ZyXEL Communications 2WG manual


A good instruction manual

The law requires the seller to give the buyer the ZyXEL Communications 2WG instruction manual together with the product. A missing manual, or incorrect information given to the consumer, is grounds for a complaint that the product does not conform to the contract. By law, a manual may be supplied in a form other than paper, which has become quite common lately: manufacturers provide a graphic manual, an electronic version of the ZyXEL Communications 2WG manual, or instructional videos for users. The condition is that it be in a legible and understandable form.

What is an instruction manual?

The name comes from the Latin word “instructio”, meaning to put in order. A ZyXEL Communications 2WG manual therefore describes the steps of a procedure. The purpose of a manual is to teach, and to make it easier to start up or use a device or to carry out specific actions. An instruction manual is also a source of information about an object or a service; it is a pointer.

Unfortunately, few users take the time to read ZyXEL Communications 2WG manuals. A good manual, however, lets us not only discover a number of additional functions of the purchased device but also avoid most faults.

So what should the perfect instruction manual contain?

Above all, a ZyXEL Communications 2WG instruction manual should contain:
- information about the technical specifications of the ZyXEL Communications 2WG device
- the manufacturer's name and the year of manufacture of the ZyXEL Communications 2WG device
- conditions of use, configuration and maintenance of the ZyXEL Communications 2WG device
- safety marks and certificates confirming conformity with the relevant standards

Why don't we read instruction manuals?

Usually it is for lack of time and because we feel sure about the particular functions of the devices we have bought. Unfortunately, connecting and switching on the ZyXEL Communications 2WG is not enough. The instruction manual always contains a series of pointers on particular functions, safety rules, maintenance advice (including which products to use), possible faults of the ZyXEL Communications 2WG and ways to solve problems that may occur during use. Finally, a manual gives the ZyXEL Communications technical service details in case the proposed solutions have not worked. Instruction manuals in the form of engaging animations or video manuals are currently popular and reach the user much better than a booklet. This kind of manual helps the user watch the whole video without skipping the specifications and the complicated technical descriptions of the ZyXEL Communications 2WG, as people tend to do with a paper version.

Why is it worth reading instruction manuals?

Above all, it is there that we find answers about the construction and capabilities of the ZyXEL Communications 2WG device, the use of particular accessories, and a range of information that lets us make full use of its functions and conveniences.

After a successful purchase of a piece of equipment or a device, it is worth taking a moment to become familiar with each part of the ZyXEL Communications 2WG manual. Manuals are now prepared and translated with care, so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Index of instruction manuals

  • Page 1

    www.zyxel.com ZyWALL 2WG Internet Security Appliance User’s Guide Version 4.03 12/2007 Edition 1[...]

  • Page 2

    [...]

  • Page 3

    About This User's Guide ZyWALL 2WG User’s Guide 3 About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology. Related Documentati[...]

  • Page 4

    Document Conventions ZyWALL 2WG User’s Guide 4 Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips)[...]

  • Page 5

    Document Conventions ZyWALL 2WG User’s Guide 5 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router[...]

  • Page 6

    Safety Warnings ZyWALL 2WG User’s Guide 6 Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the devic[...]

  • Page 7

    Safety Warnings ZyWALL 2WG User’s Guide 7 • Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s). • If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. This product is recyclable. Dispose of it prop[...]

  • Page 8

    Safety Warnings ZyWALL 2WG User’s Guide 8[...]

  • Page 9

    Contents Overview ZyWALL 2WG User’s Guide 9 Contents Overview Introduction ... 51; Getting to Know Your ZyWALL ... 53; Intro[...]

  • Page 10

    Contents Overview ZyWALL 2WG User’s Guide 10 SMT ... 529; Introducing the SMT ... 531; SMT Menu 1 -[...]

  • Page 11

    Table of Contents ZyWALL 2WG User’s Guide 11 Table of Contents About This User's Guide ... 3; Document Conventions ... 4; Safety Warning[...]

  • Page 12

    Table of Contents ZyWALL 2WG User’s Guide 12 2.4.5 Navigation Panel ... 70; 2.4.6 Port Statistics ... 74; 2.4.7 Show Statistics: [...]

  • Page 13

    Table of Contents ZyWALL 2WG User’s Guide 13 4.5.3 Assign Bob’s Computer a Specific IP Address ... 136; 4.5.4 Create a Content Filter Policy for Bob ... 136; 4.5.5 Set the Content Filter Schedule ...[...]

  • Page 14

    Table of Contents ZyWALL 2WG User’s Guide 14 8.1 WAN Overview ... 165; 8.2 Multiple WAN ... 165; 8.3 L[...]

  • Page 15

    Table of Contents ZyWALL 2WG User’s Guide 15 10.1 Wireless LAN Introduction ... 211; 10.2 Configuring WLAN ... 212; 10.3 WLAN Static DHCP[...]

  • Page 16

    Table of Contents ZyWALL 2WG User’s Guide 16 11.11 Firewall Thresholds ... 261; 11.11.1 Threshold Values ... 262; 11.12 Threshold Screen[...]

  • Page 17

    Table of Contents ZyWALL 2WG User’s Guide 17 14.4.3 Encryption and Authentication Algorithms ... 311; 14.5 VPN Rules (IKE) Gateway Policy Edit ... 312; 14.6 IPSec SA Overview ...[...]

  • Page 18

    Table of Contents ZyWALL 2WG User’s Guide 18 15.7.1 Certificate File Export Formats ... 356; 15.8 My Certificate Import ... 357; 15.8.1 Certificate File Formats ...[...]

  • Page 19

    Table of Contents ZyWALL 2WG User’s Guide 19 17.5.3 Configuring Servers Behind Port Forwarding (Example) ... 395; 17.5.4 NAT and Multiple WAN ... 396; 17.5.5 Port Translation ...[...]

  • Page 20

    Table of Contents ZyWALL 2WG User’s Guide 20 Chapter 21 DNS ... 427; 21.1 DNS Overview ... 427; 21.[...]

  • Page 21

    Table of Contents ZyWALL 2WG User’s Guide 21 22.13 FTP ... 453; 22.14 SNMP ... 454; 22.14.[...]

  • Page 22

    Table of Contents ZyWALL 2WG User’s Guide 22 25.5.2 SIP ALG Details ... 476; 25.5.3 SIP Signaling Session Timeout ... 477; 25.5.4 SIP Audio Session Timeout ...[...]

  • Page 23

    Table of Contents ZyWALL 2WG User’s Guide 23 27.13 Diagnostics ... 526; Part VI: SMT ... 529; Chapter 28 Introducing the SMT ...[...]

  • Page 24

    Table of Contents ZyWALL 2WG User’s Guide 24 31.3 LAN Port Filter Setup ... 559; 31.4 TCP/IP and DHCP Ethernet Setup Menu ... 560; 31.4.1 IP Alias Setup ...[...]

  • Page 25

    Table of Contents ZyWALL 2WG User’s Guide 25 Chapter 37 IP Static Route Setup ... 591; 37.1 IP Static Route Setup ... 591; Chapter 38 N[...]

  • Page 26

    Table of Contents ZyWALL 2WG User’s Guide 26 Chapter 41 SNMP Configuration ... 633; 41.1 SNMP Configuration ... 633; 41.2 SNMP Trap [...]

  • Page 27

    Table of Contents ZyWALL 2WG User’s Guide 27 43.5.6 TFTP Upload Command Example ... 658; 43.5.7 Uploading Via Console Port ... 658; 43.5.8 Uploading Firmware File Via Console Port ...[...]

  • Page 28

    Table of Contents ZyWALL 2WG User’s Guide 28 Chapter 49 Product Specifications ... 693; 49.1 General ZyWALL Specifications ... 693; 49.2 Compatible 3G Ca[...]

  • Page 29

    List of Figures ZyWALL 2WG User’s Guide 29 List of Figures Figure 1 Secure Internet Access via Cable or DSL Modem ... 54; Figure 2 VPN Application ... 55; Fig[...]

  • Page 30

    List of Figures ZyWALL 2WG User’s Guide 30 Figure 39 SECURITY > FIREWALL > Rule Summary ... 106; Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow ... 107; Figure 41 SECURITY > FIREWALL > Rul[...]

  • Page 31

    List of Figures ZyWALL 2WG User’s Guide 31 Figure 82 SECURITY > CONTENT FILTER > Policy > External Database (Default) ... 135; Figure 83 HOME > DHCP Table ... 136; Figure 84 SECURITY > CONTENT F[...]

  • Page 32

    List of Figures ZyWALL 2WG User’s Guide 32 Figure 125 DMZ Private and Public Address Example ... 209; Figure 126 NETWORK > DMZ > Port Roles ... 210; Figure 127 Example of a Wirel[...]

  • Page 33

    List of Figures ZyWALL 2WG User’s Guide 33 Figure 168 My Service Firewall Rule Example: Rule Edit: Source and Destination Addresses ... 268; Figure 169 My Service Firewall Rule Example: Edit Rule: Service Configuration ... 269; Figure 170 My Service Firewall Rule Example: Rule Summary: Completed ...[...]

  • Page 34

    List of Figures ZyWALL 2WG User’s Guide 34 Figure 211 SECURITY > VPN > VPN Rules (Manual) > Edit ... 335; Figure 212 SECURITY > VPN > SA Monitor ... 338; Figure 213 Overlap in a Dyna[...]

  • Page 35

    List of Figures ZyWALL 2WG User’s Guide 35 Figure 254 ADVANCED > STATIC ROUTE > IP Static Route > Edit ... 403; Figure 255 ADVANCED > POLICY ROUTE > Policy Route Summary ... 406; Figure 256 Edit IP Policy Route ...[...]

  • Page 36

    List of Figures ZyWALL 2WG User’s Guide 36 Figure 297 H.323 with Multiple WAN IP Addresses ... 475; Figure 298 H.323 Calls from the WAN with Multiple Outgoing Calls ... 476; Figure 299 SIP ALG Example ...[...]

  • Page 37

    List of Figures ZyWALL 2WG User’s Guide 37 Figure 340 Menu 2.1: Advanced WAN Setup ... 548; Figure 341 Menu 11.3: Remote Node Profile (Backup ISP) ... 549; Figure 342 Menu 11.3.2: Remote N[...]

  • Page 38

    List of Figures ZyWALL 2WG User’s Guide 38 Figure 383 Menu 15.2: NAT Server Sets ... 602; Figure 384 Menu 15.2.x: NAT Server Sets ... 603; Figure 385 15.[...]

  • Page 39

    List of Figures ZyWALL 2WG User’s Guide 39 Figure 426 Call-Triggering Packet Example ... 644; Figure 427 Menu 24.4: System Maintenance: Diagnostic ... 645; Figure 428 WAN & LAN DH[...]

  • Page 40

    List of Figures ZyWALL 2WG User’s Guide 40 Figure 469 Pop-up Blocker ... 705; Figure 470 Internet Options: Privacy ... 706; F[...]

  • Page 41

    List of Figures ZyWALL 2WG User’s Guide 41 Figure 512 Login Screen ... 756; Figure 513 Certificate General Information before Import ... 756; Figure 514 C[...]

  • Page 42

    List of Figures ZyWALL 2WG User’s Guide 42[...]

  • Page 43

    List of Tables ZyWALL 2WG User’s Guide 43 List of Tables Table 1 Front Panel Lights ... 56; Table 2 Title Bar: Web Configurator Icons ...[...]

  • Page 44

    List of Tables ZyWALL 2WG User’s Guide 44 Table 39 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) ... 182; Table 40 NETWORK > WAN > WAN 1 (PPTP Encapsulation) ... 185; Table 41 2G, 2.5G, 2.75G, 3G and 3.5G Wirele[...]

  • Page 45

    List of Tables ZyWALL 2WG User’s Guide 45 Table 82 SECURITY > CONTENT FILTER > Object ... 289; Table 83 SECURITY > CONTENT FILTER > Cache ... 292; Table 84 SECURITY > VP[...]

  • Page 46

    List of Tables ZyWALL 2WG User’s Guide 46 Table 125 Application and Subnet-based Bandwidth Management Example ... 412; Table 126 Maximize Bandwidth Usage Example ... 414; Table 127 Priority-based Allotment of Unused and Unbu[...]

  • Page 47

    List of Tables ZyWALL 2WG User’s Guide 47 Table 168 ICMP Logs ... 495; Table 169 CDR Logs ...[...]

  • Page 48

    List of Tables ZyWALL 2WG User’s Guide 48 Table 211 Menu 3.2: LAN TCP/IP Setup Fields ... 562; Table 212 Menu 3.2.1: IP Alias Setup ... 563; Table 213 Menu [...]

  • Page 49

    List of Tables ZyWALL 2WG User’s Guide 49 Table 254 Firmware Specifications ... 694; Table 255 Feature Specifications ... 695; [...]

  • Page 50

    List of Tables ZyWALL 2WG User’s Guide 50[...]

  • Page 51

    51 PART I Introduction Getting to Know Your ZyWALL (53) Introducing the Web Configurator (57) Wizard Setup (81) Tutorial (101) Registration (141)[...]

  • Page 52

    52[...]

  • Page 53

    ZyWALL 2WG User’s Guide 53 CHAPTER 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increase[...]

  • Page 54

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 2WG User’s Guide 54 • Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server. 1.3 Good Habits for Managing the ZyWALL Do the following things regularly to make the ZyWALL more secure and to manage the ZyWALL more effectively. • Chan[...]

  • Page 55

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 2WG User’s Guide 55 1.4.2 VPN Application ZyWALL VPN is an ideal cost-effective way to securely connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites. Figure 2 VPN Application 1.4.3 3G WAN Application Insert a 3G [...]

  • Page 56

    Chapter 1 Getting to Know Your ZyWALL ZyWALL 2WG User’s Guide 56 1.4.4 Front Panel Lights Figure 4 Front Panel The following table describes the lights. Table 1 Front Panel Lights LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off. Green On The ZyWALL is ready and running. Flashing The ZyWALL is restarting. Red On The power to t[...]

  • Page 57

    ZyWALL 2WG User’s Guide 57 CHAPTER 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Inter[...]

  • Page 58

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 58 5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore. Figure 5 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a cer[...]

  • Page 59

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 59 2.3 Resetting the ZyWALL If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration[...]

  • Page 60

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 60 2.4 Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen. Figure 8 HOME Screen As illustrated above, the main screen is divided into these parts: • A - title bar • B - main window • C - navigation [...]

  • Page 61

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 61 2.4.2 Main Window The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE[...]

  • Page 62

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 62 The following table describes the labels in this screen. Table 3 Web Configurator HOME Screen in Router Mode LABEL DESCRIPTION Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the [...]

  • Page 63

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 63 Interfaces This is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists. Hold your cursor over an interface’s label to display the interface’s MAC address. Click an interface’s label to go to the screen where you can conf[...]

  • Page 64

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 64 3G Connection Status This displays Down when the 3G connection is down or not activated. This displays Initializing when the ZyWALL is configuring the 3G card with AT commands. This displays Ready to Connect when the 3G connection is idle before the ZyWALL triggers a ca[...]

  • Page 65

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 65 3G Card ESN This field is available only when you insert a CDMA (Code Division Multiple Access) 3G card. This shows the ESN (Electronic Serial Number) of the inserted CDMA 3G card. The ESN is the serial number of a CDMA 3G card and is similar to the IMEI on a GSM or UMTS 3G c[...]

  • Page 66

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 66 Remaining Data Budget This field is available only when you enable budget control in the Network > WAN > 3G (WAN 2) screen. This shows how much data (in bytes) can still be transmitted through the 3G connection before the ZyWALL takes the actions you specified in th [...]

  • Page 67

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 67 2.4.4 HOME Screen: Bridge Mode The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces[...]

  • Page 68

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 68 System Name This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL. Model This is the model name of your ZyWALL. Bootbase Versi[...]

  • Page 69

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 69 Rapid Spanning Tree Protocol This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The following labels or values relative to RSTP do not apply when RSTP is disabled. Bridge Priority This is the bridge priority of the ZyWALL. The bridge (or switch) w[...]

  • Page 70

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 70 2.4.5 Navigation Panel After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features. The following table lists the features available for each device mode. Port Statistics Click Port Statistics to see router performance statistics s[...]

  • Página 71

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 71 T able Key: A Y in a mode’ s column shows that the device mode has the specified feature. The information in this table was correct at the tim e of writing, although it may be subject to change. The following table describes the sub-menus. Logs Y Y Maintenance Y Y T able 6 Sc[...]

  • Página 72

    Chapter 2 Introducing the Web Configur ator ZyWALL 2WG User’s Guide 72 WIRELESS 3G (W AN 2) 3G (W AN 2) Use this screen to configure the W AN2 connecti on for Internet access. Wi-Fi Wireless Card Use this screen to configure the wireless LAN setting s. Secur ity Use this screen to configure the WLAN security settings. MAC Filter Use this scre en [...]

  • Página 73

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 73 NA T NA T Overview Use this screen to enable NA T . Address Mapping Use this screen to configure net work address translation mapping rules. Port Forwarding Use this screen to configure servers beh ind the ZyW ALL. Port T rigge ring Use this screen to change your ZyWALL’s por[...]

