ZyXEL Communications Internet Security Gateway ZyWALL 100 User Manual Download Page 232 | Manualshive

Page: 232 / 708

background image

ZyWALL Series Internet Security Gateway

15-8

VPN

Screens

Figure 15-4 VPN Host using Intranet DNS Server Example

If you do not specify an Intranet DNS server on the remote network, then the VPN

host must use IP addresses to access the computers on the remote network.

15.8 ID Type and Content

With aggressive negotiation mode (see

section

15.12.2

), the ZyWALL identifies incoming SAs by ID type

and content since this identifying information is not encrypted. This enables the ZyWALL to distinguish
between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP
addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyWALL from
IPSec routers with dynamic IP addresses (see

section 15.18.2

for a telecommuter configuration example).

Regardless of the ID type and content configuration, the ZyWALL does not allow

you to save multiple active rules with overlapping local and remote IP addresses.

With main mode (see

section

15.12.2

), the ID type and content are encrypted to provide identity protection.

In this case the ZyWALL can only distinguish between up to 12 different incoming SAs that connect from
remote IPSec routers that have dynamic WAN IP addresses. The ZyWALL can distinguish up to 12
incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two
authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN
rule (see

section 15.13

). The ID type and content act as an extra level of identification for incoming SAs.

«
...
230
231
232
233
234
...
»

Summary of Contents for Internet Security Gateway ZyWALL 100

Page 1: ...ZyWALL 10W 30W 50 100 Internet Security Gateway User s Guide Version 3 62 February 2004 ...

Page 2: ...ssion of ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products descri...

Page 3: ... instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and...

Page 4: ... the compliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier Any repairs or alterations made by the user to this equipment or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equipmen...

Page 5: ...under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser To obtain the services of this warranty contact ZyXEL s Ser...

Page 6: ...following information ready Please have the following information ready when you contact customer support see the next page for contact information Product model and serial number Information in Menu 24 2 1 System Information Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it ...

Page 7: ...y 33 0 4 72 52 97 97 FRANCE info zyxel fr 33 0 4 72 52 19 20 www zyxel fr ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France support zyxel es 34 902 195 420 SPAIN sales zyxel es 34 913 005 345 www zyxel es ZyXEL Communications Alejandro Villegas 33 1º 28043 Madrid Spain support zyxel dk 45 39 55 07 00 www zyxel dk DENMARK sales zyxel dk 45 39 55 07 07 ZyXEL Communications A S Columbusvej...

Page 8: ......

Page 9: ...L 1 1 1 1 ZyWALL Internet Security Gateway Overview 1 1 1 2 ZyWALL Features 1 1 1 3 Applications for the ZyWALL 1 9 Chapter 2 Introducing the Web Configurator 2 1 2 1 Web Configurator Overview 2 1 2 2 Accessing the ZyWALL Web Configurator 2 1 2 3 Resetting the ZyWALL 2 2 2 4 Navigating the ZyWALL Web Configurator 2 4 Chapter 3 Wizard Setup 3 1 3 1 Wizard Setup Overview 3 1 3 2 Wizard Setup General...

Page 10: ...g Time Setting 4 7 Chapter 5 LAN Screens 5 1 5 1 LAN Overview 5 1 5 2 DHCP Setup 5 1 5 3 LAN TCP IP 5 1 5 4 Configuring IP 5 3 5 5 Configuring Static DHCP 5 6 5 6 Configuring IP Alias 5 7 Chapter 6 Wireless LAN Screens 6 1 6 1 Wireless LAN Overview 6 1 6 2 Wireless LAN Basics 6 1 6 3 Wireless Security 6 3 6 4 Configuring Wireless LAN 6 4 6 5 Configuring MAC Filter 6 6 6 6 802 1x Overview 6 8 6 7 C...

Page 11: ...ackup 8 15 8 10 Advanced Modem Setup 8 20 8 11 Configuring Advanced Modem Setup 8 21 NAT and Static Route IV Chapter 9 Network Address Translation NAT Screens 9 1 9 1 NAT Overview 9 1 9 2 Using NAT 9 5 9 3 SUA Server 9 6 9 4 Configuring SUA Server 9 8 9 5 Configuring Address Mapping 9 10 9 6 Trigger Port Forwarding 9 13 9 7 Configuring Trigger Port Forwarding 9 14 Chapter 10 Static Route Screens 1...

Page 12: ...es 12 4 12 5 Bandwidth Management Lite 12 5 12 6 Bandwidth Management Usage Examples 12 5 12 7 Alerts 12 7 12 8 Configuring Firewall 12 7 12 9 Example Firewall Rule 12 17 12 10 Predefined Services 12 21 12 11 Configuring Attack Alert 12 24 Chapter 13 Content Filtering Screens 13 1 13 1 Content Filtering Overview 13 1 13 2 General Content Filter Configuration 13 1 13 3 Content Filtering with an Ext...

Page 13: ...ive 15 6 15 7 NAT Traversal 15 6 15 8 ID Type and Content 15 8 15 9 Pre Shared Key 15 10 15 10 Certificates 15 10 15 11 Editing VPN Policies 15 10 15 12 IKE Phases 15 19 15 13 Configuring Advanced IKE Settings 15 21 15 14 Manual Key Setup 15 25 15 15 Configuring Manual Key 15 25 15 16 Viewing SA Monitor 15 29 15 17 Configuring Global Setting 15 31 15 18 Telecommuter VPN IPSec Examples 15 32 15 19 ...

Page 14: ...rtificate 16 25 16 14 Importing a Trusted Remote Host s Certificate 16 27 16 15 Trusted Remote Host Certificate Details 16 28 16 16 Directory Servers 16 32 16 17 Add or Edit a Directory Server 16 33 Authentication Server Remote Management and UPnP VIII Chapter 17 Authentication Server 17 1 17 1 Authentication Server Overview 17 1 17 2 Local User Database 17 1 17 3 Configuring Local User Database 1...

Page 15: ...6 Configuring Security 18 28 Chapter 19 UPnP 19 1 19 1 Universal Plug and Play Overview 19 1 19 2 UPnP and ZyXEL 19 2 19 3 Configuring UPnP 19 2 19 4 Displaying UPnP Port Mapping 19 4 19 5 Installing UPnP in Windows Example 19 5 19 6 Using UPnP in Windows XP Example 19 7 Logs IX Chapter 20 Logs Screens 20 1 20 1 Configuring View Log 20 1 20 2 Configuring Log Settings 20 3 20 3 Configuring Reports ...

Page 16: ...1 Introduction to General Setup 23 1 23 2 Configuring General Setup 23 1 Chapter 24 WAN and Dial Backup Setup 24 1 24 1 Introduction to WAN and Dial Backup Setup 24 1 24 2 WAN Setup 24 1 24 3 Dial Backup 24 2 24 4 Configuring Dial Backup in Menu 2 24 2 24 5 Advanced WAN Setup 24 4 24 6 Remote Node Profile Backup ISP 24 6 24 7 Editing PPP Options 24 8 24 8 Editing TCP IP Options 24 9 24 9 Editing L...

Page 17: ...sic Setup Complete 27 5 SMT Advanced Applications XII Chapter 28 Remote Node Setup 28 1 28 1 Introduction to Remote Node Setup 28 1 28 2 Remote Node Setup 28 1 28 3 Remote Node Profile Setup 28 2 28 4 Edit IP 28 8 28 5 Remote Node Filter 28 10 Chapter 29 IP Static Route Setup 29 1 29 1 IP Static Route Setup 29 1 Chapter 30 Network Address Translation NAT 30 1 30 1 Using NAT 30 1 30 2 NAT Setup 30 ...

Page 18: ...r 34 System Information Diagnosis 34 1 34 1 Introduction to System Status 34 1 34 2 System Status 34 1 34 3 System Information and Console Port Speed 34 3 34 4 Log and Trace 34 5 34 5 Diagnostic 34 11 Chapter 35 Firmware and Configuration File Maintenance 35 1 35 1 Introduction 35 1 35 2 Filename Conventions 35 1 35 3 Backup Configuration 35 2 35 4 Restore Configuration 35 8 35 5 Uploading Firmwar...

Page 19: ...oduction to Call Scheduling 39 1 Chapter 40 VPN IPSec Setup 40 1 40 1 Introduction 40 1 40 2 IPSec Summary Screen 40 2 40 3 IPSec Setup 40 5 40 4 IKE Setup 40 12 40 5 Manual Setup 40 14 Chapter 41 SA Monitor 41 1 41 1 Introduction 41 1 41 2 Using SA Monitor 41 1 Troubleshooting and Hardware Appendices XV Appendix A Troubleshooting A 1 Appendix B Hardware Specifications B 1 Appendix C Safety Warnin...

Page 20: ... 1 Appendix L PPTP L 1 Appendix M IP Subnetting M 1 Command Log Content Filtering and Certificates Appendices and Index XVII Appendix N Command Interpreter N 1 Appendix O Firewall Commands O 1 Appendix P NetBIOS Filter Commands P 1 Appendix Q Certificate Commands Q 1 Appendix R Boot Commands R 1 Appendix S Log Descriptions S 1 Appendix T Brute Force Password Guessing Protection T 1 Appendix U Impo...

Page 21: ... Ethernet Encapsulation 3 3 Figure 3 3 Wizard2 PPPoE Encapsulation 3 5 Figure 3 4 Wizard 2 PPTP Encapsulation 3 7 Figure 3 5 Wizard 3 3 10 Figure 4 1 System General Setup 4 1 Figure 4 2 DDNS 4 4 Figure 4 3 Password 4 5 Figure 4 4 Time Setting 4 7 Figure 5 1 IP 5 3 Figure 5 2 Static DHCP 5 6 Figure 5 3 Physical Network Figure 5 4 Partitioned Logical Networks 5 7 Figure 5 5 IP Alias 5 8 Figure 6 1 R...

Page 22: ...igure 9 1 How NAT Works 9 3 Figure 9 2 NAT Application With IP Alias 9 4 Figure 9 3 Multiple Servers Behind NAT Example 9 8 Figure 9 4 SUA Server 9 9 Figure 9 5 Address Mapping 9 10 Figure 9 6Address Mapping Edit 9 12 Figure 9 7 Trigger Port Forwarding Process Example 9 14 Figure 9 8 Trigger Port 9 15 Figure 10 1 Example of Static Routing Topology 10 1 Figure 10 2 IP Static Route 10 2 Figure 10 3 ...

Page 23: ...t IP Example 12 18 Figure 12 13 Edit Custom Port Example 12 19 Figure 12 14 My Service Rule Configuration 12 20 Figure 12 15 My Service Example Rule Summary 12 21 Figure 12 16 Attack Alert 12 26 Figure 13 1 Content Filtering General 13 2 Figure 13 2 Content Filtering Lookup Procedure 13 5 Figure 13 3 Content Filtering Categories 13 7 Figure 13 4 Content Filtering Customization 13 16 Figure 14 1 En...

Page 24: ...9 Figure 16 5 My Certificate Details 16 13 Figure 16 6 Trusted Cas 16 17 Figure 16 7 Trusted CA Import 16 19 Figure 16 8 Trusted CA Import 16 19 Figure 16 9 Trusted CA Details 16 20 Figure 16 10 Trusted Remote Hosts 16 24 Figure 16 11 Remote Host Certificates 16 26 Figure 16 12 Certificate Details 16 26 Figure 16 13 Trusted Remote Host Import 16 27 Figure 16 14 Trusted Remote Host Details 16 29 Fi...

Page 25: ...5 Figure 18 13 Remote Management SSH 18 16 Figure 18 14 SSH Example 1 Store Host Key 18 18 Figure 18 15 SSH Example 2 Test 18 18 Figure 18 16 SSH Example 2 Log in 18 19 Figure 18 17 Secure FTP Firmware Upload Example 18 20 Figure 18 18 Telnet Configuration on a TCP IP Network 18 21 Figure 18 19 Telnet 18 21 Figure 18 20 FTP 18 23 Figure 18 21 SNMP Management Model 18 24 Figure 18 22 SNMP 18 26 Fig...

Page 26: ...d 21 9 Figure 21 12 Configuration Upload Error 21 10 Figure 21 13 Reset Warning Message 21 11 Figure 21 14 Restart Screen 21 11 Figure 22 1 Initial Screen 22 1 Figure 22 2 Password Screen 22 2 Figure 22 3 Main Menu ZyWALL 100 22 3 Figure 22 4 Getting Started and Advanced Applications SMT Menus 22 5 Figure 22 5 Advanced Management SMT Menus 22 6 Figure 22 6 Schedule Setup and IPSec VPN Configuratio...

Page 27: ...ort Filter Setup 26 1 Figure 26 3 Menu 5 TCP IP Setup 26 2 Figure 26 4 Menu 5 2 TCP IP Setup 26 2 Figure 26 5 Menu 5 2 1 IP Alias Setup 26 3 Figure 27 1 Menu 4 Internet Access Setup Ethernet 27 1 Figure 27 2 Internet Access Setup PPTP 27 4 Figure 27 3 Internet Access Setup PPPoE 27 5 Figure 28 1 Menu 11 Remote Node Setup 28 2 Figure 28 2 Menu 11 1 Remote Node Profile for Ethernet Encapsulation 28 ...

Page 28: ... Server Behind NAT Example 30 10 Figure 30 10 NAT Example 1 30 11 Figure 30 11 Menu 4 Internet Access NAT Example 30 11 Figure 30 12 NAT Example 2 30 12 Figure 30 13 Menu 15 2 Specifying an Inside Server 30 12 Figure 30 14 NAT Example 3 30 13 Figure 30 15 Example 3 Menu 11 3 30 14 Figure 30 16 Example 3 Menu 15 1 1 1 30 15 Figure 30 17 Example 3 Final Menu 15 1 1 30 15 Figure 30 18 Example 3 Menu ...

Page 29: ...onfiguration 33 1 Figure 34 1 Menu 24 System Maintenance 34 1 Figure 34 2 Menu 24 1 System Maintenance Status ZyWALL 100 34 2 Figure 34 3 Menu 24 2 System Information and Console Port Speed 34 4 Figure 34 4 Menu 24 2 1 System Maintenance Information ZyWALL 10W 34 4 Figure 34 5 Menu 24 2 2 System Maintenance Change Console Port Speed 34 5 Figure 34 6 Menu 24 3 System Maintenance Log and Trace 34 6 ...

Page 30: ... 15 FTP Session Example of Firmware File Upload 35 14 Figure 35 16 Menu 24 7 1 As Seen Using the Console Port 35 16 Figure 35 17 Example Xmodem Upload 35 17 Figure 35 18 Menu 24 7 2 As Seen Using the Console Port 35 18 Figure 35 19 Example Xmodem Upload 35 19 Figure 36 1 Command Mode in Menu 24 36 1 Figure 36 2 Valid Commands 36 2 Figure 36 3 Call Control 36 3 Figure 36 4 Budget Management 36 4 Fi...

Page 31: ...ule Set Setup 39 2 Figure 39 3 Applying Schedule Set s to a Remote Node PPPoE 39 4 Figure 39 4 Applying Schedule Set s to a Remote Node PPTP 39 5 Figure 40 1 VPN SMT Menu Tree 40 1 Figure 40 2 Menu 27 VPN IPSec Setup 40 2 Figure 40 3 Menu 27 1 IPSec Summary 40 2 Figure 40 4 Menu 27 1 1 IPSec Setup 40 6 Figure 40 5 Menu 27 1 1 1 IKE Setup 40 12 Figure 40 6 Menu 27 1 1 2 Manual Setup 40 15 Figure 41...

Page 32: ......

Page 33: ... for LAN Servers with Fixed IP Addresses 3 10 Table 3 6 WAN Setup 3 11 Table 4 1 System General Setup 4 2 Table 4 2 DDNS 4 4 Table 4 3 Password 4 6 Table 4 4 Pre defined Time Servers 4 6 Table 4 5 Time Setting 4 8 Table 5 1 IP 5 3 Table 5 2 Static DHCP 5 6 Table 5 3 IP Alias 5 8 Table 6 1 Wireless 6 5 Table 6 2 MAC Address Filter 6 7 Table 6 3 802 1X Authentication 6 8 Table 7 1 DMZ 7 2 Table 8 1 ...

Page 34: ...IP Static Route 10 3 Table 11 1 Common IP Ports 11 4 Table 11 2 ICMP Commands That Trigger Alerts 11 6 Table 11 3 Legal NetBIOS Commands 11 7 Table 11 4 Legal SMTP Commands 11 7 Table 12 1 Application and Subnet based Bandwidth Management Example 12 6 Table 12 2 Firewall Summary 12 8 Table 12 3 Firewall Edit Rule 12 11 Table 12 4 Source and Destination Addresses Add Edit 12 14 Table 12 5 Custom Po...

Page 35: ... 15 10 SA Monitor 15 30 Table 15 11 Global Setting 15 31 Table 15 12 Telecommuters Sharing One VPN Rule Example 15 32 Table 15 13 Telecommuters Using Unique VPN Rules Example 15 34 Table 16 1 My Certificates 16 4 Table 16 2 My Certificate Import 16 8 Table 16 3 My Certificate Create 16 9 Table 16 4 My Certificate Details 16 14 Table 16 5 Trusted CAs 16 17 Table 16 6 Trusted CA Details 16 21 Table ...

Page 36: ...e 20 5 Protocol Port Report 20 9 Table 20 6 LAN IP Address Report 20 10 Table 20 7 Report Specifications 20 11 Table 21 1 System Status 21 2 Table 21 2 System Status Show Statistics 21 3 Table 21 3 DHCP Table 21 4 Table 21 4 Restore Configuration 21 9 Table 22 1 Main Menu Commands 22 2 Table 22 2 Main Menu Summary 22 4 Table 23 1 General Setup Menu Field 23 2 Table 23 2 Configure Dynamic DNS 23 3 ...

Page 37: ...Menu 4 PPPoE screen 27 5 Table 28 1 Fields in Menu 11 1 28 3 Table 28 2 Fields in Menu 11 1 PPPoE Encapsulation Specific 28 6 Table 28 3 Fields in Menu 11 1 PPTP Encapsulation 28 7 Table 28 4 Remote Node Network Layer Options Menu Fields 28 8 Table 28 5 Menu 11 1 Remote Node Profile Traffic Redirect Field 28 12 Table 28 6 Menu 11 6 Traffic Redirect Setup 28 13 Table 29 1 IP Static Route Menu Field...

Page 38: ...5 4 Table 35 3 General Commands for GUI based TFTP Clients 35 6 Table 36 1 Valid Commands 36 2 Table 36 2 Budget Management 36 4 Table 36 3 Call History Fields 36 5 Table 36 4 Time and Date Setting Fields 36 7 Table 37 1 Menu 24 11 Remote Management Control 37 2 Table 38 1 IP Routing Policy Setup 38 3 Table 38 2 IP Routing Policy 38 4 Table 39 1Schedule Set Setup Fields 39 2 Table 40 1 Menu 27 1 I...

Page 39: ...and the details of the features vary from model to model Not every feature applies to every model refer to Table 1 1 Model Specific Features to see what features are specific to your ZyWALL model Related Documentation Support Disk Refer to the included CD for support documents Read Me First or Quick Start Guide The Read Me First or Quick Start Guide is designed to help you get up and running right...

Page 40: ...or you to use one of the predefined choices The SMT menu titles and labels are in Bold Times New Roman font Command and arrow keys are enclosed in square brackets ENTER means the Enter or carriage return key ESC means the Escape key and SPACE BAR means the Space Bar The choices of a menu item are in Bold Arial font Mouse action sequences are denoted using a comma For example click the Apple icon C...

Page 41: ...Getting Started I Part I Getting Started This part helps you get to know your ZyWALL introduces the web configurator and covers how to configure the Wizard Setup screens ...

Page 42: ......

Page 43: ...LAN to your home or small business network 1 1 2 ZyWALL 30W Internet Security Gateway The ZyWALL 30W adds more firewall protection and gives you the option of adding a wireless LAN to your small office or home office 1 1 3 ZyWALL 50 Internet Security Gateway for Small Home Office and Small Businesses The ZyWALL 50 adds more processing power to provide the robust firewall protection necessary for s...

Page 44: ...The Dial Backup or Auxiliary port can be used in reserve as a traditional dial up connection when if ever the broadband connection to the WAN port fails This feature is not available on all models Time and Date The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL You can also set the time manually The Real Time Chip RTC keeps track of the time...

Page 45: ... on public private key pairs Certificates provide a way to exchange public keys for use in authentication SSH The ZyWALL uses the SSH Secure Shell secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network HTTPS HyperText Transfer Protocol over Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web sessions Use...

Page 46: ...es of wireless stations against a list of allowed or denied MAC addresses WEP Encryption WEP Wired Equivalent Privacy encrypts data frames before transmitting over the wireless network to help keep network communications private Brute Force Password Guessing Protection The ZyWALL has a special protection mechanism to discourage brute force password guessing attacks on the ZyWALL s management inter...

Page 47: ...rotocol used to support multicast groups The latest version is version 2 see RFC 2236 the ZyWALL supports both versions 1 and 2 IP Alias IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface The ZyWALL supports three logical LAN interfaces via its single physical Ethernet LAN interface with the ZyWALL itself as the gateway for each LAN network I...

Page 48: ...ilt in DHCP server capability enabled by default which means it can assign IP addresses an IP default gateway and DNS servers to all systems that support the DHCP client The ZyWALL can also act as a surrogate DHCP server DHCP Relay where it relays IP address assignment from the actual real DHCP server to the clients Full Network Management The embedded web configurator is an all platform web based...

Page 49: ...elease Button O O 802 11b Wireless LAN Support O O O 802 1x Wireless LAN Support O O O EAP TLS and EAP TTLS O O Auto crossover 10 100 Mbps Ethernet LAN O O Auto negotiating 10 100 Mbps Ethernet DMZ O Uplink Button O Power Switch O Bandwidth Management Lite O O IP Policy Routing O Number of Static Routes 50 30 30 12 Number of Firewall Rules 400 100 100 50 Number of Custom Ports for Firewall Rules 5...

Page 50: ...estimated The actual number of rules that you can configure depends on how much memory each firewall rule takes up 1 2 4 ZyWALL 100 Note The ZyWALL 100 is designed to act as a secure gateway for all data passing between the Internet and the LAN or the DMZ It has three Ethernet ports one RS 232 auxiliary port and one PCMCIA port for optional wireless applications which are used to physically separa...

Page 51: ...p line when if the broadband connection to the WAN port fails 1 3 Applications for the ZyWALL Here are some examples of what you can do with your ZyWALL 1 3 1 Secure Broadband Internet Access via Cable or DSL Modem You can connect a cable modem DSL or wireless modem to the ZyWALL for broadband Internet access via Ethernet or wireless port on the modem The ZyWALL guarantees not only high speed Inte...

Page 52: ...ZyWALL Series Internet Security Gateway 1 10 Getting to Know Your ZyWALL Figure 1 2 VPN Application ...

Page 53: ...m the ones shown in this document due to differences between individual ZyWALL models or firmware versions The screens shown come primarily from the ZyWALL 10W Screens specific to other models have the model listed in the caption 2 2 Accessing the ZyWALL Web Configurator Step 1 Make sure your ZyWALL hardware is properly connected and prepare your computer computer network to connect to the ZyWALL ...

Page 54: ... the web configurator you will need to reload the factory default configuration file or use the RESET button the back of the ZyWALL Uploading this configuration file replaces the current configuration file with the factory default configuration file This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps wit...

Page 55: ... save it in a folder Step 2 Turn off the ZyWALL begin a terminal emulation software session and turn on the ZyWALL again When you see the message Press Any key to enter Debug Mode within 3 seconds press any key to enter debug mode Step 3 Enter y at the prompt below to go into debug mode Step 4 Enter atlc after Enter Debug Mode message Step 5 Wait for Starting XMODEM upload message before activatin...

Page 56: ...Screens Summary LINK TAB FUNCTION WIZARD Use these screens for initial configuration including general setup ISP parameters for Internet Access and WAN IP DNS Server MAC address assignment SYSTEM General Use this screen to configure general system settings Click WIZARD SETUP for initial configuration including general setup ISP parameters for Internet Access and WAN IP DNS Server MAC address assig...

