Key Management: Select IKE or Manual Key from the drop-down list box. Manual is a useful option for troubleshooting if you have problems using IKE key management.
  • Page 230 Table 15-9 VPN Manual Setup (LABEL / DESCRIPTION). Address Start address on the network behind the remote IPSec router. When the Addr Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 231: Viewing SA Monitor

    Table 15-9 VPN Manual Setup (LABEL / DESCRIPTION). Select AH if you want to use AH (Authentication Header Protocol). The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed.
  • Page 232: Figure 15-8 SA Monitor

    Figure 15-8 SA Monitor. The following table describes the fields in this screen. Table 15-10 SA Monitor (LABEL / DESCRIPTION). Go to page: Choose the range of rules from the drop-down list box to display the summary page for the selected rules.
  • Page 233: Configuring Global Setting

    Table 15-10 SA Monitor (LABEL / DESCRIPTION). Previous Page (if applicable): Click Previous Page to view more items in the summary (not all ZyWALL models have this feature). Refresh: Click Refresh to display the current active VPN connection(s).
  • Page 234: Telecommuter VPN/IPSec Examples

    Table 15-11 SA Monitor (LABEL / DESCRIPTION). Allow Through IPSec Tunnel: Select this check box to send NetBIOS packets through the VPN connection. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh.
  • Page 235: Figure 15-10 Telecommuters Sharing One VPN Rule Example

    Figure 15-10 Telecommuters Sharing One VPN Rule Example. 15.17.2 Telecommuters Using Unique VPN Rules Example: With aggressive negotiation mode (see section 15.11.1), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters.
  • Page 236: VPN and Remote Management

    Figure 15-11 Telecommuters Using Unique VPN Rules Example. 15.18 VPN and Remote Management: If a VPN tunnel uses a remote management service port (Telnet, FTP, WWW, SNMP, DNS or ICMP) and terminates at the ZyWALL's LAN or WAN port, configure remote management (REMOTE MGNT) to allow access for that service.
  • Page 237: Remote Management and UPnP

    Part VII: Remote Management and UPnP. This part provides information and configuration instructions for remote management and Universal Plug and Play.
  • Page 239: Chapter 16 Remote Management Screens

    Chapter 16 Remote Management Screens. This chapter provides information on the Remote Management screens. 16.1 Remote Management Overview: Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
  • Page 240: Telnet

    3. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately. 4. There is an SMT console session running.
  • Page 241: Configuring Telnet

    Figure 16-1 Telnet Configuration on a TCP/IP Network. 16.3 Configuring TELNET: Click REMOTE MANAGEMENT to open the TELNET screen. Figure 16-2 Telnet. The following table describes the fields in this screen.
  • Page 242: Configuring FTP

    Table 16-1 Telnet (LABEL / DESCRIPTION). Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 243: Configuring WWW

    Figure 16-3 FTP. The following table describes the fields in this screen. Table 16-2 FTP (LABEL / DESCRIPTION). Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 244: Figure 16-4 WWW

    Figure 16-4 WWW. The following table describes the fields in this screen. Table 16-3 WWW (LABEL / DESCRIPTION). Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 245: Configuring SNMP

    16.6 Configuring SNMP: Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1).
  • Page 246: Table 16-4 SNMP Traps

    An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
  • Page 247 Table 16-4 SNMP Traps. authenticationFailure (defined in RFC-1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
  • Page 248 Figure 16-6 SNMP. The following table describes the fields in this screen. Table 16-5 SNMP (LABEL / DESCRIPTION). SNMP Configuration. Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
  • Page 249: Configuring DNS

    Table 16-5 SNMP (LABEL / DESCRIPTION). Trusted Host: If you enter a trusted host, your ZyWALL will only respond to SNMP messages from this address. 0.0.0.0 (default) means your ZyWALL will respond to all SNMP messages it receives, regardless of source.
  • Page 250: Configuring Security

    Figure 16-7 DNS. The following table describes the fields in this screen. Table 16-6 DNS (LABEL / DESCRIPTION). Server Port: The DNS service port number is 53 and cannot be changed here. Server Access: Select the interface(s) through which a computer may send DNS queries to the ZyWALL.
  • Page 251: Figure 16-8 Security

    If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned. This allows the outside user to know the ZyWALL exists. The ZyWALL series supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyWALL when unsupported ports are probed.
  • Page 252 Table 16-7 Security (LABEL / DESCRIPTION). Do not respond to requests for ...: Select this option to prevent hackers from finding the ZyWALL by probing for unused ports. If you select this option, the ZyWALL will not send ICMP response packets to...
  • Page 253: Chapter 17 UPnP

    Chapter 17 UPnP. This chapter introduces the Universal Plug and Play feature. 17.1 Universal Plug and Play Overview: Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 254: UPnP and ZyXEL

    17.1.3 Cautions with UPnP: The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
  • Page 255: Figure 17-1 Configuring UPnP

    Figure 17-1 Configuring UPnP. The following table describes the fields in this screen. Table 17-1 Configuring UPnP (FIELD / DESCRIPTION). Enable the Universal Plug ...: Select this checkbox to activate UPnP. Be aware that anyone could use a...
  • Page 256: Installing UPnP in Windows Example

    Table 17-1 Configuring UPnP (FIELD / DESCRIPTION). Allow UPnP to pass through firewall: Select this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).
  • Page 257: Installing UPnP in Windows XP

    In the Communications window, select the Universal Plug and Play check box in the Components selection box. Click OK to go back to the Add/Remove Programs Properties window and click Next. Restart the computer when prompted.
  • Page 258: Using UPnP in Windows XP Example

    In the Networking Services window, select the Universal Plug and Play check box. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. 17.5 Using UPnP in Windows XP Example: This section shows you how to use the UPnP feature in Windows XP.
  • Page 259 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
  • Page 260: Web Configurator Easy Access

    Double-click the icon to display your current Internet connection status. 17.5.2 Web Configurator Easy Access: With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • Page 261 An icon with the description for each UPnP-enabled device displays under Local Network. Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays. Right-click the icon for your ZyXEL device and select Properties.
  • Page 263: Bandwidth Management

    Bandwidth Management Part VIII: Bandwidth Management This part provides information on the functions and configuration of bandwidth management. VIII...
  • Page 265: Chapter 18 Bandwidth Management Screens

    ZyWALL 10~100 Series Internet Security Gateway Chapter 18 Bandwidth Management Screens This chapter describes the functions and configuration of bandwidth management. Bandwidth management applies to the ZyWALL 100. 18.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic.
  • Page 266: Proportional Bandwidth Allocation

    ZyWALL 10~100 Series Internet Security Gateway application and/or subnet. Use the Class Configuration tab (see section 18.9.1) to set up a bandwidth class’s name, bandwidth allotment, and bandwidth filter. You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure child-classes with filters for any classes that you configure without filters.
  • Page 267: Figure 18-1 Application-Based Bandwidth Management Example