  • Página 74

    Chapter 2 Introducing the Web Configur ator ZyWALL 2WG User’s Guide 74 2.4.6 Port St atistics Click Port St a t i s t i c s in the HOME screen. Read-only information here includes po rt status and packet specific statistics. The Automatic Refresh Interval field is configurable. Figure 1 1 HOME > Show S tatistics LOGS View Log Use this screen t[...]

  • Page 75

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 75 The following table describes the labels in this screen. 2.4.7 Show Statistics: Line Chart Click the icon in the Show Statistics screen when the ZyWALL is set to router mode. This screen shows you a line chart of each port’s throughput statistics. Figure 12 HOME > Sho[...]

  • Page 76

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 76 The following table describes the labels in this screen. 2.4.8 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP s[...]

  • Page 77

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 77 2.4.9 VPN Status Click VPN in the HOME screen. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. Figure 14 H[...]

  • Page 78

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 78 2.4.10 Bandwidth Monitor Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device’s bandwidth usage and allotments. Figure 15 Home > Bandwidth Monitor The following table describes the labels in this screen. IPSec Algorithm T[...]

  • Page 79

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 79 Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics. Refresh Click this button to update the screen’s statistics immed[...]

  • Page 80

    Chapter 2 Introducing the Web Configurator ZyWALL 2WG User’s Guide 80[...]

  • Page 81

    ZyWALL 2WG User’s Guide 81 CHAPTER 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview The web configurator's setup wizards help you configure Internet and VPN connection settings. [...]

  • Page 82

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 82 3.2.1 ISP Parameters The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field. 3.2.1.1 Ethernet For ISPs (such as Telstra) that send UDP heartbeat packets t[...]

  • Page 83

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 83 3.2.1.2 PPPoE Encapsulation Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve[...]

  • Page 84

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 84 The following table describes the labels in this screen. 3.2.1.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.[...]

  • Page 85

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 85 Figure 19 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 14 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, you must con[...]

  • Page 86

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 86 3.2.2 Internet Access Wizard: Second Screen Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering trial application. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup. Figure 20[...]

  • Page 87

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 87 Figure 21 Internet Access Setup Complete 3.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 20 on page 86), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activa[...]

  • Page 88

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 88 Figure 22 Internet Access Wizard: Registration The following table describes the labels in this screen. After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish. Table 15 Internet Access Wiza[...]

  • Page 89

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 89 Figure 23 Internet Access Wizard: Registration in Progress 3.2.4 Internet Access Wizard: Status This screen shows your device registration and service subscription status. Click Close to leave the wizard screen when the registration and activation are done. Figure 24 Internet Access Wizard: S [...]

  • Page 90

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 90 3.2.5 Internet Access Wizard: Service Activation If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next. Figure 26 Internet Access Wizard: Registered Device F[...]

  • Page 91

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 91 Figure 28 VPN Wizard: Gateway Setting The following table describes the labels in this screen. Table 16 VPN Wizard: Gateway Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but[...]

  • Page 92

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 92 3.4 VPN Wizard Network Setting Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remo[...]

  • Page 93

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 93 3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Starting IP Address When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyW [...]

  • Page 94

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 94 Figure 30 VPN Wizard: IKE Tunnel Setting The following table describes the labels in this screen. Table 18 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP ad[...]

  • Page 95

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 95 3.6 VPN Wizard IPSec Setting (IKE Phase 2) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. Figure 31 VPN Wizard: IPSec Setting Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating[...]

  • Page 96

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 96 The following table describes the labels in this screen. 3.7 VPN Wizard Status Summary This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. Table 19 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulati[...]

  • Page 97

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 97 Figure 32 VPN Wizard: VPN Status The following table describes the labels in this screen. Table 20 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy. Gateway Policy Setting My ZyWALL This is the WAN IP address or the domain nam[...]

  • Page 98

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 98 Network Policy Setting Local Network Starting IP Address This is a (static) IP address on the LAN behind your ZyWALL. Ending IP Address/Subnet Mask When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range IP address, [...]

  • Page 99

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 99 3.8 VPN Wizard Setup Complete Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 33 VPN Wizard Setup Complete[...]

  • Page 100

    Chapter 3 Wizard Setup ZyWALL 2WG User’s Guide 100[...]

  • Page 101

    ZyWALL 2WG User’s Guide 101 CHAPTER 4 Tutorial This chapter describes how to apply security settings to VPN traffic, how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP and how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL’s WAN port. 4.1 Security Settin[...]

  • Page 102

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 102 Figure 34 Firewall Rule for VPN 4.1.2 Configuring the VPN Rule This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security > VPN to open the following screen. C[...]

  • Page 103

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 103 Figure 36 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy 3 Click the Add Network Policy icon.[...]

  • Page 104

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 104 Figure 37 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers.[...]

  • Page 105

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 105 Figure 38 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy 4.1.3 Configuring the Firewall Rules Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to bl[...]

  • Page 106

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 106 4.1.3.1 Firewall Rule to Allow Access Example Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server. 1 Click Security > Firewall > Rule Summary. 2 Select VPN to LAN as the packet direction and click Refresh. 3 Click the insert icon. Figure 39 SECURITY >[...]

  • Page 107

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 107 Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow 5 The rule displays in the summary list of VPN to LAN firewall rules.[...]

  • Page 108

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 108 Figure 41 SECURITY > FIREWALL > Rule Summary: Allow 4.1.3.2 Default Firewall Rule to Block Other Access Example Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you ne[...]

  • Page 109

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 109 4.2 Using NAT with Multiple Public IP Addresses This section shows you examples of how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP. 4.2.1 Example Parameters and Scenario The following table shows the public IP addresses from your ISP and your ZyWALL’ [...]

  • Page 110

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 110 4.2.2 Configuring the WAN Connection with a Static IP Address The following table shows the information your ISP gave you for Internet connection. Follow the steps below to configure your ZyWALL for Internet access using PPPoE in this example. Figure 44 Tutorial Example: WAN Connection with a S[...]

  • Page 111

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 111 Figure 45 Tutorial Example: WAN 1 Screen 6 Click ADVANCED > DNS. 7 The System screen displays. Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names. Figure 46 Tutorial Example: DNS > System 8 Select Public DNS Server and ente[...]

  • Page 112

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 112 Figure 47 Tutorial Example: DNS > System Edit-1 9 Enter the rule number (2) where you want to put the second record and click the Insert button to configure the second DNS server’s IP address as follows. Click Apply. " To resolve a domain name, the ZyWALL checks it against the name [...]

  • Page 113

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 113 Figure 49 Tutorial Example: DNS > System: Done 11 Go to the Home screen to check your WAN connection status. Make sure the status is not down. Figure 50 Tutorial Example: Status 4.2.3 Public IP Address Mapping To have the local computers and servers use specific WAN IP addresses, you need [...]

  • Page 114

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 114 " The one-to-one NAT address mapping rules are for both incoming and outgoing connections. The ZyWALL forwards traffic that is initiated from either the LAN or the WAN to the destination IP address. " The many-to-one or many-to-many NAT address mapping rules are for outgoing connec[...]

  • Page 115

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 115 Figure 52 Tutorial Example: NAT > NAT Overview 3 Click the Address Mapping tab. 4 Select WAN 1. 5 Click the first rule’s Edit icon ( ) in the Modify column to display the Address Mapping Rule screen.[...]

  • Page 116

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 116 Figure 53 Tutorial Example: NAT > Address Mapping 6 Map a public IP address to the web server. Select the One-to-One type and enter 192.168.1.12 as the local start IP address and 1.2.3.5 as the global start IP address. Click Apply. Figure 54 Tutorial Example: NAT Address Mapping Edit: One- [...]

  • Page 117

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 117 Figure 55 Tutorial Example: NAT Address Mapping Edit: One-to-One (2) 9 Click the third rule’s Edit icon ( ). 10 Map a public IP address to other outgoing LAN traffic. Select the Many-to-One type and enter 192.168.1.1 as the local start IP address, 192.168.1.254 as the local end IP address and[...]

  • Page 118

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 118 Figure 57 Tutorial Example: NAT Address Mapping Done " To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.2.5 on page 120 for more information. 4.2.4 Forwarding Traffic from the WAN to a Local Computer A ser[...]

  • Page 119

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 119 Figure 58 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer 1 Click ADVANCED > NAT > Address Mapping. 2 Click the fourth rule’s Edit icon ( ) to configure a server rule. Figure 59 Tutorial Example: NAT Address Mapping Edit: Server 3 Click the Port Forwarding [...]

  • Page 120

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 120 Figure 60 Tutorial Example: NAT Port Forwarding 4.2.5 Allow WAN-to-LAN Traffic through the Firewall By default, the ZyWALL blocks any traffic initiated from the WAN to the LAN. To have the ZyWALL forward traffic initiated from WAN 1 to a local computer or server on the LAN, you need to con[...]

  • Page 121

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 121 Figure 62 Tutorial Example: Firewall Default Rule 3 Go to the Rule Summary screen. 4 Select WAN1 to LAN as the packet direction and click Refresh. 5 Click the insert icon to create a new firewall rule. Figure 63 Tutorial Example: Firewall Rule: WAN1 to LAN 6 Configure a firewall rule to allow HTT[...]

  • Page 122

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 122 Enter a descriptive name (W-L_Web for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.12 and click Add. Figure 64 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server 7 Select [...]

  • Page 123

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 123 Figure 65 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server 8 Click the insert icon to configure a firewall rule to allow traffic from the WAN to the mail server. Enter a descriptive name (W-L_Mail for example). Select Any in the Destination Address(es) box and click Delet[...]

  • Page 124

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 124 Figure 66 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server 9 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply. Figure 67 Tutorial Example: Firewall Rule: WAN to LAN Service E[...]

  • Page 125

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 125 10 Click the insert icon to configure a firewall rule to allow FTP traffic from the WAN to the FTP server. Enter a descriptive name (W-L_FTP for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.39 a[...]

  • Page 126

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 126 Figure 69 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server 12 When you are done, the Rule Summary screen looks as shown. Figure 70 Tutorial Example: Firewall Rule Summary[...]

  • Page 127

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 127 4.2.6 Testing the Connections 1 Open the web browser on one of the local computers and enter any web site’s URL in the address bar. If you can access the web site, your WAN 1 connection and NAT address mapping are configured successfully. If you cannot access it, make sure you entered the co[...]

  • Page 128

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 128 Figure 71 Tutorial Example: NAT Address Mapping Done: Game Playing " To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.2.5 on page 120 for more information. 4.4 How to Manage the ZyWALL’s Bandwidth This s[...]

  • Page 129

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 129 Figure 72 Tutorial Example: Bandwidth Management The following table shows the example information you configure in the bandwidth management screens. 4.4.2 Configuring Bandwidth Management Rules Follow the steps below to set up bandwidth management rules for different traffic. 1 Click ADVANC[...]

  • Page 130

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 130 Figure 73 Tutorial Example: Bandwidth Management Summary 7 Click the Class Setup tab. 8 Select the WAN 1 interface and click the Add Sub-Class button to create a rule for VoIP traffic. Figure 74 Tutorial Example: Bandwidth Management Class Setup 9 Enter a descriptive name (“WAN1_VoIP” for [...]

  • Page 131

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 131 Figure 75 Tutorial Example: Bandwidth Management Class Setup: VoIP 12 Click the Add Sub-Class button to create a rule for FTP traffic as follows. Click Apply. Figure 76 Tutorial Example: Bandwidth Management Class Setup: FTP 13 Click the Add Sub-Class button to create a rule for WWW traffic as[...]

  • Page 132

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 132 Figure 77 Tutorial Example: Bandwidth Management Class Setup: WWW 14 When you are finished, the Class Setup screen looks as shown. Figure 78 Tutorial Example: Bandwidth Management Class Setup Done 15 Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface.[...]

  • Page 133

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 133 Figure 79 Tutorial Example: Bandwidth Management Monitor 4.5 Configuring Content Filtering You can use the ZyWALL’s content filtering policies to apply specific content filtering settings to specific users. You can even filter certain things at certain times. For example, you decide to set [...]

  • Page 134

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 134 1 Click SECURITY > CONTENT FILTER. 2 Enable the content filter and external database content filtering. 3 Click Apply. Figure 80 SECURITY > CONTENT FILTER > General 4.5.2 Block Categories of Web Content Here is how to block access to web pages by category of content. 1 Click SECURITY [...]

  • Page 135

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 135 Figure 81 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. 4 Click Apply. Figure 82 SECURITY > CONTENT FILTER > Policy > External Database (Default)[...]

  • Page 136

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 136 4.5.3 Assign Bob’s Computer a Specific IP Address You will configure a content filtering policy for traffic from Bob’s computer’s IP address. Do the following to have the ZyWALL always give Bob’s computer the same IP address (192.168.1.33 in this example). 1 Click HOME > DHCP Ta[...]

  • Page 137

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 137 5 Click Apply. Figure 85 SECURITY > CONTENT FILTER > Policy > Insert 4.5.5 Set the Content Filter Schedule You want to let Bob access arts and entertainment web pages, but only during lunch. So you configure a schedule to only apply the Bob policy from 12:00 to 13:00. For the rest of[...]

  • Page 138

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 138 4 Click Apply. Figure 87 SECURITY > CONTENT FILTER > Policy > Schedule (Bob) 4.5.6 Block Categories of Web Content for Bob Now you select the categories of web pages to block Bob from accessing. 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy’s external databa[...]

  • Page 139

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 139 Figure 88 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. This is very similar to Section 4.5.2 on page 134, except you do not select the arts and entertainment category. 4 Click Apply. Figure 89 SECURITY > CONTENT FILTER > Policy > External [...]

  • Page 140

    Chapter 4 Tutorial ZyWALL 2WG User’s Guide 140[...]

  • Page 141

    ZyWALL 2WG User’s Guide 141 CHAPTER 5 Registration 5.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. " You need to create an account before you can register your device and activate the services at myZyXEL.com. You [...]

  • Page 142

    Chapter 5 Registration ZyWALL 2WG User’s Guide 142 5.2 Registration To register your ZyWALL with myZyXEL.com and activate the content filtering service, click REGISTRATION in the navigation panel to open the screen as shown next. Figure 90 REGISTRATION The following table describes the labels in this screen. Table 21 REGISTRATION LABEL DESC[...]

  • Page 143

    Chapter 5 Registration ZyWALL 2WG User’s Guide 143 " If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status. Figure 91 REGISTRATION: Registered Device 5.3 Service After you activate a trial, you can also use the Se[...]

  • Page 144

    Chapter 5 Registration ZyWALL 2WG User’s Guide 144 Figure 92 REGISTRATION > Service The following table describes the labels in this screen. Table 22 REGISTRATION > Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether a service is activa[...]

  • Page 145

    145 PART II Network and Wireless LAN Screens (147) Bridge Screens (159) WAN Screens (165) DMZ Screens (201) Wireless LAN (211)[...]

  • Page 146

    146[...]

  • Page 147

    ZyWALL 2WG User’s Guide 147 CHAPTER 6 LAN Screens This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. 6.1 LAN, WAN and the ZyWALL A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and ne[...]

  • Page 148

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 148 Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network [...]

  • Page 149

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 149 6.3 DHCP The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL rela[...]

  • Page 150

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 150 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.[...]

  • Page 151

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 151 Figure 94 NETWORK > LAN The following table describes the labels in this screen. Table 23 NETWORK > LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button t[...]

  • Page 152

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 152 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you h[...]

  • Page 153

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 153 6.8 LAN Static DHCP This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal [...]

  • Page 154

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 154 Figure 95 NETWORK > LAN > Static DHCP The following table describes the labels in this screen. 6.9 LAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. Table 24 NETWORK > LAN > Static DHCP LABEL DESCRIPTI[...]

  • Page 155

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 155 The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The ZyWALL supports three logical LAN interfaces via its single physical LAN Ethernet in[...]

  • Page 156

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 156 The following table describes the labels in this screen. 6.10 LAN Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. " Do the following if you are configuring from a comput [...]

  • Page 157

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 157 " Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens. Figure 98 NETWORK > LAN > Port Roles The following table describes the labels in this screen. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the follo[...]

  • Page 158

    Chapter 6 LAN Screens ZyWALL 2WG User’s Guide 158[...]

  • Page 159

    ZyWALL 2WG User’s Guide 159 CHAPTER 7 Bridge Screens This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 7.1 Bridge Loop The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging i[...]

  • Page 160

    Chapter 7 Bridge Screens ZyWALL 2WG User’s Guide 160 7.2 Spanning Tree Protocol (STP) STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the net[...]

  • Page 161

    Chapter 7 Bridge Screens ZyWALL 2WG User’s Guide 161 Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. T[...]

  • Page 162

    Chapter 7 Bridge Screens ZyWALL 2WG User’s Guide 162 Figure 101 NETWORK > Bridge The following table describes the labels in this screen. Table 29 NETWORK > Bridge LABEL DESCRIPTION Bridge IP Address Setup IP Address Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask The subnet mask specifies the network num[...]

  • Page 163

    Chapter 7 Bridge Screens ZyWALL 2WG User’s Guide 163 7.4 Bridge Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. To change your ZyWALL’s port role settings, click NETWORK > BRIDGE > Port Roles. The screen appears a[...]

  • Page 164

    Chapter 7 Bridge Screens ZyWALL 2WG User’s Guide 164 Figure 102 NETWORK > Bridge > Port Roles The following table describes the labels in this screen. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 103 Po[...]