Page 57: ... configure your DMZ connection WAN Route This screen allows you to configure route priority and traffic redirect properties WAN ISP Use this screen to configure Internet Service Provider parameters WAN IP Use this screen to configure WAN IP address settings WAN MAC Use this screen to configure WAN MAC address settings Traffic Redirect Use this screen to configure your traffic redirect properties a...

Page 58: ...y Certificates Use this screen to view a summary list of certificates and manage certificates and certification requests Trusted CAs Use this screen to view and manage the list of the trusted certification authorities Trusted Remote Hosts Use this screen to view and manage the certificates belonging to the trusted remote hosts Directory Servers Use this screen to view and manage the list of the di...

Page 59: ...nable UPnP on the ZyWALL Ports Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL LOGS View Log Use this screen to view the logs for the categories that you selected Log Settings Use this screen to change your ZyWALL s log settings Reports Use this screen to have the ZyWALL record and display the network usage reports MAINTENANCE General This screen contains adminis...

Page 60: ......

Page 61: ...Computer Name In Windows 95 98 click Start Settings Control Panel Network Click the Identification tab note the entry for the Computer Name field and enter it as the System Name In Windows 2000 click Start Settings and Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System ...

Page 62: ...y Gateway 3 2 Wizard Setup Figure 3 1 Wizard 1 3 3 Wizard Setup Screen 2 The ZyWALL offers three choices of encapsulation They are Ethernet PPTP or PPPoE 3 3 1 Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet ...

Page 63: ...therwise choose PPPoE or PPTP for a dial up connection Service Type Choose from Standard Telstra RoadRunner Telstra authentication method RR Manager Roadrunner Manager authentication method RR Toshiba Roadrunner Toshiba authentication method or Telia Login The following fields are not applicable N A for the Standard service type User Name Type the user name given to you by your ISP Password Type t...

Page 64: ...ing Microsoft Dial Up Networking experience and requires no new learning or procedures For the service provider PPPoE offers an access and authentication method that works with existing access control systems for instance Radius For the user PPPoE provides a login and authentication method that the existing Microsoft Dial Up Networking software can activate and therefore requires no new learning o...

Page 65: ...hod from the pull down list box PPPoE forms a dial up connection Service Name Type the name of your service provider User Name Type the user name given to you by your ISP Password Type the password associated with the user name above Nailed Up Connection Select Nailed Up Connection if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router au...

Page 66: ...oint Tunneling Protocol PPTP is a network protocol that enables transfers of data from a remote client to a private server creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet Refer to the Appendices for more information on PPTP The ZYWALL supports one PPTP server connectio...

Page 67: ...r Internet Access Encapsulation Select PPTP from the drop down list box User Name Type the user name given to you by your ISP Password Type the password associated with the User Name above Nailed Up Connection Select Nailed Up Connection if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server ...

Page 68: ...t and the WAN MAC address 3 4 1 WAN IP Address Assignment Every computer on the Internet must have a unique IP address If your networks are isolated from the Internet for instance only between your two branch offices you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically...

Page 69: ... zero and 255 are reserved In other words the first three numbers specify the network number while the last number identifies an individual computer on that network Once you have decided on the network number pick an IP address that is easy to remember for instance 192 168 1 1 for your ZyWALL but make sure that no other device on your network is using that IP address The subnet mask specifies the ...

Page 70: ...he setting or upload a different rom file ZyXEL recommends you clone the MAC address from a computer on your LAN even if your ISP does not require MAC address authentication Table 3 5 Example of Network Properties for LAN Servers with Fixed IP Addresses Choose an IP address 192 168 1 2 192 168 1 32 192 168 1 65 192 168 1 254 Subnet mask 255 255 255 0 Gateway or default route 192 168 1 1 ZyWALL LAN...

Page 71: ...pecify here to resolve domain names for VPN DDNS and the time server First DNS Server Second DNS Server Third DNS Server Select From ISP if your ISP dynamically assigns DNS server information and the ZyWALL s WAN IP address The field to the right displays the read only DNS server IP address that the ISP assigns Select User Defined if you have the IP address of a DNS server Enter the DNS server s I...

Page 72: ...nter the IP address of the computer on the LAN whose MAC you are cloning Once it is successfully configured the address will be copied to the rom file ZyNOS configuration file It will not change unless you change the setting or upload a different rom file It is advisable to clone the MAC address from a computer on your LAN even if your ISP does not presently require MAC address authentication Back...

Page 73: ...System LAN and Wireless LAN II Part II System LAN and Wireless LAN This part covers configuration of the system LAN and wireless LAN screens ...

Page 74: ......

Page 75: ...me System setup on the ZyWALL 1 Use the System General screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN DDNS and the time server 2 Use the LAN IP screen to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN 3 Use the Remote Management DNS screen to configure the ZyWALL to accept or discard D...

Page 76: ...ecommended System DNS Servers if applicable DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for VPN DDNS and the time server First DNS ...

Page 77: ...ange instead of using an IP address that changes each time you reconnect Your friends or relatives will always be able to call you even if they don t know your IP address To use this service you must register with the Dynamic DNS service provider The Dynamic DNS service provider will give you a password or key 4 4 1 DYNDNS Wildcard Enabling the wildcard feature for your host causes yourhost dyndns...

Page 78: ...r Select the name of your Dynamic DNS service provider DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider Host Names 1 3 Enter the host names in the three fields provided You can specify up to two host names in each field separated by a comma User Enter your user name Password Enter the password assigned to you Enable Wildcard Select the check b...

Page 79: ...recommended that you select this option User Specify Select this option to update the IP address of the host name s to the IP address specified below Use this option if you have a static IP address IP Address Enter the IP address if you select the User Specify option Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh 4 6 Configuring ...

Page 80: ...o not specify a time server or it cannot synchronize with the time server you specified The ZyWALL can use this pre defined list of time servers regardless of the Time Protocol you select When the ZyWALL uses the pre defined list of NTP time servers it randomly selects one server and tries to synchronize with it If the synchronization fails then the ZyWALL goes through the rest of the list in orde...

Page 81: ... Time Setting To change your ZyWALL s time and date click SYSTEM then the Time Setting tab The screen appears as shown Use this screen to configure the ZyWALL s time based on your local time zone Figure 4 4 Time Setting The following table describes the labels in this screen ...

Page 82: ... New Time This field displays the last updated time from the time server When you select None in the Time Protocol field enter the new time in this field and then click Apply Current Date This field displays the date of your ZyWALL Each time you reload this page the ZyWALL synchronizes the time with the time server New Date This field displays the last updated date from the time server When you se...

Page 83: ...another DHCP server on your LAN or else the computer must be manually configured 5 2 1 IP Pool Setup The ZyWALL is pre configured with a pool of 32 IP addresses starting from 192 168 1 33 to 192 168 1 64 This configuration leaves 31 IP addresses excluding the ZyWALL itself in the lower range for other server computers for instance servers for mail FTP TFTP web etc that you may have 5 2 2 DNS Serve...

Page 84: ...ne router uses multicasting then all routers on your network must use multicasting also By default RIP Direction is set to Both and RIP Version to RIP 1 5 3 4 Multicast Traditionally IP packets are transmitted in one of either two ways Unicast 1 sender 1 recipient or Broadcast 1 sender everybody on the network Multicast delivers IP packets to a group of hosts on the network not everybody and not j...

Page 85: ...t startup from a server Leave the DHCP Server check box selected unless your ISP instructs you to do otherwise Clear it to disable the ZyWALL acting as a DHCP server When configured as a server the ZyWALL provides TCP IP configuration for the clients If not DHCP service is disabled and you must have another DHCP server on your LAN or else the computers must be manually configured When set as a ser...

Page 86: ...lick Apply If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you click Apply Select DNS Relay to have the ZyWALL act as a DNS proxy The ZyWALL s LAN IP address displays in the field to the right read only The ZyWALL tells the DHCP clients on the LAN that the ZyWALL itself is the DNS server When a computer on the LAN sends a DNS q...

Page 87: ...ddress and so will not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also By default RIP direction is set to Both and the Version set to RIP 1 Multicast Select IGMP V 1 or IGMP V 2 or None IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group it is not used to car...

Page 88: ...example 00 A0 C5 00 00 02 To change your ZyWALL s Static DHCP settings click LAN then the Static DHCP tab The screen appears as shown Figure 5 2 Static DHCP The following table describes the labels in this screen Table 5 2 Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address This fi...

Page 89: ...rface with the ZyWALL itself as the gateway for each LAN network When you use IP alias you can also configure firewall rules to control access between the LAN s logical networks subnets The following figure shows a LAN divided into subnets A B and C Figure 5 3 Physical Network Figure 5 4 Partitioned Logical Networks To change your ZyWALL s IP Alias settings click LAN then the IP Alias tab The scre...

Page 90: ...hat you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None When set to Both or Out Only the ZyWA...

Page 91: ... topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets However if one router uses multicasting then all routers on your network must u...

Page 92: ......

Page 93: ...ndows XP An optional network RADIUS server for remote user authentication and accounting 6 2 Wireless LAN Basics This section provides background information on WLAN 6 2 1 Channel IEEE 802 11b wireless devices use radio frequencies called channels Choose the radio channel depending on your geographical area Adjacent Access Points APs should use different channels to reduce crosstalk Crosstalk occu...

Page 94: ...revent collisions due to hidden nodes An RTS CTS defines the biggest size data frame you can send before an RTS Request To Send CTS Clear to Send handshake is invoked When a data frame exceeds the RTS CTS value you set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS Request To Send message to the AP for permission to send it The AP then responds with a ...

Page 95: ...eshold for busy networks or networks that are prone to interference If the Fragmentation Threshold value is smaller than the RTS CTS value see previously you set then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS Threshold size 6 3 Wireless Security Wireless security is vital to your network to protect wireless communic...

Page 96: ...y to encrypt and decrypt data Your ZyWALL allows you to configure up to four 64 bit or 128 bit WEP keys but only one key can be enabled at any one time 6 4 Configuring Wireless LAN If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL s ESSID or WEP settings you will lose your wireless connection when you press Apply to confirm You must then chan...

Page 97: ...MHz Europe CE ETSI CH01 2412 MHz CH02 2417 MHz Ch14 2484 MHz Japan CH10 2457 MHz CH11 2462 MHz Spain CH10 2457 MHz CH11 2462 MHz CH13 2472 MHz France RTS Threshold Request To Send The threshold number of bytes for enabling RTS CTS handshake Data with its frame size larger than this value will perform the RTS CTS handshake Setting this attribute to be larger than the maximum MSDU MAC service data u...

Page 98: ...e same on the access points as they are on the wireless client computers Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh 6 5 Configuring MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices Allow Association or exclude specific devices from accessing the ZyWALL Deny Assoc...

Page 99: ...ons Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table Select Deny Association to block access to the router MAC addresses not listed will be allowed to access the router Select Allow Association to permit access to the router MAC addresses not listed will be denied access to the router MAC Address Enter the MAC addresses in XX XX XX XX XX XX forma...

Page 100: ...tion The following table describes the labels in this screen Table 6 3 802 1X Authentication LABEL DESCRIPTION Authentication Type Select Authentication Required to authenticate all wireless clients before they can access the wired network Select No Authentication Required to allow all wireless clients to access your wired network without authentication Select No Access to deny all wireless client...

Page 101: ...ZyWALL Series Internet Security Gateway Wireless LAN Screens 6 9 Table 6 3 802 1X Authentication LABEL DESCRIPTION Reset Click Reset to begin configuring this screen afresh ...

Page 102: ......

Page 103: ...DMZ and WAN III Part III DMZ and WAN This part covers configuration of the DMZ and WAN screens ...

Page 104: ......

Page 105: ... configured by the administrator or the user is an authorized remote user It is highly recommended that you connect all of your public servers to the DMZ port If you have more than one public server connect a hub to the DMZ port It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port Store sensitive information on LAN computers 7 2 ...

Page 106: ...you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL 255 255 255 0 RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None When set to Both or Out Onl...

Page 107: ...ticasting then all routers on your network must use multicasting also By default RIP direction is set to Both and the Version set to RIP 1 Multicast Select IGMP V 1 or IGMP V 2 or None IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 111...

Page 108: ......

Page 109: ...routes have the same metric the ZyWALL uses the following pre defined priorities 1 Normal route designated by the ISP see section 8 5 or a static route see the IP Static Route Setup chapter 2 Traffic redirect route see section 8 8 3 Dial backup route see section 8 9 For example if the normal route has a metric of 1 and the traffic redirect route has a metric of 2 and dial backup route has a metric...

Page 110: ...p does not apply to all ZyWALL models You have two choices for an auxiliary connection in the event that your regular WAN connection goes down If Dial Backup is preferred to Traffic Redirect then type 14 in the Dial Backup Priority metric field and leave the Traffic Redirect Priority metric at the default of 15 Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin co...

Page 111: ...ication method RR Toshiba Roadrunner Toshiba authentication method or Telia Login The following fields do not appear with the Standard service type User Name Type the user name given to you by your ISP Password Type the password associated with the user name above Retype to Confirm Type the password again to make sure that you have entered it correctly Login Server IP Address Type the authenticati...

Page 112: ...er PPPoE offers an access and authentication method that works with existing access control systems for example Radius PPPoE provides a login and authentication method that the existing Microsoft Dial Up Networking software can activate and therefore requires no new learning or procedures for Windows users One of the benefits of PPPoE is the ability to let you access one of multiple network servic...

Page 113: ... cable wireless etc connection Operationally PPPoE saves significant effort for both the end user and ISP carrier as it requires no specific configuration of the broadband modem at the customer site By implementing PPPoE directly on the router rather than individual computers the computers on the LAN do not need PPPoE software installed since the router does that part of the task Further with NAT ...

Page 114: ...the router automatically disconnects from the PPPoE server Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh 8 4 3 PPTP Encapsulation Point to Point Tunneling Protocol PPTP is a network protocol that enables secure transfer of data from a remote client to a private server creating a Virtual Private Network VPN using TCP IP based net...

Page 115: ...emote client to a private server creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multi protocol and virtual private networking over public networks such as the Internet The ZyWALL supports only one PPTP server connection at any given time To configure a PPTP client you must configure the User Name and Password fields for a PPP connection and the PPTP para...

Page 116: ...l automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL Server IP Address Type the IP address of the PPTP server Connection ID Name Type your identification name for the PPTP server Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen a...

Page 117: ...tomatically from ISP Select this option If your ISP did not assign you a fixed IP address This is the default selection Use fixed IP address Select this option If the ISP assigned a fixed IP address IP Address Enter your WAN IP address in this field if you selected Use Fixed IP Address IP Subnet Mask Enter the IP subnet mask if your ISP gave you one in this field if you selected Use Fixed IP Addre...

Page 118: ...eld sets this route s priority among the routes the ZyWALL uses The metric represents the cost of transmission A router determines the best route for transmission by choosing a path with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks The number must be between 1 and 15 a number greater than 15 means the link is down The sma...

Page 119: ...s a network layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 Windows Networking NetBIOS over...

Page 120: ... enter the IP address of the computer on the LAN whose MAC you are cloning Once it is successfully configured the address will be copied to the rom file ZyNOS configuration file It will not change unless you change the setting or upload a different ROM file 8 7 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its norm...

Page 121: ...he ZyWALL itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure a LAN to LAN ZyWALL firewall rule that forwards packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Figure 8 8 Traffic Redirect LAN Setup 8 8 Configuring Traffic Redirect To change your ZyWALL s Traf...

Page 122: ...nts the cost of transmission A router determines the best route for transmission by choosing a path with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks The number must be between 1 and 15 a number greater than 15 means the link is down The smaller the number the lower the cost Check WAN IP Address Configuration of this fiel...

Page 123: ...estination IP address handles lots of traffic Timeout sec Type the number of seconds for your ZyWALL to wait for a ping response from the IP Address in the Check WAN IP Address field before it times out The WAN connection is considered down after the ZyWALL times out the number of times specified in the Fail Tolerance field Use a higher value in this field if your network is busy or congested Appl...

Page 124: ...ZyWALL Series Internet Security Gateway 8 16 WAN Screens Figure 8 10 Dial Backup Setup ...

Page 125: ...Phone number if available Some areas require dialing the pound sign before the phone number for local calls Include a symbol at the beginning of the phone numbers as required Dial Backup Port Speed Use the drop down list box to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps AT Command Initial ...

Page 126: ...ype the remote gateway s subnet mask here if you know it static Remote Node IP Address Leave this field set to 0 0 0 0 default to have the ISP or other remote router dynamically automatically send its IP address if you do not know it Type the remote gateway s IP address here if you know it static Enable SUA Network Address Translation NAT allows the translation of an Internet protocol address used...

Page 127: ...field controls the sending and receiving of RIP packets Choose Both In Only or Out Only When set to Both or Out Only the ZyWALL will broadcast its routing table periodically When set to Both or In Only the ZyWALL will incorporate RIP information that it receives Broadcast Dial Backup Route Select this check box to forward the backup route broadcasts to the WAN Enable Multicast Select this check bo...

Page 128: ...ction This option applies only when the ZyWALL initiates the call The dial backup connection never times out if you set this field to 0 it is the same as selecting Always On Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh 8 10 Advanced Modem Setup 8 10 1 AT Command Strings For regular telephone lines the default Dial string tells ...

Page 129: ...strings have not been standardized please consult the documentation of your WAN device to find the correct tags 8 11 Configuring Advanced Modem Setup Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown next Consult the manual of your WAN device connected to your dial backup port for specific AT commands Figure 8 11 Advanced Setup The following table describes...

Page 130: ...rom the WAN device CLID is required for CLID authentication NMBR Called ID Type the keyword preceding the dialed number Speed Type the keyword preceding the connection speed CONNECT Call Control Dial Timeout sec Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out stopping 60 Retry Count Type a number of times for the ZyWALL to retry a busy or no answer phone...

Page 131: ...es Internet Security Gateway WAN Screens 8 23 Table 8 8 Advanced Setup LABEL DESCRIPTION EXAMPLE Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh ...

Page 132: ......

Page 133: ...NAT and Static Route IV Part IV NAT and Static Route This part covers Network Address Translation and setting up static routes ...

Page 134: ......

Page 135: ...ample the local address refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an ins...

Page 136: ...o Many Overload mapping NAT offers the additional benefit of firewall protection With no servers defined your ZyWALL filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 9 1 3 How NAT Works Each packet has two addresses a source address and a destination address ...

Page 137: ...Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the ZyWALL can communicate with three distinct WAN networks More examples follow at the end of this chapter Inside Local Address ILA Inside Global IP Address IGA ...

Page 138: ...ddress Many to One In Many to One mode the ZyWALL maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature the SUA Only option Many to Many Overload In Many to Many Overload mode the ZyWALL maps the multiple local IP addresses to shared global IP addresses Many One to One In Many One to One mode the ZyW...

Page 139: ...BBREVIATION One to One ILA1 IGA1 1 1 Many to One SUA PAT ILA1 IGA1 ILA2 IGA1 M 1 Many to Many Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA1 ILA4 IGA2 M M Ov Many One to One ILA1 IGA1 ILA2 IGA2 ILA3 IGA3 M 1 1 Server Server 1 IP IGA1 Server 2 IP IGA1 Server 3 IP IGA1 Server 9 2 Using NAT You must create a firewall rule in addition to setting up SUA NAT to allow traffic from the WAN to be forwarded through...

Page 140: ...mber identifies a service for example web service is on port 80 and FTP on port 21 In some cases such as for unknown services or where one server can support more than one service for example both FTP and web service it might be better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a range of ports Many residential broadband ISP accounts do no...

Page 141: ...Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP trap 162 PPTP Point to Point Tunneling Protocol 1723 9 3 3 Configuring Servers Behind SUA Example Let s say you want to assign ports 21 25 to one server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addr...

Page 142: ...ng SUA Server If you do not assign a Default Server IP Address the ZyWALL discards all packets received for ports that are not specified in this screen or remote management Click SUA NAT to open the SUA Server screen Refer to Table 9 4 for port numbers commonly used for particular services IP address assigned by ISP ...

Page 143: ...server IP address then all packets received for ports not specified in this screen or remote management will be discarded Number of an individual SUA server entry Active Select this check box to enable the SUA server entry Clear this checkbox to disallow forwarding of these ports to an inside server without having to delete the entry Name Enter a name to identify this port forwarding rule Start Po...

Page 144: ...ket the ZyWALL takes the corresponding action and the remaining rules are ignored If there are any empty rules before your new configured rule your configured rule will be pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delet...

Page 145: ...A for One to One Many to One and Server mapping types Type 1 One to One mode maps one local IP address to one global IP address Note that port numbers do not change for the One to one NAT mapping type 2 Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers...

Page 146: ...ny to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One Many One to one mode maps each local IP address to unique global IP addresses 5 Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting Inside Local IP Address ILA Local IP addresses ar...

Page 147: ...he same service on a different LAN computer you have to manually replace the LAN computer s IP address in the forwarding port with another LAN computer s IP address Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service The ZyWALL records the IP address of a LAN computer that sends traffic to the WAN to request a service with a spec...

Page 148: ...ct to the Real Audio server until the connection is closed or times out The ZyWALL times out in three minutes with UDP User Datagram Protocol or two hours with TCP IP Transfer Control Protocol Internet Protocol 9 6 2 Two Points To Remember About Trigger Ports 1 Trigger events only happen on data that is going coming from inside the ZyWALL and going to the outside 2 If an application needs a contin...

Page 149: ...ort or a range of ports that a server on the WAN uses when it sends out a particular service The ZyWALL forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service Start Port Type a port number or the starting port number in a range of port numbers End Port Type a port number or the ending port number in a range of port numbers Trigger The tri...

Page 150: ...CRIPTION Start Port Type a port number or the starting port number in a range of port numbers End Port Type a port number or the ending port number in a range of port numbers Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh ...

Page 151: ...f the networks beyond For instance the ZyWALL knows about network N2 in the following figure through remote node router R1 However the ZyWALL is unable to route a packet to network N3 because it doesn t know that there is a route through the same remote node router R1 via gateway router R2 The static routes are for you to tell the ZyWALL about the networks beyond the remote nodes Figure 10 1 Examp...

Page 152: ...tive Yes or not No Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your ZyWALL over the WAN the gateway must be ...

Page 153: ...ws you to activate deactivate this static route Destination IP Address This parameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask here ...

Page 154: ...s the cost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts Select this check box to keep this route private and not included in RIP broadcasts Clear this checkbox to propagate this route to other hosts through RIP br...

Page 155: ...all and Content Filtering V Part V Firewall and Content Filtering This part introduces firewalls in general and the ZyWALL firewall It also explains how to configure the ZyWALL firewall and content filtering ...

Page 156: ......

Page 157: ...irewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall itself 11 2 Types of Firewalls There are three main types of firewalls 1 Packet Filtering Firewalls 2 Application level Firewalls 3 Stateful Inspection Firewalls 11 2 1 Packet F...

Page 158: ...support See section 11 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 11 3 Introduction to ZyXEL s Firewall The ZyWALL firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated in SMT menu 21 2 or in the web configurator The ZyWALL...

Page 159: ...rotocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP port 80 When computers communicate on the Internet they are using the client server model where the server listens on a specific TCP UDP port for information requests from remo...

Page 160: ...The oversize packet is then sent to an unsuspecting system Systems may crash hang or reboot 1 b Teardrop attack exploits weaknesses in the reassembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carryin...

Page 161: ...SYN Attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are moved off the queue only when an ACK comes back or when an internal timer which is set at relatively lo...

Page 162: ...ress of the network the router will broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof the source IP address of the ICMP echo request packet the resulting ICMP traffic will not only clog up the intermediary network but will also congest the network of t...

Page 163: ...ters by tricking a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall The ZyWALL blocks all IP Spoofing attempts 11 5 Stateful Inspection With stateful inspection fiel...

Page 164: ...ic initiated from the WAN is blocked 11 5 1 Stateful Inspection Process In this example the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection 1 The packet travels from the firewall s LAN to the WAN 2 The pa...

Page 165: ...nspected by a firewall rule and the connection s state table entry is updated as necessary Based on the updated state information the inbound extended access list temporary entries might be modified in order to permit only packets that are valid for the current state of the connection 8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table...