    ZyWALL 10~100 Series Internet Security Gateway Figure 18-1 Application-based Bandwidth Management Example 18.4.2 Subnet-based Bandwidth Management Example The following example uses bandwidth classes based solely on LAN subnets. Each bandwidth class (Subnet A and Subnet B) is allotted 5 Mbps.
  • Page 268: Scheduler

    ZyWALL 10~100 Series Internet Security Gateway Table 18-1 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A FROM SUBNET B VoIP 1 Mbps 1 Mbps 1 Mbps 1 Mbps 1 Mbps 1 Mbps E-mail 1 Mbps 1 Mbps...
  • Page 269: Maximize Bandwidth Usage

    ZyWALL 10~100 Series Internet Security Gateway 18.5.1 Priority-based Scheduler With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class’s priority number is, the higher the priority.
  • Page 270: Figure 18-4 Bandwidth Allotment Example

    ZyWALL 10~100 Series Internet Security Gateway Step 2. Do not enable the interface’s Maximize Bandwidth Usage option. Step 3. Do not enable bandwidth borrowing on the child-classes that have the root class as their parent (see section 18.7). 18.6.2 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface.
  • Page 271: Figure 18-5 Maximize Bandwidth Usage Example

    ZyWALL 10~100 Series Internet Security Gateway In this case, suppose that all of the classes except for the administration class need more bandwidth. Each class gets up to its budgeted bandwidth. The administration class only uses 1 Mbps of its budgeted 2 Mbps.
  • Page 272: Bandwidth Borrowing

    ZyWALL 10~100 Series Internet Security Gateway 18.7 Bandwidth Borrowing Bandwidth borrowing allows a child-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface.
  • Page 273: Figure 18-6 Bandwidth Borrowing Example

    ZyWALL 10~100 Series Internet Security Gateway Figure 18-6 Bandwidth Borrowing Example The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled. The Bill class can also borrow unused bandwidth from the Sales class because the Sales USA class also has bandwidth borrowing enabled.
  • Page 274: Configuring Summary

    ZyWALL 10~100 Series Internet Security Gateway The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled. The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
  • Page 275: Figure 18-7 Bandwidth Manager: Summary

    ZyWALL 10~100 Series Internet Security Gateway Figure 18-7 Bandwidth Manager: Summary The following table describes the fields in this screen. Bandwidth Management Screens 18-11...
  • Page 276: Configuring Class Setup

    ZyWALL 10~100 Series Internet Security Gateway Table 18-2 Bandwidth Manager: Summary LABEL DESCRIPTION These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Not all interfaces are available on every ZyWALL.
  • Page 277: Figure 18-8 Bandwidth Manager: Class Setup

    ZyWALL 10~100 Series Internet Security Gateway The example reserves 15 Mbps of unbudgeted bandwidth for traffic that is not defined in the bandwidth filters (see section 18.6.1). The Administration, Sales USA and Sales Asia bandwidth classes each have bigger bandwidth budgets than the total of the budgets of their child-classes. The child-classes can borrow the extra bandwidth as long as they have bandwidth borrowing enabled (see section 18.7).
  • Page 278: Figure 18-9 Bandwidth Manager: Class Configuration

    ZyWALL 10~100 Series Internet Security Gateway Table 18-3 Bandwidth Manager: Class Setup LABEL DESCRIPTION Edit Click Edit to configure the selected class. You cannot edit the root class. Delete Click Delete to delete the class and all its child-classes. You cannot delete the root class.
  • Page 279 ZyWALL 10~100 Series Internet Security Gateway The following table describes the fields in this screen. Table 18-4 Bandwidth Manager: Class Configuration LABEL DESCRIPTION Class Name Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
  • Page 280: Figure 16-6 SNMP

    Table 18-4 Bandwidth Manager: Class Configuration LABEL DESCRIPTION Protocol ID Enter the protocol ID (service type) number, for example: 1 for ICMP, 6 for TCP or 17 for UDP. Apply Click Apply to save your changes back to the ZyWALL.
  • Page 281: Figure 18-10 Bandwidth Management Statistics

    Figure 18-10 Bandwidth Management Statistics The following table describes the fields in this screen. Table 18-6 Bandwidth Management Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is showing.
  • Page 282: Configuring Monitor

    Table 18-6 Bandwidth Management Statistics LABEL DESCRIPTION Clear Counter Click Clear Counter to clear all of the bandwidth management statistics. 18.10 Configuring Monitor To view the device’s bandwidth usage and allotments, click BW MANAGER, then the Monitor tab. The screen appears as shown.
  • Page 283 LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class Name This field displays the name of the class. Budget (kbps) This field displays the amount of bandwidth allocated to the class.
  • Page 285: Logs

    Part IX: Logs This part provides information and instructions for the logs and reports.
  • Page 287: Chapter 19 Logs Screens

    Chapter 19 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to the Reference Guide for example log message explanations. 19.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location.
  • Page 288: Figure 19-1 View Log

    Figure 19-1 View Log The following table describes the fields in this screen.
  • Page 289: Configuring Log Settings

    Table 19-1 View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see section 19.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 290: Figure 19-2 Log Settings (ZyWALL 10W)

    Figure 19-2 Log Settings (ZyWALL 10W) The following table describes the fields in this screen.
  • Page 291: Table 19-2 Log Settings Screen (ZyWALL 10W)

    Table 19-2 Log Settings Screen (ZyWALL 10W) LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 292: Configuring Reports

    Table 19-2 Log Settings Screen (ZyWALL 10W) LABEL DESCRIPTION Send Immediate Alert Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
  • Page 293: Figure 19-3 Reports

    Figure 19-3 Reports Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the fields in this screen. Table 19-3 Reports LABEL DESCRIPTION Report Type Use the drop-down list box to select the type of reports to display.
  • Page 294 All of the recorded reports data is erased when you turn off the ZyWALL. 19.3.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 295: Figure 19-4 Web Site Hits Report Example

    Figure 19-4 Web Site Hits Report Example The following table describes the fields in this screen. Table 19-4 Web Site Hits Report LABEL DESCRIPTION Web Site This column lists the domain names of the web sites visited most often from computers on the LAN.
  • Page 296: Figure 19-5 Protocol/Port Report Example

    19.3.2 Viewing Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 297: Figure 19-6 LAN IP Address Report Example

    19.3.3 Viewing LAN IP Address In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
  • Page 298: Table 19-7 Report Specifications

    19.3.4 Reports Specifications The following table lists detailed specifications on the reports feature. Table 19-7 Report Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addresses listed: Hit count limit: Up to 2 hits can be counted per web site. The count starts over at 0 if it passes four billion.
  • Page 299: Maintenance

    Part X: Maintenance This part covers the maintenance screens.
  • Page 301: Chapter 20 Maintenance

    Chapter 20 Maintenance This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics. 20.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
  • Page 302: Table 20-1 System Status