  • Page 165

    ZyWALL 2WG User’s Guide 165 CHAPTER 8 WAN Screens This chapter describes how to configure WAN settings. " WAN 2 refers to the 3G card on the supported ZyWALL in router mode. 8.1 WAN Overview • Use the WAN General screen to configure load balancing, route priority and connection test for the ZyWALL. • Use the WAN 1 screen to co[...]

  • Page 166

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 166 The ZyWALL's NAT feature allows you to configure sets of rules for one WAN interface and separate sets of rules for the other WAN interface. Refer to Chapter 17 on page 385 for details. You can select through which WAN interface you want to send out traffic from UPnP-enabled applicati[...]

  • Page 167

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 167 Figure 104 Least Load First Example If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below. Since WAN 2 has a smaller lo[...]

  • Page 168

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 168 This algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two inter[...]

  • Page 169

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 169 8.5 WAN Interface to Local Host Mapping Timeout You can set the ZyWALL to send all of a local computer’s traffic through the same WAN interface. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is req[...]

  • Page 170

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 170 8.6 TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly co[...]

  • Page 171

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 171 Figure 108 NETWORK > WAN General[...]

  • Page 172

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 172 The following table describes the labels in this screen. Table 33 NETWORK > WAN General LABEL DESCRIPTION Active/Passive (Fail Over) Mode Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN interface as a back up. This means that the Zy[...]

  • Page 173

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 173 Check Fail Tolerance Type how many WAN connection checks can fail (1-10) before the connection is considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects. Check WAN1/2 Connectivity Select the check box to have the [...]

  • Page 174

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 174 8.8 Configuring Load Balancing To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL. The WAN General screen va[...]

  • Page 175

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 175 8.8.2 Weighted Round Robin To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field. Figure 110 Load Balancing: Weighted Round Robin The following table describes the related fields in this screen. Time Frame You can set the [...]

  • Page 176

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 176 8.8.3 Spillover To load balance using the spillover method, select Spillover in the Load Balancing Algorithm field. Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. By default, WAN 1 is the primary WAN and WAN 2 is the secondary WA [...]

  • Page 177

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 177 8.9 WAN IP Address Assignment Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Number[...]

  • Page 178

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 178 8.11 WAN MAC Address Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You can configure the WAN port's MAC address by either using the f[...]

  • Page 179

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 179 Figure 112 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) The following table describes the labels in this screen. Table 38 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when[...]

  • Page 180

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 180 Login Server (Telia Login only) Type the domain name of the Telia login server, for example login1.telia.com. Relogin Every(min) (Telia Login only) The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for th[...]

  • Page 181

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 181 8.12.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection usin[...]

  • Page 182

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 182 Figure 113 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) The following table describes the labels in this screen. Table 39 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPPoE for a dial-up connection using PPPoE[...]

  • Page 183

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 183 Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for o[...]

  • Page 184

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 184 8.12.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual [...]

  • Page 185

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 185 Figure 114 NETWORK > WAN > WAN 1 (PPTP Encapsulation) The following table describes the labels in this screen. Table 40 NETWORK > WAN > WAN 1 (PPTP Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Set the encapsulation method to PPTP. The ZyWALL[...]

  • Page 186

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 186 Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol fo[...]

  • Page 187

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 187 8.13 WAN 2 (3G WAN) 3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides [...]

  • Page 188

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 188 Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength of the service provider’s base station, your service plan, etc. If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. See the foll[...]

  • Page 189

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 189 Note: Turn the ZyWALL off before you install or remove the 3G card. Note: The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.[...]

  • Page 190

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 190 Figure 115 NETWORK > WAN > WAN 2 (3G WAN) The following table describes the labels in this screen. Table 42 NETWORK > WAN > WAN 2 (3G WAN) LABEL DESCRIPTION WAN2 Setup Enable Select this option to enable WAN 2. 3G Card Configuration The fields below display only when [...]

  • Page 191

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 191 3G Wireless Card This displays the manufacturer and model name of your 3G card if you inserted one in the ZyWALL. Otherwise, it displays Not Installed. Network Type Select the type of the network (UMTS/HSDPA only, GPRS/EDGE only, GSM all or WCDMA all) to which you want the card to connect.[...]

  • Page 192

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 192 Phone Number Enter the phone number (dial string) used to dial up a connection to your service provider’s base station. Your ISP should provide the dial string. By default, *99# is the dial string for GSM-based networks and #777 is the dial string for CDMA-based networks. Nailed-Up Select Nai[...]

  • Page 193

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 193 8.14 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. Figure 116 Traffic Redirect[...]

  • Page 194

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 194 IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in t[...]

  • Page 195

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 195 8.16 Configuring Dial Backup Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Figure 119 NETWORK > WAN > Dial Backup The following table describes the labels in this screen. Table 44 NETWORK >[...]

  • Page 196

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 196 Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to Confirm Type your password again to make sure that you have entered it correctly. Authentication Type Use the drop-down list box to select an authentication protocol for outgo[...]

  • Page 197

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 197 8.17 Advanced Modem Setup 8.17.1 AT Command Strings For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP. For ISDN l[...]

  • Page 198

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 198 8.17.2 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to i[...]

  • Page 199

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 199 The following table describes the labels in this screen. Table 45 NETWORK > WAN > Dial Backup > Edit LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command string to drop a call. "~" represents a one second wait, [...]

  • Page 200

    Chapter 8 WAN Screens ZyWALL 2WG User’s Guide 200[...]

  • Page 201

    ZyWALL 2WG User’s Guide 201 CHAPTER 9 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. 9.1 DMZ The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of D [...]

  • Page 202

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 202 Figure 121 NETWORK > DMZ The following table describes the labels in this screen. Table 46 NETWORK > DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ a[...]

  • Page 203

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 203 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you[...]

  • Page 204

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 204 9.3 DMZ Static DHCP This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecima[...]

  • Page 205

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 205 Figure 122 NETWORK > DMZ > Static DHCP The following table describes the labels in this screen. 9.4 DMZ IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. Table 47 NETWORK > DMZ > Static DHCP LABEL DESCRIP[...]

  • Page 206

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 206 The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The ZyWALL supports three logical DMZ interfaces via its single physical DMZ Ethernet [...]

  • Page 207

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 207 9.5 DMZ Public IP Address Example The following figure shows a simple network setup with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) [...]

  • Page 208

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 208 Figure 124 DMZ Public Address Example 9.6 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers [...]

  • Page 209

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 209 Figure 125 DMZ Private and Public Address Example 9.7 DMZ Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. Note: Do the following if you are configuring from a computer conne[...]

  • Page 210

    Chapter 9 DMZ Screens ZyWALL 2WG User’s Guide 210 Figure 126 NETWORK > DMZ > Port Roles The following table describes the labels in this screen. Table 49 NETWORK > DMZ > Port Roles LABEL DESCRIPTION LAN Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MAC a[...]

  • Page 211

    ZyWALL 2WG User’s Guide 211 CHAPTER 10 Wireless LAN This chapter discusses how to configure wireless LAN on the ZyWALL. 10.1 Wireless LAN Introduction A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicat[...]

  • Page 212

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 212 • Every wireless client in the same wireless network must use the same SSID. The SSID is the name of the wireless network. It stands for Service Set IDentity. • If two wireless networks overlap, they should use different channels. Like radio stations or television channels, each wirel[...]

  • Page 213

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 213 Figure 128 NETWORK > WLAN The following table describes the labels in this screen. Table 50 NETWORK > WLAN LABEL DESCRIPTION WLAN TCP/IP IP Address Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy a[...]

  • Page 214

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 214 RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless yo[...]

  • Page 215

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 215 10.3 WLAN Static DHCP This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadec [...]

  • Page 216

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 216 Figure 129 NETWORK > WLAN > Static DHCP The following table describes the labels in this screen. 10.4 WLAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. Table 51 NETWORK > WLAN > Static DHCP LABEL [...]

  • Page 217

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 217 The ZyWALL has a single WLAN interface. Even though more than one of ports 1~4 may be in the WLAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The ZyWALL supports three logical WLAN interfaces via its single physical WLAN Eth[...]

  • Page 218

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 218 10.5 WLAN Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. The [...]

  • Page 219

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 219 Figure 131 WLAN Port Role Example Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1 A port's IP address varies as its role changes, make sure your computer's IP address is in the same subnet as th[...]

  • Page 220

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 220 Figure 132 NETWORK > WLAN > Port Roles The following table describes the labels in this screen. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 133 NETWO[...]

  • Page 221

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 221 10.6.1 SSID Normally, the AP acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the AP does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess. This type of security is [...]

  • Page 222

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 222 Unauthorized devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the[...]

  • Page 223

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 223 Note: It is not possible to use WPA-PSK, WPA or stronger encryption with a local user database. In this case, it is better to set up stronger encryption with no authentication than to set up weaker encryption with the local user database. If some wireless clients support WPA and some sup[...]

  • Page 224

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 224 Figure 134 WIRELESS > Wi-Fi > Wireless Card The following table describes the labels in this screen. Table 55 WIRELESS > Wi-Fi > Wireless Card LABEL DESCRIPTION Enable Wireless Card The wireless LAN through a wireless LAN card is turned off by default, before you enable the wirele[...]

  • Page 225

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 225 802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyWALL. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyWALL. Select 802.11b+g to allow both IEEE802.11b and IEEE802.11g compliant WLAN d[...]

  • Page 226

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 226 10.7.1 SSID Profile Configure wireless network security by configuring and applying an SSID profile. You can configure multiple profiles but you can only apply one to your network. Use the Wireless Card screen to see information about the SSID profiles on the ZyWALL, and use the Wireless C[...]

  • Page 227

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 227 The following table describes the labels in this screen. 10.8 Configuring Wireless Security Click WIRELESS > Wi-Fi > Security to open the Security screen. Use this screen to create security profiles. A security profile is a group of configuration settings which can be assigned to an SSID [...]

  • Page 228

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 228 Figure 136 WIRELESS > Wi-Fi > Security The following table describes the labels in this screen. 10.8.1 No Security Note: If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device within range. WPA2-MIX Select this to use [...]

  • Page 229

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 229 Figure 137 WIRELESS > Wi-Fi > Security: None The following table describes the wireless LAN security labels in this screen. 10.8.2 Static WEP Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to enc[...]

  • Page 230

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 230 The following table describes the labels in this screen. 10.8.3 IEEE 802.1x Only Click the WIRELESS > Wi-Fi > Security > Edit. Select 8021X-Only from the Security Mode list. Figure 139 WIRELESS > Wi-Fi > Security: 802.1x Only The following table describes the labels in this scre[...]

  • Page 231

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 231 10.8.4 IEEE 802.1x + Static WEP Click the WIRELESS > Wi-Fi > Security > Edit. Select 8021X-Static64 or 8021X-Static128 in the Security Mode field to display the following screen. Figure 140 WIRELESS > Wi-Fi > Security: 802.1x + Static WEP The following table describes the l[...]

  • Page 232

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 232 10.8.5 WPA, WPA2, WPA2-MIX Click WIRELESS > Wi-Fi > Security > Edit. Select WPA, WPA2 or WPA2-MIX from the Security Mode list. Figure 141 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX Key 1 to Key 4 If you chose 8021X-Static64 in the Security Mode field, then [...]

  • Page 233

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 233 The following table describes the labels in this screen. 10.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX Click WIRELESS > Wi-Fi > Security > Edit. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX from the Security Mode list. Table 63 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX LAB[...]

  • Page 234

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 234 Figure 142 WIRELESS > Wi-Fi > Security: WPA(2)-PSK The following table describes the labels in this screen. Table 64 WIRELESS > Wi-Fi > Security: WPA(2)-PSK LABEL DESCRIPTION Name Type a name to identify this security profile. Security Mode Select WPA-PSK, WPA2-PSK or WPA2-P[...]

  • Page 235

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 235 10.9 MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow) or exclude specific devices from accessing the ZyWALL (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned[...]

  • Page 236

    Chapter 10 Wireless LAN ZyWALL 2WG User’s Guide 236 MAC Address Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyWALL in these address fields. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. Table 65 W[...]

  • Page 237

    237 PART III Security Firewall (239) Content Filtering Screens (271) Content Filtering Reports (293) IPSec VPN (301) Certificates (349) Authentication Server (379)[...]

  • Page 238

    238[...]

  • Page 239

    ZyWALL 2WG User’s Guide 239 CHAPTER 11 Firewall This chapter shows you how to configure your ZyWALL’s firewall. 11.1 Firewall Overview The networking term firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted netw[...]

  • Page 240

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 240 Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL take[...]

  • Page 241

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 241 Packets have a source and a destination. The packet direction matrix in the lower part of the screen sets what the ZyWALL does with packets traveling in a specific direction that do not match any of the firewall rules. To set the ZyWALL to by default silently block traffic from WAN 1 from g[...]

  • Page 242

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 242 11.3 Packet Direction Examples Firewall rules are grouped based on the direction of travel of packets to which they apply. This section gives some examples of why you might configure firewall rules for specific connection directions. By default, the ZyWALL allows packets traveling in the followi[...]

  • Page 243

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 243 See Chapter 4 on page 101 for information about packets traveling to or from the VPN tunnels. 11.3.1 To VPN Packet Direction The ZyWALL can apply firewall rules to traffic before encrypting it to send through a VPN tunnel. To VPN means traffic that comes in through the selected “from” int[...]

  • Page 244

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 244 In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 148 Block DMZ to VPN Traffic by Default Example 11.3.2 From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The[...]

  • Page 245

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 245 Figure 149 From VPN to LAN Example In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows.[...]

  • Page 246

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 246 Figure 150 Block VPN to LAN Traffic by Default Example 11.3.3 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the[...]

  • Page 247

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 247 Figure 151 From VPN to VPN Example You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 152 Block VPN to VPN Traffic by Default Example[...]

  • Page 248

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 248 11.4 Security Considerations Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramific[...]

  • Page 249

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 249 Your firewall would have the following configuration. • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN. The ZyWALL applies the firewall rules in order. So for this exa[...]

  • Page 250

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 250 • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN. Th[...]

  • Page 251

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 251 Figure 155 Using IP Alias to Solve the Triangle Route Problem 11.7 Firewall Default Rule (Router Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 156 SECURITY > FIREWALL &[...]

  • Page 252

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 252 The following table describes the labels in this screen. Table 68 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL’s firewall rules storage space that is currently in use. When the storage space is almost full, yo [...]

  • Page 253

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 253 11.8 Firewall Default Rule (Bridge Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. See Section 11.1 on page 239 for more information about the firewall. From, To The firewall rule[...]

  • Page 254

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 254 Figure 157 SECURITY > FIREWALL > Default Rule (Bridge Mode) The following table describes the labels in this screen. Table 69 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL’s firewall rules storage space that[...]

  • Page 255

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 255 11.9 Firewall Rule Summary Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules. From, To The firewall rules are grouped by the direction of packet travel. This displays the number of rules for each packet direction. Clic[...]

  • Page 256

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 256 Note: The ordering of your rules is very important as rules are applied in the order that they are listed. See Section 11.1 on page 239 for more information about the firewall. Figure 158 SECURITY > FIREWALL > Rule Summary The following table describes the labels in this screen. Table 70[...]

  • Page 257

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 257 11.9.1 Firewall Edit Rule In the Rule Summary screen, click the edit icon or the insert icon to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels. See Section 11.1 on page 239 for more information[...]

  • Page 258

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 258 Figure 159 SECURITY > FIREWALL > Rule Summary > Edit[...]

  • Page 259

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 259 The following table describes the labels in this screen. Table 71 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed. Edit Sourc[...]

  • Página 260

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 260 11.10 Anti-Probing Click SECURITY > FIREWALL > Anti-Probing to open the following screen. Configure this screen to help keep the ZyWALL hidden from probing attempts. You can specify which of the ZyWALL’s interfaces will respond to Ping requests and whether or not the ZyWALL is to[...]

  • Page 261

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 261 The following table describes the labels in this screen. 11.11 Firewall Thresholds For DoS attacks, the ZyWALL uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions. For TCP, half-[...]

  • Page 262

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 262 11.11.1 Threshold Values If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in[...]

  • Page 263

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 263 The following table describes the labels in this screen. Table 73 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thres[...]

  • Page 264

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 264 11.13 Service Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. See Section 11.1 on page 239 for more information about the firewall. Figure 1[...]

  • Page 265

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 265 11.13.1 Firewall Edit Custom Service Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL. See Appendix D on page 737 the user’s guide appendices for a list of commonly u [...]

  • Page 266

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 266 The following table describes the labels in this screen. 11.14 My Service Firewall Rule Example The following Internet firewall rule example allows a hypothetical My Service connection from the Internet. 1 In the Service screen, click Add to open the Edit Custom Service screen. Figure 165 My Ser[...]

  • Page 267

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 267 Figure 166 My Service Firewall Rule Example: Edit Custom Service 3 Click Rule Summary. Select WAN 1 and LAN from the Packet Direction drop-down list boxes and click Refresh to display existing firewall rules for the selected direction of travel of packets. 4 Click the insert icon at the top of t[...]

  • Page 268

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 268 Figure 168 My Service Firewall Rule Example: Rule Edit: Source and Destination Addresses 8 In the Edit Service section, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Note: Custom services show up with an * before the[...]