Page 166: ...he security policy as is the case with the default policy the connection will be allowed A cache entry is added which includes connection information such as IP addresses TCP ports sequence numbers etc When the ZyWALL receives any subsequent packet from the Internet or from the LAN its connection information is extracted and checked against the cache A packet is only allowed to pass through if it ...

Page 167: ... safely since the PORT command contains address and port information which can be used to uniquely identify the connection Any protocol that operates in this way must be supported on a case by case basis You can use the web configurator s Custom Ports feature to do this 11 6 Guidelines For Enhancing Security With Your Firewall 1 Change the default password via SMT or web configurator 2 Think about...

Page 168: ...ot distinguish traffic originating from an inside host or an outside host by IP address 4 To block allow IP trace route 11 7 2 Firewall The firewall inspects packet contents as well as their source and destination addresses Firewalls of this type employ an inspection module applicable to all protocols that understands data in the packet is intended for other layers from the network layer IP header...

Page 169: ... between inside host networks and outside host networks Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address 4 The firewall performs better than filtering if you need to check many rules 5 Use the firewall if you need routine e mail reports about your system or need to be alerted when attacks occur 6 The firewall can block specific URL t...

Page 170: ......

Page 171: ...endices for firewall CLI commands 12 2 Firewall Policies Overview Firewall rules are grouped based on the direction of travel of packets to which they apply LAN to LAN ZyWALL WAN to LAN DMZ to LAN LAN to WAN WAN to WAN ZyWALL DMZ to WAN LAN to DMZ WAN to DMZ DMZ to DMZ ZyWALL DMZ is not available on all models By default the ZyWALL s stateful packet inspection allows packets traveling in the follo...

Page 172: ...hat from the LAN to the Internet Allow certain types of traffic such as Lotus Notes database synchronization from specific hosts on the Internet to specific hosts on the LAN Allow everyone except your competitors to access a Web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing the Source IP address Destination IP address an...

Page 173: ...at blocks just certain users be more effective 3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability For example if FTP ports TCP 20 21 are allowed from the Internet to the LAN Internet users may be able to connect to computers with running FTP servers 4 Does this rule conflict with any existing rules Once these questions have been answered adding ...

Page 174: ...aging the ZyWALL through the LAN interface and policies for LAN to LAN the policies that control routing between two subnets on the LAN Similarly WAN to WAN ZyWALL and DMZ to DMZ ZyWALL polices apply in the same way to the WAN and DMZ ports 12 4 1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non restricted access to the WAN When you configure a ...

Page 175: ...idth hungry applications or individuals by allocating the maximum bandwidth for traffic that matches a firewall rule Enable bandwidth management in the BM Global Setting screen and apply bandwidth management to individual firewall rules in the Firewall Edit Rule screen go to the Summary screen and click Insert to create a new rule or select an existing rule s radio button and click Edit to edit th...

Page 176: ...t A and Subnet B is allotted 320 Kbps Figure 12 4 Subnet based Bandwidth Management Example 12 6 3 Application and Subnet based Bandwidth Management Example The following example uses bandwidth classes based on LAN subnets and applications specific applications in each subnet are allotted bandwidth Table 12 1 Application and Subnet based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A FROM...

Page 177: ...e an alert when an attack is detected in the Attack Alert screen Figure 12 16 check the Generate alert when attack detected checkbox or when a rule is matched in the Edit Rule screen see Figure 12 7 Configure the Log Settings screen to have the ZyWALL send an immediate e mail message to you when an event generates an alert Refer to the chapter on logs for details 12 8 Configuring Firewall The orde...

Page 178: ...attacks when the firewall is activated Bypass Triangle Route Select this check box to have the ZyWALL firewall ignore the use of triangle route topology on the network See the Appendices for more on triangle route topology Firewall Rules Storage Space in Use This read only bar shows how much of the ZyWALL s memory for recording firewall rules it is currently using When you are using 80 or less of ...

Page 179: ...d displays whether a firewall is turned on Active or not Inactive Rules that have not been configured display Empty Source Address This drop down list box displays the source addresses or ranges of addresses to which this firewall rule applies Please note that a blank source or destination address is equivalent to Any Destination Address This drop down list box displays the destination addresses o...

Page 180: ...der of their numbering Rule to Rule Number Click a rule s option button and type the number for where you want to put that rule Edit Click Edit to create or edit a rule Delete Click Delete to delete an existing firewall rule Note that subsequent firewall rules move up by one when you take this action Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring t...

Page 181: ...ve the ZyWALL use this rule Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it Packet Direction Use the drop down list box to select the direction of packet travel to which you want to apply this firewall rule Source Address Click SrcAdd to add a new address SrcEdit to edit an existing one or SrcDelete to delete one Please see the next section for more information ...

Page 182: ... from the Available Services list and click this button to remove the service Action for Matched Packets Use the drop down list box to select whether to discard Block or allow the passage of Forward packets that match this rule Log This field determines if a log is created for packets that match the rule Match don t match the rule Not Match both Both or no log is created None Go to the Log Setting...

Page 183: ...kbps and the ZyWALL allocates 64 kbps for traffic that it forwards from the LAN to the WAN and 64 kbps for traffic that it forwards from the WAN to the LAN For LAN to LAN ZyWALL rules the amount of bandwidth that you configure applies to the traffic that the ZyWALL forwards from the LAN or the ZyWALL to the LAN For WAN to WAN ZyWALL rules the amount of bandwidth that you configure applies to the t...

Page 184: ...10 to 192 169 1 50 a subnet or any IP address Select an option from the drop down list box that includes Single Address Range Address Subnet Address and Any Address Start IP Address Enter the single IP address or the starting IP address in a range here End IP Address Enter the ending IP address in a range here Subnet Mask Enter the subnet mask here if applicable Apply Click Apply to save your cust...

Page 185: ...umber Enter a single port number or the range of port numbers that define your customized service Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving 12 8 4 Bandwidth for Traffic that Does Not Match Firewall Rules Use one of the following methods to configure the ZyWALL to allow bandwidth for traffic that does not match fir...

Page 186: ... then the BM Global Setting tab The screen appears as shown Figure 12 10 BM Global Setting The following table describes the labels in this screen Table 12 6 BM Global Setting LABEL DESCRIPTION Enable Bandwidth Management Select this check box to have the ZyWALL apply bandwidth management to traffic going out through the ZyWALL s WAN or LAN port Enable bandwidth management to give traffic that mat...

Page 187: ...all rules that apply to the WAN port with bandwidth allotments you must set this field to be equal to or greater than the sum of the firewall rules bandwidth allotments Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh 12 9 Example Firewall Rule The following Internet firewall rule example allots 64Kbps for a hypotheti...

Page 188: ... 12 11 Firewall Edit Rule Screen Step 4 Select Any in the Destination Address box and then click DestEdit Step 5 Configure the Firewall Rule Edit IP screen as follows and click Apply Figure 12 12 Firewall Rule Edit IP Example Select WAN to LAN from the drop down list box ...

Page 189: ...re it as follows and click Apply Figure 12 13 Edit Custom Port Example Step 8 The firewall rule configuration screen displays use the arrows between Available Services and Selected Services to configure it as shown in the following screen Step 9 Select the Apply Bandwidth Management check box and configure the Bandwidth for This Rule field to 64 Step 10 Click Apply when you are done ...

Page 190: ...ames in the Services list box and the Rule Summary list box Click Apply after you ve created your custom port Figure 12 14 My Service Rule Configuration This is the address range of the MyService servers Click Apply when finished This is your MyService custom port Select this check box Type 64 in this field ...

Page 191: ...rvice Example Rule Summary 12 10Predefined Services The Available Services list box in the Edit Rule screen see Figure 12 7 displays all predefined services that the ZyWALL already supports Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that Rule 1 Allows a My Service connect...

Page 192: ...ain Name Server a service that matches web names e g www zyxel com to IP numbers FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on FTP TCP 20 21 File Transfer Program a program to enable fast transfer of files including large files that may not be possible by e mail H 323 TCP 1720 NetMeeting uses this protocol HTTP TCP 80 Hyper Text Tran...

Page 193: ...ost Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary connection TCP IP or other PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP_TUNNEL GRE 0 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the data channel RCMD TCP 51...

Page 194: ... host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution 12 11Configuring Attack Alert Attack alerts are the first defense against DOS attacks In the Attack Alert screen shown later you may choose to generate ...

Page 195: ...en sessions rises above a threshold max incomplete high the ZyWALL starts deleting half open sessions as required to accommodate new connection requests The ZyWALL continues to delete half open requests as necessary until the number of existing half open sessions drops below another threshold max incomplete low When the rate of new connection attempts rises above a threshold one minute high the Zy...

Page 196: ...m Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click the Attack Alert tab to bring up the next screen Figure 12 16 Attack Alert The following table describes the labels in this screen Table 12 8 Attack Alert LABEL DESCRIPTION DEFAULT VALUES Generate alert when attack detected A detected attack automatically generates a log entry Chec...

Page 197: ...stop deleting half open sessions when fewer than 80 session establishment attempts have been detected in the last minute Maximum Incomplete Low This is the number of existing half open sessions that causes the firewall to stop deleting half open sessions The ZyWALL continues to delete half open requests as necessary until the number of existing half open sessions drops below this number 80 existin...

Page 198: ... sessions 30 in the ZyWALL 10W 30W and 100 Blocking Time When TCP Maximum Incomplete is reached you can choose if the next session should be allowed or blocked If you check Blocking Time any new sessions will be blocked for the length of time you specify in the next field min and all old incomplete sessions will be cleared during this period If you want strong security it is better to block the tr...

Page 199: ...and disable web proxies 13 1 2 Create a Filter List You can select categories such as pornography or racial intolerance to block from a pre defined list 13 1 3 Filter Specific Web Sites Your ZyWALL can block or allow access to specific web sites based on their URLs or based on certain key words contained in web site content 13 2 General Content Filter Configuration Click CONTENT FILTER to open the...

Page 200: ... the labels in this screen Table 13 1 Content Filtering General LABEL DESCRIPTION Enable Content Filter Select this check box to enable the content filter Restricted Web Features Select the check box es to restrict a feature When you download a page containing a restricted feature that part of the web page will appear blank or grayed out ...

Page 201: ...filtering scheduling only applies to the Filter List Customized sites and Keywords Restricted web server data such as ActiveX Java Cookies and Web Proxy are not affected Always Block Click this option button to have content filtering always active with Time of Day limitations not enforced This is enabled by default Block From To Click this option button to have content filtering only active during...

Page 202: ... click Add Range Address List This text field shows the address ranges that are blocked Add Range Click Add Range after you have filled in the From and To fields above Delete Range Click Delete Range after you select the range of addresses you wish to delete Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh 13 3 Content Filtering wi...

Page 203: ...er Step 3 The lookup server sends the rating information back to the ZyWALL which then either forwards or blocks the web content The web site address is then also stored in the ZyWALL s content filtering cache 13 4 A Procedure to Enable External Database Content Filtering The following is an example procedure for using external database content filtering Step 1 Enable content filtering in the Cont...

Page 204: ...g Step 1 Go to your device s web configurator s Content Filtering Categories screen Step 2 Select at least one category and click Apply Step 3 Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and click the Test Against Internet Server button When content filtering is active you should see an access blocked or access forwarded message An error message displays ...

Page 205: ...ZyWALL Series Internet Security Gateway Content Filtering Screens 13 7 Figure 13 3 Content Filtering Categories The following table describes the labels in this screen ...

Page 206: ...s message that you configured in the Content Filtering General screen along with the category of the blocked web page Select Log to record attempts to access web pages that are not categorized When Content Filter Server Is Unavailable Select Block to block access to any requested web page if the external content filtering database is unavailable The following are possible causes There is no respon...

Page 207: ...f other products offered Nudity Selecting this category excludes pages containing nude or seminude depictions of the human body These depictions are not necessarily sexual in intent or effect but may include pages containing nude paintings or photo galleries of artistic nature This category also includes nudist or naturist pages that contain pictures of nude individuals Alcohol Tobacco Selecting t...

Page 208: ...ic and programming guides books comics movie theatres galleries artists or reviews on entertainment Business Economy Selecting this category excludes pages devoted to business firms business information economics marketing business management and entrepreneurship This does not include pages that perform services that are defined in another category such as Information Technology companies or compa...

Page 209: ...vernment agencies and government services such as taxation and emergency services It also includes pages that discuss or explain laws of various governmental entities Military Selecting this category excludes pages that promote or provide information on military branches or armed services Political Activist Groups Selecting this category excludes pages sponsored by or which provide information on ...

Page 210: ...pages and scientific information Chat Instant Messaging Selecting this category excludes pages that provide chat or instant messaging capabilities or client downloads Email Selecting this category excludes pages offering web based email services such as online email reading e cards and mailing list services Newsgroups Selecting this category excludes pages that offer access to Usenet news groups o...

Page 211: ...g including finding and making travel reservations vehicle rentals descriptions of travel destinations or promotions for hotels or casinos Vehicles Selecting this category excludes pages that provide information on or promote vehicles boats or aircraft including pages that support online purchase of vehicles or parts Humor Jokes Selecting this category excludes pages that primarily focus on comedy...

Page 212: ...Click this button to test whether or not the web page above is saved in the ZyWALL s database of restricted web pages Test Against Internet Server Click this button to test whether or not the web page above is saved in the external content filter server s database of restricted web pages Registration and Reports Registration Status This read only field displays Registered if you have successfully ...

Page 213: ...tering to be activated See section 13 5 for how to check the content filtering activation You can manage your registration status or view content filtering reports after you register this device You cannot access the web site if you have enabled content filtering in the Content Filtering General screen and blocked access to web pages that use Java Apply Click Apply to save your changes back to the...

Page 214: ...ty Gateway 13 16 Content Filtering Screens Figure 13 4 Content Filtering Customization The following table describes the labels in this screen Table 13 3 Content Filtering Customization LABEL DESCRIPTION WEB Site List Customization ...

Page 215: ... Site Enter host names such as www good site com into this text field Do not enter the complete URL of the site that is do not include http All sub domains are allowed For example entering zyxel com also allows www zyxel com partner zyxel com press zyxel com etc Trusted Web Sites This list displays the trusted web sites already added Add Click this button when you have finished adding the host nam...

Page 216: ...n these keywords Select this checkbox to enable keyword blocking Add Keyword Enter a keyword to block Keyword List This list displays the keywords already added Add Click this button when you have finished adding the key words field above Delete Select a keyword from the Keyword List and then click this button to delete it from that list Apply Click Apply to save your changes back to the ZyWALL Re...

Page 217: ...VPN IPSec VI Part VI VPN IPSec This part provides information on how to configure Virtual Private Networks ...

Page 218: ......

Page 219: ...lutions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer 14 1 2 Security Association A Security Association SA is a contract between two parties indicating what security parameters such as keys and algorithms they will use 14 1...

Page 220: ...PN applications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Accessing Network Resources When NAT Is Enabled When NAT is enabled remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for t...

Page 221: ...thm describes the use of encryption techniques such as DES Data Encryption Standard AES Advanced Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide an authentication mechanism for the AH and ESP protocols Please see section 15 2 for more information 14 2 2 Key Management Key management allows you to determine whether to use...

Page 222: ...nternal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This is the most common mode of operation Tunnel mode is required for gateway to gateway and host to gateway communications Tunnel mode communications have two sets of IP headers Outside header The outside IP header contains the destination IP address of the VPN gateway Inside header The inside IP header c...

Page 223: ...ol with authentication the packet contents in this case the entire original packet are encrypted The encrypted contents but not the new headers are signed with a hash value appended to the packet Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload which is unchanged by a NAT device Trans...

Page 224: ......

Page 225: ...r integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but will allow for verifi...

Page 226: ...r maximum Select NULL to set up a tunnel without encryption Select MD5 for minimal security and SHA 1 for maximum security 15 3 My IP Address My IP Address is the WAN IP address of the ZyWALL The ZyWALL has to rebuild the VPN tunnel if the My IP Address changes after setup The following applies if this field is configured as 0 0 0 0 The ZyWALL uses the current ZyWALL WAN IP address static or dynam...

Page 227: ...er 0 0 0 0 as the secure gateway s address In this case only the remote secure gateway can initiate SAs This may be useful for telecommuters initiating a VPN tunnel to the company network See section 15 18 for configuration examples The Secure Gateway IP Address may be configured as 0 0 0 0 only when using IKE key management and not Manual key management 15 5 VPN Rules Screen The following figure ...

Page 228: ...bels in this screen Table 15 2 VPN Rules LABEL DESCRIPTION The VPN policy index number Name This field displays the identification name for this VPN policy Active This field displays whether the VPN policy is active or not A Yes signifies that this VPN policy is active No signifies that this VPN policy is not active ...

Page 229: ...re IKE or Manual screen is configured to Single Address The beginning and ending static IP addresses in a range of computers are displayed when the Remote Address Type field in the Configure IKE or Manual screen is configured to Range Address A static IP address and a subnet mask are displayed when the Remote Address Type field in the Configure IKE or Manual screen is configured to Subnet Address ...

Page 230: ...d traffic the ZyWALL automatically drops the tunnel after two minutes 15 7 NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A and B Figure 15 3 NAT Router Between IPSec Routers Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet In ...

Page 231: ...ng the IPSec connection see also the Authentication Server part A ZyWALL can be an extended authentication server for some VPN connections and an extended authentication client for other VPN connections 15 7 3 DNS Server for IPSec VPN In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server you must identify that DNS server You cannot use DNS...

Page 232: ... the ZyWALL from IPSec routers with dynamic IP addresses see section 15 18 2 for a telecommuter configuration example Regardless of the ID type and content configuration the ZyWALL does not allow you to save multiple active rules with overlapping local and remote IP addresses With main mode see section 15 12 2 the ID type and content are encrypted to provide identity protection In this case the Zy...

Page 233: ... will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Secure Gateway field DNS Type a domain name up to 31 characters by which to identify the remote IPSec router E mail Type an e mail address up to 31 characters by which to identify the remote IPSec router The domain name or e mail address that you use in the Content field is used for ident...

Page 234: ...Local ID type IP Local ID type IP Local ID content 1 1 1 10 Local ID content 1 1 1 10 Peer ID type E mail Peer ID type IP Peer ID content aa yahoo com Peer ID content N A 15 9 Pre Shared Key A pre shared key identifies a communicating party during a phase 1 IKE negotiation see section 15 12 for more on IKE phases It is called pre shared because you have to share it with another party before you ca...

Page 235: ...ZyWALL Series Internet Security Gateway VPN Screens 15 11 Figure 15 5 VPN IKE ...

Page 236: ...t the ZyWALL drops trailing spaces Key Management Select IKE or Manual Key from the drop down list box IKE provides more protection so it is generally recommended Manual Key is a useful option for troubleshooting Negotiation Mode Select Main or Aggressive from the drop down list box Multiple SAs connecting through a secure gateway must have the same negotiation mode Enable Extended Authentication ...

Page 237: ...0 0 0 0 the ranges of the local IP addresses cannot overlap between rules If you configure an active rule with 0 0 0 0 in the Secure Gateway Address field and the LAN s full IP address range as the local IP address then you cannot configure any other active rules with the Secure Gateway Addr field set to 0 0 0 0 Address Type Use the drop down menu to choose Single Address Range Address or Subnet A...

Page 238: ...hind the remote IPSec router When the Address Type field is configured to Subnet Address enter a static IP address on the network behind the remote IPSec router Ending IP Address Subnet Mask When the Address Type field is configured to Single Address this field is N A When the Address Type field is configured to Range Address enter the end static IP address in a range of computers on the network b...

Page 239: ... to identify this ZyWALL by a domain name Select E mail to identify this ZyWALL by an e mail address You do not configure the local ID type and content when you set Authentication Method to Certificate The ZyWALL takes them from the certificate you select Content When you select IP in the Local ID Type field type the IP address of your computer The ZyWALL uses the IP address in the My IP Address f...

Page 240: ...mote IPSec router by an e mail address The e mail address must be the same as in the subject alternative name field of the certificate that the remote IPSec router uses for this VPN connection Select Subject Name to identify the remote IPSec router by a subject name when the certificate that the peer uses for this VPN connection does not contain a subject alternative name such as IP or E mail The ...

Page 241: ...ype Peer ID Content when you set Authentication Method to Certificate IP Type the same IP address as the subject alternative name field of the certificate the remote IPSec router will use for this VPN connection If you configure this field as 0 0 0 0 or leave it blank the ZyWALL uses the address in the Secure Gateway Address field The ZyWALL checks the peer ID content against the IP address in the...

Page 242: ...ave more than one active rule with the Secure Gateway Address field set to 0 0 0 0 the ranges of the local IP addresses cannot overlap between rules If you configure an active rule with 0 0 0 0 in the Secure Gateway Address field and the LAN s full IP address range as the local IP address then you cannot configure any other active rules with the Secure Gateway Address field set to 0 0 0 0 Encapsul...

Page 243: ...ion When you select NULL you do not enter an encryption key Authentication Algorithm Select SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for maximum security Advanced Click Advanced t...

Page 244: ...es The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled even if there is no traffic If an IPSec SA times out then the IPSec router must renegotiate the SA the next time someone attempts to send traffic 15 12 1 Extended Authentication and IKE Extended authentication inserts a new exchange between IKE phases 1 and 2 for client authentication 15 12 2 N...

Page 245: ...The key is thrown away and replaced by a brand new key using a new Diffie Hellman exchange for each new IPSec SA setup With PFS enabled if one key is compromised previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys The time consuming Diffie Hellman exchange is the trade off for this extra security This may be unnecessary for data that does not...

Page 246: ...5 22 VPN Screens Figure 15 7 VPN IKE Advanced The following table describes the labels in this screen Table 15 8 VPN IKE Advanced LABEL DESCRIPTION Protocol Enter 1 for ICMP 6 for TCP 17 for UDP etc 0 is the default and signifies any protocol ...

Page 247: ...hase 1 Negotiation Mode Select Main or Aggressive from the drop down list box Multiple SAs connecting through a secure gateway must have the same negotiation mode Encryption Algorithm Select DES 3DES or AES from the drop down list box The ZyWALL and the remote IPSec router generate an encryption key from the Diffie Hellman key exchange The DES encryption algorithm uses a 56 bit key Triple DES 3DES...

Page 248: ...5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for maximum security SA Life Time seconds Define the length of time before an IKE SA automatically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 da...

Page 249: ...urity Parameter Index along with a destination IP address uniquely identify a particular Security Association SA The SPI is transmitted from the remote VPN gateway to the local VPN gateway The local VPN gateway then uses the network encryption and key values that the administrator associated with the SPI to establish the tunnel Current ZyXEL implementation assumes identical outgoing and incoming S...

Page 250: ...BEL DESCRIPTION Active Select this check box to activate this VPN policy Name Type up to 32 characters to identify this VPN policy You may use any character including spaces but the ZyWALL drops trailing spaces Key Management Select IKE or Manual Key from the drop down list box Manual is a useful option for troubleshooting if you have problems using IKE key management ...

Page 251: ...ield is configured to Single Address this field is N A When the Address Type field is configured to Range Address enter the end static IP address in a range of computers on the LAN behind your ZyWALL When the Address Type field is configured to Subnet Address this is a subnet mask on the LAN behind your ZyWALL Remote Remote IP addresses must be static and correspond to the remote IPSec router s co...

Page 252: ... IPSec router with which you re making the VPN connection SPI Type a number base 10 from 1 to 999999 for the Security Parameter Index Encapsulation Mode Select Tunnel mode or Transport mode from the drop down list box ESP Select ESP if you want to use ESP Encapsulation Security Payload The ESP protocol RFC 2406 provides encryption as well as some of the services offered by AH If you select ESP her...

Page 253: ...y to be used by IPSec if applicable Enter 16 characters for MD5 authentication or 20 characters for SHA 1 authentication Any characters may be used including spaces but trailing spaces are truncated Apply Click Apply to save your changes back to the ZyWALL Cancel Click Cancel to begin configuring this screen afresh 15 16Viewing SA Monitor In the web configurator click VPN and the SA Monitor tab Us...

Page 254: ...o page feature This is the security association index number Name This field displays the identification name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocols used for an SA Both AH and ESP increase ZyWALL processing requirements and communications latency delay Previous Page if applicable Click Previous Page ...