    Table 20-1 System Status LABEL DESCRIPTION System Name This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes. ZyNOS Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
  • Page 303: Figure 20-2 System Status: Show Statistics

    Figure 20-2 System Status: Show Statistics The following table describes the fields in this screen. Table 20-2 System Status: Show Statistics LABEL DESCRIPTION Port This is the WAN, LAN, DMZ or Wireless LAN port.
  • Page 304: DHCP Table Screen

    Table 20-2 System Status: Show Statistics LABEL DESCRIPTION Stop Click Stop to stop refreshing statistics. 20.3 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server.
  • Page 305: F/W Upload Screen

    Table 20-3 DHCP Table LABEL DESCRIPTION MAC Address This field shows the MAC address of the computer with the name in the Host Name field. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 306: Figure 20-5 Firmware Upgrade

    Figure 20-5 Firmware Upgrade LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress...
  • Page 307: Configuration Screen

    If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 20-8 Firmware Upload Error 20.5 Configuration Screen The web configurator uses TFTP to transfer files. See the Firmware and Configuration File Maintenance chapter in the SMT User’s Guide for transferring configuration files using FTP/TFTP commands.
  • Page 308: Figure 20-9 Configuration

    Figure 20-9 Configuration
  • Page 309: Figure 20-10 Reset Warning Message

    20.5.1 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear.
  • Page 310: Figure 20-11 Configuration Upload Successful

    Do not turn off the device while configuration file upload is in progress. After you see a “configuration upload successful” screen, you must then wait one minute before logging into the device again. Figure 20-11 Configuration Upload Successful The device automatically restarts in this time causing a temporary network disconnect.
  • Page 311: Figure 20-13 Configuration Upload Error

    Figure 20-13 Configuration Upload Error 20.5.4 System Restart System restart allows you to reboot the ZyWALL without turning the power off. Click Restart to have the ZyWALL reboot. This does not affect the ZyWALL's configuration.
  • Page 313: SMT General Configuration

    Part XI: SMT General Configuration This part introduces the System Management Terminal and covers the General setup menu, WAN and dial backup setup, LAN and wireless LAN setup, DMZ setup, and Internet access. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 315: Chapter 21 Introducing the SMT

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next. Copyright (c) 1994 - 2002 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 316: Navigating the SMT Interface

    For your first login, enter the default password “1234”. As you type the password, the screen displays an “X” for each character you type. Please note that if there is no activity for longer than five minutes after you log in, your ZyWALL will automatically log you out and display a blank screen.
  • Page 317: Table 21-2 Main Menu Summary

    Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Not all models have all the features shown. Copyright (c) 1994 - 2001 ZyXEL Communications Corp. ZyWALL 100 Main Menu Getting Started Advanced Management 1.
  • Page 318 Table 21-2 Main Menu Summary Menu Title FUNCTION LAN Setup Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings and configure the wireless LAN port (not available on all models).
  • Page 319: Figure 21-4 Getting Started and Advanced Applications SMT Menus

    21.3.2 SMT Menus at a Glance The available SMT screens vary by ZyWALL model. The following SMT overview applies to the ZyWALL 100. Figure 21-4 Getting Started and Advanced Applications SMT Menus
  • Page 320: Figure 21-5 Advanced Management SMT Menus

    Figure 21-5 Advanced Management SMT Menus
  • Page 321: Changing The System Password

    Figure 21-6 Schedule Setup and IPSec VPN Configuration SMT Menus 21.4 Changing the System Password Change the system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next.
  • Page 322: Resetting the ZyWALL

    21.5 Resetting the ZyWALL If you forget your password or cannot access the SMT menu, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
  • Page 323 Step 1. Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
  • Page 325: Chapter 22 SMT Menu 1 - General Setup

    Chapter 22 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 22.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 22.2 Configuring General Setup Step 1.
  • Page 326: Figure 22-2 Configure Dynamic DNS

    Table 22-1 General Setup Menu Field FIELD DESCRIPTION EXAMPLE Domain Name Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP (example: zyxel.com.tw). You can go to menu 24.8 and type "sys domain name"...
  • Page 327: Table 22-2 Configure Dynamic DNS Menu Fields

    Table 22-2 Configure Dynamic DNS Menu Fields FIELD DESCRIPTION EXAMPLE Service Provider This is the name of your Dynamic DNS service provider. WWW.DynDNS.ORG (default) Active Press [SPACE BAR] to select Yes and then press [ENTER] to make dynamic DNS active.
  • Page 328 Table 22-2 Configure Dynamic DNS Menu Fields FIELD DESCRIPTION EXAMPLE Use Server Press [SPACE BAR] to select Yes and then press [ENTER] to have the DDNS server automatically update the IP address of the host name(s) with the public IP address that the ZyWALL uses or is behind.
  • Page 329: Chapter 23 WAN and Dial Backup Setup

    Chapter 23 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. Dial-backup applies to the ZyWALL 100 and 10W (see Table 1-1 Model Specific Features in the Web Configuration User’s Guide).
  • Page 330: Dial Backup

    Table 23-1 MAC Address Cloning in WAN Setup FIELD DESCRIPTION EXAMPLE MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. (Example: IP address attached on ...)
  • Page 331: Figure 23-2 Menu 2: Dial Backup Setup

    Menu 2 - WAN Setup MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Phone Number= Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel: Figure 23-2 Menu 2: Dial Backup Setup The following table describes the fields in this screen.
  • Page 332: Advanced WAN Setup

    Table 23-2 Menu 2: Dial Backup Setup FIELD DESCRIPTION EXAMPLE When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
  • Page 333: Table 23-4 Advanced WAN Port Setup: Call Control Parameters

    Table 23-3 Advanced WAN Port Setup: AT Commands Fields FIELD DESCRIPTION DEFAULT Drop Enter the AT Command string to drop a call. “~” represents a one second wait, e.g., “~~~+++~~ath” can be used if your modem has a slow response time. (Default: +++ath)
  • Page 334: Remote Node Profile (Backup ISP)

    Table 23-4 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION DEFAULT Drop Timeout (sec) Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation. (Default: 20 seconds)
  • Page 335 Table 23-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Active Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node.
  • Page 336: Editing PPP Options

    Table 23-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Allocated Budget Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field. The default...
  • Page 337: Figure 23-5 Menu 11.2: Remote Node PPP Options

    Menu 11.2 - Remote Node PPP Options Encapsulation= Standard PPP Compression= No Enter here to CONFIRM or ESC to CANCEL: Press Space Bar to Toggle. Figure 23-5 Menu 11.2: Remote Node PPP Options This table describes the Remote Node PPP Options Menu, and contains instructions on how to configure the PPP options fields.
  • Page 338: Editing TCP/IP Options

    23.8 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Menu 11.3 - Remote Node Network Layer Options Rem IP Addr= 0.0.0.0...
  • Page 339 Table 23-6 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Network Address Translation (example: None) Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP...
  • Page 340: Editing Login Script