  • Page 269

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 269 Figure 169 My Service Firewall Rule Example: Edit Rule: Service Configuration Rule 1 allows a My Service connection from WAN 1 to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.[...]

  • Page 270

    Chapter 11 Firewall ZyWALL 2WG User’s Guide 270 Figure 170 My Service Firewall Rule Example: Rule Summary: Completed[...]

  • Page 271

    ZyWALL 2WG User’s Guide 271 CHAPTER 12 Content Filtering Screens This chapter provides an overview of content filtering. 12.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites. With content filtering, you can do the following: 12.1.1 Restrict Web F[...]

  • Page 272

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 272 Figure 171 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’[...]

  • Page 273

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 273 Figure 172 SECURITY > CONTENT FILTER > General The following table describes the labels in this screen. Table 76 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION General Setup Enable Content Filter Select this check box to enable the content filter. Content[...]

  • Page 274

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 274 Matched Web Pages Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER Ge[...]

  • Page 275

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 275 12.4 Content Filter Policy Click SECURITY > CONTENT FILTER > Policy to display the following screen. This screen lists groups of content filtering settings called policies. Content filtering policies allow you to have different content filtering settings for different use[...]

  • Page 276

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 276 Figure 173 SECURITY > CONTENT FILTER > Policy The following table describes the labels in this screen. Table 77 SECURITY > CONTENT FILTER > Policy LABEL DESCRIPTION Content Filter Storage Space in Use This bar displays the percentage of the ZyWALL’s content filt[...]

  • Page 277

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 277 12.5 Content Filter Policy: General Click SECURITY > CONTENT FILTER > Policy and use the Insert button or a policy’s general icon to display the following screen. Use this screen to restrict web features and edit the source (user) addresses or ranges of addresses to wh[...]

  • Page 278

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 278 12.6 Content Filter Policy: External Database Click SECURITY > CONTENT FILTER > Policy and then a policy’s external database icon to display the following screen. Use this screen to edit which content categories the content filter policy blocks. Restrict Web Features Se[...]

  • Page 279

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 279 Figure 175 SECURITY > CONTENT FILTER > Policy > External Database The following table describes the labels in this screen. Table 79 SECURITY > CONTENT FILTER > Policy > External Database LABEL DESCRIPTION Policy Name This is the name of the content filter poli[...]

  • Page 280

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 280 Sex Education Selecting this category excludes pages that provide graphic information (sometimes graphic) on reproduction, sexual development, safe sex practices, sexuality, birth control, and sexual development. It also includes pages that offer tips for better sex as well as [...]

  • Page 281

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 281 Hacking Selecting this category excludes pages that distribute, promote, or provide hacking tools and/or information which may help gain unauthorized access to computer systems and/or computerized communication systems. Hacking encompasses instructions on illegal or questionab[...]

  • Page 282

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 282 Government/Legal Selecting this category excludes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental enti[...]

  • Page 283

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 283 Reference Selecting this category excludes pages containing personal, professional, or educational reference, including online dictionaries, maps, census, almanacs, library catalogues, genealogy-related pages and scientific information. Open Image/Media Search Selecting this cate[...]

  • Page 284

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 284 Society/Lifestyle Selecting this category excludes pages providing information on matters of daily life. This does not include pages relating to entertainment, sports, jobs, sex or pages promoting alternative lifestyles such as homosexuality. Personal homepages fall within this [...]

  • Page 285

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 285 12.7 Content Filter Policy: Customization Click SECURITY > CONTENT FILTER > Policy and then a policy’s customization icon to display the following screen. Use this screen to select good (allowed) web site addresses for this policy and bad (blocked) web site addresses. Yo[...]

  • Page 286

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 286 Figure 176 SECURITY > CONTENT FILTER > Policy > Customization The following table describes the labels in this screen. Table 80 SECURITY > CONTENT FILTER > Policy > Customization LABEL DESCRIPTION Policy Name This is the name of the content filter policy that [...]

  • Page 287

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 287 12.8 Content Filter Policy: Schedule Click SECURITY > CONTENT FILTER > Policy and then a policy’s schedule icon to display the following screen. Use this screen to set for which days and times the policy applies. Available Trusted Object This list displays the trusted h[...]

  • Page 288

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 288 Figure 177 SECURITY > CONTENT FILTER > Policy > Schedule The following table describes the labels in this screen. 12.9 Content Filter Object Click SECURITY > CONTENT FILTER > Object to display the following screen. Table 81 SECURITY > CONTENT FILTER > Poli[...]

  • Page 289

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 289 Use this screen to a list of allowed web site addresses for this policy and a list of blocked web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the fil[...]

  • Page 290

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 290 12.10 Customizing Keyword Blocking URL Checking You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter. 12.10.1 Domain Name or IP Address [...]

  • Page 291

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 291 12.10.2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/. [...]

  • Page 292

    Chapter 12 Content Filtering Screens ZyWALL 2WG User’s Guide 292 Figure 179 SECURITY > CONTENT FILTER > Cache The following table describes the labels in this screen. Table 83 SECURITY > CONTENT FILTER > Cache LABEL DESCRIPTION URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the[...]

  • Page 293

    ZyWALL 2WG User’s Guide 293 CHAPTER 13 Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 141 on how to create a myZyXEL.com account, register your device and activate the subscription services using th[...]

  • Page 294

    Chapter 13 Content Filtering Reports ZyWALL 2WG User’s Guide 294 Figure 180 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 182 on page [...]

  • Page 295

    Chapter 13 Content Filtering Reports ZyWALL 2WG User’s Guide 295 Figure 182 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 182 on page 295). Type your myZyXEL.com account password in the Password field. 6 Cl[...]

  • Page 296

    Chapter 13 Content Filtering Reports ZyWALL 2WG User’s Guide 296 Figure 184 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 185 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field a[...]

  • Page 297

    Chapter 13 Content Filtering Reports ZyWALL 2WG User’s Guide 297 Figure 186 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.[...]

  • Page 298

    Chapter 13 Content Filtering Reports ZyWALL 2WG User’s Guide 298 Figure 187 Requested URLs Example 13.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site [...]

  • Page 299

    Chapter 13 Content Filtering Reports ZyWALL 2WG User’s Guide 299 Figure 188 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.[...]

  • Page 300

    Chapter 13 Content Filtering Reports ZyWALL 2WG User’s Guide 300[...]

  • Page 301

    ZyWALL 2WG User’s Guide 301 CHAPTER 14 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL. 14.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the[...]

  • Page 302

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 302 A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPS[...]

  • Page 303

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 303 You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well. Somet[...]

  • Page 304

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 304 Figure 193 SECURITY > VPN > VPN Rules (IKE) The following table describes the labels in this screen. Table 84 SECURITY > VPN > VPN Rules (IKE) LABEL DESCRIPTION VPN Rules These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks[...]

  • Page 305

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 305 14.3 IKE SA Setup This section provides more details about IKE SAs. 14.3.1 IKE SA Proposal The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, this i[...]

  • Page 306

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 306 Note: Both routers must use the same encryption algorithm, authentication algorithm, and DH key group. See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 14.3.1.1 on page 306 for more information about DH ke[...]

  • Page 307

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 307 Note: The ZyWALL and the remote IPSec router must use the same pre-shared key. Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is only[...]

  • Page 308

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 308 • Instead of using the pre-shared key, the ZyWALL and remote IPSec router check each other’s certificates. • The local ID type and ID content come from the certificate. On the ZyWALL, you simply select which certificate to use. • If you set the peer ID type to Any, the ZyWALL authe[...]

  • Page 309

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 309 Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and sends its (unencrypted) identity to the ZyWALL for authentication. Step 3: The ZyWALL authenticates the remote IPSe[...]

  • Page 310

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 310 14.4.1 SA Life Time SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations: • There is traffic when the SA life time expires • The IPSec SA is configured on the ZyWALL as na[...]

  • Page 311

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 311 Figure 198 IPSec High Availability When setting up an IPSec high availability VPN tunnel, the remote IPSec router: • Must have multiple WAN connections • Only needs one corresponding IPSec rule • Should only have IPSec high availability settings in its corresponding IPSec rule if your Z[...]

  • Page 312

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 312 14.5 VPN Rules (IKE) Gateway Policy Edit In the VPN Rule (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN-Gateway Policy -Edit screen. Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a[...]

  • Page 313

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 313 Figure 199 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy[...]

  • Page 314

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 314 The following table describes the labels in this screen. Table 87 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops [...]

  • Page 315

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 315 Fall back to Primary Remote Gateway when possible Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again. Fall Back Check Interval* Set how often the ZyWALL should check the connection to the primary remote gateway while connec[...]

  • Page 316

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 316 Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. S[...]

  • Page 317

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 317 Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (s[...]

  • Page 318

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 318 14.6 IPSec SA Overview Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks. Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore. This secti[...]

  • Page 319

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 319 In most cases you should use virtual address mapping (see Section 14.6.2 on page 319) to avoid overlapping local and remote network IP addresses. See Section 14.17 on page 338 for how the ZyWALL handles overlapping local and remote network IP addresses. 14.6.2 Virtual Address Mapping Virtual[...]

  • Page 320

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 320 14.6.3 Active Protocol The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security P[...]

  • Page 321

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 321 In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL does not include the IP header when it encapsulates the packet, so it is not possible to verify the [...]

  • Page 322

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 322 Figure 202 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy[...]

  • Page 323

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 323 The following table describes the labels in this screen. Table 88 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn th[...]

  • Page 324

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 324 Port Forwarding Rules If you are configuring a Many-to-One rule, click this button to go to a screen where you can configure port forwarding for your VPN tunnels. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP addr[...]

  • Page 325

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 325 Ending IP Address/Subnet Mask When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field [...]

  • Page 326

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 326 14.8 Network Policy Port Forwarding Click SECURITY > VPN and the add network policy icon in the VPN Rules (IKE) screen to display the VPN-Network Policy -Edit screen. Then, under Virtual Address Mapping Rule, select Many-to-One as the Type and click the Port Forwarding Rules button to o[...]

  • Page 327

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 327 Figure 203 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding The following table describes the labels in this screen. Table 89 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding LABEL DESCRIPTION Default Server In addition to[...]

  • Page 328

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 328 14.9 Network Policy Move Click the move icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one or m[...]

  • Page 329

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 329 14.10 Dialing the VPN Tunnel via Web Configurator To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. If you find a disconnect icon next to the rule you just created in the VPN Rules[...]

  • Page 330

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 330 Figure 207 VPN Tunnel Established 14.11 VPN Troubleshooting If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slo[...]

  • Page 331

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 331 Figure 208 VPN Log Example 14.12 IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (in the commands). ras> sys log disp ike ipsec # .time source destination notes message 0|01/11/2001 18:4[...]

  • Page 332

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 332 Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information. Type ipsec debug level 0 and press [ENTER] to stop it. Figure 209 IKE/IPSec Debug Example ras> ipsec debug type level dis[...]

  • Page 333

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 333 14.13 IPSec SA Using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using ma[...]

  • Page 334

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 334 Figure 210 SECURITY > VPN > VPN Rules (Manual) The following table describes the labels in this screen. Table 91 SECURITY > VPN > VPN Rules (Manual) LABEL DESCRIPTION # This is the VPN policy index number. Name This field displays the identification name for this VPN policy. Active T[...]

  • Page 335

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 335 14.15 VPN Rules (Manual) Edit Click the Add button or the edit icon on the VPN Rules (Manual) screen to open the following screen. Use this screen to configure VPN rules that use manual keys. Manual key management is useful if you have problems with IKE key management. See Section 14.13 on page [...]

  • Page 336

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 336 Allow NetBIOS Traffic Through IPSec Tunnel This field is not available when the ZyWALL is in bridge mode. NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VP[...]

  • Page 337

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 337 My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyW[...]

  • Page 338

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 338 14.16 VPN SA Monitor In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use [...]

  • Page 339

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 339 14.17.1.1 Dynamic VPN Rule Local and remote network IP addresses can overlap when you configure a dynamic VPN rule for a remote site (see Figure 213). For example, when you configure ZyWALL X, you configure the local network as 192.168.1.0/24 and the remote network as any (0.0.0.0). The “a[...]

  • Page 340

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 340 Figure 214 Overlap in IP Alias and VPN Remote Networks In this case, if you want to send packets from network A to an overlapped IP (ex. 10.1.2.241) that is in the IP alias network M, you have to set Local and Remote IP Address Conflict Resolution to The Local Network. Figure 215 SECURITY > [...]

  • Page 341

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 341 14.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. Gateway Domai[...]

  • Page 342

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 342 14.18.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyWALL at headquarters (HQ in the figure). The telecommuters do not [...]

  • Page 343

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 343 See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VP[...]

  • Page 344

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 344 14.19 VPN and Remote Management You can allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. One of the ZyWALL’s ports must be part of the VPN rule’s local network. This can be the ZyWALL’s LAN port if you do not want to allow remote manage[...]

  • Page 345

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 345 Figure 219 VPN Topologies Hub-and-spoke VPN reduces the number of VPN connections that you have to set up and maintain in the network. Small office or telecommuter IPSec routers that support a limited number of VPN tunnels are also able to use VPN to connect to more networks. Hub-and-spoke VP[...]

  • Page 346

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 346 Figure 220 Hub-and-spoke VPN Example 14.20.2 Hub-and-spoke Example VPN Rule Addresses The VPN rules for this hub-and-spoke example would use the following address settings. Branch Office A: • Remote Gateway: 10.0.0.1 • Local IP address: 192.168.167.0/255.255.255.0 • Remote IP address: 192[...]

  • Page 347

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 347 The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. If you want to have the spoke rout[...]

  • Page 348

    Chapter 14 IPSec VPN ZyWALL 2WG User’s Guide 348[...]

  • Page 349

    ZyWALL 2WG User’s Guide 349 CHAPTER 15 Certificates This chapter gives background information about public-key certificates and explains how to use them. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the ce[...]

  • Page 350

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 350 Certification authorities maintain directory ser vers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled exp iration is called a CRL (Certificate Revocation List). The ZyW ALL can check a peer ’ s certificate against a dire[...]

  • Page 351

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 351 Figure 222 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.[...]

  • Page 352

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 352 15.5 My Certificates Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. Figure 224 SECURITY >[...]

  • Page 353

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 353 Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Issuer This field disp[...]

  • Page 354

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 354 15.6 My Certificate Details Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 224 on page 352). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change [...]

  • Page 355

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 355 Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was cr[...]

  • Page 356

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 356 15.7 My Certificate Export Click SECURITY > CERTIFICATES > My Certificates and then a certificate’s export icon to open the My Certificate Export screen. Follow the instructions in this screen to choose the file format to use for saving the certificate from the ZyWALL to a computer[...]

  • Page 357

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 357 15.8 My Certificate Import Click SECURITY > CERTIFICATES > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate from a computer to the ZyWALL. Note: You can only import a certificate that ma[...]

  • Page 358

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 358 • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file crea[...]

  • Page 359

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 359 Figure 228 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 The following table describes the labels in this screen. 15.9 My Certificate Create Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to [...]

  • Page 360

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 360 Figure 229 SECURITY > CERTIFICATES > My Certificates > Create (Basic)[...]

  • Page 361

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 361 Figure 230 SECURITY > CERTIFICATES > My Certificates > Create (Advanced) The following table describes the labels in this screen. Table 102 SECURITY > CERTIFICATES > My Certificates > Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (not including [...]

  • Page 362

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 362 Common Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. T[...]

  • Page 363

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 363 Subject Alternative Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII [...]

  • Page 364

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 364 After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you[...]

  • Page 365

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 365 Figure 231 SECURITY > CERTIFICATES > Trusted CAs The following table describes the labels in this screen. Table 103 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is cur[...]

  • Page 366

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 366 15.11 Trusted CA Details Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certifica[...]

  • Page 367

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 367 Figure 232 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 104 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you wan[...]

  • Page 368

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 368 Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate. If the issuing certifica[...]

  • Page 369

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 369 15.12 Trusted CA Import Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority’s certificate from a computer to the Z[...]

  • Page 370

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 370 Figure 233 SECURITY > CERTIFICATES > Trusted CAs > Import The following table describes the labels in this screen. 15.13 Trusted Remote Hosts Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. This screen displays a list of the c[...]

  • Page 371

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 371 Figure 234 SECURITY > CERTIFICATES > Trusted Remote Hosts The following table describes the labels in this screen. Table 106 SECURITY > CERTIFICATES > Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storag[...]

  • Page 372

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 372 15.14 Trusted Remote Hosts Import Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates were[...]

  • Page 373

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 373 15.15 Trusted Remote Host Certificate Details Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted[...]

  • Page 374

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 374 The following table describes the labels in this screen. Table 108 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify th[...]

  • Page 375

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 375 15.16 Directory Servers Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL. If you decide to ha[...]

  • Page 376

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 376 The following table describes the labels in this screen. 15.17 Directory Server Add or Edit Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen. Use this screen to configure info[...]

  • Page 377

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 377 The following table describes the labels in this screen. Table 110 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol Use the [...]

  • Page 378

    Chapter 15 Certificates ZyWALL 2WG User’s Guide 378[...]

  • Page 379

    ZyWALL 2WG User’s Guide 379 CHAPTER 16 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature. 16.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unl[...]

  • Page 380

    Chapter 16 Authentication Server ZyWALL 2WG User’s Guide 380 Figure 239 SECURITY > AUTH SERVER > Local User Database[...]