Page 255: ...bal Setting The following table describes the labels in this screen Table 15 11 Global Setting LABEL DESCRIPTION Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP broadcast packets that enable a computer to find other computers It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find c...

Page 256: ... access a ZyWALL at headquarters HQ in the figure The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers The telecommuters must all use the same IPSec parameters but the local IP addresses or ranges of addresses should not overlap Figure 15 11 Telecommuters Sharing One VPN Rule Example Table 15 12 Telecommuters Sharing One VPN Rule Example FIELDS HEADQUART...

Page 257: ...s a ZyWALL at headquarters They can use different IPSec parameters The local IP addresses or ranges of addresses of the rules configured on the ZyWALL at headquarters can overlap The local IP addresses of the rules configured on the telecommuters IPSec routers should not overlap See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN conn...

Page 258: ...r ID Type IP Local ID Type IP Peer ID Content 192 168 2 12 Local ID Content 192 168 2 12 Secure Gateway Address telecommuter1 com Local IP Address 192 168 2 12 Remote Address 192 168 2 12 Headquarters ZyWALL Rule 2 Telecommuter B telecommuterb dydns org Peer ID Type DNS Local ID Type DNS Peer ID Content telecommuterb com Local ID Content telecommuterb com Secure Gateway Address telecommuterb com L...

Page 259: ...Internet Security Gateway VPN Screens 15 35 15 19VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW SNMP DNS or ICMP then you should configure remote management REMOTE MGNT to allow access for that service ...

Page 260: ......

Page 261: ...Certificates VII Part VII Certificates This part provides information and configuration instructions for public key certificates ...

Page 262: ......

Page 263: ...tion authorities You can use the ZyWALL to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority In public key encryption and decryption each host has two keys One key is public and can be made openly available the other key is private and must be kept secure Public key encryption in general works ...

Page 264: ...with databases of valid and revoked certificates A directory of certificates that have been revoked before the scheduled expiration is called a CRL Certificate Revocation List The ZyWALL can check a peer s certificate against a directory server s list of revoked certificates The framework of servers software procedures and policies that handles keys is called PKI public key infrastructure 16 1 1 A...

Page 265: ...tion requests display in gray See the following figure Use the My Certificate screens to generate and export self signed certificates or certification requests and import the ZyWALLs CA signed certificates Use the Trusted Remote Hosts screens to import self signed certificates Use the Directory Servers screen to configure a list of addresses of directory servers that contain lists of valid and rev...

Page 266: ...BEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL s PKI storage space that is currently in use When you are using 80 or less of the storage space the bar is green When the amount of space used is over 80 the bar is red When the bar is red you should consider deleting expired or unnecessary certificates before adding more certificates ...

Page 267: ...st certificates CERT represents a certificate issued by a certification authority Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the cer...

Page 268: ... certificate 3 Select the Default self signed certificate which signs the imported remote host certificates check box 4 Click Apply to save the changes and return to the My Certificates screen 5 The certificate that originally showed SELF displays SELF and you can delete it now Note that subsequent certificates move up by one when you take this action 16 5 Certificate File Formats The certificatio...

Page 269: ...certificate to the ZyWALL see the following figure 1 You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL 2 The certificate you import replaces the corresponding request in the My Certificates screen 3 You must remove any spaces from the certificate s filename before you can import it Figure 16 3 My Certificate Import The following t...

Page 270: ...ate file you want to upload Apply Click Apply to save the certificate on the ZyWALL Cancel Click Cancel to quit and return to the My Certificates screen 16 7 Creating a Certificate Click CERTIFICATES My Certificates and then Create to open the My Certificate Create screen Use this screen to have the ZyWALL create a self signed certificate enroll a certificate with a certification authority or gene...

Page 271: ...cates 16 9 Figure 16 4 My Certificate Create The following table describes the labels in this screen Table 16 3 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters not including spaces to identify this certificate ...

Page 272: ...he company or group to which the certificate owner belongs You may use any character including spaces but the ZyWALL drops trailing spaces Country Type up to 127 characters to identify the nation where the certificate owner is located You may use any character including spaces but the ZyWALL drops trailing spaces Key Length Select a number from the drop down list box to determine how many bits the...

Page 273: ...veloped by the Public Key Infrastructure X 509 working group of the Internet Engineering Task Force IETF and is specified in RFC 2510 CA Server Address Enter the IP address or URL of the certification authority server CA Certificate Select the certification authority s certificate from the CA Certificate drop down list box You must have the certification authority s certificate already imported in...

Page 274: ...turn button that takes you back to the My Certificate Create screen Click Return and check your information in the My Certificate Create screen Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online 16 8 My Certificate Details Click CERTIFICATES and then My Certificates to open th...

Page 275: ...ZyWALL Series Internet Security Gateway Certificates 16 13 Figure 16 5 My Certificate Details The following table describes the labels in this screen ...

Page 276: ... certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the certificate itself If the certificate is a self signed certificate the certificate itself is the only one in the list The ZyWALL does not trust the certificate and displays Not trusted in this field if any certificate on the path has expi...

Page 277: ...This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field displays for what functions the certificate s key can be used For exam...

Page 278: ...ter distribution via floppy disk for example Export Click this button and then Save in the File Download screen The Save As screen opens browse to the location that you want to use and click Save Apply Click Apply to save your changes back to the ZyWALL You can only change the name except in the case of a self signed certificate which you can also set to be the default self signed certificate that...

Page 279: ...nt of space used is over 80 the bar is red When the bar is red you should consider deleting expired or unnecessary certificates before adding more certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field displays identifying information about the certificate...

Page 280: ... certificate revocation lists CRL check box in the certificate s details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority Otherwise the field displays No Import Click Import to open a screen where you can save the certificate of a certification authority that you trust from your computer to the ZyWALL Details Select the radio button nex...

Page 281: ...ave the certificate on the ZyWALL Cancel Click Cancel to quit and return to the Trusted CAs screen 16 11Trusted CA Certificate Details Click CERTIFICATES Trusted CAs to open the Trusted CAs screen Select a certificate s radio button and click Details to open the Trusted CA Details screen Use this screen to view in depth information about the certification authority s certificate change the certifi...

Page 282: ...ZyWALL Series Internet Security Gateway 16 20 Certificates Figure 16 9 Trusted CA Details ...

Page 283: ...he issuing certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the end entity s own certificate The ZyWALL does not trust the end entity s certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked Refresh Click Refresh to display the certifica...

Page 284: ...hm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate s owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field displays for what functions the certificate s key can be used For...

Page 285: ... example Export Click this button and then Save in the File Download screen The Save As screen opens browse to the location that you want to use and click Save Apply Click Apply to save your changes back to the ZyWALL You can only change the name and or set whether or not you want the ZyWALL to check the CRL that the certification authority issues before trusting a certificate issued by the certif...

Page 286: ...ired or unnecessary certificates before adding more certificates Issuer My Default Self signed Certificate This field displays identifying information about the default self signed certificate on the ZyWALL that the ZyWALL uses to sign the trusted remote host certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the...

Page 287: ...lick this button to display the current validity status of the certificates Delete Select the radio button next to the index number of a certificate that you want to delete and then click Delete to remove that certificate 16 13 Verifying a Trusted Remote Host s Certificate Certificates issued by certification authorities have the certification authority s signature for you to check Self signed cer...

Page 288: ... click the certificate s icon to open the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields Figure 16 12 Certificate Details Verify over the phone for example that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields ...

Page 289: ...d remote host certificate must be a self signed certificate and you must remove any spaces from its filename before you can import it Figure 16 13 Trusted Remote Host Import The following table describes the labels in this screen Table 16 8Trusted Remote Host Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click...

Page 290: ...k CERTIFICATES Trusted Remote Hosts to open the Trusted Remote Hosts screen Select a certificate s radio button and click Details to open the Trusted Remote Host Details screen You can use this screen to view in depth information about the trusted remote host s certificate and or change the certificate s name ...

Page 291: ...ZyWALL Series Internet Security Gateway Certificates 16 29 Figure 16 14 Trusted Remote Host Details ...

Page 292: ...ZyWALL is the Certification Authority that signed the certificate X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the device that created the certificate Subj...

Page 293: ...e hosts actual certificate See section 16 13 1 for how to verify a remote host s certificate SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm You cannot use this value to verify that this is the remote host s actual certificate because the ZyWALL has signed the certificate thus causing this value to be different from that of the remote h...

Page 294: ...s screen This screen displays a summary list of directory servers that contain lists of valid and revoked certificates that have been saved into the ZyWALL If you decide to have the ZyWALL check incoming certificates against the issuing certification authority s list of revoked certificates the ZyWALL first checks the server s listed in the CRL Distribution Points field of the incoming certificate...

Page 295: ...of the directory server Port This field displays the port number that the directory server uses Protocol This field displays the protocol that the directory server uses Add Click Add to open a screen where you can configure information about a directory server so that the ZyWALL can access it Edit Select the radio button next to a directory server s index number and then click Edit to open a scree...

Page 296: ...his directory server Access Protocol Use the drop down list box to select the access protocol used by the directory server LDAP Lightweight Directory Access Protocol is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates 1 Server Address Type the IP address in dotted decimal notation or the domain name of the directory server 1 At the...

Page 297: ...uses 389 is the default server port number for LDAP Login The ZyWALL may need to authenticate itself in order to assess the directory server Type the login name up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the directory server usually a certification auth...

Page 298: ......

Page 299: ...nt and UPnP VIII Part VIII Authentication Server Remote Management and UPnP This part provides information and configuration instructions for configuration of the authentication server screens remote management and Universal Plug and Play ...

Page 300: ......

Page 301: ...ers The ZyWALL uses the same local user database for VPN extended authentication and wireless LAN security see the VPN and wireless LAN chapters 17 2 Local User Database By storing user profiles locally on the ZyWALL your ZyWALL is able to authenticate VPN extended authentication clients or wireless clients without interacting with a network RADIUS server However there is a limit on the number of ...

Page 302: ...ZyWALL Series Internet Security Gateway 17 2 Authentication Server Figure 17 1 Local User Database ...

Page 303: ...DIUS RADIUS is based on a client sever model that supports authentication and accounting where access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks among others Authentication Determines the identity of the users Accounting Keeps track of the client s network activity RADIUS user is a simple package exchange in which your ZyWALL acts as a mes...

Page 304: ...yWALL and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypted to protect the network from unauthorized access 17 3 2 EAP Authentication Overview EAP Extensible Authentication Protocol is an authentication protocol that runs on top of the IEEE802 1x transport ...

Page 305: ...request identity message to the wireless station for identity information The wireless station replies with identity information including username and password The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station 17 4 Configuring RADIUS Use the RADIUS screen if you want to use an external server to perfo...

Page 306: ...e Enable this feature to have the ZyWALL use an external authentication server in performing user authentication Disable this feature if you will not use an external authentication server If you disable this feature you can still set the ZyWALL to perform user authentication using the local user database Server Address Enter the IP address of the external authentication server in dotted decimal no...

Page 307: ...counting Server Active Enable this feature to do user accounting through an external authentication server Server Address Enter the IP address of the external accounting server in dotted decimal notation Port Number The default port of the RADIUS server for accounting is 1813 You need not change this value unless your network administrator instructs you to do so with additional information Key Ent...

Page 308: ......

Page 309: ...r details on configuring firewall rules You may manage your ZyWALL from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable When you Choose WAN only or ALL LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Server Access field You may only have one remote management session r...

Page 310: ...ement and NAT When NAT is enabled Use the ZyWALL s WAN IP address when configuring from the WAN Use the ZyWALL s LAN IP address when configuring from the LAN 18 1 3 System Timeout There is a default system timeout of five minutes three hundred seconds for either the console port or telnet web FTP connections Your ZyWALL automatically logs you out if you do nothing in this timeout period except whe...

Page 311: ...hich requests the HTTPS connection with the ZyWALL whereas the SSL client only should authenticate itself when the SSL server requires it to do so select Authenticate Client Certificates in the Remote Mngt WWW screen Authenticate Client Certificates is optional and if selected means the SSL client must send the ZyWALL a certificate You must apply for a certificate for the browser from a CA that is...

Page 312: ...EMOTE MGNT WWW screen then the ZyWALL blocks all HTTP connection attempts 18 3 Configuring WWW To change your ZyWALL s World Wide Web settings click REMOTE MANAGEMENT then the WWW tab The screen appears as shown Figure 18 2 WWW The following table describes the labels in this screen Table 18 1 WWW LABEL DESCRIPTION HTTPS ...

Page 313: ... incoming HTTPS access is allowed You can allow only secure web configurator access by setting the HTTP Server Access field to Disable and setting the HTTPS Server Access field to an interface s Secure Client IP Address A secure client is a trusted computer that is allowed to communicate with the ZyWALL using this service Select All to allow any computer to access the ZyWALL using this service Cho...

Page 314: ...ou wish to access 18 4 1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server a Windows dialog box pops up asking if you trust the server certificate Click View Certificate if you want to verify that the certificate is from the ZyWALL You see the following Security Alert screen in Internet Explorer Select Yes to proceed to the web configurator login screen if you s...

Page 315: ...ority screen pops up asking if you trust the server certificate Click Examine Certificate if you want to verify that the certificate is from the ZyWALL If Accept this certificate temporarily for this session is selected then click OK to continue in Netscape Select Accept this certificate permanently to import the ZyWALL s certificate into the SSL client Figure 18 4 Security Certificate Example Net...

Page 316: ...L itself since the certificate is a self signed certificate o For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate o To have the browser trust the certificates issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certificate Refer to the appendix ...

Page 317: ... procedure if you need to access the WAN port and it uses a dynamically assigned IP address Step 1 Create a new certificate for the ZyWALL that uses the IP address of the ZyWALL s port that you are trying to access as the certificate s common name For example to use HTTPS to access a LAN port with IP address 192 168 1 1 create a certificate that uses 192 168 1 1 as the common name Step 2 Go to the...

Page 318: ...ZyWALL Series Internet Security Gateway 18 10 Remote Management Screens Figure 18 6 Login Screen Example Internet Explorer ...

Page 319: ...t Security Gateway Remote Management Screens 18 11 Figure 18 7 Login Screen Example Netscape Click Login and you then see the next screen The factory default certificate is a common default certificate for all ZyWALL models ...

Page 320: ... Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL s MAC address that will be specific to this device Click CERTIFICATES My Certificates to open the My Certificates screen You will see information similar to that shown in the following figure ...

Page 321: ...ty Gateway Remote Management Screens 18 13 Figure 18 9 Device specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate You will then see this information in the My Certificates screen ...

Page 322: ... Common ZyWALL Certificate 18 5 SSH Overview Unlike Telnet or FTP which transmit data in clear text SSH Secure Shell is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network ...

Page 323: ...ends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2 Encryption Method Once the identification is verified both the client and server must agree on the type of encryption method to use Figure 18 12How SSH Works 3 Authentication and Data Transmission ...

Page 324: ...ALL for remote SMT management and file transfer on port 22 Only one SSH connection is allowed at a time 18 7 1 Requirements for Using SSH You must install an SSH client program on a client computer Windows or Linux operating system that is used to connect to the ZyWALL over SSH 18 8 Configuring SSH Click Remote Management and then the SSH tab The screen displays as shown Figure 18 13 Remote Manage...

Page 325: ...WALL using SSH Select Selected or All If you select Selected you must enter an IP address in the field provided The ZyWALL will check if the client IP address matches the value here when an SSH session is up If it does not match the ZyWALL will disconnect the session immediately Select All if you want to allow computers with any IP address to access the ZyWALL s SSH server 0 0 0 0 Apply Click Appl...

Page 326: ...log in to the ZyWALL The SMT main menu displays next 18 9 2 Example 2 Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions Step 1 Test whether the SSH service is available on the ZyWALL Enter telnet 192 168 1 1 22 at a terminal prompt and press ENTER The computer attempts to connect to port 22 on the ZyWALL using the defaul...

Page 327: ...e similar for other SSH client programs Refer to your SSH client program user s guide Step 1 Enter sftp 1 192 168 1 1 This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a message displays prompting you to save the host information of the ZyWALL Type yes and press ENTER Step 2 E...

Page 328: ...ALL sftp 1 192 168 1 1 Connecting to 192 168 1 1 The authenticity of host 192 168 1 1 192 168 1 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d 80 53 d1 Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 1 1 RSA1 to the list of known hosts Administrator 192 168 1 1 s password sftp put firmware bin ras Uploading firmware b...

Page 329: ...ay Remote Management Screens 18 21 Figure 18 18 Telnet Configuration on a TCP IP Network 18 12Configuring TELNET Click REMOTE MANAGEMENT to open the TELNET screen Figure 18 19 Telnet The following table describes the labels in this screen ...

Page 330: ...sing this service Select All to allow any computer to access the ZyWALL using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh 18 13Configuring FTP You can upload and download the ZyWALL...

Page 331: ...er that is allowed to communicate with the ZyWALL using this service Select All to allow any computer to access the ZyWALL using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh 18 14Con...

Page 332: ...nager An agent is a management software module that resides in a managed device the ZyWALL An agent translates the local management information from the managed device into a form compatible with SNMP The manager is the console through which network administrators perform network management functions It executes applications that control and monitor managed devices The managed devices contain obje...

Page 333: ... Used by the agent to inform the manager of some events 18 14 1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC 1213 and RFC 1215 The focus of the MIBs is to let administrators collect statistical data and monitor status and performance 18 14 2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs Table 18 5 SNMP Traps TRAP TRAP NAME...

Page 334: ...sent with the message of the fatal code if the system reboots because of fatal errors 18 14 3 REMOTE MANAGEMENT SNMP To change your ZyWALL s SNMP settings click REMOTE MANAGEMENT then the SNMP tab The screen appears as shown Figure 18 22 SNMP The following table describes the labels in this screen Table 18 6 SNMP LABEL DESCRIPTION SNMP Configuration ...

Page 335: ...tion to send your SNMP traps to SNMP Service Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Access Select the interface s through which a computer may access the ZyWALL using this service Secure Client IP Address A secure client is a trusted computer that is allowed to communica...

Page 336: ... ZyWALL Select All to allow any computer to send DNS queries to the ZyWALL Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the ZyWALL Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh 18 16Configuring Security To change your ZyWALL s security settings click REMOTE ...

Page 337: ...rotocol is a message control and error reporting protocol between a host server and a gateway to the Internet ICMP uses Internet Protocol IP datagrams but the messages are processed by the TCP IP software and directly apparent to the application user Respond to Ping on The ZyWALL will not respond to any incoming Ping requests when Disable is selected Select LAN to reply to incoming LAN Ping reques...

Page 338: ... probe on its unused UDP ports and a TCP Reset packet for a port probe on its unused TCP ports Note that the probing packets must first traverse the ZyWALL s firewall mechanism before reaching this anti probing mechanism Therefore if the firewall mechanism blocks a probing packet the ZyWALL reacts based on the firewall policy which by default is to send a TCP reset packet for a blocked TCP packet ...

Page 339: ...an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 19 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT UPnP network devices can automatically conf...

Page 340: ...UPnP if this is not your intention 19 2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP Implementers Corp UIC ZyXEL s UPnP implementation supports IGD 1 0 Internet Gateway Device At the time of writing ZyXEL s UPnP implementation supports Windows Messenger 4 6 and 4 7 while Windows Messenger 5 0 and Xbox are still being tested UPnP broadcast...

Page 341: ...iguration changes through UPnP Select this check box to allow UPnP enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL for example by using NAT traversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device this eliminates the need to manually configure port forwarding for the U...

Page 342: ...le transfers this option allows the ZyWALL to keep a record when your computer uses UPnP to create a NAT forwarding entry for that service The following read only table displays information about the UPnP created NAT port forwarding entries in the ZyWALL s NAT routing table This is the index number of the UPnP created NAT port forwarding entry Remote Host This field displays the source IP address ...

Page 343: ...nal Client This field displays the DNS host name or IP address of a client on the LAN Multiple NAT clients can use a single port simultaneously if the Internal Client field is set to 255 255 255 255 for UDP mappings Enabled This field displays whether or not this UPnP created NAT port forwarding entry is turned on The UPnP enabled device that connected to the ZyWALL and configured the UPnP created...

Page 344: ...x in the Components selection box Step 4 Click OK to go back to the Add Remove Programs Properties window and click Next Step 5 Restart the computer when prompted 19 5 2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP Step 1 Click Start and Control Panel Step 2 Double click Network Connections Step 3 In the Network Connections window click Advanced in the main me...

Page 345: ...ck box Step 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next 19 6 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device Make sure the computer is connected to a LAN port of the ZyXEL device Turn on your computer and the...

Page 346: ...el Double click Network Connections An icon displays under Internet Gateway Step 2 Right click the icon and select Properties Step 3 In the Internet Connection Properties window click Settings to see the port mappings that were automatically created Step 4 You may edit or delete the port mappings or click Add to manually add port mappings ...

Page 347: ...tion area when connected check box and click OK An icon displays in the system tray Step 6 Double click the icon to display your current Internet connection status 19 6 2 Web Configurator Easy Access With UPnP you can access the web based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first This is helpful if you do not know the IP address of the ZyXEL devi...

Page 348: ...art and then Control Panel Step 2 Double click Network Connections Step 3 Select My Network Places under Other Places Step 4 An icon with the description for each UPnP enabled device displays under Local Network Step 5 Right click the icon for your ZyXEL device and select Invoke The web configurator login screen displays ...

Page 349: ...ZyWALL Series Internet Security Gateway UPnP 19 11 Step 6 Right click the icon for your ZyXEL device and select Properties A properties window displays with basic information about the ZyXEL device ...

Page 350: ......

Page 351: ...Logs IX Part IX Logs This part provides information and instructions for the logs and reports ...

Page 352: ......

Page 353: ...k LOGS to open the View Log screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see section 20 2 Options include logs about system maintenance system errors access control allowed or blocked web sites blocked web features such as ActiveX controls java and cookies attacks such as DoS and IPSec Log entries in red indicate system error logs T...

Page 354: ... labels in this screen Table 20 1 View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page see section 20 2 display in the drop down list box Select a category of logs to view select All Logs to view logs from all of the log categories that you selected in the Log Settings page ...

Page 355: ...en Clear Log Click Clear Log to delete all the logs 20 2 Configuring Log Settings To change your ZyWALL s log settings click Logs then the Log Settings tab The screen appears as shown Use the Log Settings screen to configure to where the ZyWALL is to send logs the schedule for when the ZyWALL is to send the logs and which logs and or immediate alerts the ZyWALL is to send An alert is a type of log...

Page 356: ...ZyWALL Series Internet Security Gateway 20 4 Log Screens Figure 20 2 Log Settings ...

Page 357: ...ogs Active Click Active to enable syslog logging Syslog Server IP Address Enter the server name or IP address of the syslog server that will log the selected categories of logs Log Facility Select a location from the drop down list box The log facility allows you to log the messages to different files in the syslog server Refer to the documentation of your syslog program for more details Send Log ...

Page 358: ...LL record and display the following network usage details Web sites visited the most often Number of times the most visited web sites were visited The most used protocols or service ports The amount of traffic for the most used protocols or service ports The LAN IP addresses to and or from which the most traffic has been sent How much traffic has been sent to and from the LAN IP addresses to and o...

Page 359: ... service ports that have been used the most and the amount of traffic for the most used protocols or service ports LAN IP Address displays the LAN IP addresses to and or from which the most traffic has been sent and how much traffic has been sent to and from those IP addresses Start Collection Stop Collection The button text shows Start Collection when the ZyWALL is not recording report data and S...

Page 360: ...mple The following table describes the labels in this screen Table 20 4 Web Site Hits Report LABEL DESCRIPTION Web Site This column lists the domain names of the web sites visited most often from computers on the LAN The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first The ZyWALL counts each page viewed in a web si...

Page 361: ...has gone through the ZyWALL The protocols or service ports are listed in descending order with the most used protocol or service port listed first Direction This column lists the direction of travel of the traffic belonging to each protocol or service port listed Incoming refers to traffic that is coming into the ZyWALL s LAN from the WAN Outgoing refers to traffic that is going out from the ZyWAL...