    Table 23-6 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE Once you have completed filling in Menu 11.3 Remote Node Network Layer Options, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration and return to menu 11, or press [ESC] at any time to cancel.
  • Page 341 manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect.
  • Page 342: Remote Node Filter

    Menu 11.4 - Remote Node Script Active= No Set 1: Set 5: Expect= Expect= Send= Send= Set 2: Set 6: Expect= Expect= Send= Send= Set 3: Expect= Send= Set 4: Expect= Send= Enter here to CONFIRM or ESC to CANCEL: Figure 23-8 Menu 11.4 –...
  • Page 343: Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter

    Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
  • Page 345: Chapter 24 LAN Setup

    Chapter 24 LAN Setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. Wireless LAN is available on the ZyWALL 10W, 30W and 100 models. 24.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
  • Page 346: TCP/IP and DHCP Ethernet Setup Menu

    Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 24-2 Menu 3.1: LAN Port Filter Setup 24.4 TCP/IP and DHCP Ethernet Setup Menu...
  • Page 347: Figure 24-4 Menu 3.2: TCP/IP and DHCP Ethernet Setup

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Configuration: Client IP Pool Starting Address= 192.168.1.33 (first address in the IP pool) Size of Client IP Pool= 32 Primary DNS Server= 0.0.0.0 Secondary DNS Server= 0.0.0.0...
  • Page 348: Table 24-2 LAN TCP/IP Setup Menu Fields

    Table 24-1 DHCP Ethernet Setup Menu Fields FIELD DESCRIPTION EXAMPLE DHCP Server Address If Relay is selected in the DHCP field above, then type the IP address of the actual, remote DHCP server here.
  • Page 349: Figure 24-5 Menu 3.2.1: IP Alias Setup

    24.4.1 IP Alias Setup You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.
  • Page 350: Wireless LAN Setup

    Table 24-3 IP Alias Setup Menu Fields FIELD DESCRIPTION EXAMPLE Incoming Protocol Filters Enter the filter set(s) you wish to apply to the incoming traffic between this node and the ZyWALL. Outgoing Protocol Filters Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL.
  • Page 351: Table 24-4 Wireless LAN Setup Menu Fields

    The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters. Table 24-4 Wireless LAN Setup Menu Fields...
  • Page 353: Chapter 25 DMZ Setup

    Chapter 25 DMZ Setup This chapter describes how to configure the ZyWALL 100’s DMZ using Menu 5: DMZ Setup. 25.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup.
  • Page 354: TCP/IP Setup

    25.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to the LAN chapter. 25.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155).
  • Page 355: Figure 25-4 Menu 5.2: TCP/IP Setup

    Menu 5.2 - TCP/IP Ethernet Setup TCP/IP Setup: IP Address= ? IP Subnet Mask= RIP Direction= Both Version= RIP-1 Multicast= None Edit IP Alias= No Press ENTER to Confirm or ESC to Cancel: Figure 25-4 Menu 5.2: TCP/IP Setup The TCP/IP setup fields are the same as the ones in Menu 3.2 TCP/IP Ethernet Setup.
  • Page 356: Figure 25-5 Menu 5.2.1: IP Alias Setup

    Menu 5.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A IP Alias 2= No...
  • Page 357: Chapter 26 Internet Access

    Chapter 26 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 26.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 358 Table 26-1 Menu 4: Internet Access Setup Menu Fields FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field. Service Type...
  • Page 359: Configuring the PPTP Client

    Table 26-1 Menu 4: Internet Access Setup Menu Fields FIELD DESCRIPTION Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 360: Configuring the PPPoE Client

    Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPTP Service Type= N/A My Login= username My Password= ****** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A...
  • Page 361: Basic Setup Complete

    Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
  • Page 363: SMT Advanced Applications

    Part XII: SMT Advanced Applications This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters and SNMP. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 365: Chapter 27 Remote Node Setup

    Chapter 27 Remote Node Setup This chapter shows you how to configure a remote node. 27.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 366: Remote Node Profile Setup

    Menu 11 - Remote Node Setup 1. ChangeMe (ISP, SUA) 2. ________ Enter Node # to Edit: Figure 27-1 Menu 11 Remote Node Setup 27.3 Remote Node Profile Setup The following explains how to configure the remote node profile menu.
  • Page 367: Figure 27-2 Menu 11.1: Remote Node Profile For Ethernet Encapsulation

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= Ethernet Edit IP= No Service Type= Standard Session Options: Service Name= N/A Edit Filter Sets= No Outgoing: My Login= N/A...
  • Page 368 Table 27-1 Fields in Menu 11.1 FIELD DESCRIPTION EXAMPLE My Password: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. (Example: *****) Retype to: Type your password again to make sure that you have entered it...
  • Page 369: Figure 27-3 Menu 11.1: Remote Node Profile for PPPoE Encapsulation

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPPoE Edit IP= No Service Type= Standard Telco Option: Service Name= Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 My Login=...
  • Page 370: Table 27-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific)

    Metric See the Metric section in the WAN and Dial Backup Setup chapter for details on the Metric field. Table 27-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION EXAMPLE Authen This field sets the authentication protocol used for outgoing calls.
  • Page 371: Figure 27-4 Menu 11.1: Remote Node Profile for PPTP Encapsulation

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name=N/A Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
  • Page 372: Edit IP

    Table 27-3 Fields in Menu 11.1 (PPTP Encapsulation) FIELD DESCRIPTION EXAMPLE Nailed-Up Connections Press [SPACE BAR] and then [ENTER] to select Yes if you want to make the connection to this remote node a nailed-up connection.
  • Page 373 Table 27-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE (Rem) IP Subnet Mask If you have a Static IP Assignment, enter the subnet mask assigned to you. Gateway IP This field is applicable to Ethernet encapsulation only. Enter the...
  • Page 374: Remote Node Filter

    Table 27-4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction from Both/None/In Only/Out Only. See the LAN Setup chapter for more information on RIP. (Example: None (default))
  • Page 375: Figure 27-6 Menu 11.5: Remote Node Filter (Ethernet Encapsulation)

    Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 27-6 Menu 11.5: Remote Node Filter (Ethernet Encapsulation) Menu 11.5 - Remote Node Filter...
  • Page 376: Figure 27-8 Menu 11.1: Remote Node Profile

    Menu 11.1 - Remote Node Profile Rem Node Name= ? Route= IP Active= Yes Encapsulation= Ethernet Edit IP= No Service Type= Standard Session Options: Service Name= N/A Edit Filter Sets= No Outgoing: My Login= N/A...
  • Page 377: Figure 27-9 Menu 11.6: Traffic Redirect Setup