  • Page 381

    Chapter 16 Authentication Server ZyWALL 2WG User’s Guide 381 The following table describes the labels in this screen. 16.3 RADIUS Click SECURITY > AUTH SERVER > RADIUS to open the RADIUS screen. Configure this screen to use an external RADIUS server to authenticate users. Figure 240 SECURITY > AUTH SERVER > RADIUS The following tabl[...]

  • Page 382

    Chapter 16 Authentication Server ZyWALL 2WG User’s Guide 382 Key Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL. Accounting Server Activ[...]

  • Page 383

    383 PART IV Advanced Network Address Translation (NAT) (385) Static Route (401) Policy Route (405) Bandwidth Management (411) DNS (427) Remote Management (439) UPnP (461) Custom Application (471) ALG Screen (473)[...]

  • Page 384

    384[...]

  • Page 385

    ZyWALL 2WG User’s Guide 385 CHAPTER 17 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 17.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network i[...]

  • Page 386

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 386 Note: NAT never changes the IP address (either local or global) of an outside host. 17.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) [...]

  • Page 387

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 387 Figure 241 How NAT Works 17.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of[...]

  • Page 388

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 388 17.1.5 Port Restricted Cone NAT ZyWALL ZyNOS version 4.00 and later uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network. In the following example[...]

  • Page 389

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 389 • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead. Note: Port numbers do not change for One-to[...]

  • Page 390

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 390 Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you’re using SUA NAT mapping. If this is not your intention, then select F[...]

  • Page 391

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 391 17.4 NAT Address Mapping Click ADVANCED > NAT > Address Mapping to open the following screen. 17.4.1 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the ins[...]

  • Page 392

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 392 Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new c[...]

  • Page 393

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 393 17.4.2 NAT Address Mapping Edit Click the edit icon to display the NAT Address Mapping Edit screen. Use this screen to edit an address mapping rule. See Section 17.1 on page 385 for information on NAT and address mapping. Figure 246 ADVANCED > NAT > Address M[...]

  • Page 394

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 394 The following table describes the labels in this screen. 17.5 Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside netwo[...]

  • Page 395

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 395 Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. 17.5.2 Port Forwarding: Services and Port Numbers The ZyWALL provides the additional safety of [...]

  • Page 396

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 396 Figure 247 Multiple Servers Behind NAT Example 17.5.4 NAT and Multiple WAN The ZyWALL has two WAN interfaces. You can configure port forwarding and trigger port rule sets for the first WAN interface and separate sets of rules for the second WAN interface. 17.5.5 [...]

  • Page 397

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 397 Figure 248 Port Translation Example 17.6 Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not[...]

  • Page 398

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 398 Figure 249 ADVANCED > NAT > Port Forwarding The following table describes the labels in this screen. Table 119 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION WAN Interface Select the WAN interface for which you want to view or configure address mapp[...]

  • Page 399

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 399 17.7 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the I[...]

  • Page 400

    Chapter 17 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 400 Click ADVANCED > NAT > Port Triggering to open the following screen. Use this screen to change your ZyWALL’s trigger port settings. Figure 251 ADVANCED > NAT > Port Triggering The following table describes the labels in this screen. Table 120 ADVANCED[...]

  • Page 401

    ZyWALL 2WG User’s Guide 401 CHAPTER 18 Static Route This chapter shows you how to configure static routes for your ZyWALL. 18.1 IP Static Route The ZyWALL usually uses the default gateway to route outbound traffic from local computers to the Internet. To have the ZyWALL send data to devices not reachable through the default gateway, use[...]

  • Page 402

    Chapter 18 Static Route ZyWALL 2WG User’s Guide 402 18.2 IP Static Route Click ADVANCED > STATIC ROUTE to open the IP Static Route screen. The first two static route entries are for default WAN 1 and WAN 2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route. The default route is [...]

  • Page 403

    Chapter 18 Static Route ZyWALL 2WG User’s Guide 403 The following table describes the labels in this screen. 18.2.1 IP Static Route Edit Click the edit icon in the IP Static Route screen. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 254 ADVANCED > STATIC ROUTE > IP Sta[...]

  • Page 404

    Chapter 18 Static Route ZyWALL 2WG User’s Guide 404 Gateway IP Address Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. Metric Metric represents the “cost” of transmission for routing purposes. [...]

  • Page 405

    ZyWALL 2WG User’s Guide 405 CHAPTER 19 Policy Route This chapter covers setting and applying policies used for IP routing. 19.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing[...]

  • Page 406

    Chapter 19 Policy Route ZyWALL 2WG User’s Guide 406 IPPR follows the existing packet filtering facility of RAS in style and in implementation. 19.4 IP Routing Policy Setup Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen. Figure 255 ADVANCED > POLICY ROUTE > Policy Route Summary[...]

  • Page 407

    Chapter 19 Policy Route ZyWALL 2WG User’s Guide 407 The following table describes the labels in this screen. 19.5 Policy Route Edit Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen. Then click the edit icon to open the Edit IP Policy Route screen. WAN 2 refers to the 3G card on the supported ZyWALL in router mode. Use t[...]

  • Page 408

    Chapter 19 Policy Route ZyWALL 2WG User’s Guide 408 Figure 256 Edit IP Policy Route The following table describes the labels in this screen. Table 124 ADVANCED > POLICY ROUTE > Edit LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of the policy route. IP Protocol Select [...]

  • Page 409

    Chapter 19 Policy Route ZyWALL 2WG User’s Guide 409 Length Comparison Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Application Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom. You can also configure the source[...]

  • Page 410

    Chapter 19 Policy Route ZyWALL 2WG User’s Guide 410 Gateway Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyWALL [...]

  • Page 411

    ZyWALL 2WG User’s Guide 411 CHAPTER 20 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 20.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you m[...]

  • Page 412

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 412 20.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 20.4 Application-based Bandwidth Managem[...]

  • Page 413

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 413 20.7 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based. 20.7.1 Priority-based Scheduler With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth c[...]

  • Page 414

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 414 2 Do not enable the interface’s Maximize Bandwidth Usage option. 3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 20.8 on page 415). 20.7.5 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has ma[...]

  • Page 415

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 415 20.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets. Suppose that all of the classes except for the administration class need more bandwidth. • Each class gets up to its budgeted bandwidth. The [...]

  • Page 416

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 416 Refer to the product specifications in the appendix to see how many class levels you can configure on your ZyWALL. • The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled. • The Bill class can also borrow unuse[...]

  • Page 417

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 417 4 If the bandwidth requirements of all of the traffic classes are met and there is still some unbudgeted bandwidth, the ZyWALL assigns it to traffic that does not match any of the classes. 20.10 Over Allotment of Bandwidth It is possible to set the bandwidth management speed for an[...]

  • Page 418

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 418 Figure 258 ADVANCED > BW MGMT > Summary The following table describes the labels in this screen. Table 131 ADVANCED > BW MGMT > Summary LABEL DESCRIPTION Class These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwid[...]

  • Page 419

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 419 20.12 Configuring Class Setup The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tr[...]

  • Page 420

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 420 20.12.1 Bandwidth Manager Class Configuration Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure classes for that interface. Click ADVANCED > BW MGMT > Cla[...]

  • Page 421

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 421 Figure 260 ADVANCED > BW MGMT > Class Setup > Add Sub-Class The following table describes the labels in this screen. Table 133 ADVANCED > BW MGMT > Class Setup > Add Sub-Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generated name or enter a [...]

  • Page 422

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 422 Enable Bandwidth Filter Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the[...]

  • Page 423

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 423 20.12.2 Bandwidth Management Statistics Click ADVANCED > BW MGMT > Class Setup > Statistics to open the Bandwidth Management Statistics screen. This screen displays the selected bandwidth class’s bandwidth usage and allotments. Source End Address / Subnet Mask If [...]

  • Page 424

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 424 Figure 261 ADVANCED > BW MGMT > Class Setup > Statistics The following table describes the labels in this screen. 20.13 Bandwidth Manager Monitor Click ADVANCED > BW MGMT > Monitor to open the following screen. Use this screen to view the device’s bandwidth usage [...]

  • Page 425

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 425 Figure 262 ADVANCED > BW MGMT > Monitor The following table describes the labels in this screen. Table 136 ADVANCED > BW MGMT > Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class T[...]

  • Page 426

    Chapter 20 Bandwidth Management ZyWALL 2WG User’s Guide 426[...]

  • Page 427

    ZyWALL 2WG User’s Guide 427 CHAPTER 21 DNS This chapter shows you how to configure the DNS screens. 21.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. [...]

  • Page 428

    Chapter 21 DNS ZyWALL 2WG User’s Guide 428 21.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel”[...]

  • Page 429

    Chapter 21 DNS ZyWALL 2WG User’s Guide 429 Figure 263 Private DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 21.6 System Screen Click ADVANCED > DNS to display the following screen. Use this screen t[...]

  • Page 430

    Chapter 21 DNS ZyWALL 2WG User’s Guide 430 Figure 264 ADVANCED > DNS > System DNS The following table describes the labels in this screen. Table 137 ADVANCED > DNS > System DNS LABEL DESCRIPTION Address Record An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a ho[...]

  • Page 431

    Chapter 21 DNS ZyWALL 2WG User’s Guide 431 21.6.1 Adding an Address Record Click Add in the System screen to open this screen. Use this screen to add an address record. An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyWALL itself or another device to keep a [...]

  • Page 432

    Chapter 21 DNS ZyWALL 2WG User’s Guide 432 The following table describes the labels in this screen. 21.6.2 Inserting a Name Server Record Click Insert in the System screen to open this screen. Use this screen to insert a name server record. A name server record contains a DNS server’s IP address. The ZyWALL can query the DNS server to res[...]

  • Page 433

    Chapter 21 DNS ZyWALL 2WG User’s Guide 433 The following table describes the labels in this screen. 21.7 DNS Cache DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response mea[...]

  • Page 434

    Chapter 21 DNS ZyWALL 2WG User’s Guide 434 Figure 267 ADVANCED > DNS > Cache The following table describes the labels in this screen. Table 140 ADVANCED > DNS > Cache LABEL DESCRIPTION DNS Cache Setup Cache Positive DNS Resolutions Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolu[...]

  • Page 435

    Chapter 21 DNS ZyWALL 2WG User’s Guide 435 21.9 Configuring DNS DHCP Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients. Figure 268 ADVANCED > DNS > DHCP The following table describes the labels in t[...]

  • Page 436

    Chapter 21 DNS ZyWALL 2WG User’s Guide 436 21.10 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.o[...]

  • Page 437

    Chapter 21 DNS ZyWALL 2WG User’s Guide 437 Note: If you have a private WAN IP address, then you cannot use Dynamic DNS. 21.10.2 High Availability A DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain[...]

  • Page 438

    Chapter 21 DNS ZyWALL 2WG User’s Guide 438 Username Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. Password Enter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. My Domain Names Dom[...]

  • Page 439

    ZyWALL 2WG User’s Guide 439 CHAPTER 22 Remote Management This chapter provides information on the Remote Management screens. 22.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure manageme[...]

  • Page 440

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 440 3 Telnet 4 HTTPS and HTTP 22.1.1 Remote Management Limitations Remote management does not work when: 1 You have not enabled that service on the interface in the corresponding remote management screen. 2 You have disabled that service in one of the remote management screens. 3 The[...]

  • Page 441

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 441 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s WS (web server). Figure 271 HTTPS Implementation Note: If you disable the HTTP service in the REMOTE MGMT > WWW screen, then the ZyWALL blocks all HTTP connection attempts. 22.3 WWW Click ADV[...]

  • Page 442

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 442 Figure 272 ADVANCED > REMOTE MGMT > WWW The following table describes the labels in this screen. Table 143 ADVANCED > REMOTE MGMT > WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the [...]

  • Page 443

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 443 22.4 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address” is the IP address or domain name of the ZyWALL you wish to access. 22.4.1 Internet Explor[...]

  • Page 444

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 444 If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client. Figure 274 Security Certificate 1 (Netscape) Figure 275 Security Certificate 2[...]

  • Page 445

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 445 • The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received. Do the following to check the common name specified in [...]

  • Page 446

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 446 Figure 277 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the [...]

  • Page 447

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 447 Figure 279 Common ZyWALL Certificate 22.5 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. Unlike Telnet or FTP, which transmit data in plai[...]

  • Page 448

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 448 Figure 281 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. T[...]

  • Page 449

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 449 22.8 Configuring SSH Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings. Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 282 ADVANCED > REMOTE MGMT > SSH The following table des[...]

  • Page 450

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 450 22.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program[...]

  • Page 451

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 451 2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type “yes” an[...]

  • Page 452

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 452 Figure 286 Secure FTP: Firmware Upload Example 22.11 Telnet You can use Telnet to access the ZyWALL’s SMT or command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come. 22.12 Configuring TELNET Click ADVANCED > REMOTE [...]

  • Page 453

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 453 The following table describes the labels in this screen. 22.13 FTP You can use FTP (File Transfer Protocol) to upload and download the ZyWALL’s firmware and configuration files; please see the User’s Guide chapter on firmware and configuration file maintenance for details. To [...]

  • Page 454

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 454 The following table describes the labels in this screen. 22.14 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which [...]

  • Page 455

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 455 Figure 289 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed dev[...]

  • Page 456

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 456 22.14.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: 22.14.3 REMOTE MANAGEMENT: SNMP To change your ZyWALL’s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown. Figure 290 ADVANCED &g[...]

  • Page 457

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 457 The following table describes the labels in this screen. 22.15 DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 8 on page 165 for more information. Click ADVANCED > REMOTE MGMT > DNS to change your ZyWALL’s DN[...]

  • Page 458

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 458 Figure 291 ADVANCED > REMOTE MGMT > DNS The following table describes the labels in this screen. 22.16 Introducing Vantage CNM Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily co[...]

  • Page 459

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 459 Figure 292 ADVANCED > REMOTE MGMT > CNM The following table describes the labels in this screen. Table 150 ADVANCED > REMOTE MGMT > CNM LABEL DESCRIPTION Registration Information Registration Status This read only field displays Not Registered when Enable is not selected. [...]

  • Page 460

    Chapter 22 Remote Management ZyWALL 2WG User’s Guide 460 22.17.1 Additional Configuration for Vantage CNM If you have NAT routers or firewalls between the ZyWALL and the Vantage CNM server, you must configure them to forward TCP ports 8080 (HTTP), 443 (HTTPS) and 20 and 21 (FTP). They must also forward UDP ports 1864 and 1865. Encryption A[...]

  • Page 461

    ZyWALL 2WG User’s Guide 461 CHAPTER 23 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 23.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivit[...]

  • Page 462

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 462 When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your int[...]

  • Page 463

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 463 23.3 Displaying UPnP Port Mapping Click ADVANCED > UPnP > Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Figure 294 ADVANCED > UPnP > Ports The following table describes the labels in this screen. Allow UPnP to[...]

  • Page 464

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 464 23.4 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. Remote Host This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwa[...]

  • Page 465

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 465 23.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. 3 In the Commu[...]

  • Page 466

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 466 23.4.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 23.5 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure [...]

  • Page 467

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 467 23.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to see the port mappin[...]

  • Page 468

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 468 Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 23.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This[...]

  • Page 469

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 469 Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for yo[...]

  • Page 470

    Chapter 23 UPnP ZyWALL 2WG User’s Guide 470 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.[...]

  • Page 471

    ZyWALL 2WG User’s Guide 471 CHAPTER 24 Custom Application This chapter covers how to set the ZyWALL to monitor custom port numbers for specific applications. 24.1 Custom Application Use custom application to have the ZyWALL’s ALG and content filtering features monitor traffic on custom ports, in addition to the default ports. By defau[...]

  • Page 472

    Chapter 24 Custom Application ZyWALL 2WG User’s Guide 472 Figure 295 ADVANCED > Custom APP The following table describes the labels in this screen. Table 153 ADVANCED > Custom APP LABEL DESCRIPTION Application Select the application for which you want the ZyWALL to monitor specific ports. You can use the same application in more than [...]

  • Page 473

    ZyWALL 2WG User’s Guide 473 CHAPTER 25 ALG Screen This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 25.1 ALG Introduction An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The ZyWALL can function as an ALG t[...]

  • Page 474

    Chapter 25 ALG Screen ZyWALL 2WG User’s Guide 474 25.1.3 ALG and Multiple WAN When the ZyWALL has two WAN interfaces and uses the second highest priority WAN interfaces as a back up, traffic cannot pass through when the primary WAN connection fails. The ZyWALL does not automatically change the connection to the secondary WAN interfaces. [...]

  • Page 475

    Chapter 25 ALG Screen ZyWALL 2WG User’s Guide 475 • You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN, DMZ or WLAN. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B. Figure 296 H.323 ALG Example ?[...]

  • Page 476

    Chapter 25 ALG Screen ZyWALL 2WG User’s Guide 476 Figure 298 H.323 Calls from the WAN with Multiple Outgoing Calls • The H.323 ALG operates on TCP packets with a port 1720 destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG. 25.5 SIP Th[...]

  • Page 477

    Chapter 25 ALG Screen ZyWALL 2WG User’s Guide 477 Figure 299 SIP ALG Example 25.5.3 SIP Signaling Session Timeout Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP cli[...]