Page 362: ... 20 6 LAN IP Address Report Example The following table describes the labels in this screen Table 20 6 LAN IP Address Report LABEL DESCRIPTION IP Address This column lists the LAN IP addresses to and or from which the most traffic has been sent The LAN IP addresses are listed in descending order with the LAN IP address to and or from which the most traffic was sent listed first Amount This column ...

Page 363: ... Table 20 7 Report Specifications LABEL DESCRIPTION Number of web sites protocols or ports IP addresses listed 20 Hit count limit Up to 2 32 hits can be counted per web site The count starts over at 0 if it passes four billion Bytes count limit Up to 2 64 bytes can be counted per protocol port or LAN IP address The count starts over at 0 if it passes 264 bytes ...

Page 364: ......

Page 365: ...Maintenance X Part X Maintenance This part covers the maintenance screens ...

Page 366: ......

Page 367: ... Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your ZyWALL 21 2 Status Screen Click MAINTENANCE to open the Status screen where you can use to monitor your ZyWALL Note that these fields are READ ONLY and are meant to be used for diagnostic purposes Figure 21 1 System Status The following table describes the labels in this...

Page 368: ...in all ZyWALL router models WAN Port IP Address This is the WAN port IP address IP Subnet Mask This is the WAN port subnet mask DHCP This is the WAN port DHCP role Client or None LAN Port IP Address This is the LAN port IP address IP Subnet Mask This is the LAN port subnet mask DHCP This is the LAN port DHCP role Server Relay not all ZyWALL models or None DMZ Port not available on all ZyWALL model...

Page 369: ... re using PPPoE encapsulation TxPkts This is the number of transmitted packets on this port RxPkts This is the number of received packets on this port Collisions This is the number of collisions on this port Tx B s This displays the transmission speed in bytes per second on this port Rx B s This displays the reception speed in bytes per second on this port Up Time This is the total amount of time ...

Page 370: ...s If set to None DHCP service will be disabled and you must have another DHCP server on your LAN or else the computer must be manually configured Click MAINTENANCE and then the DHCP Table tab Read only information here relates to your DHCP status The DHCP table shows current DHCP client information including IP Address Host Name and MAC Address of all network clients using the DHCP server Figure 2...

Page 371: ... address and IP address also display in the LAN Static DHCP screen where you can edit them This feature is not available on all models Refresh Click Refresh to renew the screen 21 4 F W Upload Screen Find firmware at www zyxel com in a file that usually uses the system model name with a bin extension e g zywall bin The upload process uses HTTP Hypertext Transfer Protocol and may take up to two min...

Page 372: ...ress compressed zip files before you can upload them Upload Click Upload to begin the upload process This process may take up to two minutes Do not turn off the device while firmware upload is in progress After you see the Firmware Upload in Process screen wait two minutes before logging into the device again Figure 21 6 Firmware Upload In Process The device automatically restarts in this time cau...

Page 373: ...ar Click Return to go back to the F W Upload screen Figure 21 8 Firmware Upload Error 21 5 Configuration Screen See the Firmware and Configuration File Maintenance chapter in the SMT User s Guide for transferring configuration files using FTP TFTP commands Click MAINTENANCE and then the Configuration tab Information related to factory defaults backup configuration and restoring configuration appea...

Page 374: ...rrent configuration to a file on your computer Once your device is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previous settings Click Backup to save the device s current configuration to your computer ...

Page 375: ...le you want to upload Remember that you must decompress compressed ZIP files before you can upload them Upload Click Upload to begin the upload process Do not turn off the device while configuration file upload is in progress After you see a configuration upload successful screen you must then wait one minute before logging into the device again Figure 21 10 Configuration Upload Successful The dev...

Page 376: ...rt Guide for details on how to set up your computer s IP address If the upload was not successful the following screen will appear Click Return to go back to the Configuration screen Figure 21 12 Configuration Upload Error 21 5 3 Back to Factory Defaults Pressing the Reset button in this section clears all user entered configuration information and returns the ZyWALL to its factory defaults as sho...

Page 377: ...y defaults of your ZyWALL Refer to the Introducing the Web Configurator chapter for more information on the RESET button 21 6 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off Click MAINTENANCE and then Restart Click Restart to have the ZyWALL reboot This does not affect the ZyWALL s configuration Figure 21 14 Restart Screen ...

Page 378: ......

Page 379: ...oduces the System Management Terminal and covers the General setup menu WAN and dial backup setup LAN and wireless LAN setup DMZ setup and Internet access See the web configurator parts of this guide for background information on features configurable by web configurator and SMT ...

Page 380: ......

Page 381: ...the SMT via the Console Port Make sure you have the physical connection properly set up as described in the hardware installation chapter When configuring using the console port you need a computer equipped with communications software configured to the following parameters VT100 terminal emulation 9600 Baud No parity 8 data bits 1 stop bit flow control set to none 22 2 1 Initial Screen When you t...

Page 382: ...figure your ZyWALL Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below Table 22 1 Main Menu Commands OPERATION KEYSTROKES DESCRIPTION Move down to another menu ENTER To move forward to a submenu type in the number of the desired submenu and press ENTER Move up to a previous menu ESC Press the ESC key to move back to the p...

Page 383: ...e Press ENTER to confirm or ESC to cancel Saving the data on the screen will take you in most cases to the previous menu Exit the SMT Type 99 then press ENTER Type 99 at the main menu prompt and press ENTER to exit the SMT interface 22 3 1 Main Menu After you enter the password the SMT displays the ZyWALL Main Menu as shown next Not all models have all the features shown Figure 22 3 Main Menu ZyWA...

Page 384: ...11 Remote Node Setup Use this menu to configure detailed remote node settings your ISP is also a remote node as well as apply WAN filters 12 Static Routing Setup Configure IP static routes in this menu 15 NAT Setup Use this menu to configure Network Address Translation 21 Filter and Firewall Setup Configure filters activate deactivate the firewall and view the firewall log 22 SNMP Configuration Us...

Page 385: ...ity Gateway Introducing the SMT 22 5 22 3 2 SMT Menus at a Glance The available SMT screens vary by ZyWALL model The following SMT overview applies to the ZyWALL 100 Figure 22 4 Getting Started and Advanced Applications SMT Menus ...

Page 386: ...ZyWALL Series Internet Security Gateway 22 6 Introducing the SMT Figure 22 5 Advanced Management SMT Menus ...

Page 387: ...System Password Change the system password by following the steps shown next Step 1 Enter 23 in the main menu to open Menu 23 System Password as shown next Figure 22 7 Menu 23 System Password Step 2 Type your existing password and press ENTER Menu 23 System Password Old Password New Password Retype to confirm Enter here to CONFIRM or ESC to CANCEL ...

Page 388: ...4 Re type your new system password for confirmation and press ENTER Note that as you type a password the screen displays an X for each character you type 22 5 Resetting the ZyWALL If you forget your password or cannot access the SMT menu refer to the section on resetting the ZyWALL in the web configurator part of this guide ...

Page 389: ...ng General Setup Step 1 Enter 1 in the main menu to open Menu 1 General Setup Step 2 The Menu 1 General Setup screen appears as shown next Fill in the required fields Figure 23 1 Menu 1 General Setup ZyWALL 10W The following table describes the fields in this screen Menu 1 General Setup System Name Domain Name First System DNS Server From ISP IP Address N A Second System DNS Server None IP Address...

Page 390: ...e before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for VPN DDNS and the time server Press SPACE BAR and then ENTER to select an option Select From ISP if your ISP dynamically assigns DNS server information and the ZyWALL s WAN IP address The IP Address field below displays the read only DNS server IP address that the ISP assigns Sel...

Page 391: ...hen press ENTER to make dynamic DNS active Yes DDNS Type Press SPACE BAR and then ENTER to select DynamicDNS if you have a dynamic IP address es Select StaticDNS if you have a static IP address s Select CustomDNS to have dyns org provide DNS service for a domain name that you already have from a source other than dyndns org DynamicDNS default Host1 3 Enter your host name s in the fields provided Y...

Page 392: ...ically updates the IP address of the host name s with the ZyWALL s WAN IP address DDNS does not work with a private IP address When both fields are set to No the ZyWALL must have a public WAN IP address in order for DDNS to work Use Server Detected IP Press SPACE BAR to select Yes and then press ENTER to have the DDNS server automatically update the IP address of the host name s with the public IP...

Page 393: ...AN port and how to configure the ZyWALL for a dial backup connection 24 2 WAN Setup From the main menu enter 2 to open menu 2 Figure 24 1 MAC Address Cloning in WAN Setup The following table describes the fields in this screen Table 24 1 MAC Address Cloning in WAN Setup Menu 2 WAN Setup MAC Address Assigned By Factory default IP Address N A Dial Backup Active No Phone Number Port Speed 115200 AT C...

Page 394: ...d this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 24 3 Dial Backup The Dial Backup port or CON AUX port can be used in reserve as a traditional dial up connection should the broadband connection to the WAN port fail This feature is not available on all models To set up the auxiliary port Dial Backup or CON AUX for use in the ...

Page 395: ...e dashes and spaces 1234567 Port Speed Press SPACE BAR and then press ENTER to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps 115200 AT Command String Init Enter the AT command string to initialize the WAN device Consult the manual of your WAN device connected to your Dial Backup port for spec...

Page 396: ... connected to your Dial Backup port for specific AT commands To edit the advanced setup for the Dial Backup port move the cursor to the Edit Advanced Setup field in Menu 2 WAN Setup press the SPACE BAR to select Yes and then press ENTER Figure 24 3 Menu 2 1 Advanced WAN Setup The following table describes fields in this menu Table 24 3 Advanced WAN Port Setup AT Commands Fields FIELD DESCRIPTION D...

Page 397: ...ponse string This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device CLID is required for CLID authentication NMBR Called Id Enter the keyword preceding the dialed number TO Speed Enter the keyword preceding the connection speed CONNECT Table 24 4 Advanced WAN Port Setup Call Control Parameters FIELD DESCRIPTION DEFAULT Call Control Dial Timeout sec Enter a n...

Page 398: ...up ISP shown below and configure the setup for your Dial Backup port connection This feature is not available on all models Figure 24 4 Menu 11 1 Remote Node Profile Backup ISP The following table describes the fields in this screen Table 24 5 Fields in Menu 11 1 Remote Node Profile Backup ISP FIELD DESCRIPTION EXAMPLE Rem Node Name Enter a descriptive name for the remote node This field can be up...

Page 399: ...answer your ZyWALL dials the Secondary Phone number if available Some areas require dialing the pound sign before the phone number for local calls Include a symbol at the beginning of the phone numbers as required Edit PPP Options Move the cursor to this field and use the space bar to select Yes and press Enter to edit the PPP options for this remote node This brings you to Menu 11 2 Remote Node P...

Page 400: ... not there is any traffic Select No to have this connection act as a dial up connection No default Session Options Edit Filter sets This field leads to another hidden menu Use SPACE BAR to select Yes and press ENTER to open menu 11 5 to edit the filter sets See section 24 10 for more details No default Idle Timeout Enter the number of seconds of idle time when there is no traffic from the ZyWALL t...

Page 401: ...s SPACE BAR and then ENTER to select Yes to enable or No to disable Stac compression No default 24 8 Editing TCP IP Options Move the cursor to the Edit IP field in menu 11 1 then press SPACE BAR to select Yes Press ENTER to open Menu 11 3 Network Layer Options Figure 24 6 Menu 11 3 Remote Node Network Layer Options Menu 11 2 Remote Node PPP Options Encapsulation Standard PPP Compression No Enter h...

Page 402: ...tocol address used within one network for example a private IP address used in a local network to a different IP address known within another network for example a public IP address used on the Internet Press SPACE BAR and then ENTER to select either Full Feature None or SUA Only Choose None to disable NAT Choose SUA Only if you have a single public IP address SUA Single User Account is a subset o...

Page 403: ...des a script facility for this purpose The script has six programmable sets each set is composed of an Expect string and a Send string After matching a message from the server to the Expect field the ZyWALL returns the set s Send string to the server For instance a typical login sequence starts with the server printing a banner a login prompt for you to enter the user name and a password prompt to...

Page 404: ... PPP after you enter the password then you should create a third set to match the final PPP but without a Send string Otherwise the ZyWALL will start PPP prematurely right after sending your password to the server If there are errors in the script and it gets stuck at a set for longer than the Dial Timeout in menu 2 default 60 seconds the ZyWALL will timeout and drop the line To debug a script go ...

Page 405: ...then press SPACE BAR to set the value to Yes Press ENTER to open Menu 11 5 Remote Node Filter Use menu 11 5 to specify the filter set s to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls You can specify up to four filter sets separated by commas for example 1 5 9 12 in each filter field Note that spaces are accepte...

Page 406: ......

Page 407: ...ing the LAN Menus From the main menu enter 3 to open Menu 3 LAN Setup Figure 25 1 Menu 3 LAN Setup 25 3 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic You seldom need to filter the LAN traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filter...

Page 408: ...3 TCP IP and DHCP Setup From menu 3 select the submenu option TCP IP and DHCP Setup and press ENTER The screen now displays Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TCP IP ...

Page 409: ...IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address pool 192 168 1 3 3 Size of Client IP Pool This field specifies the size or count of the IP address pool 32 Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Server TCP IP Setup Client IP Pool Starting Address 192 168 2 33 IP Address 192 168 2 1 Size of Client IP Pool 32 IP Subnet Mask 255 255 255 0 Fir...

Page 410: ...ALL s LAN IP address displays in the IP Address field below read only The ZyWALL tells the DHCP clients on the LAN that the ZyWALL itself is the DNS server When a computer on the LAN sends a DNS query to the ZyWALL the ZyWALL forwards the query to the ZyWALL s system DNS server configured in the SYSTEM General screen and relays the response back to the computer You can only select DNS Relay for on...

Page 411: ... both IGMP version 1 IGMP v1 and version 2 IGMP v2 Press SPACE BAR and then ENTER to enable IP Multicasting or select None default to disable it None Edit IP Alias The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network Press SPACE BAR to select Yes and then press ENTER to display menu 3 2 1 Yes IP Polic...

Page 412: ...y Out Only or None None Version Press SPACE BAR and then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter set s you wish to apply to the incoming traffic between this node and the ZyWALL 1 Outgoing Protocol Filters Enter the filter set s you wish to apply to the outgoing traffic between this node and the ZyWALL 2 When you have comp...

Page 413: ...AN configuration enter 5 to open Menu 3 5 Wireless LAN Setup as shown next Figure 25 6 Menu 3 5 Wireless LAN Setup The settings of all client stations on the wireless LAN must match those of the ZyWALL Follow the instructions in the next table on how to configure the wireless LAN parameters Table 25 4 Wireless LAN Setup Menu Fields FIELD DESCRIPTION EXAMPLE Enable Wireless LAN Press SPACE BAR to s...

Page 414: ...0 2457 MHz CH11 2462 MHz Spain CH10 2457 MHz CH11 2462 MHz CH13 2472 MHz France CH01 2412 MHz RTS Threshold Request To Send The threshold number of bytes for enabling RTS CTS handshake Data with its frame size larger than this value will perform the RTS CTS handshake Setting this attribute to be larger than the maximum MSDU MAC service data unit size turns off the RTS CTS handshake Setting this at...

Page 415: ...en press ENTER to display menu 3 5 1 No When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel The ZyWALL LAN Ethernet and wireless ports can transparently communicate with each other transparent bridge 25 5 1 MAC Address Filter Setup Your ZyWALL checks the MAC address of the wireless station device against a...

Page 416: ...not listed will be denied access to the router MAC Address Filter Address 1 12 Enter the MAC addresses in XX XX XX XX XX XX format of the client computers that are allowed or denied access to the ZyWALL in these address fields When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Menu 3 5 1 WLAN MAC Address ...

Page 417: ...2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to your public server s traffic This feature is not available on all models Figure 26 2 Menu 5 1 DMZ Port Filter Setup Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP Setup Enter Menu Selection Number Menu 5 1 DMZ Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets pr...

Page 418: ...press ENTER The screen now displays Menu 5 2 TCP IP Setup as shown next Figure 26 4 Menu 5 2 TCP IP Setup The TCP IP setup fields are the same as the ones in Menu 3 2 TCP IP Ethernet Setup Each public server will need a unique IP address Refer to section 25 4 for information on how to configure these fields Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP Setup Enter Menu Selection Number Menu 5 ...

Page 419: ...ure the second and third network Pressing ENTER opens Menu 5 2 1 IP Alias Setup as shown next Figure 26 5 Menu 5 2 1 IP Alias Setup Refer to Table 25 3 for instructions on configuring IP Alias parameters Menu 5 2 1 IP Alias Setup IP Alias 1 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A IP Alias 2 No IP Address N A IP ...

Page 420: ......

Page 421: ...oose Ethernet in menu 4 you will see the next screen Figure 27 1 Menu 4 Internet Access Setup Ethernet The following table describes the fields in this screen Table 27 1 Menu 4 Internet Access Setup Menu Fields FIELD DESCRIPTION ISP s Name Enter the name of your Internet Service Provider e g myISP This information is for identification purposes only Menu 4 Internet Access Setup ISP s Name ChangeMe...

Page 422: ... Retype to Confirm Enter your password again to make sure that you have entered is correctly Login Server The ZyWALL will find the RoadRunner Server IP if this field is left blank If it does not then you must enter the authentication server IP address Relogin Every min This field is available when you select Telia Login in the Service Type field The Telia server logs the ZyWALL out if the ZyWALL d...

Page 423: ...g types include One to One Many to One SUA PAT Many to Many Overload Many One to One and Server When you select Full Feature you must configure at least one address mapping set Please see the NAT chapter for a more detailed discussion on the Network Address Translation feature When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC...

Page 424: ...d PPTP Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPTP server 100 default 27 4 Configuring the PPPoE Client If you enable PPPoE in menu 4 you will see the next screen For more information on PPPoE please see the Appendices Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation PPTP Service Type N A My Login My Pas...

Page 425: ...m the PPPoE server 100 default If you need a PPPoE service name to identify and reach the PPPoE server please go to menu 11 and enter the PPPoE service name provided to you in the Service Name field 27 5 Basic Setup Complete Well done You have successfully connected installed and set up your ZyWALL to operate on your network as well as access the Internet Menu 4 Internet Access Setup ISP s Name Ch...

Page 426: ...originate from the LAN and blocks all traffic to the LAN that originates from the Internet You may deactivate the firewall in menu 21 2 or via the ZyWALL embedded web configurator You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so See the firewall chapters for more information on the firewall ...

Page 427: ...his part covers setting up remote nodes IP static routes and Network Address Translation It also covers the SMT firewall menu filters and SNMP See the web configurator parts of this guide for background information on features configurable by web configurator and SMT ...

Page 428: ......

Page 429: ...o set up Internet access you are actually configuring a remote node The following describes how to configure Menu 11 1 Remote Node Profile Menu 11 3 Remote Node Network Layer Options and Menu 11 5 Remote Node Filter 28 2 Remote Node Setup From the main menu select menu option 11 to open Menu 11 Remote Node Setup shown below Then enter 1 to open Menu 11 1 Remote Node Profile and configure the setup...

Page 430: ...ofile menu 28 3 1 Ethernet Encapsulation There are two variations of menu 11 1 depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet The first menu 11 1 screen you see is for Ethernet encapsulation shown next Menu 11 Remote Node Setup 1 ChangeMe ISP SUA 2 ________ Enter Node to Edit ...

Page 431: ...tion method or RR Manager RoadRunner Manager authentication method Choose one of the RoadRunner methods if your ISP is Time Warner s RoadRunner otherwise choose Standard Standard Outgoing My Login This field is applicable for PPPoE encapsulation only Enter the login name assigned by your ISP when the ZyWALL calls this remote node Some ISPs append this field to the Service Name field above e g jim ...

Page 432: ...eld refers to the protocol that will be routed by your ZyWALL IP is the only option for the ZyWALL IP Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 3 Remote Node Network Layer Options No default Session Options Edit Filter sets This field leads to another hidden menu Use SPACE BAR to select Yes and press ENTER to open menu 11 5 to edit the...

Page 433: ...n is always up regardless of traffic demand The ZyWALL does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the ZyWALL will try to bring up the connection when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone comp...

Page 434: ...lt Period hr This field is the time period that the budget should be reset For example if we are allowed to call this remote node for a maximum of 10 minutes every hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour 0 default Schedules You can apply up to four schedule sets here For more details please refer to the Call Schedule Setup chapter Nailed Up Connection This field sp...

Page 435: ...dress of the ANT modem 10 0 0 138 Connection ID Name Enter the connection ID or connection name in the ANT It must follow the c id and n name format This field is optional and depends on the requirements of your DSL modem N My ISP Schedules You can apply up to four schedule sets here For more details refer to the Call Schedule Setup chapter Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Rout...

Page 436: ...ons and Gateway IP Addr field for Ethernet encapsulation The following table describes the fields in this screen Table 28 4 Remote Node Network Layer Options Menu Fields FIELD DESCRIPTION EXAMPLE IP Address Assignment If your ISP did not assign you an explicit IP address press SPACE BAR and then ENTER to select Dynamic otherwise select Static and enter the IP address subnet mask in the following f...

Page 437: ...used in a local network to a different IP address known within another network for example a public IP address used on the Internet Choose None to disable NAT Choose SUA Only if you have a single public IP address SUA Single User Account is a subset of NAT that supports two types of mapping Many to One and Server Choose Full Feature if you have multiple public IP addresses Full Feature mapping typ...

Page 438: ...ble it See the LAN Setup chapter for more information on this feature None default Once you have completed filling in Menu 11 3 Remote Node Network Layer Options press ENTER at the message Press ENTER to Confirm to save your configuration and return to menu 11 or press ESC at any time to cancel 28 5 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11 1 and then press SPACE ...

Page 439: ...om the main menu to display Menu 11 1 Remote Node Profile as shown next Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 5 Remote Node Filter Input Filter Sets protocol filters Device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol fil...

Page 440: ...nd press ENTER to configure Menu 11 6 Traffic Redirect Setup Yes Press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 28 5 1 Traffic Redirect Setup Configure parameters that determine when the ZyWALL will forward WAN traffic to the backup gateway using Menu 11 6 Traffic Redirect Setup Menu 11 1 Remote Node Profile Rem Node Name Route IP Ac...

Page 441: ...et this route s priority among the ZyWALL s routes see the Metric section in the WAN and Dial Backup Setup chapter The smaller the number the higher priority the route has 15 default Check WAN IP Address Enter the IP address of a reliable nearby computer for example your ISP s DNS server address to test your ZyWALL s WAN accessibility The ZyWALL uses the default gateway IP address if you do not en...

Page 442: ...to 60 is usually a good number 5 Timeout sec Enter the number of seconds the ZyWALL waits for a ping response from the IP Address in the Check WAN IP Address field before it times out The number in this field should be less than the number in the Period field Three to 50 is usually a good number The WAN connection is considered down after the ZyWALL times out the number of times specified in the F...

Page 443: ...m the main menu Select one of the IP static routes as shown next to configure IP static routes in menu 12 1 Figure 29 1 Menu 12 IP Static Route Setup Now enter the index number of the static route that you want to configure Menu 12 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 ________ 5 ________ 6 ________ 7 ________ 8 ________ 9 ________ 10 ________ 11 ________ 12 ________ Enter selec...

Page 444: ...net mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask for this destination Gateway IP Address Enter the IP address of the gateway The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your ZyWA...

Page 445: ...ll include the route to this remote node in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node will be propagated to other hosts through RIP broadcasts Once you have completed filling in this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC to cancel ...

Page 446: ......

Page 447: ...ver See section 30 2 1 for a detailed description of the NAT set for SUA The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in the web configurator parts of this User s Guide 1 Choose SUA Only if you have just one public WAN IP address for your ZyWALL 2 Choose Full Feature if you h...

Page 448: ... select Yes and then press ENTER to bring up Menu 11 3 Remote Node Network Layer Options Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogin Every min N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Pre...

Page 449: ...blic WAN IP addresses for your ZyWALL When you select Full Feature you must configure at least one address mapping set Full Feature NAT is disabled when you select this option None Network Address Translation When you select this option the SMT will use Address Mapping Set 255 menu 15 1 see section 30 2 1 Choose SUA Only if you have just one public WAN IP address for your ZyWALL SUA Only Menu 11 3...