    Configure parameters that determine when the ZyWALL will forward WAN traffic to the backup gateway using Menu 11.6 - Traffic Redirect Setup. Menu 11.6 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 0.0.0.0 Metric= 15 Check WAN IP Address= 0.0.0.0...
  • Page 378 Table 27-6 Traffic Redirect Setup FIELD DESCRIPTION EXAMPLE Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL’s Internet connection terminates. (Example: 0.0.0.0)
  • Page 379: Chapter 28 IP Static Route Setup

    Chapter 28 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 28.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.
  • Page 380: Figure 28-2 Menu 12.1: Edit IP Static Route

    Menu 12.1 - Edit IP Static Route Route #: 1 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CONFIRM or ESC to CANCEL: Figure 28-2 Menu 12.
  • Page 381 Table 28-1 IP Static Route Menu Fields FIELD DESCRIPTION Private This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast.
  • Page 383: Chapter 29 Network Address Translation (NAT)

    Chapter 29 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 29.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
  • Page 384: Figure 29-1 Menu 4: Applying NAT for Internet Access

    ZyWALL 10~100 Series Internet Security Gateway Menu 4 - Internet Access Setup ISP's Name= myISP Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Login Server IP= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A...
  • Page 385: Figure 29-2 Menu 11.3: Applying Nat To The Remote Node

    ZyWALL 10~100 Series Internet Security Gateway Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None...
  • Page 386: Nat Setup

    ZyWALL 10~100 Series Internet Security Gateway 29.2 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN and the DMZ. You can see two NAT address mapping sets in menu 15.1.
  • Page 387: Figure 29-4 Menu 15.1: Address Mapping Sets

    ZyWALL 10~100 Series Internet Security Gateway Figure 29-4 Menu 15.1: Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen (see also section 29.1.1). The fields in this menu cannot be changed. Menu 15.1.255 - Address Mapping Rules...
  • Page 388: Figure 29-6 Menu 15.1.1: First Set

    ZyWALL 10~100 Series Internet Security Gateway Table 29-2 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Global End IP This is the ending global IP address (IGA). Type These are the mapping types discussed above. Server allows us to Server specify multiple servers of different types behind NAT to this machine.
  • Page 389: Table 29-3 Fields In Menu 15.1.1

    ZyWALL 10~100 Series Internet Security Gateway The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
  • Page 390: Figure 29-7 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    ZyWALL 10~100 Series Internet Security Gateway An IP End address must be numerically greater than its corresponding IP Start address. Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= = N/A Global IP: Start= = N/A Press ENTER to Confirm or ESC to Cancel: Figure 29-7 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set...
  • Page 391: Configuring A Server Behind Nat

    ZyWALL 10~100 Series Internet Security Gateway Table 29-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION EXAMPLE Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel.
  • Page 392: Figure 29-8 Menu 15.2: Nat Server Setup (Zywall 10)

    0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 1026 1026 RR Reserved Press ENTER to Confirm or ESC to Cancel: Figure 29-8 Menu 15.2: NAT Server Setup (ZyWALL 10) Figure 29-9 Multiple Servers Behind NAT Example 29-10...
  • Page 393: General NAT Examples

    29.4 General NAT Examples The following are some examples of NAT configuration. 29.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 394: Figure 29-12 NAT Example 2

    From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 29.4. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.
  • Page 395: Figure 29-13 Menu 15.2: Specifying An Inside Server

    Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 192.168.1.10 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 1026 1026 RR Reserved Press ENTER to Confirm or ESC to Cancel: Figure 29-13 Menu 15.2: Specifying an Inside Server...
  • Page 396: Figure 29-14 NAT Example 3

    Figure 29-14 NAT Example 3 Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 29-15.
  • Page 397: Figure 29-15 Example 3: Menu 11.3

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= N/A Private= N/A RIP Direction= None...
  • Page 398: Figure 29-17 Example 3: Final Menu 15.1.1

    Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ 1. 192.168.1.10 10.132.50.1 192.168.1.11 10.132.50.2 3. 0.0.0.0 255.255.255.255...
  • Page 399: Figure 29-19 NAT Example 4

    29.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping, as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types.
  • Page 400: Trigger Port Forwarding

    Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP: Start= 192.168.1.10 End= 192.168.1.12 Global IP: Start= 10.132.50.1 End= 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: Figure 29-20 Example 4: Menu 15.1.1.1: Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
  • Page 401: Figure 29-22 Trigger Port Forwarding Process: Example

    the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a...
  • Page 402: Figure 29-23 Menu 15.3-Trigger Port Setup

    5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).
  • Page 403: Table 29-5 Menu 15.3-Trigger Port Setup Description

    Table 29-5 Menu 15.3—Trigger Port Setup Description (FIELD / DESCRIPTION / EXAMPLE) Rule: This is the rule index number. Name: Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces. Example: Real Audio.
  • Page 405: Chapter 30 Introducing The ZyWALL Firewall

    Chapter 30 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 30.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 406: Figure 30-2 Menu 21.2: Firewall Setup

    30.1.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks.
  • Page 407: Chapter 31 Filter Configuration

    Chapter 31 Filter Configuration This chapter shows you how to create and apply filters. 31.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 408: Figure 31-1 Outgoing Packet Filtering Process

    Figure 31-1 Outgoing Packet Filtering Process (flowchart with stages: Outgoing Packet; Active Data Filtering; Built-in default Call Filters (if line not up); User-defined Call Filters (if applicable); on match: Initiate call, Send packet and reset Idle Timer)
  • Page 409: Figure 31-2 Filter Rule Process

    Figure 31-2 Filter Rule Process (flowchart with stages: Packet into filter; Fetch First Filter Set; Filter Set Active?; Fetch First Filter Rule; Filter Rule Active?; Execute Filter Rule; Fetch Next Filter Rule / Next Filter Rule Available?; Fetch Next Filter Set / Next Filter Set Available?)
  • Page 410: Configuring A Filter Set

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 411: Table 31-1 Abbreviations Used In The Filter Rules Summary Menu

    Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
  • Page 412: Table 31-2 Rule Abbreviations Used

    Table 31-2 Rule Abbreviations Used (ABBREVIATION / DESCRIPTION): Protocol; Source Address; Source Port number; Destination Address; Destination Port number; Offset; Length. Refer to the next section for information on configuring the filter rules. 31.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to...
  • Page 413: Figure 31-6 Menu 21.1.1.1: TCP/IP Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1...
  • Page 414 Table 31-3 TCP/IP Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS) Port # (options: 0-65535): Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is...
  • Page 415 Table 31-3 TCP/IP Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS) (options: None, Action Matched) Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched – Only packets that match the rule parameters will be logged.
  • Page 416: Figure 31-7 Executing An IP Filter

    Figure 31-7 Executing an IP Filter (flowchart with stages: Packet into IP Filter; Filter Active?; Apply SrcAddrMask to Src Addr; Check Src IP Addr (Matched / Not Matched); Apply DestAddrMask to Dest Addr; Check Dest IP Addr (Matched / Not Matched); Check IP Protocol (Matched / Not Matched); Check Src & ...)
  • Page 417: Figure 31-8 Menu 21.1.4.1: Generic Filter Rule