  • Page 478

    Chapter 25 ALG Screen ZyWALL 2WG User’s Guide 478 Figure 300 ADVANCED > ALG The following table describes the labels in this screen. Table 154 ADVANCED > ALG LABEL DESCRIPTION Enable FTP ALG Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of fi[...]

  • Page 479

    479 PART V Logs and Maintenance Logs Screens (481) Maintenance (511)[...]

  • Page 480

    480[...]

  • Page 481

    ZyWALL 2WG User’s Guide 481 CHAPTER 26 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Section 26.5 on page 492 for example log message explanations. 26.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one locati[...]

  • Page 482

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 482 The following table describes the labels in this screen. 26.2 Log Description Example The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to Section 26.5 on page 492 for more log message descriptions and the appendix [...]

  • Page 483

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 483 26.2.1 About the Certificate Not Trusted Log myZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.com and th[...]

  • Page 484

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 484 Figure 303 myZyXEL.com: Certificate Download 26.3 Configuring Log Settings To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule for when the ZyWALL is[...]

  • Page 485

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 485 Figure 304 LOGS > Log Settings[...]

  • Page 486

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 486 The following table describes the labels in this screen. Table 157 LOGS > Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages[...]

  • Page 487

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 487 26.4 Configuring Reports The Reports screen displays which computers on the LAN, DMZ or WLAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often. The ZyWALL can record and display the following network usage details[...]

  • Page 488

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 488 Figure 305 LOGS > Reports Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps. The following table describes the labels in this screen. Table 158 LOGS > Reports LABEL DESCRIPTION Collect Statistics Select the check box and click A[...]

  • Page 489

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 489 Note: All of the recorded reports data is erased when you turn off the ZyWALL. 26.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and[...]

  • Page 490

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 490 Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer. Figure 307 LOGS > Reports: Host IP Address Example The following ta[...]

  • Page 491

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 491 Figure 308 LOGS > Reports: Protocol/Port Example The following table describes the labels in this screen. Table 161 LOGS > Reports: Protocol/Port LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWAL[...]

  • Page 492

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 492 26.4.4 System Reports Specifications The following table lists detailed specifications on the reports feature. 26.5 Log Descriptions This section provides descriptions of example log messages. Table 162 Report Specifications LABEL DESCRIPTION Number of web sites/protocols or ports/IP addres[...]

  • Page 493

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 493 Time initialized by NTP server The router got the time and date from the NTP server. Connect to Daytime server fail The router was not able to connect to the Daytime server. Connect to Time server fail The router was not able to connect to the Time server. Connect to NTP server fail The[...]

  • Page 494

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 494 Table 164 System Error Logs LOG MESSAGE DESCRIPTION %s exceeds the max. number of session per host! This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host. setNetBIOSFilter: calloc error The router failed to allocate memo[...]

  • Page 495

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 495 For type and code details, see Table 181 on page 506. Table 166 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack, sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.) Exceed TCP MAX incom[...]

  • Page 496

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 496 Packet without a NAT table entry blocked: ICMP The router blocked a packet that didn’t have a corresponding NAT table entry. Unsupported/out-of-order ICMP: ICMP The firewall does not support this kind of ICMP packets or the ICMP packets are out of order. Router reply ICMP packet: ICMP The[...]

  • Page 497

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 497 Budget counters are reset, budget control is resumed. The ZyWALL restarted budget calculation from 0 after resetting the existing statistics. Budget control is resumed. The ZyWALL kept the existing budget control statistics and continued counting. Budget control is disabled. Budget control[...]

  • Page 498

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 498 Warning: (%ESN% or %IMSI%) Over data budget! (budget =%CONFIGURED_BUDGET%(2 decimals Mbytes, used = %USED_VOLUME%(2 decimals) Mbytes). This shows that the preconfigured data limit was exceeded. The IMSI of the SIM card in an inserted GSM 3G card or the ESN of the inserted CDMA 3G card is di[...]

  • Page 499

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 499 For type and code details, see Table 181 on page 506. DNS resolving failed The ZyWALL cannot get the IP address of the external content filtering via DNS query. Creating socket failed The ZyWALL cannot issue a query because TCP/IP socket creation failed, port:port number. Connecting to[...]

  • Page 500

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 500 Firewall sent TCP packet in response to DoS attack TCP The firewall sent TCP packet in response to a DoS attack ICMP Source Quench ICMP The firewall detected an ICMP Source Quench attack. ICMP Time Exceed ICMP The firewall detected an ICMP Time Exceed attack. ICMP Destination Unreachable ICMP [...]

  • Page 501

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 501 Receive IPSec packet, but no corresponding tunnel exists The router dropped an inbound packet for which SPI could not find a corresponding phase 2 SA. Rule <%d> idle time out, disconnect The router dropped a connection that had outbound traffic and no inbound traffic for a certain ti[...]

  • Page 502

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 502 Cannot resolve Secure Gateway Addr for rule <%d> The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address. Peer ID: <peer id> <My remote type> -<My local type> The displayed ID information did not match between th[...]

  • Page 503

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 503 XAUTH fail! Username: <Username> The router was not able to use extended authentication to authenticate the listed username. Rule[%d] Phase 1 negotiation mode mismatch The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer. Rule [%d] Phase 1 e[...]

  • Page 504

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 504 Rule [%d] phase 1 mismatch The listed rule’s IKE phase 1 did not match between the router and the peer. Rule [%d] phase 2 mismatch The listed rule’s IKE phase 2 did not match between the router and the peer. Rule [%d] Phase 2 key length mismatch The listed rule’s IKE phase 2 key lengths[...]

  • Page 505

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 505 Failed to decode the received user cert The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received CRL The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose[...]

  • Page 506

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 506 22 CRL contains duplicate serial numbers. 23 Time interval is not continuous. 24 Time information not available. 25 Database method failed due to timeout. 26 Database method failed. 27 Path was not verified. 28 Maximum path length reached. Table 180 ACL Setting Notes PACKET DIRECTION DIREC[...]

  • Page 507

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 507 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) 5 Source route failed 4 Source Quench 0 A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for ou[...]

  • Page 508

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 508 26.6 Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log[...]

  • Page 509

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 509 The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="&l[...]

  • Page 510

    Chapter 26 Logs Screens ZyWALL 2WG User’s Guide 510[...]

  • Page 511

    ZyWALL 2WG User’s Guide 511 CHAPTER 27 Maintenance This chapter displays information on the maintenance screens. 27.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 27.2 General Setup and System Name General Setup contains administrative[...]

  • Page 512

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 512 Figure 309 MAINTENANCE > General Setup The following table describes the labels in this screen. 27.3 Configuring Password Click MAINTENANCE > Password to open the following screen. Use this screen to change the ZyWALL’s management password. Table 184 MAINTENANCE > General Setup LAB[...]

  • Page 513

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 513 Figure 310 MAINTENANCE > Password The following table describes the labels in this screen. 27.4 Time and Date The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external[...]

  • Page 514

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 514 Figure 311 MAINTENANCE > Time and Date The following table describes the labels in this screen. Table 186 MAINTENANCE > Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the ZyWALL’s present time. Current Date This field displays the ZyWALL’[...]

  • Page 515

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 515 Time Protocol Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC [...]

  • Page 516

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 516 27.5 Pre-defined NTP Time Server Pools When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools. T[...]

  • Page 517

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 517 Figure 313 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen. Figure 314 Synchronization Fail 27.6 Introduction To Transparent Bridging A transparent bridge is invisible to the operation of a [...]

  • Page 518

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 518 For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking th[...]

  • Page 519

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 519 Figure 315 MAINTENANCE > Device Mode (Router Mode) The following table describes the labels in this screen. 27.9 Configuring Device Mode (Bridge) Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge. Table 188 MA[...]

  • Page 520

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 520 In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network. In bridge [...]

  • Page 521

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 521 27.10 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the syst[...]

  • Page 522

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 522 The following table describes the labels in this screen. 1 Do not turn off the ZyWALL while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 318 Firmware Upload In Process The ZyWALL automati[...]

  • Page 523

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 523 Figure 320 Firmware Upload Error 27.11 Backup and Restore See Section 43.5 on page 655 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears[...]

  • Page 524

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 524 27.11.1 Backup Configuration Backup configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configu[...]

  • Page 525

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 525 If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer’s IP address. If the upload was not[...]

  • Page 526

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 526 Figure 326 MAINTENANCE > Restart 27.13 Diagnostics Use the Diagnostics screen to have the ZyWALL generate and send diagnostic files by e-mail and/or the console port. The diagnostics files contain the ZyWALL’s configuration and diagnostic information. You may need to generate this file[...]

  • Page 527

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 527 Figure 327 MAINTENANCE > Diagnostics The following table describes the labels in this screen. Table 192 MAINTENANCE > Diagnostics LABEL DESCRIPTION Enable Diagnostics Select this option to turn on the diagnostics feature. Perform Diagnostics Now Click this button to generate and send a d[...]

  • Page 528

    Chapter 27 Maintenance ZyWALL 2WG User’s Guide 528 Day for Diagnostics Use the drop down list box to select which day of the week to generate and send diagnostic files. Time for Diagnostics Enter the time of day in 24-hour format (for example 23:00 equals 11:00 pm) to generate and send diagnostic files. Display on Console Select this option [...]

  • Page 529

    529 PART VI SMT Introducing the SMT (531) SMT Menu 1 - General Setup (539) WAN and Dial Backup Setup (545) LAN Setup (559) Internet Access (565) DMZ Setup (571) Route Setup (575) Wireless Setup (579) Remote Node Setup (583) IP Static Route Setup (591) Network Address Translation (NAT) (595) Introducing the ZyWALL Firewall (615) Filter Configu[...]

  • Page 530

    530[...]

  • Page 531

    ZyWALL 2WG User’s Guide 531 CHAPTER 28 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 28.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or o[...]

  • Page 532

    Chapter 28 Introducing the SMT ZyWALL 2WG User’s Guide 532 Figure 328 Initial Screen 28.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. As you type the password, the screen displays an “X” for e[...]

  • Page 533

    Chapter 28 Introducing the SMT ZyWALL 2WG User’s Guide 533 Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. 28.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Table 193 Main Menu Commands OPERATION KEYSTROKES[...]

  • Page 534

    Chapter 28 Introducing the SMT ZyWALL 2WG User’s Guide 534 Figure 330 Main Menu (Router Mode) Figure 331 Main Menu (Bridge Mode) The following table describes the fields in this menu. Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 2WG Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2. [...]

  • Page 535

    Chapter 28 Introducing the SMT ZyWALL 2WG User’s Guide 535 28.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus. 4 Internet Access Setup Configure your Internet access setup (Internet address, gateway, login, etc.) with this menu. 5 DMZ Setup Use this menu to apply DMZ filters, and confi[...]

  • Page 536

    Chapter 28 Introducing the SMT ZyWALL 2WG User’s Guide 536 11 Remote Node Setup 11.1 Remote Node Profile 11.1.2 Remote Node Network Layer Options 11.1.4 Remote Node Filter 11.2 Remote Node Profile (3G WAN) 11.2.2 Remote Node Network Layer Options 11.2.3 Remote Node Script 11.2.4 Remote Node Filter 11.3 Remote Node Profile ([...]

  • Page 537

    Chapter 28 Introducing the SMT ZyWALL 2WG User’s Guide 537 28.4 Changing the System Password Change the system password by following the steps shown next. 1 Enter 23 in the main menu to open Menu 23 - System Password as shown next. Figure 332 Menu 23: System Password 2 Type your existing password and press [ENTER]. 24 System Maintenance 24.1 [...]

  • Page 538

    Chapter 28 Introducing the SMT ZyWALL 2WG User’s Guide 538 3 Type your new system password and press [ENTER]. 4 Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an “x” for each character you type. 28.5 Resetting the ZyWALL See Section 2.3 on page 59 for directions[...]

  • Page 539

    ZyWALL 2WG User’s Guide 539 CHAPTER 29 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 29.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 29.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 - General S[...]

  • Page 540

    Chapter 29 SMT Menu 1 - General Setup ZyWALL 2WG User’s Guide 540 Figure 334 Menu 1: General Setup (Bridge Mode) The following table describes the fields not previously discussed (see Table 196 on page 539). Device Mode Press [SPACE BAR] and then [ENTER] to select Router Mode. Edit Dynamic DNS Press [SPACE BAR] and then [ENTER] to select[...]

  • Page 541

    Chapter 29 SMT Menu 1 - General Setup ZyWALL 2WG User’s Guide 541 29.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - C[...]

  • Page 542

    Chapter 29 SMT Menu 1 - General Setup ZyWALL 2WG User’s Guide 542 Figure 336 Menu 1.1.1: DDNS Host Summary The following table describes the fields in this screen. 5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 - DDNS Edit H[...]

  • Page 543

    Chapter 29 SMT Menu 1 - General Setup ZyWALL 2WG User’s Guide 543 Figure 337 Menu 1.1.1: DDNS Edit Host The following table describes the fields in this screen. Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy: Let DDNS Server A[...]

  • Page 544

    Chapter 29 SMT Menu 1 - General Setup ZyWALL 2WG User’s Guide 544 The IP address updates when you reconfigure menu 1 or perform DHCP client renewal. IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and [...]

  • Page 545

    ZyWALL 2WG User’s Guide 545 CHAPTER 30 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 30.1 Introduction to WAN, 3G WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN interface(s), a 3G WAN connection and a dial backup conn[...]

  • Page 546

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 546 The following table describes the fields in this screen. 30.3 Dial Backup The Dial Backup port can be used in reserve, as a traditional dial-up connection should the broadband connection to the WAN port fail. To set up the auxiliary port (Dial Backup) for use in the event tha[...]

  • Page 547

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 547 Figure 339 Menu 2: Dial Backup Setup The following table describes the fields in this menu. 30.3.2 Advanced WAN Setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands. Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Fac[...]

  • Page 548

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 548 To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER]. Figure 340 Menu 2.1: Advanced WAN Setup The following table describes fields in this menu[...]

  • Page 549

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 549 30.3.3 Remote Node Profile (Backup ISP) Enter 3 in Menu 11 - Remote Node Setup to open Menu 11.3 - Remote Node Profile (Backup ISP) (shown below) and configure the setup for your Dial Backup port connection. Not all fields are available on all models. Figure 341 Menu 11.3: Remo[...]

  • Page 550

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 550 The following table describes the fields in this menu. Table 205 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. Active Press [SPACE BAR] and then [ENTER] to s[...]

  • Page 551

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 551 30.3.4 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Figure 342 Menu 11.3.2: Remote Node Network Layer Options The following table desc[...]

  • Page 552

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 552 30.3.5 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send’ string. [...]

  • Page 553

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 553 Please note that the ordering of the sets is significant, i.e., starting from set 1, the ZyWALL will wait until the ‘Expect’ string is matched before it proceeds to set 2, and so on for the rest of the script. When both the ‘Expect’ and the ‘Send’ fields of the curren[...]

  • Page 554

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 554 30.3.6 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter. Use menu 11.3.4 to specify the filter set(s) to apply to the incoming and outg[...]

  • Page 555

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 555 Figure 345 3G Modem Setup in WAN Setup The following table describes the fields in this screen. Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advance[...]

  • Page 556

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 556 30.4.2 Remote Node Profile (3G WAN) Enter 2 in Menu 11 - Remote Node Setup to open Menu 11.2 - Remote Node Profile (3G WAN) (shown below) and configure the setup for your 3G connection. Figure 346 Menu 11.2: Remote Node Profile (3G WAN) The following table describes the fie[...]

  • Page 557

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 557 Edit IP This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3.2 - Remote Node Network Layer Options. See Section 30.3.4 on page 551 for more information. Edit Script Options Press [SPACE BAR] to select Yes and press [[...]

  • Page 558

    Chapter 30 WAN and Dial Backup Setup ZyWALL 2WG User’s Guide 558[...]

  • Page 559

    ZyWALL 2WG User’s Guide 559 CHAPTER 31 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 31.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections. 31.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 - LAN Setup. Figure 347 Menu [...]

  • Page 560

    Chapter 31 LAN Setup ZyWALL 2WG User’s Guide 560 Figure 348 Menu 3.1: LAN Port Filter Setup 31.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 349 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setu[...]

  • Page 561

    Chapter 31 LAN Setup ZyWALL 2WG User’s Guide 561 Figure 350 Menu 3.2: TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.168.1.33 IP Address= 192.168.1.1 Size of Client IP Pool= 1[...]

  • Page 562

    Chapter 31 LAN Setup ZyWALL 2WG User’s Guide 562 Use the instructions in the following table to configure TCP/IP parameters for the LAN port. Note: LAN and DMZ IP addresses must be on separate subnets. First DNS Server Second DNS Server Third DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you speci[...]

  • Page 563

    Chapter 31 LAN Setup ZyWALL 2WG User’s Guide 563 31.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. U[...]

  • Page 564

    Chapter 31 LAN Setup ZyWALL 2WG User’s Guide 564[...]

  • Page 565

    ZyWALL 2WG User’s Guide 565 CHAPTER 32 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 32.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending[...]

  • Page 566

    Chapter 32 Internet Access ZyWALL 2WG User’s Guide 566 Figure 352 Menu 4: Internet Access Setup (Ethernet) The following table describes the fields in this menu. Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Ev[...]