Page 450: ... a list of LAN and DMZ servers mapped to external ports To use this set a server rule must be set up inside the NAT address mapping set Please see the section on port forwarding in the chapter on NAT web configurator screens for further information on these menus To configure NAT enter 15 from the main menu to bring up the following screen Figure 30 3 Menu 15 NAT Setup Configure DMZ and LAN IP add...

Page 451: ...ged Figure 30 5 Menu 15 1 255 SUA Address Mapping Rules The following table explains the fields in this screen Menu 15 1 Address Mapping Sets 1 255 SUA read only Enter Menu Selection Number Menu 15 1 255 Address Mapping Rules Set Name SUA Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 0 0 0 0 255 255 255 255 0 0 0 0 M 1 2 0 0 0 0 Server 3 4 5 6 7 8 9 10 Press ENTER to Confirm...

Page 452: ...If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the ending global IP address IGA Type These are the mapping types discussed above Server allows us to specify multiple servers of different types behind NAT to this machine See later for some examples Server Once you have finished configuring a rule in this menu press ENTER at the message Press ENTER to Con...

Page 453: ...figured rule your configured rule will be pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delete rule 4 rules 5 to 7 will be pushed up by 1 rule so as old rule 5 becomes rule 4 old rule 6 becomes rule 5 and old rule 7 becomes...

Page 454: ...le to apply the action in question 1 You must press ENTER at the bottom of the screen to save the whole set You must do this again if you make any changes to the set including deleting a rule No changes to the set take place until this action is taken Selecting Edit in the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you can edit a...

Page 455: ...ss IGA If you have a dynamic IP enter 0 0 0 0 as the Global IP Start Note that Global IP Start can be set to 0 0 0 0 only if the types are Many to One or Server 0 0 0 0 End Enter the ending global IP address IGA This field is N A for One to One Many to One and Server types N A Once you have finished configuring a rule in this menu press ENTER at the message Press ENTER to Confirm to save your conf...

Page 456: ...NAT network appears as a single host on the Internet A is the FTP Telnet SMTP server Figure 30 9 Server Behind NAT Example 30 4 General NAT Examples The following are some examples of NAT configuration Menu 15 2 NAT Server Setup Rule Start Port No End Port No IP Address 1 Default Default 0 0 0 0 2 21 25 192 168 1 33 3 0 0 0 0 0 0 4 0 0 0 0 0 0 5 0 0 0 0 0 0 6 0 0 0 0 0 0 7 0 0 0 0 0 0 8 0 0 0 0 0 ...

Page 457: ...ork Address Translation field This is the Many to One mapping discussed in section 30 4 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogi...

Page 458: ...d SUA Only set and also go to menu 15 2 to specify the Inside Server behind the NAT as shown in the next figure Figure 30 13 Menu 15 2 Specifying an Inside Server Menu 15 2 NAT Server Setup Rule Start Port No End Port No IP Address 1 Default Default 192 168 1 10 2 0 0 0 0 0 0 3 0 0 0 0 0 0 4 0 0 0 0 0 0 5 0 0 0 0 0 0 6 0 0 0 0 0 0 7 0 0 0 0 0 0 8 0 0 0 0 0 0 9 0 0 0 0 0 0 10 0 0 0 0 0 0 11 0 0 0 0...

Page 459: ...c in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 3 Map the other outgoing LAN traffic to IGA3 Many 1 mapping Rule 4 You also map your third IGA to the web server and mail server on the LAN Type Server allows you to specify...

Page 460: ...he global Start IP as 10 132 50 1 our first IGA See Figure 30 16 Step 6 Repeat the previous step for rules 2 to 4 as outlined above Step 7 When finished menu 15 1 1 should look like as shown in Figure 30 17 Figure 30 15 Example 3 Menu 11 3 The following figure shows how to configure the first rule Menu 11 3 Remote Node Network Layer Options IP Address Assignment Dynamic IP Address N A IP Subnet Ma...

Page 461: ...Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 ...

Page 462: ...is case it is better to use Many One to One mapping as port numbers do not change for Many One to One and One to One NAT mapping types The following figure illustrates this Figure 30 19 NAT Example 4 Menu 15 2 NAT Server Setup Rule Start Port No End Port No IP Address 1 Default Default 0 0 0 0 2 80 80 192 168 1 21 3 25 25 192 168 1 20 4 0 0 0 0 0 0 5 0 0 0 0 0 0 6 0 0 0 0 0 0 7 0 0 0 0 0 0 8 0 0 0...

Page 463: ... One to One mapping types Follow the steps outlined in example 3 above to configure these two menus as follows Figure 30 20 Example 4 Menu 15 1 1 1 Address Mapping Rule After you ve configured your rule you should be able to check the settings in menu 15 1 1 as shown next Menu 15 1 1 1 Address Mapping Rule Type Many One to One Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 ...

Page 464: ...r can use a trigger port range at a time Enter 3 in menu 15 to display Menu 15 3 Trigger Port Setup shown next Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 192 168 1 12 10 132 50 1 10 132 50 3 M 1 1 2 3 4 5 6 7 8 9 10 Action Edit Select Rule Press ENTER to Confirm or ESC to Cancel ...

Page 465: ...r the starting port number in a range of port numbers 6970 End Port Enter a port number or the ending port number in a range of port numbers 7170 Trigger The trigger port is a port or a range of ports that causes or triggers the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN Start Port Enter a port number or the starting port number in a range of p...

Page 466: ......

Page 467: ...ion to display the screen shown next Figure 31 1 Menu 21 Filter and Firewall Setup 31 1 1 Activating the Firewall Enter option 2 in this menu to bring up the following screen Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Use the web configurator to configure firewall rules This ...

Page 468: ...otects against Denial of Service DoS attacks when it is active Your network is vulnerable to attacks when the firewall is turned off Refer to the User s Guide for details about the firewall default policies You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so Active Yes You can use the Web Configurator to configure the firewall Press ENTER ...

Page 469: ...nd protocol filters which are discussed later Data filtering screens the data to determine if the packet should be allowed to pass Data filters are divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the LAN side Call filtering is used to determine if a packet should be allowed to trigger a c...

Page 470: ...o four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming telnet sessions A summary of their filter rules is shown in the figures that fo...

Page 471: ... Set Fetch First Filter Rule Active Execute Filter Rule Fetch Next Filter Rule Next filter Rule Available Fetch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet into filter Filter Set Forward Drop No Check Next Rule Figure 32 2 Filter Rule Process ...

Page 472: ...4 Menu 21 Filter and Firewall Setup Step 2 Enter 1 to bring up the following menu Figure 32 5 Menu 21 1 Filter Set Configuration Step 3 Select the filter set you wish to configure 1 12 and press ENTER Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3 _______________ 9 _______________ 4 ______________...

Page 473: ...GEN for Generic IP for TCP IP Filter Rules These parameters are displayed here M More Y means there are more rules to check which form a rule chain with the present rule An action cannot be taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken i e forward the packet drop the packet or check the next rule For the latter the next rule i...

Page 474: ... 1 1 1 for the rule To speed up filtering all rules in a filter set must be of the same class i e protocol filters or generic filters The class of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol filter set in a device filter field or vice versa the Zy...

Page 475: ...Y protocol 0 255 IP Source Route Press SPACE BAR and then ENTER to select Yes to apply the rule to packets with an IP source route option Otherwise the packets must not have a source route option The majority of IP packets do not have source route Yes No Destination IP Address Enter the destination IP Address of the packet you wish to filter This field is ignored if it is 0 0 0 0 0 0 0 0 IP Mask E...

Page 476: ...Addr 0 0 0 0 Port Enter the source port of the packets that you wish to filter The range of this field is 0 to 65535 This field is ignored if it is 0 0 65535 Port Comp Press SPACE BAR and then ENTER to select the comparison to apply to the source port in the packet against the value given in Source Port None Less Greater Equal Not Equal TCP Estab This field is applicable only when the IP Protocol ...

Page 477: ...ll packets will be logged None Action Matched Action Not Matched Both Action Matched Press SPACE BAR and then ENTER to select the action for a matching packet Check Next Rule Forward Drop Action Not Matched Press SPACE BAR and then ENTER to select the action for a packet not matching the rule Check Next Rule Forward Drop When you have Menu 21 1 1 1 TCP IP Filter Rule configured press ENTER at the ...

Page 478: ...lter Active Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Check Dest IP Addr Apply DestAddrMask to Dest Addr Not Matched Not Matched Check Src Dest Port Matched Not Matched Figure 32 7 Executing an IP Filter ...

Page 479: ...ote that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either field will take 8 digits for example FFFFFFFF To configure a generic rule select Generic Filter Rule in the Filter Type field in menu 21 1 4 1 and press ENTER to open Generic Filter Rule as shown below Figure 32 8 Menu 21 1 4 1 Generic Filter Rule The following table describes the fields in the G...

Page 480: ...er the value in Hexadecimal notation to compare with the data portion More If Yes a matching packet is passed to the next filter rule before an action is taken else the packet is disposed of according to the action fields If More is Yes then Action Matched and Action Not Matched will be No Yes No Log Select the logging option from the following None No packets will be logged Action Matched Only pa...

Page 481: ...e Step 1 Enter 21 from the main menu to open Menu 21 Filter and Firewall Setup Step 2 Enter 1 to open Menu 21 1 Filter Set Configuration Step 3 Enter the index of the filter set you wish to configure say 3 and press ENTER Step 4 Enter a descriptive name or comment in the Edit Comments field and press ENTER Step 5 Press ENTER at the message Press ENTER to confirm to open Menu 21 1 3 Filter Rules Su...

Page 482: ... IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Press SPACE BAR and then ENTER to choose this filter rule type The first filter rule type determines all subsequent filter types within a set Select Yes to make the rule active 6 is the TCP protocol The port number for...

Page 483: ...eric Filter Device rules and protocol filter TCP IP rules Generic filter rules act on the raw data from to LAN and WAN Protocol filter rules act on the IP packets Generic and TCP IP filter rules are discussed in more detail in the next section When NAT Network Menu 21 1 3 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 23 N D F 2 N 3 N 4 N 5 N 6 N This shows you...

Page 484: ...packets that appear on the wire They are applied at the point when the ZyWALL is receiving and sending the packets i e the interface The interface can be an Ethernet port or any other hardware port The following diagram illustrates this Figure 32 12 Protocol and Device Filter Sets 32 5 Firewall Versus Filters Firewall configuration is discussed in the firewall chapters of this manual Further compa...

Page 485: ...g remote node call filter sets Figure 32 13 Filtering LAN Traffic 32 6 2 Applying DMZ Filters DMZ traffic filter sets may be useful to block certain packets reduce traffic and prevent security breaches Go to menu 5 1 shown next and enter the number s of the filter set s that you want to apply as appropriate You can choose up to four filter sets from twelve by entering their numbers separated by co...

Page 486: ...numbers separated by commas The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls and block incoming telnet FTP and HTTP connections Figure 32 15 Filtering Remote Node Traffic Menu 11 5 Remote Node Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 5 1 DMZ Port Filt...

Page 487: ... Configuration Menu Fields FIELD DESCRIPTION EXAMPLE Get Community Type the Get community which is the password for the incoming Get and GetNext requests from the management station Public Set Community Type the Set community which is the password for incoming Set requests from the management station Public Trusted Host If you enter a trusted host your ZyWALL will only respond to SNMP messages fro...

Page 488: ...lowing events occurs Table 33 2 SNMP Traps TRAP TRAP NAME DESCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community password 6 whyReboot defined in ZYXE...

Page 489: ...diagnosis firmware and configuration file maintenance as well as providing information on the system maintenance and information functions and how to configure remote management See the web configurator parts of this guide for background information on features configurable by web configurator and SMT ...

Page 490: ......

Page 491: ...ance 34 2 System Status The first selection System Status gives you information on the version of your system firmware and the status and statistics of the ports as shown in the next figure System Status is a tool that can be used to monitor your ZyWALL Specifically it gives you information on your system firmware version number of packets sent and number of packets received Menu 24 System Mainten...

Page 492: ...m Maintenance Status Menu Fields FIELD DESCRIPTION Port Identifies a port WAN LAN DMZ or WLAN on the ZyWALL DMZ not available on all models Status Shows the port speed and duplex setting if you re using Ethernet Encapsulation and Down line is down idle line ppp idle dial starting to trigger a call and drop dropping a call if you re using PPPoE Encapsulation TxPkts The number of transmitted packets...

Page 493: ...ystem up Time The total time the ZyWALL has been on ZyNOS F W Version The ZyNOS Firmware version and the date created Some ZyWALL models include some or all of the following fields Name This is the ZyWALL s system name domain name assigned in menu 1 For example System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Routing Refers to the routing protocol used ZyNOS F W Version The Z...

Page 494: ... 24 2 1 System Maintenance Information ZyWALL 10W Table 34 2 Fields in System Maintenance Information FIELD DESCRIPTION Name This is the ZyWALL s system name domain name assigned in menu 1 For example System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Menu 24 2 1 System Maintenance Information Name Routing IP ZyNOS F W Version V3 62 WH 0 b8 11 10 2003 Country Code 255 LAN Ether...

Page 495: ...hed viewing press ESC or ENTER to exit 34 3 2 Console Port Speed You can change the speed of the console port through Menu 24 2 2 Console Port Speed Your ZyWALL supports 9600 default 19200 38400 57600 and 115200 bps for the console port Press SPACE BAR and then ENTER to select the desired speed in menu 24 2 2 as shown next Figure 34 5 Menu 24 2 2 System Maintenance Change Console Port Speed 34 4 L...

Page 496: ...menu 24 select option 3 to open Menu 24 3 System Maintenance Log and Trace Step 3 Select the first option from Menu 24 3 System Maintenance Log and Trace to display the error log in the system After the ZyWALL finishes displaying you will have the option to clear the error log Figure 34 6 Menu 24 3 System Maintenance Log and Trace Examples of typical error and information messages are presented in...

Page 497: ...ug 22 21 24 26 2001 PP0d INFO No DNS server available 4 Wed Aug 22 21 24 26 2001 PP17 WARN Wrong domain name 5 Wed Aug 22 21 24 26 2001 PP0d INFO No DNS server available 6 Wed Aug 22 21 24 26 2001 PP17 INFO Last errorlog repeat 8 Times 7 Wed Aug 22 21 24 26 2001 PP17 INFO getDateTime fail no server available 8 Wed Aug 22 21 24 26 2001 PP17 INFO adjtime task pause 1 day 10 Thu Aug 23 08 26 59 2001 ...

Page 498: ...firm or ESC to cancel Your ZyWALL sends five types of syslog messages Some examples not all ZyWALL specific of these syslog messages with their message formats are shown next 1 CDR CDR Message Format SdcmdSyslogSend SYSLOG_CDR SYSLOG_INFO String String board xx line xx channel xx call xx str board the hardware board ID line the WAN ID in a board Channel channel ID within the WAN call the call refe...

Page 499: ...o xxxx dpo xxxx S04 R01mD IP is the packet header and S04 R01mD means filter set 4 S and rule 1 R match m drop D Src Source Address Dst Destination Address prot Protocol TCP UDP ICMP spo Source port dpo Destination port Mar 03 10 39 43 202 132 155 97 ZyXEL GEN fffffffffffnordff0080 S05 R01mF Mar 03 10 41 29 202 132 155 97 ZyXEL GEN 00a0c5f502fnord010080 S05 R01mF Mar 03 10 41 34 202 132 155 97 ZyX...

Page 500: ...on nothing N block B forward F 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 172 21 1 80 137 172 21 1 80 137 UDP default permit 2 0 B 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 192 168 77 88 520 192 168 77 88 520 UDP default permit 2 0 B 08 01 2000 11 48 39 Local1 Notice 192 168 10 10 RAS FW 172 21 1 50 172 21 1 50 IGMP 2 default permit 2 0 B 08 01 2000 11 48 39 Local1 Notice ...

Page 501: ...ize 44 44 Time 17 02 44 262 Frame Type IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Identification 0x0002 2 Flags 0x00 Fragment Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168 1 1 Destination IP 0x00000000 0 0 0 0 TCP Header Source Port 0x0401 1025 Destination Port 0x000D 13 Sequence Number 0x05B...

Page 502: ...LL can act either as a WAN DHCP client IP Address Assignment field in menu 4 or menu 11 3 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet or None when you have a static IP The WAN Release and Renewal fields in menu 24 4 conveniently allow you to release and or renew the assigned WAN IP address subnet mask and default gateway in a fashion similar to winipcfg Menu 24 4 System...

Page 503: ...HCP Release Enter 2 to release your WAN DHCP settings WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings Internet Setup Test Enter 4 to test the Internet setup You can also test the Internet setup in Menu 4 Internet Access Please refer to the Internet Access chapter for more details This feature is only available for dial up connections using PPPoE or PPTP encapsulation Reboot System Enter 1...

Page 504: ......

Page 505: ...t configuration file if you want to return the ZyWALL to the original default settings The firmware determines the ZyWALL s available features and functionality You can download new firmware releases from your nearest ZyXEL FTP site to use to upgrade your ZyWALL s performance 35 2 Filename Conventions The configuration file often called the romfile or rom 0 contains the factory default settings in...

Page 506: ...rsion field in Menu 24 2 1 System Maintenance Information to confirm that you have uploaded the correct firmware version The AT command is the command you enter after you press y when prompted in the SMT menu to go into debug mode Table 35 1 Filename Conventions FILE TYPE INTERNAL NAME EXTERNAL NAME DESCRIPTION Configuration File Rom 0 This is the configuration filename on the ZyWALL Uploading the...

Page 507: ... 2 Using the FTP Command from the Command Line Step 1 Launch the FTP client on your computer Step 2 Enter open followed by a space and the IP address of your ZyWALL Step 3 Press ENTER when prompted for a username Step 4 Enter your password as requested the default is 1234 Step 5 Enter bin to set transfer mode to binary Menu 24 5 System Maintenance Backup Configuration To transfer the configuration...

Page 508: ...or GUI based FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the host server Login Type Anonymous This is when a user I D and password is automatically supplied to the server for anonymous access Anonymous logins will work only if your ISP or service administrator has enabled this option Normal The server requires a unique User ID and Password to login Transfer Type Transfer file...

Page 509: ...guration Using TFTP The ZyWALL supports the up downloading of the firmware and the configuration file using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommended To use TFTP your computer must have both telnet and TFTP clients To backup the configuration file follow the procedure shown next Step 1 Use telnet from your computer to connect to t...

Page 510: ...he ZyWALL IP address get transfers the file source on the ZyWALL rom 0 name of the configuration file on the ZyWALL to the file destination on the computer and renames it config rom 35 3 8 GUI based TFTP Clients The following table describes some of the fields that you may see in GUI based TFTP clients Table 35 3 General Commands for GUI based TFTP Clients COMMAND DESCRIPTION Host Enter the IP add...

Page 511: ...s that the Xmodem download has started Figure 35 4 System Maintenance Starting Xmodem Download Screen Step 3 Run the HyperTerminal program by clicking Transfer then Receive File as shown in the following screen Figure 35 5 Backup Configuration Example Step 4 After a successful backup you will see the following screen Press any key to return to the SMT menu Ready to backup Configuration via Xmodem ...

Page 512: ...ile stored on disk FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster Please note that you must wait for the system to automatically restart after the file transfer is complete WARNING Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL When the Restore Configuration process is complete the ZyWALL will ...

Page 513: ...ventions Step 8 Enter quit to exit the ftp prompt The ZyWALL will automatically restart after a successful restore process Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as reques...

Page 514: ... Display menu 24 6 and enter y at the following screen Figure 35 9 System Maintenance Restore Configuration Step 2 The following screen indicates that the Xmodem download has started Figure 35 10 System Maintenance Starting Xmodem Download Screen Step 3 Run the HyperTerminal program by clicking Transfer then Send File as shown in the following screen ftp put config rom rom 0 200 Port command okay ...

Page 515: ...ion Screen 35 5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files You can upload configuration files by following the procedure in the previous Restore Configuration section or by following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File for console port Save to ROM Hit any key to start system reboot...

Page 516: ...u 24 7 1 System Maintenance Upload System Firmware To upload the system firmware follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your system Then type root and SMT password as requested 3 Type put firmwarefilename ras where firmwarefilename is the name of your firmware upgrade file on your workstation and ras is the remote file name on the s...

Page 517: ...e ZyWALL and renames it ras Similarly put config rom rom 0 transfers the configuration file on your computer config rom to the ZyWALL and renames it rom 0 Likewise get rom 0 config rom Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your s...

Page 518: ...firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommended To use TFTP your computer must have both telnet and TFTP clients To transfer the firmware and the configuration file follow the procedure shown next Step 1 Use telnet from your computer to connect to the ZyWALL and log in Because TFTP does not have any security checks ...

Page 519: ...to the computer put the other way around and binary to set binary transfer mode 35 5 6 TFTP Upload Command Example The following is an example TFTP command tftp i host put firmware bin ras Where i specifies binary image transfer mode use this mode when transferring binary files host is the ZyWALL s IP address put transfers the file source on the computer firmware bin name of the firmware on the co...

Page 520: ...age appears activate the Xmodem protocol on your computer Follow the procedure as shown previously for the HyperTerminal program The procedure for other serial communications programs should be similar Menu 24 7 1 System Maintenance Upload System Firmware To upload system firmware 1 Enter y at the prompt below to go into debug mode 2 Enter atur after Enter Debug Mode message 3 Wait for Starting XM...

Page 521: ...ad After the firmware upload process has completed the ZyWALL will automatically restart 35 5 10 Uploading Configuration File Via Console Port Step 1 Select 2 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 2 System Maintenance Upload System Configuration File Follow the instructions as shown in the next screen Choose the Xmodem protocol Then click Send Type the firmware fil...

Page 522: ...screen Menu 24 7 2 System Maintenance Upload System Configuration File To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restart the system Warning 1 Proceeding with the upload w...

Page 523: ...ion File Maintenance 35 19 Figure 35 19 Example Xmodem Upload After the configuration upload process has completed restart the ZyWALL by entering atgo Choose the Xmodem protocol Then click Send Type the configuration file s location or click Browse to search for it ...

Page 524: ......

Page 525: ... a serial connection to the console port although some commands are only available with a serial connection See the included disk or zyxel com for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable Figure 36 1 Command Mode in Menu 24 Menu 24 System Maintenance 1 System...

Page 526: ... list of commands can be found by typing help or at the command prompt Always type the full command Type exit to return to the SMT main menu when finished Figure 36 2 Valid Commands Table 36 1 Valid Commands COMMAND DESCRIPTION sys The system commands display device information and configure device settings exit This command returns you to the SMT main menu ether These commands display Ethernet in...

Page 527: ...rovides two call control functions budget management and call history Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11 1 The budget management function allows you to set a limit on the total outgoing call time of the ZyWALL within certain times When the total outgoing call time exceeds the limit the current call will be dropped and any f...

Page 528: ...r 0 to update the screen The budget and the reset period can be configured in menu 11 1 for the remote node Table 36 2 Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This is the total connection time that has gone by within the allocated budget that you set in menu 11 1 5 10 me...

Page 529: ...ESCRIPTION Phone Number The PPPoE service names are shown here Dir This shows whether the call was incoming or outgoing Rate This is the transfer rate of the call call This is the number of calls made to or received from that telephone number Max This is the length of time of the longest telephone call Min This is the length of time of the shortest telephone call Total This is the total length of ...

Page 530: ...displayed in the ZyWALL error logs and firewall logs Select menu 24 in the main menu to open Menu 24 System Maintenance as shown next Figure 36 6 Menu 24 System Maintenance Enter 10 to go to Menu 24 10 System Maintenance Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen Menu 24 System Maintenance 1 System Status 2 System Information and Cons...

Page 531: ...05 the default is similar to Time RFC 868 Use Time Server when Bootup None enter the time manually Time Server Address Enter the IP address or domain name of your timeserver Check with your ISP network administrator if you are unsure of this information The default is tick stdtime gov tw Current Time This field displays an updated time only when you reenter this menu New Time Enter the new time in...