    31.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
  • Page 418 Table 31-4 Generic Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS) Filter Type (options: Generic Filter Rule): Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets.
  • Page 419: Example Filter

    31.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Figure 31-9 Telnet Filter Example Step 1.
  • Page 420: Figure 31-10 Example Filter: Menu 21.1.3.1

    Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Press [SPACE BAR] and then Menu 21.1.3.1 - TCP/IP Filter Rule...
  • Page 421: Filter Types And NAT

    Menu 21.1.3 - Filter Rules Summary # A Type Filter Rules M m n - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F This shows you that you have M = N means an action can be taken immediately.
  • Page 422: Firewall Versus Filters

    Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the ZyWALL applies the protocol filters to the “native”...
  • Page 423: Figure 31-13 Filtering LAN Traffic

    If you do not activate the firewall, it is advisable to apply filters. 31.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
  • Page 424: Figure 31-14 Filtering DMZ Traffic

    Menu 5.1 – DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 31-14 Filtering DMZ Traffic 31.6.3 Applying Remote Node Filters Go to menu 11.5 (shown below –...
  • Page 425: Chapter 32 SNMP Configuration

    Chapter 32 SNMP Configuration This chapter explains SNMP configuration menu 22. SNMP is only available if TCP/IP is configured. 32.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next.
  • Page 426: SNMP Traps

    Table 32-1 SNMP Configuration Menu Fields (FIELD / DESCRIPTION / EXAMPLE) Trap Community: Type the Trap community, which is the password sent with each trap to the SNMP manager. Example: Public. Trap Destination: Type the IP address of the station to send your SNMP traps to.
  • Page 427: SMT System Maintenance

    Part XIII: SMT System Maintenance This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 429: Chapter 33 System Information & Diagnosis

    Chapter 33 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. DMZ applies to the ZyWALL 100. Wireless LAN and dial-backup apply to the ZyWALL 100, 10W and 30W (see Table 1-1 Model Specific Features in the Web Configuration User’s Guide).
  • Page 430: Figure 33-2 Menu 24.1: System Maintenance: Status (ZyWALL 100)

    monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Step 1. Enter number 24 to go to Menu 24 - System Maintenance.
  • Page 431: System Information And Console Port Speed

    Table 33-1 System Maintenance: Status Menu Fields (FIELD / DESCRIPTION) Status: Shows the port speed and duplex setting if you’re using Ethernet Encapsulation, and Down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) and drop (dropping a call) if you’re using PPPoE Encapsulation.
  • Page 432: Figure 33-3 Menu 24.2: System Information And Console Port Speed

    Step 1. Enter 24 to go to Menu 24 – System Maintenance. Step 2. Enter 2 to open Menu 24.2 - System Information and Console Port Speed. Step 3. From this menu you have two choices as shown in the next figure: Menu 24.2 - System Information and Console Port Speed...
  • Page 433: Figure 33-5 Menu 24.2.2: System Maintenance: Change Console Port Speed

    Table 33-2 Fields in System Maintenance: Information (FIELD / DESCRIPTION) Name: This is the ZyWALL's system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com gives Name= xxx.baboo.mickey.com. Routing: Refers to the routing protocol used.
  • Page 434: Log And Trace

    33.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.
  • Page 435: Figure 33-7 Examples Of Error And Information Messages

    0 Wed Aug 22 21:23:26 2001 PP17 INFO getDateTime fail: no server available 1 Wed Aug 22 21:23:26 2001 PP17 INFO adjtime task pause 60 seconds 2 Wed Aug 22 21:23:54 2001 PINI INFO...
  • Page 436: Table 33-3 System Maintenance Menu Syslog Parameters

    You need to configure the UNIX syslog parameters described in the following table to activate syslog, then choose what you want to log. Table 33-3 System Maintenance Menu Syslog Parameters (PARAMETER / DESCRIPTION) UNIX Syslog: Active: Press [SPACE BAR] and then [ENTER] to turn syslog on or off.
  • Page 437: Filter Log

    2. Packet triggered. Packet triggered Message Format: SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String ); String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG) Data: We will send forty-eight Hex characters to the server Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1,...
  • Page 438 5. Firewall log. Firewall Log Message Format: SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf); buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action] Src: Source Address spo: Source port (empty means no source port information)
  • Page 439: Diagnostic

    IP Frame: ENET0-RECV Size: Time: 17:02:44.262 Frame Type: IP Header: IP Version Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x002C (44) Identification = 0x0002 (2) Flags = 0x00...
  • Page 440: Figure 33-10 Menu 24.4: System Maintenance: Diagnostic

    Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic. Menu 24.4 - System Maintenance - Diagnostic TCP/IP Ping Host WAN DHCP Release WAN DHCP Renewal...
  • Page 441: Figure 33-11 WAN & LAN DHCP

    Figure 33-11 WAN & LAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 33-4 System Maintenance Menu Diagnostic (FIELD / DESCRIPTION) Ping Host: Enter 1 to ping any machine (with an IP address) on your LAN or WAN.
  • Page 443: Chapter 34 Firmware And Configuration File Maintenance

    Chapter 34 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 34.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware.
  • Page 444: Backup Configuration

    This is a sample FTP session showing the transfer of the computer file "firmware.bin" to the ZyWALL. ftp> get rom-0 config.cfg This is a sample FTP session saving the current configuration to the computer file “config.cfg”.
  • Page 445: Figure 34-1 Telnet Into Menu 24.5

    preferred method for backing up your current configuration to your computer since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protocol to perform the download/upload and you don’t have to rename the files.
  • Page 446: Figure 34-2 FTP Session Example

    Step 6. Use “get” to transfer files from the ZyWALL to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions.
  • Page 447: File Maintenance Over WAN

    Table 34-2 General Commands for GUI-based FTP Clients (COMMAND / DESCRIPTION) Initial Local Directory: Specify the default local directory (path). 34.3.5 File Maintenance Over WAN TFTP, FTP and Telnet over the WAN will not work when: 1.
  • Page 448: Table 34-3 General Commands For GUI-Based TFTP Clients

    Step 5. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the configuration file is “rom-0” (rom-zero, not capital o). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer.
  • Page 449: Figure 34-3 System Maintenance: Backup Configuration

    34.3.9 Backup Via Console Port Back up configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar. Step 1. Display menu 24.5 and enter “y” at the following screen.
  • Page 450: Restore Configuration

    ** Backup Configuration completed. OK. ### Hit any key to continue.### Figure 34-6 Successful Backup Confirmation Screen 34.4 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration;...
  • Page 451: Figure 34-7 Telnet Into Menu 24.6

    Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  • Page 452: Figure 34-8 Restore Using FTP Session Example

    34.4.2 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  • Page 453: Uploading Firmware And Configuration Files

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 34-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
  • Page 454: Figure 34-13 Telnet Into Menu 24.7.1: Upload System Firmware

    WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. 34.5.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client.
  • Page 455: Figure 34-14 Telnet Into Menu 24.7.2: System Maintenance

    34.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload the system configuration file, follow the procedure below: 1.
  • Page 456: Figure 34-15 FTP Session Example Of Firmware File Upload

    transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt.
  • Page 457: TFTP Upload Command Example

    Step 3. Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
  • Page 458: Figure 34-16 Menu 24.7.1 As Seen Using The Console Port

    34.5.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
  • Page 459: Figure 34-17 Example Xmodem Upload

    34.5.9 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send.
  • Page 460: Figure 34-18 Menu 24.7.2 As Seen Using The Console Port

    Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after "Enter Debug Mode" message.
  • Page 461: Figure 34-19 Example Xmodem Upload

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 34-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”.
  • Page 463: Command Interpreter Mode

    Chapter 35 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. The Real Time Chip (RTC) applies to the ZyWALL 100, 50, 30W and 10W. 35.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware.
  • Page 464: Figure 35-2 Valid Commands

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ?
  • Page 465: Call Control Support

    Table 35-1 Valid Commands These commands display dial backup information and control dial backup connections. These commands display IP information and configure IP settings. ipsec: These commands display IPSec information and configure IPSec settings.
  • Page 466: Figure 35-4 Budget Management

    35.2.1 Budget Management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Menu 24.9.1 - Budget Management...
  • Page 467: Figure 35-5 Call History

    35.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 468: Time And Date Setting

    35.3 Time and Date Setting The Real Time Chip (RTC) keeps track of the time and date (not available on all models). There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL.
  • Page 469: Figure 35-7 Menu 24.10 System Maintenance: Time And Date Setting

    Menu 24.10 - System Maintenance - Time and Date Setting Use Time Server when Bootup= NTP (RFC-1305) Time Server Address= tick.stdtime.gov.tw Current Time: 00 : 00 : 00 New Time (hh:mm:ss): 11 : 23 : 16...
  • Page 470: Resetting The Time

    Table 35-4 Time and Date Setting Fields (FIELD / DESCRIPTION) Time Zone: Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT). Daylight Saving: Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight time in the evenings.
  • Page 471: Chapter 36 Remote Management

    Chapter 36 Remote Management This chapter covers remote management found in SMT menu 24.11. 36.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
  • Page 472: Figure 36-1 Menu 24.11 - Remote Management Control

    To disable remote management of a service, select Disable in the corresponding Server Access field. Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control. Menu 24.11 - Remote Management Control...
  • Page 473: Remote Management Limitations

    36.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1. A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
  • Page 475: SMT Advanced Management

    Part XIV: SMT Advanced Management This part provides information on how to configure IP Policy Routing, call scheduling, and VPN/IPSec. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 477: Chapter 37 Ip Policy Routing

    ZyWALL 10~100 Series Internet Security Gateway Chapter 37 IP Policy Routing This chapter covers setting and applying policies used for IP routing. IP Policy Routing applies to the ZyWALL 100. 37.1 Introduction to IP Policy Routing Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 478: Ip Routing Policy Setup

    ZyWALL 10~100 Series Internet Security Gateway address and port, ToS and precedence (fields in the IP header) and length. The inclusion of length criterion is to differentiate between interactive and bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets.
  • Page 479: Figure 37-4 Menu 25.1: Sample IP Routing Policy Setup

    Step 2. Type the index of the policy set you want to configure to open Menu 25.1 – IP Routing Policy Setup. Menu 25.1 shows the summary of a policy set, including the criteria and the action of a single policy, and whether a policy is active or not.
  • Page 480: Figure 37-5 IP Routing Policy

    Table 37-1 IP Routing Policy Setup (ABBREVIATION / MEANING): Outgoing Type of service; Outgoing Precedence; Service; Normal; Minimum Delay; Maximum Throughput; Maximum Reliability; Minimum Cost. Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule.
  • Page 481

    Table 37-2 IP Routing Policy (FIELD / DESCRIPTION). Active: Press [SPACE BAR] and then [ENTER] to select Yes to activate the policy. Criteria, IP Protocol: Enter a number that represents an IP layer 4 protocol, for example, UDP=17, TCP=6, ICMP=1 and Don’t care=0.
  • Page 482: Applying an IP Policy

    Table 37-2 IP Routing Policy (FIELD / DESCRIPTION). When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
  • Page 483: IP Policy Routing Example

    37.6 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure.
  • Page 484: Figure 37-8 IP Routing Policy Example

    Menu 25.1.1 - IP Routing Policy Policy Set Name= set1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Packet length= 10 Precedence = Don't Care Len Comp= N/A Source: addr start= 192.168.1.2 end= 192.168.1.64...
  • Page 485: Figure 37-9 IP Routing Policy

    Step 5. Create a rule in menu 25.1.1 for this set to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100). Menu 25.1.1 - IP Routing Policy...
  • Page 486: Figure 37-10 Applying IP Policies

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup DHCP= Server Client IP Pool Starting Address= 192.168.1.33 Size of Client IP Pool= 64 Primary DNS Server= 0.0.0.0 Secondary DNS Server= 0.0.0.0 Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1...
  • Page 487: Chapter 38 Call Scheduling

    Chapter 38 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 38.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 488: Figure 38-2 Schedule Set Setup

    To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Menu 26.1 - Schedule Set Setup Active= Yes Start Date(yyyy/mm/dd) = 2000 –...
  • Page 489

    Table 38-1 Schedule Set Setup Fields (FIELD / DESCRIPTION / OPTIONS). Weekday: If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
  • Page 490: Figure 38-3 Applying Schedule Set(s) to a Remote Node (PPPoE)

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPPoE Edit IP= No Service Type= Standard Telco Option: Service Name= Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
  • Page 491: Figure 38-4 Applying Schedule Set(s) to a Remote Node (PPTP)

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name=N/A Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login=...
  • Page 493: Chapter 39 VPN/IPSec Setup

    Chapter 39 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 39.1 Introduction The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management.
  • Page 494: IPSec Summary Screen

    Menu 27 - VPN/IPSec Setup 1. IPSec Summary 2. SA Monitor Enter Menu Selection Number: Figure 39-2 Menu 27: VPN/IPSec Setup 39.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 — IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels).
  • Page 495: Table 39-1 Menu 27.1: IPSec Summary

    Table 39-1 Menu 27.1: IPSec Summary (FIELD / DESCRIPTION / EXAMPLE). This is the VPN policy index number. Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. (Example: Taiwan)
  • Page 496

    Table 39-1 Menu 27.1: IPSec Summary (FIELD / DESCRIPTION / EXAMPLE). IPSec Algorithm: This field displays the security protocols used for an SA. ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets. (Example: ESP DES MD5)
  • Page 497