  • Page 567

    Chapter 32 Internet Access ZyWALL 2WG User’s Guide 567 32.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login[...]

  • Page 568

    Chapter 32 Internet Access ZyWALL 2WG User’s Guide 568 Figure 353 Internet Access Setup (PPTP) The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field in menu 4. 32.4 Configuring the PPPoE Client If you enable PPPoE in menu 4, you will see the next screen. Menu 4 - Internet Access Setup IS[...]

  • Page 569

    Chapter 32 Internet Access ZyWALL 2WG User’s Guide 569 Figure 354 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4. If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE service na[...]

  • Page 570

    Chapter 32 Internet Access ZyWALL 2WG User’s Guide 570[...]

  • Page 571

    ZyWALL 2WG User’s Guide 571 CHAPTER 33 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 33.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 355 Menu 5: DMZ Setup 33.2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to ap[...]

  • Page 572

    Chapter 33 DMZ Setup ZyWALL 2WG User’s Guide 572 33.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 147. 33.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 357 Menu 5: DMZ Setup From menu 5, select the submen[...]

  • Page 573

    Chapter 33 DMZ Setup ZyWALL 2WG User’s Guide 573 Note: DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 38 on page 595) in menus 15.1 and 15.2. 33.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR[...]

  • Page 574

    Chapter 33 DMZ Setup ZyWALL 2WG User’s Guide 574[...]

  • Page 575

    ZyWALL 2WG User’s Guide 575 CHAPTER 34 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. 34.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 360 Menu 6: Route Setup 34.2 Route Assessment This menu allows you to configure traffic redirect properties. Figure 361 Me[...]

  • Page 576

    Chapter 34 Route Setup ZyWALL 2WG User’s Guide 576 The following table describes the fields in this menu. 34.3 Traffic Redirect To configure the parameters for traffic redirect, enter 2 in Menu 6 - Route Setup to open Menu 6.2 - Traffic Redirect as shown next. Figure 362 Menu 6.2: Traffic Redirect The following table describes the fields in[...]

  • Page 577

    Chapter 34 Route Setup ZyWALL 2WG User’s Guide 577 34.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 363 Menu 6.3: Route Failover The following table describes the fields in this menu. Menu 6.3 - Route Failover Period= 5 Timeout=: 3 Fail Tolerance= 3 Press ENTER to Confir[...]

  • Page 578

    Chapter 34 Route Setup ZyWALL 2WG User’s Guide 578[...]

  • Page 579

    ZyWALL 2WG User’s Guide 579 CHAPTER 35 Wireless Setup Use menu 7 to configure the IP address for ZyWALL’s WLAN interface, other TCP/IP and DHCP settings. 35.1 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 147. 35.1.1 IP Address From the main menu, enter 7 to open Me[...]

  • Page 580

    Chapter 35 Wireless Setup ZyWALL 2WG User’s Guide 580 Figure 365 Menu 7.2: TCP/IP and DHCP Ethernet Setup The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 31.4 on page 560 for information on how to configure these fields. [...]

  • Page 581

    Chapter 35 Wireless Setup ZyWALL 2WG User’s Guide 581 Figure 366 Menu 7.2.1: IP Alias Setup Refer to Table 212 on page 563 for instructions on configuring IP alias parameters. Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP[...]

  • Page 582

    Chapter 35 Wireless Setup ZyWALL 2WG User’s Guide 582[...]

  • Page 583

    ZyWALL 2WG User’s Guide 583 CHAPTER 36 Remote Node Setup This chapter shows you how to configure a remote node. 36.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu[...]

  • Page 584

    Chapter 36 Remote Node Setup ZyWALL 2WG User’s Guide 584 36.3.1 Ethernet Encapsulation There are three variations of menu 11.1 depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.1 scr[...]

  • Page 585

    Chapter 36 Remote Node Setup ZyWALL 2WG User’s Guide 585 36.3.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Figure 36[...]

  • Page 586

    Chapter 36 Remote Node Setup ZyWALL 2WG User’s Guide 586 36.3.2.1 Outgoing Authentication Protocol Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendor’s implementation includes a specific authentication protocol in the user profile. It will disconnect if the neg[...]

  • Page 587

    Chapter 36 Remote Node Setup ZyWALL 2WG User’s Guide 587 Figure 370 Menu 11.1: Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in menu 11.1 not previously discussed. 36.4 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu [...]

  • Page 588

    Chapter 36 Remote Node Setup ZyWALL 2WG User’s Guide 588 Figure 371 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation. The following table describes the fields in this menu. Menu 11.1.2 - Rem[...]

  • Page 589

    Chapter 36 Remote Node Setup ZyWALL 2WG User’s Guide 589 36.5 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter. Use menu 11.1.4 to specify the filter set(s) to apply to the incoming and outgoing traffi[...]

  • Page 590

    Chapter 36 Remote Node Setup ZyWALL 2WG User’s Guide 590 Figure 372 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Figure 373 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter[...]

  • Page 591

    ZyWALL 2WG User’s Guide 591 CHAPTER 37 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 37.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. Note: The first two static route entries are for default W[...]

  • Page 592

    Chapter 37 IP Static Route Setup ZyWALL 2WG User’s Guide 592 Figure 374 Menu 12: IP Static Route Setup Now, enter the index number of the static route that you want to configure. Figure 375 Menu 12.1: Edit IP Static Route The following table describes the IP Static Route Menu fields. Menu 12 - IP Static Route Setup 1.Reserved 16.______ __[...]

  • Page 593

    Chapter 37 IP Static Route Setup ZyWALL 2WG User’s Guide 593 IP Subnet Mask Enter the IP subnet mask for this destination. Gateway IP Address Enter the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment a[...]

  • Page 594

    Chapter 37 IP Static Route Setup ZyWALL 2WG User’s Guide 594[...]

  • Page 595

    ZyWALL 2WG User’s Guide 595 CHAPTER 38 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 38.1 Using NAT Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 38.1.1 SUA (Single User Account) Versus NAT SUA ([...]

  • Page 596

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 596 Figure 376 Menu 4: Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. 1 Enter 11 from the main menu. 2 Enter 1 to open Menu 11.1 - Remote Node Profile. 3 Move the cursor to the Edit IP field, press [SPACE[...]

  • Page 597

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 597 The following table describes the fields in this menu. 38.2 NAT Setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN, DMZ and WLAN. Set 255 is used for SUA. When you select Full Featur[...]

  • Page 598

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 598 Note: Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 38.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 379 Menu 15.1: Address Mapping Sets 38.2.1.[...]

  • Page 599

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 599 Note: Menu 15.1.255 is read-only. 38.2.1.2 User-Defined Address Mapping Sets Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configure rules i[...]

  • Page 600

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 600 Figure 381 Menu 15.1.1: First Set Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here. 38.2.1.3 Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rules i[...]

  • Page 601

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 601 Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken. Selecting Edit in the Action field a[...]

  • Page 602

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 602 The following table describes the fields in this menu. 38.3 Configuring a Server behind NAT Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow [...]

  • Page 603

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 603 3 Enter 1 or 2 to go to Menu 15.2.x - NAT Server Setup and configure the address mapping rules for the WAN 1 or WAN 2 interface on a ZyWALL with multiple WAN interfaces. Figure 384 Menu 15.2.x: NAT Server Sets 4 Select Edit Rule in the Select Command field; type t[...]

  • Page 604

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 604 The following table describes the fields in this screen. 5 Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field. 6 Enter t[...]

  • Page 605

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 605 Figure 387 Server Behind NAT Example 38.4 General NAT Examples The following are some examples of NAT configuration. 38.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one d[...]

  • Page 606

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 606 Figure 389 Menu 4: Internet Access & NAT Example From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in Section 38.4 on page 605. The SUA Only read-only option from[...]

  • Page 607

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 607 Figure 391 Menu 15.2.1: Specifying an Inside Server 38.4.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router[...]

  • Page 608

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 608 Figure 392 NAT Example 3 1 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 393 on page 608. [...]

  • Page 609

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 609 Figure 394 Example 3: Menu 15.1.1.1 Figure 395 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. 1 Enter 15 from the main menu. 2 Enter 2 to go to menu 15.2. 3 (Enter 1 or 2 from menu 15.2 on a ZyWALL with multipl[...]

  • Page 610

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 610 Figure 396 Example 3: Menu 15.2.1 38.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many[...]

  • Page 611

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 611 Note: Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-One-to-One mapping types. Follow the steps outlin[...]

  • Page 612

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 612 38.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to [...]

  • Page 613

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 613 Figure 400 Menu 15.3.1: Trigger Port Setup The following table describes the fields in this menu. Menu 15.3.1 - Trigger Port Setup Incoming Trigger Rule Name Start Port End Port Start Port End Port ------------------------------------ -------------------------- 1. Real [...]

  • Page 614

    Chapter 38 Network Address Translation (NAT) ZyWALL 2WG User’s Guide 614[...]

  • Page 615

    ZyWALL 2WG User’s Guide 615 CHAPTER 39 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 39.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next. Figure 401 Menu 21: Filter and Firewall Setup 39.1.1 Acti[...]

  • Page 616

    Chapter 39 Introducing the ZyWALL Firewall ZyWALL 2WG User’s Guide 616 Figure 402 Menu 21.2: Firewall Setup Note: Configure the firewall rules using the web configurator or CLI commands. Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the[...]

  • Page 617

    ZyWALL 2WG User’s Guide 617 CHAPTER 40 Filter Configuration This chapter shows you how to create and apply filters. 40.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdi[...]

  • Page 618

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 618 40.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with si[...]

  • Page 619

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 619 Figure 404 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.[...]

  • Page 620

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 620 40.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 405 Menu 21: Filter and Firewall Setup 2 Enter 1 to bring up the [...]

  • Page 621

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 621 The protocol dependent filter rules abbreviation are listed as follows: Refer to the next section for information on configuring the filter rules. 40.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.x - Filter Rules Summary and press [ENTER] to o[...]

  • Page 622

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 622 40.2.2 Configuring a TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers. To configure TCP/IP rules, select TCP/IP Filter Rule fro[...]

  • Page 623

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 623 The following figure illustrates the logic flow of an IP filter. Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, Less and Gr[...]

  • Page 624

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 624 Figure 408 Executing an IP Filter 40.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.[...]

  • Page 625

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 625 For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyWALL applies the Mask (bit-wise ANDing) to the data portion before c[...]

  • Page 626

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 626 40.3 Example Filter Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters. Figure 410 Telnet Filter Example 1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. 2 Enter 1 t[...]

  • Page 627

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 627 Figure 411 Example Filter: Menu 21.1.3.1 The port number for the telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services. When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set. Figur[...]

  • Page 628

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 628 After you’ve created the filter set, you must apply it. 1 Enter 11 from the main menu to go to menu 11. 2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile. 3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. 4 This brings you to menu 11.[...]

  • Page 629

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 629 40.5.1.1 When To Use Filtering 1 To block/allow LAN packets by their MAC addresses. 2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. 3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host[...]

  • Page 630

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 630 If you do not activate the firewall, it is advisable to apply filters. 40.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set[...]

  • Page 631

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 631 40.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by comm[...]

  • Page 632

    Chapter 40 Filter Configuration ZyWALL 2WG User’s Guide 632[...]

  • Page 633

    ZyWALL 2WG User’s Guide 633 CHAPTER 41 SNMP Configuration This chapter explains SNMP configuration menu 22. 41.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password. Figure 417 Menu 22: SNMP[...]

  • Page 634

    Chapter 41 SNMP Configuration ZyWALL 2WG User’s Guide 634 41.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] t[...]

  • Page 635

    ZyWALL 2WG User’s Guide 635 CHAPTER 42 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 42.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in th [...]

  • Page 636

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 636 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 419 Menu 24.1: System Maintenance: Status The following table descri[...]

  • Page 637

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 637 42.3 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: 1 Enter 24 to go to Menu 24 - System Maintenance. 2 Enter 2 to open Menu 24[...]

  • Page 638

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 638 Figure 421 Menu 24.2.1: System Maintenance: Information The following table describes the fields in this screen. 42.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your ZyWALL supports 9600 (default),[...]

  • Page 639

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 639 Figure 422 Menu 24.2.2: System Maintenance: Change Console Port Speed 42.4 Log and Trace There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.[...]

  • Page 640

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 640 Figure 424 Examples of Error and Information Messages 42.4.2 Syslog Logging The ZyWALL uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Sysl[...]

  • Page 641

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 641 1 CDR 2 Packet triggered 3 Filter log CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call = the call[...]

  • Page 642

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 642 4 PPP log Filter log Message Format SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String ); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) [...]

  • Page 643

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 643 5 Firewall log 42.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Firewall Log Mes[...]

  • Page 644

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 644 Figure 426 Call-Triggering Packet Example 42.5 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your [...]

  • Page 645

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 645 Figure 427 Menu 24.4: System Maintenance: Diagnostic 42.5.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 428 on page 645. LAN DHCP has already been discussed. The ZyWALL can act either as a WAN DHCP client (IP Address Assignment fi[...]

  • Page 646

    Chapter 42 System Information & Diagnosis ZyWALL 2WG User’s Guide 646 Table 239 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP sett[...]

  • Page 647

    ZyWALL 2WG User’s Guide 647 CHAPTER 43 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 43.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware. [...]

  • Page 648

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 648 The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not t[...]

  • Page 649

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 649 Figure 429 Telnet into Menu 24.5 43.3.2 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter you[...]

  • Page 650

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 650 43.3.4 GUI-based FTP Clients The following table describes some of the commands that you may see in GUI-based FTP clients. 43.3.5 File Maintenance Over WAN TFTP, FTP and Telnet over the WAN will not work when: 1 The firewall is active (turn the firewall off i[...]

  • Page 651

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 651 4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer. 5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the [...]

  • Page 652

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 652 Figure 431 System Maintenance: Backup Configuration 2 The following screen indicates that the Xmodem download has started. Figure 432 System Maintenance: Starting Xmodem Download Screen 3 Run the HyperTerminal program by clicking Transfer, then Receive F[...]

  • Page 653

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 653 FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. WARNING! Do not interrupt the[...]

  • Page 654

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 654 8 Enter “quit” to exit the ftp prompt. The ZyWALL will automatically restart after a successful restore process. 43.4.2 Restore Using FTP Session Example Figure 436 Restore Using FTP Session Example Refer to Section 43.3.5 on page 650 to read about configu[...]

  • Page 655

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 655 Figure 439 Restore Configuration Example 4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu. Figure 440 Successful Restoration Confirmation Screen 43.5 Uploading Firmware and Config[...]

  • Page 656

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 656 Figure 441 Telnet Into Menu 24.7.1: Upload System Firmware 43.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Figure 442 Telnet Into Menu 24.7.2: System Maintenance To upload the firmware and the configuration fil[...]

  • Page 657

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 657 43.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter “open”, followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (th[...]

  • Page 658

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 658 2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance. 3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter “command sys stdio 5” to restore the f[...]

  • Page 659

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 659 Figure 444 Menu 24.7.1 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for oth[...]

  • Page 660

    Chapter 43 Firmware and Configuration File Maintenance ZyWALL 2WG User’s Guide 660 Figure 446 Menu 24.7.2 As Seen Using the Console Port 2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for oth[...]

  • Page 661

    ZyWALL 2WG User’s Guide 661 CHAPTER 44 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 44.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic function[...]

  • Page 662

    Chapter 44 System Maintenance Menus 8 to 10 ZyWALL 2WG User’s Guide 662 44.1.1 Command Syntax The command keywords are in courier new font. Enter the command keywords exactly as shown, do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square bracke[...]

  • Page 663

    Chapter 44 System Maintenance Menus 8 to 10 ZyWALL 2WG User’s Guide 663 44.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to [...]

  • Page 664

    Chapter 44 System Maintenance Menus 8 to 10 ZyWALL 2WG User’s Guide 664 Figure 451 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total[...]

  • Page 665

    Chapter 44 System Maintenance Menus 8 to 10 ZyWALL 2WG User’s Guide 665 Figure 452 Call History The following table describes the fields in this screen. 44.3 Time and Date Setting The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and d[...]

  • Page 666

    Chapter 44 System Maintenance Menus 8 to 10 ZyWALL 2WG User’s Guide 666 Figure 453 Menu 24: System Maintenance Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen. Figure 454 Menu 24.10 System Maintenance: Time and Date Setting Menu 24[...]

  • Page 667

    Chapter 44 System Maintenance Menus 8 to 10 ZyWALL 2WG User’s Guide 667 The following table describes the fields in this screen. Table 246 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may hav[...]

  • Page 668

    Chapter 44 System Maintenance Menu s 8 to 10 ZyWALL 2WG User’s Guide 668[...]

  • Page 669

    ZyWALL 2WG User’s Guide 669 CHAPTER 45 Remote Management This chapter covers remote management found in SMT menu 24.11. 45.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow management from[...]

  • Page 670

    Chapter 45 Remote Management ZyWALL 2WG User’s Guide 670 Figure 455 Menu 24.11 – Remote Management Control The following table describes the fields in this screen. Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = Disable Secure Client IP = 0.0.0.0 FTP Server: Port = 21 Access = LAN+WAN1+DMZ+WLAN+WAN2 Secure Client IP[...]

  • Page 671

    Chapter 45 Remote Management ZyWALL 2WG User’s Guide 671 45.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2 You have disabled that service in menu 24.11. 3 The IP address in the Secure Client IP f[...]

  • Page 672

    Chapter 45 Remo te Management ZyWALL 2WG User’s Guide 672[...]

  • Page 673

    ZyWALL 2WG User’s Guide 673 CHAPTER 46 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 46.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy contains two lines. The former [...]

  • Page 674

    Chapter 46 IP Policy Routing ZyWALL 2WG User’s Guide 674 46.2 IP Routing Policy Setup To set up a routing policy, perform the following procedures: 1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary. Criteria/Action This displays the details about to which packets the policy applies and how the policy has the ZyWALL handl[...]

  • Page 675

    Chapter 46 IP Policy Routing ZyWALL 2WG User’s Guide 675 2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure). Figure 457 Menu 25.1: IP Routing Policy Setup The following table describes the [...]

  • Page 676

    Chapter 46 IP Policy Routing ZyWALL 2WG User’s Guide 676 46.2.1 Applying Policy to Packets To apply the policy to packets received on the selected interface(s), go to Menu 25.1: IP Routing Policy Setup and press [SPACE BAR] to select Yes in the Edit policy to packets received from field. Press [ENTER] to display Menu 25.1.1 - IP Routing Poli[...]

  • Page 677

    Chapter 46 IP Policy Routing ZyWALL 2WG User’s Guide 677 Figure 458 Menu 25.1.1: IP Routing Policy Setup The following table describes the fields in this screen. 46.3 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote n[...]

  • Page 678

    Chapter 46 IP Policy Routing ZyWALL 2WG User’s Guide 678 Figure 459 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next. 1 Create a rule in Menu 25.1 - IP Routing Policy Setup as show [...]

  • Page 679

    Chapter 46 IP Policy Routing ZyWALL 2WG User’s Guide 679 2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port. 3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly. 4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means an[...]

  • Page 680

    Chapter 46 IP Policy Routing ZyWALL 2WG User’s Guide 680[...]

  • Page 681

    ZyWALL 2WG User’s Guide 681 CHAPTER 47 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 47.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar[...]

  • Page 682

    Chapter 47 Call Scheduling ZyWALL 2WG User’s Guide 682 To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Fig[...]

  • Page 683

    Chapter 47 Call Scheduling ZyWALL 2WG User’s Guide 683 Once your schedule sets are configured, you must then apply them to the desired remote node(s). Enter 11 from the Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets field availabl[...]

  • Page 684

    Chapter 47 Call Scheduling ZyWALL 2WG User’s Guide 684 Figure 465 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing= Period(hr)= 0 My Login= Schedules= 1,2,3,4 My P[...]

  • Page 685

    685 PART VII Troubleshooting and Specifications Troubleshooting (687) Product Specifications (693)[...]

  • Page 686

    686[...]

  • Page 687

    ZyWALL 2WG User’s Guide 687 CHAPTER 48 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access 48.1 Power, Hardware Connections, and LEDs The ZyWAL[...]

  • Page 688

    Chapter 48 Troubleshooting ZyWALL 2WG User’s Guide 688 48.2 ZyWALL Access and Login I forgot the LAN IP address for the ZyWALL. 1 The default LAN IP address is 192.168.1.1. 2 Use the console port to log in to the ZyWALL. 3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the [...]

  • Page 689

    Chapter 48 Troubleshooting ZyWALL 2WG User’s Guide 689 • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix B on page 713. Your ZyWALL is a DHCP server by default. 6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. See Sectio[...]

  • Page 690

    Chapter 48 Troubleshooting ZyWALL 2WG User’s Guide 690 See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troubleshooting suggestio[...]

  • Page 691

    Chapter 48 Troubleshooting ZyWALL 2WG User’s Guide 691 I cannot access the Internet anymore. I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.4.4 on page 56. 2 Che[...]

  • Page 692

    Chapter 48 Trou bleshooting ZyWALL 2WG User’s Guide 692[...]

  • Page 693

    ZyWALL 2WG User’s Guide 693 CHAPTER 49 Product Specifications This chapter gives details about your ZyWALL’s hardware and firmware features. 49.1 General ZyWALL Specifications The following tables summarize the ZyWALL’s hardware and firmware features. Table 253 Hardware Specifications Dimensions 220 (W) x 148 (D) x 30.5 (H) mm Weight [...]

  • Page 694

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 694 Table 254 Firmware Specifications FEATURE DESCRIPTION Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234 Default DHCP Pool 192.168.1.33 to 192.168.1.160 Device Management Use the web configurator to easily configure the rich range [...]

  • Page 695

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 695 Firewall You can configure firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your net[...]

  • Page 696

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 696 49.2 Compatible 3G Cards At the time of writing, you can use the following 3G wireless cards in the ZyWALL. The table also shows you the 3G features supported by the compatible 3G cards. User Licenses Unlimited Output Power (Maximum) IEEE 802.11a: 14 dBm at 54 Mbps OFDM IEEE 802.1[...]

  • Page 697

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 697 49.3 3G Card Installation Do not insert or remove a card with the ZyWALL turned on. Make sure the ZyWALL is off before inserting or removing a 3G card (to avoid damage). Slide the connector end of the card into the slot. Only use a compatible 3G card. Do not force, b[...]

  • Page 698

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 698 Figure 466 Wall-mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). Figure 467 Masonry Plug and M4 Tap Screw[...]

  • Page 699

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 699 49.5 Power Adaptor Specifications NORTH AMERICAN PLUG STANDARDS AC POWER ADAPTOR MODEL PSA18R-120P (ZA)-R INPUT POWER 100-240 VAC, 50/60 HZ, 0.5A OUTPUT POWER 12VDC, 1.5A POWER CONSUMPTION 18 W MAX. SAFETY STANDARDS UL, CUL (UL 60950-1 FIRST EDITION CSA C22.2 NO. 60950-1-03 1ST.)[...]

  • Page 700

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 700 49.6 Cable Pin Assignments In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you connect [...]

  • Page 701

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 701 RX 3 2 CTS 4 8 GND 5 5 TX 6 3 RTS 7 7 DCD 8 1 N/A 9 Table 259 Ethernet Cable Pin Assignments WAN / LAN ETHERNET CABLE PIN LAYOUT Straight-through Crossover (Switch) (Adapter) (Switch) (Switch) 1 IRD + 1 OTD + 1 IRD + 1 IRD + 2 IRD - 2 OTD - 2 IRD - 2 IRD - 3 OTD + 3 IRD + 3 OTD + 3[...]

  • Page 702

    Chapter 49 Product Specifications ZyWALL 2WG User’s Guide 702[...]

  • Page 703

    703 PART VIII Appendices and Index The appendices provide general information. Some details may not apply to your ZyWALL. Pop-up Windows, JavaScripts and Java Permissions (705) Setting up Your Computer’s IP Address (713) IP Addresses and Subnetting (729) Common Services (737) Wireless LANs (741) Importing Certificates (755) Legal I[...]

  • Page 704

    704[...]

  • Page 705

    ZyWALL 2WG User’s Guide 705 APPENDIX A Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Internet Explorer 6 screens are used here. Screens for other In[...]

  • Page 706

    Appendix A Pop-up Windows, JavaScripts and Java Permissions ZyWALL 2WG User’s Guide 706 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 470 Internet Options: Privacy 3 Click Apply to save this setting. Enable Pop-up Blockers with Exception[...]

  • Page 707

    Appendix A Pop-up Windows, JavaScripts and Java Permissions ZyWALL 2WG User’s Guide 707 Figure 471 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites.[...]

  • Page 708

    Appendix A Pop-up Windows, JavaScripts and Java Permissions ZyWALL 2WG User’s Guide 708 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. 1 In Internet Explorer, click Tools, Int[...]

  • Page 709

    Appendix A Pop-up Windows, JavaScripts and Java Permissions ZyWALL 2WG User’s Guide 709 Figure 474 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that[...]

  • Page 710

    Appendix A Pop-up Windows, JavaScripts and Java Permissions ZyWALL 2WG User’s Guide 710 JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 476 Java (Sun) Mozilla Firefox Mozi[...]

  • Page 711

    Appendix A Pop-up Windows, JavaScripts and Java Permissions ZyWALL 2WG User’s Guide 711 Figure 477 Mozilla Firefox: Tools > Options Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 478 Mozilla Firefox Content Security[...]

  • Page 712

    Appendix A Po p-up Wind ows, JavaS cripts and Ja va Permission s ZyWALL 2WG User’s Guide 712[...]

  • Page 713

    ZyWALL 2WG User’s Guide 713 APPENDIX B Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your c[...]

  • Page 714

    Appendix B Setting up Your Computer’s IP Address ZyWALL 2WG User’s Guide 714 Figure 479 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 [...]

  • Page 715

    Appendix B Setting up Your Computer’s IP Address ZyWALL 2WG User’s Guide 715 Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. 2 Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. • If you have a static IP address, s[...]

  • Page 716

    Appendix B Setting up Your Computer’s IP Address ZyWALL 2WG User’s Guide 716 Figure 481 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Ad[...]

  • Page 717

    Appendix B Setting up Your Computer’s IP Address ZyWALL 2WG User’s Guide 717 Figure 482 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 483 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.[...]

  • Page 718

    Appendix B Setting up Your Computer’s IP Address ZyWALL 2WG User’s Guide 718 Figure 484 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 485 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Propertie[...]

  • Page 719

    Appendix B Setting up Your Computer’s IP Address ZyWALL 2WG User’s Guide 719 Figure 486 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP a[...]

  • Page 720

    Appendix B Setting up Your Computer’s IP Address ZyWALL 2WG User’s Guide 720 Figure 487 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS serv[...]

  • Page 721

    Figure 488 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window [...]

  • Page 722

    Figure 489 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 490 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the follow[...]

  • Page 723

    • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyWALL in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuratio [...]

  • Page 724

    Figure 492 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of [...]

  • Page 725

    Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and cl[...]

  • Page 726

    • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Add[...]

  • Page 727

    Figure 497 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The f[...]

  • Page 728

    Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 501 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet HWaddr 00:50:BA:72:5B:44 inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:[...]

  • Page 729

    APPENDIX C IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are [...]

  • Page 730

    Figure 502 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the h[...]

  • Page 731

    Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Network Size The size of the network number determines the maximum number of possible ho[...]

  • Page 732

    Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons. In this example, the company [...]

  • Page 733

    Figure 504 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 – 2 or 126 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address). 192.168.1.0[...]

  • Page 734

    Example: Eight Subnets Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 265 Subnet 2 IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Add[...]

  • Page 735

    Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. The following table is a summary for subnet planning on a network with a 16-bit network number. 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 2[...]

  • Page 736

    Configuring IP Addresses Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP[...]

  • Page 737

    APPENDIX D Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. • Name: This is a short, descriptive name[...]

  • Page 738

    FTP TCP TCP 20 21 File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. H.323 TCP 1720 NetMeeting uses this protocol. HTTP TCP 80 Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS[...]

  • Page 739

    RTELNET TCP 107 Remote Telnet. RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP TCP 115 Simple File Transfer Protocol. SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standard for the I[...]

  • Page 740

    Appendix D Common Services ZyWALL 2WG User’s Guide 740[...]

  • Page 741

    APPENDIX E Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wir[...]

  • Page 742

    Figure 506 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless [...]

  • Page 743

    Figure 507 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacen[...]

  • Page 744

    Figure 508 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for [...]

  • Page 745

    If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to signal tha[...]

  • Page 746

    Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyWA[...]

  • Page 747

    Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network R[...]

  • Page 748

    For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of eac[...]

  • Page 749

    Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, i[...]

  • Page 750

    Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CC[...]

  • Page 751

    Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey clien[...]

  • Page 752

    3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temp[...]

  • Page 753

    Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly incr[...]

  • Page 754

    Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional an[...]

  • Page 755

    APPENDIX F Importing Certificates This appendix shows importing certificates examples using Internet Explorer 5. Import ZyWALL Certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certifi[...]

  • Page 756

    Figure 512 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 513 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard.[...]

  • Page 757

    Figure 514 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next. Figure 515 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard.[...]

  • Page 758

    Figure 516 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 517 Root Certificate Store[...]

  • Page 759

    Figure 518 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Au[...]

  • Page 760

    Figure 519 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate 1 Double click the CA’s trusted certificate t[...]

  • Page 761

    Figure 520 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Doubl[...]

  • Page 762

    2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 522 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. Figure 523[...]

  • Page 763

    Figure 524 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 525 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 526 Persona[...]

  • Page 764

    Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter ‘https://ZyWALL IP Address/’ in your browser’s web address field. Figure 527 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selec[...]

  • Page 765

    APPENDIX G Legal Information Copyright Copyright © 2007 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical [...]

  • Page 766

    This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can r[...]

  • Page 767

    This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada. V[...]

  • Page 768

    Appendix G Legal Information ZyWALL 2WG User’s Guide 768[...]

  • Page 769

    APPENDIX H Customer Support Please have the following information ready when you contact customer support. Required Information • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it. “+” is[...]

  • Page 770

    • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk • Telephone: +45-39-55-07-00 • Fax: +45-39-55-07-07 • Web: www.zyxel.dk • Reg [...]

  • Page 771

    India • Support E-mail: support@zyxel.in • Sales E-mail: sales@zyxel.in • Telephone: +91-11-30888144 to +91-11-30888153 • Fax: +91-11-30888149, +91-11-26810715 • Web: http://www.zyxel.in • Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F[...]

  • Page 772

    • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no • Telephone: +47-22-80-61-80 • Fax: +47-22-80-61-81 • Web: www.zyxel.no • Regular Mail: ZyXEL [...]

  • Page 773

    Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 • Fax: +46-31-744-7701 • Web: www.zyxel.se • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden Thailand • Support E-mail: support@zyxel.[...]

  • Page 774

    Appendix H Custo mer Support ZyWALL 2WG User’s Guide 774[...]

  • Page 775

    Index Numerics 3G introduction 187 3G. see third generation 187 9600 baud 531 A Access point See also AP. access point 211 active protocol 320 AH 320 and encapsulation 320 ESP 320 Address Assignment 427 address assignment 177 Advanced Encryption Standard See AES. AES 750 AH 320 and transport mode 321 ALG 473 [...]

  • Page 776

    C CA 349, 748 call back delay 549 call control 663 call history 664 call scheduling 681 max number of schedule sets 681 PPPoE 683 precedence 681 setting up a schedule 682 call-triggering packet 643 certificate 315 Certificate Authority See CA. certificates 349 and IKE SA 307 CA 349 thumbprint algorithms 350 thum[...]

  • Page 777

    disclaimer 765 DMZ IP alias setup 573 port filter setup 571 setup 571 TCP/IP setup 572 DNS 457 DNS Server For VPN Host 428 DNS server address assignment 177 DNS service 395 domain name 511, 638 Domain Name System. See DNS. DoS 239, 263 drop timeout 549 DSL modem 585 DTR 198, 548 Dynamic DNS 436, 437 Dynamic[...]

  • Page 778

    file maintenance 647 upload 521 firmware upload 655 FTP 655 flow control 531 fragmentation threshold 744 FTP 436, 453 commands 649 file upload 657 firmware upload 655 GUI-based clients 650 restoring files 653 service 395 G gateway IP address 567, 588, 593 general setup 511, 539 GMT 515 Greenwich Mean Time [...]

  • Page 779

    local and remote network any 318 local policy 318 manual keys 333 misconfiguration 318 nail up 310 Perfect Forward Secrecy (PFS) 321 proposal 321 remote policy 318 SA life time 310 Security Parameter Index (SPI) (manual keys) 333 transport mode 320 tunnel mode 320 when IKE SA is disconnected 310, 318 IPSec SA.[...]

  • Page 780

    NetBIOS 152 NetBIOS Name Server. See NBNS. Network Address Translation. See NAT. Network Basic Input/Output System. See NetBIOS. NNTP service 395 NTP time protocol 515 O one minute high 263 one minute low 263 online services center 141 outgoing protocol filter 563 overlap in VPN 319 P packet filtering 628 Pa[...]

  • Page 781

    HTTPS example 443 limitations 440, 671 secure FTP using SSH 451 secure telnet using SSH 450 SNMP 454 SSH 447 SSH implementation 448 system timeout 440 Telnet 452 WWW 441 remote node 583 filter 554, 589 reports 487 host IP address 488, 489 protocol/port 488, 490 web site hits 488, 489 required fields 533[...]

  • Page 782

    password 633 Set 455 Trap 455 trusted host 633 SNMP service 395 source address 259, 278 source-based routing 405 Spanning Tree Protocol. See STP. SSH 447 how SSH works 447 implementation 448 SSID 212 hide 221 SSID profile 226 stateful inspection firewall 239 static route 591 static WEP key 229 stop bit 5[...]

  • Page 783

    V Vantage CNM 458 virtual address mapping 319 virtual address mapping over VPN 323 virtual interfaces vs asymmetrical routes 250 vs triangle routes 250 Virtual Private Network. See VPN. VPN 184, 301 active protocol 320 adjust TCP maximum segment size 341 and NAT 309 and the firewall 101 avoiding overlap 319 c[...]

  • Page 784

    X Xmodem 659 file upload 659 protocol 648 Z ZyNOS 638, 648 ZyWALL registration 142 ZyXEL’s Network Operating System. See ZyNOS.[...]