Page 532: ...ylight savings time then choose Yes Start Date Enter the month and day that your daylight savings time starts on if you selected Yes in the Daylight Saving field End Date Enter the month and day that your daylight savings time ends on if you selected Yes in the Daylight Saving field Once you have filled in this menu press ENTER at the message Press ENTER to Confirm or ESC to Cancel to save your co...

Page 533: ... Management Remote management allows you to determine which services protocols can access which ZyWALL interface if any from which computers You may manage your ZyWALL from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable DMZ only When you Choose WAN only or ALL LAN DMZ WAN you still need to configure a firewall rule to allow access ...

Page 534: ...s field shows the port number for the service or protocol You may change the port number if needed but you must use the same port number to access the ZyWALL 23 Server Access Select the access interface if any by pressing SPACE BAR then ENTER to choose from LAN only DMZ only WAN only ALL or Disable LAN Only default Menu 24 11 Remote Management Control TELNET Server Port 23 Access ALL Secured Clien...

Page 535: ...press ESC to cancel 37 1 1 Remote Management Limitations Remote management over LAN or WAN will not work when 1 A filter in menu 3 1 LAN or in menu 11 5 WAN is applied to block a Telnet FTP or Web service 2 You have disabled that service in menu 24 11 3 The IP address in the Secured Client IP field menu 24 11 does not match the client IP address If it does not match the ZyWALL will disconnect the ...

Page 536: ......

Page 537: ...Advanced Management This part provides information on how to configure IP Policy Routing call scheduling and VPN IPSec See the web configurator parts of this guide for background information on features configurable by web configurator and SMT ...

Page 538: ......

Page 539: ...fic from different users through different connections Quality of Service QoS Organizations can differentiate traffic by setting the precedence or ToS Type of Service values in the IP header at the periphery of the network to enable the backbone to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost paths while using low cost path...

Page 540: ...d policies are grouped together A user defines the policies before applying them to an interface or a remote node in the same fashion as the filters There are 4 policy sets with six policies in each set 38 4 IP Routing Policy Setup Menu 25 shows all the policies defined Figure 38 1 IP Routing Policy Setup To setup a routing policy perform the following procedures Step 1 Type 25 in the main menu to...

Page 541: ...utgoing Type of service P Outgoing Precedence Menu 25 1 IP Routing Policy Setup A Criteria Action 1 Y SA 1 1 1 1 1 1 1 1 DA 2 2 2 2 2 2 2 5 SP 20 25 DP 20 25 P 6 T NM PR 0 GW 192 168 1 1 T MT PR 0 2 N __________________________________________________________________________ __________________________________________________________________________ 3 N _____________________________________________...

Page 542: ...LD DESCRIPTION Policy Set Name This is the policy set name assigned in Menu 25 IP Routing Policy Setup Active Press SPACE BAR and then ENTER to select Yes to activate the policy Criteria Menu 25 1 1 IP Routing Policy Policy Set Name test Active Yes Criteria IP Protocol 6 Type of Service Normal Packet length 40 Precedence 0 Len Comp N A Source addr start 1 1 1 1 end 1 1 1 1 port start 20 end 20 Des...

Page 543: ...cable only for TCP UDP Destination addr start end Destination IP address range from start to end port start end Destination port number range from start to end applicable only for TCP UDP Action Specifies whether action should be taken on criteria Matched or Not Matched Gateway addr Defines the outgoing gateway address The gateway must be on the same subnet as the ZYWALL if it is on the LAN otherw...

Page 544: ...ode connections you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy See the next figure Route 1 represents the default IP route and route 2 represents the configured IP route Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Server Configuration Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server...

Page 545: ...o force Web packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 64 to be routed to the Internet via the WAN port of the ZyWALL follow the steps as shown next Step 1 Create a routing policy set in menu 25 Step 2 Create a rule for this set in Menu 25 1 1 IP Routing Policy as shown next ...

Page 546: ...1 IP Routing Policy Policy Set Name set1 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp N A Source addr start 192 168 1 2 end 192 168 1 64 port start 0 end N A Destination addr start 0 0 0 0 end N A port start 80 end 80 Action Matched Gateway addr 192 168 1 1 Log No Type of Service No Change Precedence No Change Press ENTER to Confirm o...

Page 547: ...e if the rule is added correctly Step 7 Apply both policy sets in menu 3 2 as shown next Menu 25 1 1 IP Routing Policy Policy Set Name set2 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp N A Source addr start 0 0 0 0 end N A port start 0 end N A Destination addr start 0 0 0 0 end N A port start 20 end 21 Action Matched Gateway addr 192 ...

Page 548: ...Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 64 Primary DNS Server 0 0 0 0 Secondary DNS Server 0 0 0 0 Remote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Policies 1 2 Edit IP Alias No Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle ...

Page 549: ...cedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node then set 1 will take precedence over set 2 3 and 4 as the ZyWALL by default applies the lowest numbered set first Set 2 will take precedence over set 3 and 4 and so on You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remot...

Page 550: ...in year month date format Valid dates are from the present to 2036 February 5 How Often Should this schedule set recur weekly or be used just once only Press SPACE BAR and then ENTER to select Once or Weekly Both these options are mutually exclusive If Once is selected then all weekday settings are N A When Once is selected the schedule rule deletes automatically after the scheduled time elapses O...

Page 551: ...nd will persist for the time period specified in the Duration field Forced Down means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means that this schedule prevents a demand call on the line Forced On Forced Down Enable Dial On Demand Disable Dial On Demand Wh...

Page 552: ...preference s Menu 11 1 Remote Node Profile Rem Node Name ChangeMe Route IP Active Yes Encapsulation PPPoE Edit IP No Service Type Standard Telco Option Service Name Allocated Budget min 0 Outgoing Period hr 0 My Login Schedules 1 2 3 4 My Password Nailed Up Connection No Authen CHAP PAP Session Options Edit Filter Sets No Idle Timeout sec 100 Press ENTER to Confirm or ESC to Cancel Press Space Bar...

Page 553: ...ulation PPTP Edit IP No Service Type Standard Telco Option Service Name N A Allocated Budget min 0 Outgoing Period hr 0 My Login Schedules 1 2 3 4 My Password Nailed up Connections Authen CHAP PAP Session Options PPTP Edit Filter Sets No My IP Addr Idle Timeout sec 100 Server IP Addr Connection ID Name Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Apply your schedule sets here ...

Page 554: ......

Page 555: ...se main submenus 1 Define VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to manage refresh or disconnect your SA connections This is an overview of the VPN menu tree Figure 40 1 VPN SMT Menu Tree From the main menu enter 27 to display the first VPN menu shown next ...

Page 556: ...c Summary FIELD DESCRIPTION EXAMPLE This is the VPN policy index number 1 Menu 27 VPN IPSec Setup 1 IPSec Summary 2 SA Monitor Enter Menu Selection Number Menu 27 1 IPSec Summary Name A Local Addr Start Addr End Mask Encap IPSec Algorithm Key Mgt Remote Addr Start Addr End Mask Secure GW Addr 1 Taiwan Y 192 168 1 35 192 168 1 38 Tunnel ESP DES MD5 IKE 172 16 2 40 172 16 2 46 193 81 13 2 2 zw50 N 1...

Page 557: ...ange this is the end static IP address in a range of computers on the LAN behind your ZyWALL When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SUBNET this is a subnet mask on the LAN behind your ZyWALL 192 168 1 38 Encap This field displays Tunnel mode or Transport mode See earlier for a discussion of these You need to finish configuring the VPN policy in menu 27 1 1 1 or 27 1 1...

Page 558: ...e Secure Gateway Address field in SMT 27 1 1 to 0 0 0 0 172 16 2 40 Addr End Mask When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Single this is the same static IP address as in the Remote Addr Start field When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the end static IP address in a range of computers on the network behind the remote IPSec r...

Page 559: ...rule first make sure you are on the correct page When a VPN rule is deleted subsequent rules do not move up in the page list Use Go To Rule to view the page where your desired rule is listed Select Next Page or Previous Page to view the next or previous page of rules respectively None Select Rule Type the VPN rule index number you wish to edit or delete and then press ENTER 3 When you have complet...

Page 560: ...er a VPN rule is applied before a packet leaves the firewall Yes Keep Alive Press SPACE BAR to choose either Yes or No Choose Yes and press ENTER to have the ZyWALL automatically re initiate the SA after the SA lifetime times out even if there is no traffic The remote IPSec router must also have keep alive enabled in order for this feature to work No Menu 27 1 1 IPSec Setup Index 1 Name Taiwan Act...

Page 561: ...Method to Certificate in Menu 27 1 1 1 IKE Setup see the Edit Key Management Setup field The ZyWALL takes the local ID type and content from the certificate you select Content When you select IP in the Local ID type field type the IP address of your computer in the local Content field The ZyWALL automatically uses the IP address in the My IP Address field refer to the My IP Address field descripti...

Page 562: ...to choose IP DNS or E mail and press ENTER Select from the following when you set Authentication Method to Pre Shared Key in Menu 27 1 1 1 IKE Setup see the Edit Key Management Setup field Select IP to identify the remote IPSec router by its IP address Select DNS to identify the remote IPSec router by a domain name Select E mail to identify the remote IPSec router by an e mail address Then Peer ID...

Page 563: ...N IP addresses With either Authentication Method Pre Shared Key or Certificate in menu 27 1 1 1 if you use IP as the peer ID type and configure the content as 0 0 0 0 or blank and the Secure Gateway Address is also configured as 0 0 0 0 the ZyWALL does not check the peer s ID content Regardless of how you configure the ID Type and Content fields active rules cannot have overlapping local and remot...

Page 564: ...yWALL 192 168 1 38 Port Start 0 is the default and signifies any port Type a port number from 0 to 65535 You cannot create a VPN tunnel if you try to connect using a port number that does not match this port number or range of port numbers Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 0 End Enter a port number in this field to define a port range This port n...

Page 565: ... to SUBNET enter a subnet mask on the network behind the remote IPSec router This field displays N A when you configure the Secure Gateway Address field to 0 0 0 0 255 255 0 0 Port Start 0 is the default and signifies any port Type a port number from 0 to 65535 Someone behind the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match this ...

Page 566: ...hen you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 40 4 IKE Setup To edit this menu the Key Management field Menu 27 1 1 IPSec Setup must be set to IKE Move the cursor to the Edit Key Management Setup field in Menu 27 1 1 IPSec Setup press SPACE BAR to select Yes and then press ENTER to display Menu 27 1 1...

Page 567: ...including spaces but trailing spaces are truncated Both ends of the VPN tunnel must use the same pre shared key You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Certificate Select the certificate to use for this VPN tunnel You must have certificates already configured in the My Certificates screen see the web configurator Certificates p...

Page 568: ...up a tunnel without encryption DES Authentication Algorithm Press SPACE BAR to choose from SHA1 or MD5 and then press ENTER MD5 SA Life Time Seconds Define the length of time before an IPSec Security Association automatically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days 28800 default Encapsulation Press SPACE BAR to choose from Tunnel mode or Transport mode a...

Page 569: ...o Menu 27 1 1 2 Manual Setup Figure 40 6 Menu 27 1 1 2 Manual Setup Table 40 5 Menu 27 1 1 2 Manual Setup FIELD DESCRIPTION EXAMPLE Active Protocol Press SPACE BAR to choose from ESP Tunnel ESP Transport AH Tunnel or AH Transport and then press ENTER Choosing an ESP combination causes the AH Setup fields to be non applicable N A ESP Tunnel ESP Setup The ESP Setup fields are N A if you chose an AH ...

Page 570: ...uding spaces but trailing spaces are truncated Authentication Algorithm Press SPACE BAR to choose from MD5 or SHA1 and then press ENTER MD5 Key Enter the authentication key to be used by IPSec if applicable The key must be unique Enter 16 characters for MD5 authentication and 20 characters for SHA 1 authentication Any character may be used including spaces but trailing spaces are truncated 1234567...

Page 571: ...s not timeout until the SA lifetime period expires See the web configurator parts of this User s Guide on keep alive to have the ZyWALL renegotiate an IPSec SA when the SA lifetime expires even if there is no traffic 41 2 Using SA Monitor 1 Use the Refresh function to display active VPN connections 2 Use the Disconnect function to cut off active connections Type 2 in Menu 27 VPN IPSec Setup and th...

Page 572: ...6 bit DES 168 bit 3DES and 128 bit AES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity and authentication by adding authentication information to IP packets This authentication information is calculated using header and payload data in the IP packet This provides an additional level of security AH choices...

Page 573: ...ooting and Hardware Appendices XV Part XV Troubleshooting and Hardware Appendices This part provides information about troubleshooting hardware specifications safety warnings and how to change a ZyWALL 100 fuse ...

Page 574: ......

Page 575: ...LL and to an appropriate power source Replace the fuse if it is burnt out see the appendices for more on changing a fuse None of the LEDs turn on when you turn on the ZyWALL If the error persists you may have a hardware problem In this case you should contact your vendor 1 Check to see if the ZyWALL is connected to your computer s console port VT100 terminal emulation 9600 bps is the default speed...

Page 576: ... on the same subnet Problems with the DMZ Interface The DMZ interface is not available on all models Chart A 3 Troubleshooting the DMZ Interface PROBLEM CORRECTIVE ACTION Check your Ethernet cable type and connections Refer to the Quick Start Guide or Compact Guide for DMZ connection instructions Make sure the Ethernet adapters on the LAN computer and the DMZ server are installed and functioning p...

Page 577: ...uter on the LAN as the ZyWALL s WAN MAC address Refer to the WAN Screens chapter web configurator or the WAN and Dial Backup Setup chapter SMT It is recommended that you clone your computer s MAC address even if your ISP presently does not require MAC address authentication Cannot get WAN IP address from the ISP If your ISP requires host name authentication configure your computer s name as the Zy...

Page 578: ...u disable content filtering then please check your device connections and Internet access settings Your username and password may be case sensitive If device connections and Internet access settings are correct then please contact your Internet Service Provider Problems with the Password Chart A 7 Troubleshooting the Password PROBLEM CORRECTIVE ACTION The password field is case sensitive Make sure...

Page 579: ...enarios when remote management may not be possible When NAT is enabled Use the ZyWALL s WAN IP address when configuring from the WAN Use the ZyWALL s LAN IP address when configuring from the LAN Refer to the Problems with the LAN Interface section for instructions on checking your LAN connection Cannot access the ZyWALL from the LAN or WAN Refer to the Problems with the WAN Interface section for i...

Page 580: ......

Page 581: ...16 Watts maximum Power Current ZyWALL 100 1 9 Amps Fuse Rating ZyWALL 100 0 5 Amps 250 VAC MTBF 100000 hrs Mean Time Between Failures Operation Temperature 0º C 40º C Ethernet Specification for WAN Not on all models 10 100Mbps Half Full Auto negotiation Ethernet Specification for WAN Not on all models 10Mbps Half Full Auto negotiation Ethernet Specification for DMZ Not on all models 10 100Mbps Hal...

Page 582: ...n Assignments CONSOLE Port RS 232 Female DB 9F DIAL BACKUP RS 232 Male DB 9M Not on all models Pin 1 NON Pin 2 DCE TXD Pin 3 DCE RXD Pin 4 DCE DSR Pin 5 GND Pin 6 DCE DTR Pin 7 DCE CTS Pin 8 DCE RTS PIN 9 NON Pin 1 NON Pin 2 DTE RXD Pin 3 DTE TXD Pin 4 DTE DTR Pin 5 GND Pin 6 DTE DSR Pin 7 DTE RTS Pin 8 DTE CTS PIN 9 NON The CON AUX port also has these pin assignments The CON AUX switch changes th...

Page 583: ...ican AC Power Adaptor Specifications AC Power Adapter model AD48 1201200DUY Input power AC120Volts 60Hz 0 25A Output power DC12Volts 1 2A Power consumption 10 W Plug North American standards Safety standards UL CUL UL 1950 CSA C22 2 No 234 M90 AC Power Adapter model AD48 1201200DUY Input power AC120Volts 60Hz Output power DC12Volts 1 2A Power consumption 9 W Plug North American standards Safety st...

Page 584: ...ower consumption 9 W Plug European Union standards Safety standards TUV CE EN 60950 Chart B 6 UK AC Power Adaptor Specifications AC Power Adapter model AD 1201200DK Input power AC230Volts 50Hz 0 2A Output power DC12Volts 1 2A Power consumption 10 W Plug United Kingdom standards Safety standards TUV CE EN 60950 BS7002 Chart B 7 Japan AC Power Adaptor Specifications AC Power Adapter model JOD 48 112...

Page 585: ...art B 8 Australia and New Zealand AC Power Adaptor Specifications AC Power Adapter model AD 1201200Ds or AD 121200DS Input power AC240Volts 50Hz 0 2A Output power DC12Volts 1 2A Power consumption 10 W Plug Australia and New Zealand standards Safety standards NATA AS 3260 ...

Page 586: ......

Page 587: ...110VAC for North America and 230VAC for Europe Make sure that the supplied AC voltage is correct and stable 7 Installation in restricted access areas must comply with Articles 110 16 110 17 and 110 18 of the National Electrical Code ANSI NFPA 70 8 Do not allow anything to rest on the power cord and do not locate the product where anyone can walk on the power cord 9 Do not service the product by yo...

Page 588: ......

Page 589: ...ween the power switch and the power port Use a small flat head screwdriver to carefully pry out the fuse housing Step 4 A burnt out fuse is blackened darkened or cloudy inside its glass casing A working fuse has a completely clear glass casing Pull gently but firmly to remove the burnt out fuse from the fuse housing Dispose of the burnt out fuse Installing a Fuse Step 1 The ZyWALL 100 is shipped f...

Page 590: ......

Page 591: ... Part XVI General Appendices This part provides background information about setting up your computer s IP address triangle route how functions are related wireless LAN 802 1x EAP authentication PPPoE PPTP and IP subnetting ...

Page 592: ......

Page 593: ... 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure tha...

Page 594: ...ck OK If you need TCP IP a In the Network window click Add b Select Protocol and then click Add c Select Microsoft from the list of manufacturers d Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks a Click Add b Select Client and then click Add c Select Microsoft from the list of manufacturers d Select Client for Microsoft Networks from th...

Page 595: ...automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields 2 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS If you know your DNS information select Enable DNS and type the information in the fields below you may not need to fill them all in ...

Page 596: ... 4 Click OK to save and close the TCP IP Properties window 5 Click OK to close the Network window Insert the Windows CD if prompted 6 Turn on your ZyWALL and restart your computer when prompted Verifying Your Computer s IP Address 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your comp...

Page 597: ...Address E 5 1 For Windows XP click start Control Panel In Windows 2000 NT click Start Settings Control Panel 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections 3 Right click Local Area Connection and then click Properties ...

Page 598: ... in Win XP and click Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields Click Advanced ...

Page 599: ...an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of transmission hops clear the...

Page 600: ...DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties window 10 Turn on your ZyWALL and restart your computer if prompted Verifying Your Computer s IP Address 1 Click Start All Programs Accessories and then Command P...

Page 601: ...Computer s IP Address E 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel 2 Select Ethernet built in from the Connect via list 3 For dynamically assigned settings select Using DHCP Server from the Configure list ...

Page 602: ... the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save changes to your configuration 7 Turn on your ZyWALL and restart your computer if prompted Verifying Your Computer s IP Address Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Prefer...

Page 603: ...t Using DHCP from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyWALL and restart your computer if prompted Verifying Your Computer ...

Page 604: ......

Page 605: ...fic route is a path for sending or receiving data packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The steps below describe the triangle route problem 1 A computer on the LAN initiates a connection by sending out a SYN packet A to a receiving server on the WAN ...

Page 606: ...p to three logical LAN interfaces with the ZyWALL being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyWALL to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The ZyWALL reroutes the packet...

Page 607: ... second solution to the triangle route problem is to put all of your network gateways on the WAN side as the following figure shows This ensures that all incoming network traffic passes through your ZyWALL to your LAN Therefore your LAN is protected Diagram F 4 Gateways on the WAN Side ...

Page 608: ......

Page 609: ...ternet Security Gateway The Big Picture G 1 Appendix G The Big Picture The following figure gives an overview of how filtering the firewall VPN and NAT are related Diagram G 1 Big Picture Filtering Firewall VPN and NAT ...

Page 610: ......

Page 611: ...ers like doctors and nurses access to a complete patient s profile on a handheld or notebook computer upon entering a patient s room 3 It allows flexible workgroups a lower total cost of ownership for workspaces that are frequently reconfigured 4 It allows conference room users access to the network as they move from meeting to meeting getting up to date access to information and the ability to co...

Page 612: ...wireless nodes or stations STA which is called a Basic Service Set BSS In the most basic form a wireless LAN connects a set of computers with wireless adapters Any time two or more wireless adapters are within range of each other they can set up an independent network which is commonly referred to as an Ad hoc network or Independent Basic Service Set IBSS The following diagram shows an example of ...

Page 613: ...o through the Access Point The Extended Service Set ESS shown in the next figure consists of a series of overlapping BSSs each containing an Access Point connected together by means of a Distribution System DS Although the DS could be any type of network it is almost invariably an Ethernet LAN Mobile nodes can roam between Access Points and seamless campus wide coverage is possible Diagram H 2 ESS...

Page 614: ......

Page 615: ... current computer speed Deployment Issues with IEEE 802 11 User account management has become a network administrator s nightmare in a corporate environment as the IEEE 802 11b standard does not provide any central user account management User access control is done through manual modification of the MAC address table on the access point Although WEP data encryption offers a form of data security ...

Page 616: ...le Authentication Protocol RFC 2486 that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL EAP Over LAN Diagram I 1 Sequences for EAP MD5 Challenge Authentication Client comput...

Page 617: ...han the authentication server may access the password file In addition it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication Finally MD5 authentication method does not support data encryption with dynamic session key You must configure WEP encryption keys for data encryption EAP TLS Transport Layer Security With EAP TLS digital c...

Page 618: ...rough the secure connection thus client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 EAP MD5 EAP TLS EAP TTLS Mutual Authentication No Yes Yes Certificate Client No Yes Optional Certificate Server No Yes Yes Dynamic Key Exchange No Yes Yes Credential Security None Strong Strong Deployment Dif...

Page 619: ...services using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN ISDN the switching fabric is already in place 3 It allows the ISP to use the existing dial up model t...

Page 620: ...els the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the PC and the ISP ZyWALL as a PPPoE Client When using the ZyWALL as a PPPoE client the PCs on the LAN see only Ethernet an...

Page 621: ...s that it requires one separate ATM VC per destination Diagram L 1 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup it appears as a PC to the ANT In Windows VPN or PPTP Pass Through feature the PPTP tunneling is created from Windows 95 98 and NT clients to an NT server in a remote location The pass through feature allows users on the network to acc...

Page 622: ...p capability The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS The PPTP user is unaware of the tunnel between the PAC and the PNS Diagram L 2 PPTP Protocol Overview Microsoft includes PPTP as a part of the Windows OS In Microsoft s implementation the PC and hence the ZyWALL is the PNS that requests the PAC the ANT to place an outgoing call over AAL5 to an...

Page 623: ...mple Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tunnel are distinguished using the Call ID field in the GRE header ...

Page 624: ......

Page 625: ... a 1 in the left most bit and a 0 in the next left most bit In a class B address the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets make up the network number and the last octet is the host ID Class D addresses begin with 1 1 1 0 Class D addresses are ...

Page 626: ...T OCTET DECIMAL Class A 00000000 to 01111111 0 to 127 Class B 10000000 to 10111111 128 to 191 Class C 11000000 to 11011111 192 to 223 Class D 11100000 to 11101111 224 to 239 Subnet Masks A subnet mask is used to determine which bits are part of the network number and which bits are part of the host ID using a logical AND operation A subnet mask has 32 bits each bit of the mask corresponds to a bit...

Page 627: ...g a followed by the number of bits in the mask after the address For example 192 1 1 0 25 is equivalent to saying 192 1 1 0 with mask 255 255 255 128 The following table shows all possible subnet masks for a class C address using both notations Chart M 4 Alternative Subnet Mask Notation SUBNET MASK IP ADDRESS SUBNET MASK 1 BITS LAST OCTET BIT VALUE 255 255 255 0 24 0000 0000 255 255 255 128 25 100...