    Table 39-1 Menu 27.1: IPSec Summary (FIELD / DESCRIPTION / EXAMPLE). Remote Addr End: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Remote Addr Start field. (Example: 172.16.2.46)
  • Page 498: IPSec Setup

    39.3 IPSec Setup Select Edit in the Select Command field; type the index number of a rule in the Select Rule field and press [ENTER] to edit the VPN using the menu shown next.
  • Page 499

    Table 39-2 Menu 27.1.1: IPSec Setup (FIELD / DESCRIPTION / EXAMPLE). Keep Alive: Press [SPACE BAR] to choose either Yes or No. Choose Yes and press [ENTER] to have the ZyWALL automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 500

    Table 39-2 Menu 27.1.1: IPSec Setup (FIELD / DESCRIPTION / EXAMPLE). My IP Addr: Enter the IP address of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. (Example: 0.0.0.0)
  • Page 501

    Table 39-2 Menu 27.1.1: IPSec Setup (FIELD / DESCRIPTION / EXAMPLE). Local: Local IP addresses must be static and correspond to the remote IPSec router’s configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same.
  • Page 502

    Table 39-2 Menu 27.1.1: IPSec Setup (FIELD / DESCRIPTION / EXAMPLE). Remote: Remote IP addresses must be static and correspond to the remote IPSec router’s configured local IP addresses. The remote fields are N/A when the Secure Gateway Address field is configured to 0.0.0.0.
  • Page 503: IKE Setup

    Table 39-2 Menu 27.1.1: IPSec Setup (FIELD / DESCRIPTION / EXAMPLE). End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field.
  • Page 504

    Menu 27.1.1.1 - IKE Setup Phase 1 Negotiation Mode= Main Pre-Shared Key= Encryption Algorithm = DES Authentication Algorithm = SHA1 SA Life Time (Seconds)= 28800 Key Group= DH1 Phase 2 Active Protocol = ESP...
  • Page 505: Table 39-3 Menu 27.1.1.1: IKE Setup

    Table 39-3 Menu 27.1.1.1: IKE Setup (FIELD / DESCRIPTION / EXAMPLE). Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 506: Manual Setup

    Table 39-3 Menu 27.1.1.1: IKE Setup (FIELD / DESCRIPTION / EXAMPLE). Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Press [SPACE BAR] and choose from DH1 or DH2 to enable PFS. (Example: None)
  • Page 507: Figure 39-6 Menu 27.1.1.2: Manual Setup

    Menu 27.1.1.2 – Manual Setup Active Protocol= ESP Tunnel ESP Setup SPI= Encryption Algorithm= DES Key1= Key2= N/A Key3= N/A Authentication Algorithm= MD5 Key= N/A AH Setup SPI (Decimal)= N/A Authentication Algorithm= N/A Key= Press ENTER to Confirm or ESC to Cancel: Figure 39-6 Menu 27.1.1.2: Manual Setup...
  • Page 508

    Table 39-5 Menu 27.1.1.2: Manual Setup (FIELD / DESCRIPTION / EXAMPLE). Authentication Algorithm: Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. Key: Enter the authentication key to be used by IPSec if applicable. The key must be unique. (Example: 123456789a)
  • Page 509: Chapter 40 SA Monitor

    Chapter 40 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 40.1 Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
  • Page 510: Table 40-1 Menu 27.2: SA Monitor

    Table 40-1 Menu 27.2: SA Monitor (FIELD / DESCRIPTION / EXAMPLE). This is the security association index number. Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. (Example: Taiwan)
  • Page 511: Appendices And Index

    Part XV: Appendices and Index This part provides information about hardware specifications, safety warnings, how to change a ZyWALL 100 fuse and an index of key terms.
  • Page 513: Appendix A Troubleshooting

    Appendix A Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information. DMZ applies to the ZyWALL 100.
  • Page 514: Problems with the LAN Interface

    Problems with the LAN Interface Chart 2 Troubleshooting the LAN Interface (PROBLEM / CORRECTIVE ACTION). Cannot access: Check your Ethernet cable type and connections. Refer to the Quick Start Guide or the ZyWALL Compact Guide for LAN connection instructions.
  • Page 515: Problems with the WAN Interface

    Problems with the WAN Interface Chart 4 Troubleshooting the WAN Interface (PROBLEM / CORRECTIVE ACTION). Cannot get WAN IP address from …: The ISP provides the WAN IP address after authentication. Authentication may be through the user name and password, the MAC address or the host name. Use the following corrective actions to make sure the ISP can authenticate your connection.
  • Page 516: Problems With The Password

    Problems with the Password Chart 6 Troubleshooting the Password (PROBLEM / CORRECTIVE ACTION). Cannot access the ZyWALL: The password field is case sensitive. Make sure that you enter the correct password using the proper casing.
  • Page 517: Appendix B Hardware Specifications

    Appendix B Hardware Specifications Chart 8 General Specifications. Power Specification: 100-240 VAC, 50/60Hz (ZyWALL 100). Power Specification: I/P AC 120V / 60Hz; O/P DC 12V 1200 mA (ZyWALL 10, 10W, 30W, 50). Power Consumption: 16 Watts maximum...
  • Page 518

    Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you connect a modem to the dial backup port.
  • Page 519

    Chart 10 Ethernet Cable Pin Assignments: WAN/LAN/DMZ Ethernet Cable Pin Layout, Straight-Through (Switch/Adapter) and Crossover (Switch/Switch) pin columns (IRD+, IRD-, OTD+, OTD-)...
  • Page 520

    Chart 12 European Union AC Power Adaptor Specifications. Output power: DC12Volts/1.2A. Power consumption: 10 W. Plug: European Union standards. Safety standards: TUV, CE (EN 60950). AC Power Adapter model JAD-121200E. Input power: AC230Volts/50Hz, Output power: DC12Volts/1.2A...
  • Page 521

    Chart 15 Australia and New Zealand AC Power Adaptor Specifications. AC Power Adapter model AD-1201200Ds or AD-121200DS. Input power: AC240Volts/50Hz/0.2A. Output power: DC12Volts/1.2A. Power consumption: 10 W. Plug: Australia and New Zealand standards. Safety standards: NATA (AS 3260)
  • Page 522: Appendix C Safety Warnings And Instructions

    Appendix C Safety Warnings and Instructions 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40° Celsius (104° Fahrenheit). Care must be taken to allow sufficient air circulation or space between units when the ZyWALL is installed inside a closed rack assembly.
  • Page 523: Appendix D Removing and Installing a ZyWALL 100 Fuse

    Appendix D Removing and Installing a ZyWALL 100 Fuse This appendix shows you how to remove and install fuses for the ZyWALL 100. The ZyWALL 100 uses a 0.5 Amp, 250 VAC fuse. The ZyWALL 100 comes from the factory with two fuses installed in the fuse housing.
  • Page 525: Index

    Index

This manual is also suitable for: ZyWALL 50, ZyWALL 100, ZyWALL 30W, ZyWALL 10W, ZyWALL 10