Page 628: ...Chart M 5 Subnet 1 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask 255 255 255 128 Subnet Mask Binary 11111111 11111111 11111111 10000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 127 Highest Host ID 192 168 1 126 Chart M 6 Subnet 2 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192...

Page 629: ...000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 26 2 or 62 hosts for each subnet all 0 s is the subnet itself all 1 s is the broadcast address on the subnet Chart M 7 Subnet 1 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest H...

Page 630: ...bnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Example Eight Subnets Similarly use a 27 bit mask to create 8 subnets 001 010 011 100 101 110 The following table shows class C IP address last octet values for each subnet Chart M 11 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 ...

Page 631: ...bnet mask also determines which bits are part of the network number and which are part of the host ID A class B address has two host ID octets available for subnetting and a class A address has three host ID octets see Chart M 1 available for subnetting The following table is a summary for class B subnet planning Chart M 13 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HO...

Page 632: ...t Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 252 30 16384 2 15 255 255 255 254 31 32768 1 ...

Page 633: ...ltering and Certificates Appendices and Index This part provides information on the command interpreter interface firewall NetBIOS and certificate commands and logs and password protection content filtering registration and reports and importing certificates There is also an index of key terms ...

Page 634: ......

Page 635: ...unit and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off means that you must specify the type of ne...

Page 636: ......

Page 637: ...ll This command returns the previously saved firewall settings config save firewall This command saves the current firewall settings D Di is sp pl la ay y config display firewall This command shows the of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name default pe...

Page 638: ...s command sets the IP address to which the e mail messages are sent config edit firewall e mail return addr e mail address This command sets the source e mail address of the firewall e mails config edit firewall e mail email to e mail address This command sets the e mail address to which the firewall e mails are sent config edit firewall e mail policy full hourly daily weekly This command sets how...

Page 639: ...es or disables the immediate sending of DOS attack notification e mail messages config edit firewall attack block yes no Set this command to yes to block new traffic after the tcp max incomplete threshold is exceeded Set it to no to delete the oldest half open session when traffic exceeds the tcp max incomplete threshold config edit firewall attack block minute 0 255 This command sets the number o...

Page 640: ...d sessions config edit firewall attack tcp max incomplete 0 255 This command sets the threshold of half open TCP sessions with the same destination where the ZyWALL starts dropping half open sessions to that destination S Se et ts s config edit firewall set set name desired name This command sets a name to identify a specified set Config edit firewall set set default permit forward block This comm...

Page 641: ...set tcp idle timeout seconds This command sets how long ZyWALL lets an inactive TCP connection remain open before considering it closed Config edit firewall set set log yes no This command sets whether or not the ZyWALL creates logs for packets that match the firewall s default rule set R Ru ul le es s Config edit firewall set set rule rule permit forward block This command sets whether packets th...

Page 642: ...h this individual source address config edit firewall set set rule rule srcaddr subnet ip address subnet mask This command sets a rule to have the ZyWALL check for traffic from a particular subnet defined by IP address and subnet mask config edit firewall set set rule rule srcaddr range start ip address end ip address This command sets a rule to have the ZyWALL check for traffic from this range of...

Page 643: ...le TCP destport range start port end port This command sets a rule to have the ZyWALL check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyWALL check for UDP traffic with this destination address You may repeat this command to enter various non consecutive port numbers config edit firewall...

Page 644: ...t O 1 Firewall Commands FUNCTION COMMAND DESCRIPTION config delete firewall set set This command removes the specified set from the firewall configuration config delete firewall set set rule rule This command removes the specified rule in a firewall configuration set ...

Page 645: ...S packets cause unwanted calls You can configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets through VPN connections Allow or disallow NetBIOS packets to initiate calls Display NetBIOS Filter Settings Syntax sys filter netbios disp This command gives a read ...

Page 646: ...e Identify which NetBIOS filter numbered 0 3 to configure 0 LAN to WAN and WAN to LAN 3 IPSec packet pass through 4 Trigger Dial on off For type 0 use on to enable the filter and block NetBIOS packets Use off to disable the filter and forward NetBIOS packets For type 3 use on to block NetBIOS packets from being sent through a VPN connection Use off to allow NetBIOS packets to be sent through a VPN...

Page 647: ...ZyWALL Series Internet Security Gateway NetBIOS Filter Commands P 3 Command sys filter netbios config 4 off This command stops NetBIOS commands from initiating calls ...

Page 648: ......

Page 649: ...ct name required and alternative name required The format is subject name dn ip dns email value If the name contains spaces please put it in quotes key size specifies the key size It has to be an integer from 512 to 2048 The default is 1024 bits create request name subject key size Create a certificate request and save it to the router for later manual enrollment name specifies a descriptive name ...

Page 650: ...addr specifies the CA server address CA cert specifies the name of the CA certificate auth key specifies the id and key used for user authentication The format is id key To leave the id and key blank type subject specifies a subject name required and alternative name required The format is subject name dn ip dns email value If the name contains spaces please put it in quotes key size specifies the...

Page 651: ...ficate name specifies the name of the certificate to be set as the default self signed certificate If name is not specified the name of the current self signed certificate is displayed ca_trusted import name Import the PEM encoded certificate from stdin name specifies the name as which the imported CA certificate is to be saved export name Export the PEM encoded certificate to stdout for user to c...

Page 652: ...t the PEM encoded certificate to stdout for user to copy and paste name specifies the name of the certificate to be exported view name View the information of the specified trusted remote host certificate name specifies the name of the certificate to be viewed verify name timeout Verify the certification path of the specified trusted remote host certificate name specifies the name of the certifica...

Page 653: ...eleted view name View the specified directory service name specifies the name of the directory server to be viewed edit name addr por t login psw d Edit the specified directory service name specifies the name of the directory server to be edited addr port specifies the server address required and port optional The format is server address port The default port is 389 login pswd specifies the login...

Page 654: ......

Page 655: ...le ZyWALL boot module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows for example ATBA3 will give a console port speed of 9 6 Kbps ATSE displays the seed that is used to generate a password to turn on the debug flag in the firmwa...

Page 656: ...ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run program at addr x or boot router ATGR boot router ATGT run Hardware Test Program ATRTw x y z RAM test level w from address x to y z iterations ATSH dump manufacturer related data in ROM ATDOx y downloa...

Page 657: ...Successful SMT login Someone has logged on to the router s SMT interface SMT login failed Someone has failed to log on to the router s SMT interface Successful WEB login Someone has logged on to the router s web configurator interface WEB login failed Someone has failed to log on to the router s web configurator interface Successful TELNET login Someone has logged on to the router via telnet TELNE...

Page 658: ...Time server Connect to NTP server fail The router was not able to connect to the NTP server Too large ICMP packet has been dropped The router dropped an ICMP packet that was too large SMT Session Begin An SMT management session has started SMT Session End An SMT management session has ended Configuration Change PC 0x x Task ID 0x x The router is saving configuration changes Successful SSH login So...

Page 659: ...lt policy TCP UDP IGMP ESP GRE OSPF Packet Direction Attempted TCP UDP IGMP ESP GRE OSPF access matched the default policy and was blocked or forwarded according to the default policy s setting Firewall rule NOT match TCP UDP IGMP ESP GRE OSPF Packet Direction rule d Attempted TCP UDP IGMP ESP GRE OSPF access matched or did not match a configured firewall rule denoted by its number and was blocked...

Page 660: ...CP state Firewall session time out sent TCP RST The router sent a TCP reset packet when a dynamic firewall session timed out Default timeout values ICMP idle timeout s 60 UDP idle timeout s 60 TCP connection three way handshaking timeout s 30 TCP FIN wait timeout s 60 TCP idle established timeout s 3600 Exceed MAX incomplete sent TCP RST The router sent a TCP reset packet when the number of incomp...

Page 661: ...ion on ICMP messages for type and code details Firewall rule NOT match ICMP Packet Direction rule d type d code d ICMP access matched or didn t match a firewall rule denoted by its number and was blocked or forwarded according to the rule See the section on ICMP messages for type and code details Triangle route packet forwarded ICMP The firewall allowed a triangle route session to pass through Pac...

Page 662: ...PTP or dial up call is connected board d line d channel d call d s C02 Call Terminated The PPPoE PPTP or dial up call was disconnected Chart S 8 PPP Logs LOG MESSAGE DESCRIPTION ppp LCP Starting The PPP connection s Link Control Protocol stage has started ppp LCP Opening The PPP connection s Link Control Protocol stage is opening ppp CHAP Opening The PPP connection s Challenge Handshake Authentica...

Page 663: ...Contains cookie The web site contains a cookie s Proxy mode detected The router detected proxy mode in the packet s The content filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the blocked category list and returned the category type s cache hit The system detected that ...

Page 664: ...tion on ICMP messages for type and code details icmp echo ICMP type d code d The firewall detected an ICMP echo attack See the section on ICMP messages for type and code details syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan attack teardrop TCP The firewall detected a TCP teardrop attack teardrop UDP The firewall detected an UDP tear...

Page 665: ...ve IPSec packet but no corresponding tunnel exists The router dropped an inbound packet for which SPI could not find a corresponding phase 2 SA Rule d idle time out disconnect The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period You can use the ipsec timer chk_conn CI command to set the time period The default value is 2 minutes WAN IP changed ...

Page 666: ...onnection but the IKE process has not finished yet No proposal chosen Phase 1 or phase 2 parameters don t match Please check all protocols settings Ex One device being configured for 3DES and the other being configured for DES causes the connection to fail Local remote IPs of incoming request conflict with rule d The security gateway is set to 0 0 0 0 and the router used the peer s Local Address a...

Page 667: ...tion conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s Local ID Type Phase 1 ID content mismatch This router s Peer ID Content is different from the peer IPSec router s Local ID Content No known phase 1 ID type found The router could not find a known phase 1 ID in the connection attempt ID ...

Page 668: ...Phase 1 authentication algorithm mismatch The listed rule s IKE phase 1 authentication algorithm did not match between the router and the peer Rule d Phase 1 authentication method mismatch The listed rule s IKE phase 1 authentication method did not match between the router and the peer Rule d Phase 1 key group mismatch The listed rule s IKE phase 1 key group did not match between the router and th...

Page 669: ...nd Rule d Verify peer s signature failed The listed rule s IKE phase 1verification of the peer s signature failed Rule d Sending IKE request IKE sent an IKE request for the listed rule Rule d Receiving IKE request IKE received an IKE request for the listed rule Swap rule to rule d The router changed to using the listed rule Rule d Phase 1 key length mismatch The listed rule s IKE phase 1 key lengt...

Page 670: ...he certification authority server s IP address cannot be resolved Rcvd ca cert subject name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user cert subject name The router received a user certificate with subject name as recorded from the LDAP server whose IP address and p...

Page 671: ...he router allows is also recorded Cert trusted subject name The router has verified the path of the certificate with the listed subject name Due to reason codes cert not trusted subject name Due to the reasons listed the certificate with the listed subject name has not passed the path verification The recorded reason codes are only approximate reasons for not trusting the certificate Please refer ...

Page 672: ...g 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CRL decoding failed 21 CRL is not currently valid but in the future 22 CRL contains duplicate serial numbers 23 Time interval is not continuous 24 Time information not available 25 Database method failed due to timeout 26 Database method...

Page 673: ...pired The router logged out a user whose session expired User logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user from which there was no authentication response User logout because of idle timeout expired The router logged out a user whose idle timeout period expired User l...

Page 674: ... LAN ACL set for packets traveling from the DMZ to the LAN D to W DMZ to WAN ACL set for packets traveling from the DMZ to the WAN W to D WAN to DMZ ACL set for packets traveling from the WAN to the DMZ L to D LAN to DMZ ACL set for packets traveling from the LAN to the DMZ L to L ZW LAN to LAN ZyWALL ACL set for packets traveling from the LAN to the LAN or the ZyWALL W to W ZW WAN to WAN ZyWALL A...

Page 675: ...ded to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service and Network 3 Redirect datagrams for the Type of Service and Host 8 Echo 0 Echo message 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded...

Page 676: ... a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s syslog class The definition of messages and notes are defined in the various log charts throughout this appendix The devID is the last three characters of the MAC address of the router s LAN port The cat is the same as the category in the router s logs The following table shows RFC 2408 ISAKMP p...

Page 677: ...ou Want the ZyWALL to Log Step 1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record Step 2 Use sys logs category to view a list of the log categories Diagram S 1 Displaying Log Categories Example Step 3 Use sys logs category followed by a log category to display the parameters that are available for the category ras sys logs...

Page 678: ...L you must do this in order to record logs Displaying Logs Use the sys logs display command to show all of the logs in the ZyWALL s log Use the sys logs category display command to show the log settings for all of the log categories Use the sys logs display log category command to show the logs in an individual ZyWALL log category Use the sys logs clear command to erase all of the ZyWALL s logs Lo...

Page 679: ...55 138 ACCESS BLOCK Firewall default policy UDP set 8 2 11 11 2002 15 10 11 172 17 2 1 224 0 1 60 ACCESS BLOCK Firewall default policy IGMP set 8 3 11 11 2002 15 10 11 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 4 11 11 2002 15 10 10 192 168 10 1 520 192 168 10 255 520 ACCESS BLOCK Firewall default policy UDP set 8 5 11 11 2002 15 10 10 172 21 4 67 137 172 21 ...

Page 680: ......

Page 681: ...ommands COMMAND DESCRIPTION sys pwderrtm This command displays the brute force guessing password protection settings sys pwderrtm 0 This command turns off the password s protection from brute force guessing The brute force password guessing protection is turned off by default sys pwderrtm N This command sets the password protection to block all access attempts for N a number from 1 to 60 minutes a...

Page 682: ......

Page 683: ...ation authority Select Accept This Certificate Permanently in the following screen to do this Diagram U 1 Security Certificate Importing the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the self signed certificate into your operating system as a trusted certification authority To have Internet Explorer trust a Zy...

Page 684: ...s The following example procedure shows how to import the ZyWALL s self signed server certificate into your operating system as a trusted certification authority Step 1 In Internet Explorer double click the lock shown in the following screen Diagram U 2 Login Screen ...

Page 685: ...ZyWALL Series Internet Security Gateway Importing Certificates U 3 Step 2 Click Install Certificate to open the Install Certificate wizard Diagram U 3 Certificate General Information Before Import ...

Page 686: ...ZyWALL Series Internet Security Gateway U 4 Importing Certificates Step 3 Click Next to begin the Install Certificate wizard Diagram U 4 Certificate Import Wizard 1 ...

Page 687: ...ZyWALL Series Internet Security Gateway Importing Certificates U 5 Step 4 Select where you would like to store the certificate and then click Next Diagram U 5 Certificate Import Wizard 2 ...

Page 688: ...teway U 6 Importing Certificates Step 5 Click Finish to complete the Import Certificate wizard Diagram U 6 Certificate Import Wizard 3 Step 6 Click Yes to add the ZyWALL s certificate to the root store Diagram U 7 Root Certificate Store ...

Page 689: ... needs a certificate if Authenticate Client Certificates is selected on the ZyWALL You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active see the part on certificates for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA web configurator screen ...

Page 690: ...LL Trusted CA Screen The CA sends you a package containing the CA s certificate s your personal certificate s and a password to install the personal certificate s Installing the CA s Certificate Step 1 Double click the CA s certificate to produce a screen similar to the one shown next ...

Page 691: ...n the Importing the ZyWALL s Certificate into the SSL Client section Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next Step 1 Click Next to begin the wizard ...

Page 692: ...am U 11 Personal Certificate Import Wizard 1 Step 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Diagram U 12 Personal Certificate Import Wizard 2 ...

Page 693: ...tes U 11 Step 3 Enter the password Diagram U 13 Personal Certificate Import Wizard 3 Step 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location ...

Page 694: ...net Security Gateway U 12 Importing Certificates Diagram U 14 Personal Certificate Import Wizard 4 Step 5 Click Finish to complete the wizard and begin the import process Diagram U 15 Personal Certificate Import Wizard 5 ...

Page 695: ...tificate is correctly installed on your computer Diagram U 16 Personal Certificate Import Wizard 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS Step 1 Enter https ZyWALL IP Address in your browser s web address field Diagram U 17 Access the ZyWALL Via HTTPS ...

Page 696: ...is selected on the ZyWALL the following screen asks you to select a personal certificate to send to the ZyWALL This screen displays even if you only have a single certificate as in the example Diagram U 18 SSL Client Authentication Step 3 You next see the ZyWALL login screen Diagram U 19 ZyWALL Secure Login Screen ...

Page 697: ...on 24 7 28 5 28 6 Authentication Protocol 28 5 Auto crossover 10 100 Mbps Ethernet LAN 1 2 Auto negotiating 10 100 Mbps Ethernet DMZ 1 2 Auto negotiating 10 100 Mbps Ethernet LAN 1 2 Auxiliary 1 2 B Backup 21 8 35 2 Backup WAN 1 2 Bandwidth Management 1 3 Basic Service Set H 2 Big Picture G 1 Blocking Time 12 25 12 26 12 28 Boot commands R 1 Broadband Access Security Gateway xxxix Brute force Atta...

Page 698: ...7 File Backup 35 7 File Upload 35 16 Restoring Files 35 10 Console Dial Backup Port Pin Assignments B 2 Content Filtering 1 3 13 1 Categories 13 1 Customizing 13 15 Days and Times 13 1 Filter List 13 1 Restrict Web Features 13 1 Copyright ii Custom Ports Creating Editing 12 14 Customer Support vi D DDNS Configuration 23 3 DDNS Type 23 3 Default 21 10 Default Policy Log 12 9 DeMilitarized Zone 7 1 ...

Page 699: ... 24 5 Dynamic DNS 4 3 23 2 Dynamic DNS Support 1 5 DYNDNS Wildcard 4 3 E e g See Syntax Conventions EAP 6 3 EAP Authentication XVI J 1 MD5 J 1 TLS J 1 TTLS J 1 ECHO 9 6 Edit IP 24 7 28 4 EMAIL 23 3 E mail Address 23 3 Enable Wildcard 23 4 Enable Wireless LAN 6 5 Encapsulation 27 2 28 3 28 7 PPP over Ethernet K 1 Enter See Syntax Conventions Entering Information 22 3 ESS See Extended Service Set ES...

Page 700: ...ng 31 1 Address Type 12 14 Alerts 12 7 Connection Direction 12 4 Creating Editing Rules 12 10 Custom Ports See Custom Ports See Custom Ports Enabling 12 1 Firewall Vs Filters 11 12 Guidelines For Enhancing Security 11 11 Introduction 11 2 LAN to WAN Rules 12 4 Policies 12 1 Rule Checklist 12 2 Rule Logic 12 2 Rule Security Ramifications 12 3 Services 12 21 SMT Menus 31 1 Types 11 1 When To Use 11 ...

Page 701: ... 28 5 28 6 IEEE 802 11 H 1 Deployment Issues I 1 Security Flaws I 1 IEEE 802 11b 1 2 IEEE 802 1x 1 4 I 1 Advantages I 1 IGMP 5 2 Incoming Protocol Filters 25 6 Independent Basic Service Set H 2 Industry Canada iv Infrastructure Configuration H 2 Initial Screen 22 1 Inside 9 1 Inside Global Address 9 1 Inside Local Address 9 1 Installing Fuses D 1 Interactive Applications 38 2 Internet Access 27 1 ...

Page 702: ...Savings 38 1 Criteria 38 1 Load Sharing 38 1 Setup 38 2 IP Spoofing 11 4 11 7 IP Static Route 29 1 29 2 Active 29 2 Destination IP Address 29 2 IP Subnet Mask 29 2 Name 29 2 Route Number 29 2 IP Subnet Mask 24 10 25 6 Remote 24 10 IPSec standard 1 3 IPSec VPN Capability 1 3 ISP s Name 27 1 K Key Fields For Configuring Rules 12 3 L LAN IP Address 20 7 20 10 LAN Port Filter Setup 25 1 LAN Setup 5 1 ...

Page 703: ...y IP Addr 28 7 My Login 24 7 28 3 My Login Name 27 2 My Password 24 7 27 2 28 3 My Server IP Addr 28 7 My WAN Address 24 10 N Nailed up Connection 28 5 Nailed Up Connection 24 8 28 6 Nailed Up Connections 28 8 NAT 3 4 3 9 9 6 9 8 24 10 28 9 32 15 Applying NAT in the SMT Menus 30 1 Configuring 30 4 Definitions 9 1 Examples 30 10 How NAT Works 9 2 Mapping Types 9 4 NAT Unfriendly Application Program...

Page 704: ... Power Current B 1 Power Specification B 1 PPP 24 8 PPPoE 1 5 3 2 3 4 PPPoE Encapsulation27 1 27 5 28 2 28 4 28 5 28 6 28 11 PPTP 3 2 3 4 3 6 9 7 L 1 Client 27 3 27 4 Configuring a Client 27 3 27 4 PPTP Encapsulation 1 5 3 6 28 6 Precedence 38 1 38 5 Private 10 4 24 10 28 9 29 3 Private IP Address 3 8 Protocol Filters 25 6 Incoming 25 6 Outgoing 25 6 Protocol Port 20 7 20 9 Public Servers 7 1 Q Qu...

Page 705: ... RoadRunner Support 1 6 Route 28 4 Routing Policy 38 1 RTC See Real Time Chip See Real Time Chip RTS Threshold 6 2 RTS CTS handshake 6 5 25 8 Rule Summary 12 21 Rules 12 1 12 4 Checklist 12 2 Creating Custom 12 1 Key Fields 12 3 LAN to WAN 12 4 Logic 12 2 Predefined Services 12 21 Source and Destination Addresses 12 14 S SA Monitor 41 1 Safety Instructions C 1 Saving the State 11 7 Schedule Sets D...

Page 706: ...bnet Masks M 2 Subnetting M 2 Support Disk xxxix SYN Flood 11 4 11 5 SYN ACK 11 5 Syntax Conventions xl Syslog 34 7 Syslog 12 17 34 8 Syslog IP Address 34 8 System Information 34 1 34 3 34 4 System Maintenance 20 3 34 1 34 2 34 3 34 4 34 5 34 6 34 7 34 8 34 11 34 12 34 13 35 2 35 5 35 14 35 16 36 1 36 3 36 4 36 5 36 7 System Management Terminal 22 2 System Name 4 2 23 2 System Status 34 1 System T...

Page 707: ... Triangle Route Solutions F 2 Trigger Port Forwarding 30 18 Process 9 13 Trivial File Transfer Protocol See TFTP Troubleshooting A 1 Internet Access A 3 LAN Interface A 2 WAN Interface A 3 Trusted Network See LAN TTLS J 1 Tunneled Transport Layer Service See TTLS Type of Service 38 1 38 3 38 5 U UDP ICMP Security 11 10 Universal Plug and Play 1 4 Universal Plug and Play UPnP 19 1 19 3 Upload Firmw...

Page 708: ...s LAN 1 2 H 1 Benefits H 1 Wireless LAN MAC Address Filtering 1 4 Wireless LAN Setup 25 7 Wizard Setup 3 1 3 2 3 8 WLAN See Wireless LAN www dyndns org 23 4 X Xmodem File Upload 35 17 XMODEM Protocol 35 3 Z ZyNOS 34 3 34 5 35 2 ZyNOS F W Version 34 3 34 5 35 2 ZyWALL Firewall Application 11 3 ZyXEL Limited Warranty Note v ZyXEL s Firewall Introduction 11 2 ...

Reviews:

No comments

Related manuals for Internet Security Gateway ZyWALL 100

Brand: Zennio Pages: 38

NEXEDGE NX-700 series

Brand: Kenwood Pages: 228

Brand: TENETICS, LLC Pages: 12

Brand: Mercury Pages: 5

Brand: IOGear Pages: 2

Brand: National Instruments Pages: 18

Brand: ZyXEL Communications Pages: 5

Brand: Packet8 Pages: 20

Brand: Teltonika Pages: 4

SURFboard SBG6700-AC

Brand: Arris Pages: 86

Brand: GlobalScale Pages: 18

Brand: X2E Pages: 22

Brand: Juniper Pages: 128

Brand: IAI Pages: 125

Brand: Xi an ZFE Pages: 14

NX-S/O 2 Series

Brand: call4tel Pages: 42

Brand: ICP DAS USA Pages: 4

Brand: ZIGBEE Pages: 6

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands