ZyXEL Communications Internet Security Gateway ZyWALL 2 Series manual


A good user manual

The rules oblige the seller to provide the purchaser with operating instructions for the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series along with the item. A missing manual or false information given to the customer constitutes grounds for a complaint on account of the goods not conforming to the contract. In accordance with the law, a customer may receive the instructions in non-paper form; graphic and electronic manuals, as well as instructional videos, have lately become common. A necessary precondition is that the instructions be unambiguous and legible.

What is an instruction manual?

The term originates from the Latin word „instructio”, which means organizing. An instruction manual for the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series therefore contains a description of a process. Its purpose is to teach, and to ease the start-up and use of the item or the performance of certain activities. An instruction manual is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers take the time to read the manual for the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series. A good user manual introduces us to a number of additional functions of the purchased item and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series should contain:
- information concerning the technical data of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series
- the name of the manufacturer and the year of construction of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series item
- rules of operation, control and maintenance of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series item
- safety signs and certification marks that confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from uncertainty about the functions of purchased items. Unfortunately, networking and start-up of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series alone are not enough. A manual contains a number of hints concerning the respective functions, safety rules, maintenance methods (which means should be used), possible defects of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series, and methods of problem resolution. If one still cannot find the answer to a problem, one will be directed to ZyXEL Communications service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and will not skip the complicated technical information about the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series.

Why should one read the manuals?

It is mostly in the manuals that we find the details of the construction and capabilities of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series item, its use of the respective accessories, and information about all its functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the manual. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals serve as an informational aid.

Table of contents for the manual

  • Page 1

    ZyWALL 2 Series Internet Security Gateway User’s Guide Version 3.62 June 2004 [...]

  • Page 2

    ZyWALL 2 Series User’s Guide ii Copyright. Copyright © 2004 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, [...]

  • Page 3

    ZyWALL 2 Series User’s Guide FCC iii Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause und[...]

  • Page 4

    ZyWALL 2 Series User’s Guide iv Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment w[...]

  • Page 5

    ZyWALL 2 Series User’s Guide Warranty v ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications[...]

  • Page 6

    ZyWALL 2 Series User’s Guide vi Customer Support When you contact your customer support representative please have the following information ready: Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received yo[...]

  • Page 7

    ZyWALL 2 Series User’s Guide Table of Contents vii Table of Contents Copyright ... ii Federal Communications Commission (FCC) Interference Statement ... [...]

  • Page 8

    ZyWALL 2 Series User’s Guide viii Table of Contents 5.6 Configuring IP ... 5-3 5.7 Configuring Static DHCP ... 5-6 5.8 [...]

  • Page 9

    ZyWALL 2 Series User’s Guide Table of Contents ix 10.3 Introduction to ZyXEL’s Firewall ... 10-2 10.4 Denial of Service ... 10-3 10.5 Stateful Inspe[...]

  • Page 10

    ZyWALL 2 Series User’s Guide x Table of Contents 14.13 Configuring Advanced IKE Setup ... 14-24 14.14 Manual Key Setup ... 14-28 14.15 Configuring Edit Manu[...]

  • Page 11

    ZyWALL 2 Series User’s Guide Table of Contents xi 17.9 Secure Telnet Using SSH Examples ... 17-16 17.10 Secure FTP Using SSH Example ... 17-18 17.11 Telnet ... [...]

  • Page 12

    ZyWALL 2 Series User’s Guide xii Table of Contents 23.3 Configuring Dial Backup in Menu 2 ... 23-2 23.4 Advanced WAN Setup ... 23-3 23.5 Remote Node Profile (B[...]

  • Page 13

    ZyWALL 2 Series User’s Guide Table of Contents xiii 30.5 Firewall Versus Filters ... 30-16 30.6 Applying a Filter ... 30-17 Chapter 31 S[...]

  • Page 14

    ZyWALL 2 Series User’s Guide xiv Table of Contents Appendix F Types of EAP Authentication ... F-1 Appendix G PPPoE ... G-1 Append[...]

  • Page 15

    ZyWALL 2 Series User’s Guide List of Figures xv List of Figures Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem ... 1-6 Figure 1-2 Secure Internet Access and VPN Application ... 1-7 Figure 2-1 Cha[...]

  • Page 16

    ZyWALL 2 Series User’s Guide xvi List of Figures Figure 8-3 Multiple Servers Behind NAT Example ... 8-6 Figure 8-4 SUA Server ... [...]

  • Page 17

    ZyWALL 2 Series User’s Guide List of Figures xvii Figure 14-9 Advanced IKE VPN Rule Setup ... 14-25 Figure 14-10 Manual VPN Rule Setup ... 14-29 Figure 14-[...]

  • Page 18

    ZyWALL 2 Series User’s Guide xviii List of Figures Figure 17-21 SNMP Management Model ... 17-23 Figure 17-22 SNMP ... [...]

  • Page 19

    ZyWALL 2 Series User’s Guide List of Figures xix Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter ... 23-13 Figure 24-1 Menu 3: LAN Setup ... 24-1 Figure 24-2 Me[...]

  • Page 20

    ZyWALL 2 Series User’s Guide xx List of Figures Figure 28-20 Example 4: Menu 15.1.1.1: Address Mapping Rule ... 28-16 Figure 28-21 Example 4: Menu 15.1.1: Address Mapping Rules ... 28-16 Figure 28-22 Trigger Port Forwarding P[...]

  • Page 21

    ZyWALL 2 Series User’s Guide List of Figures xxi Figure 33-12 Successful Restoration Confirmation Screen ... 33-10 Figure 33-13 Telnet Into Menu 24.7.1: Upload System Firmware ... 33-11 Figure 33-14 Telnet Into Menu[...]

  • Page 22

    ZyWALL 2 Series User’s Guide xxii List of Tables List of Tables Table 1-1 Model Specific Features ... 1-1 Table 2-1 Web Configurator Screens Summary ... [...]

  • Page 23

    ZyWALL 2 Series User’s Guide List of Tables xxiii Table 10-2 ICMP Commands That Trigger Alerts ... 10-6 Table 10-3 Legal NetBIOS Commands ... 10-7 Table 10[...]

  • Page 24

    ZyWALL 2 Series User’s Guide xxiv List of Tables Table 16-2 RADIUS ... 16-4 Table 17-1 WWW ... [...]

  • Page 25

    ZyWALL 2 Series User’s Guide List of Tables xxv Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ... 26-2 Table 26-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ... 26-5 Table 26-3 Fields in Menu 11.1 ([...]

  • Page 26

    ZyWALL 2 Series User’s Guide xxvi Preface About This User's Manual Congratulations on your purchase of the ZyWALL 2 Internet Security Gateway Series. This manual is designed to guide you through the configuration of your ZyWALL for its various applications. Use the web configurator, System Management Terminal (SMT) or command int[...]

  • Page 27

    ZyWALL 2 Series User’s Guide Preface xxvii • The version number on the title page is the latest firmware version that is documented in this User’s Guide. Earlier versions may also be included. • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose” means for you to use one[...]

  • Page 28

    [...]

  • Page 29

    Getting Started I Part I: Getting Started This part helps you get to know your ZyWALL, introduces the web configurator and covers how to configure the Wizard Setup screens.[...]

  • Page 30

    [...]

  • Page 31

    ZyWALL 2 Series User’s Guide Getting to Know Your ZyWALL 1-1 Chapter 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 Introducing the ZyWALL The ZyWALL is an ideal secure gateway for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability,[...]

  • Page 32

    ZyWALL 2 Series User’s Guide 1-2 Getting to Know Your ZyWALL 1.2.1 Physical Features 4-Port Switch A combination of switch and router makes your ZyWALL a cost-effective and viable network solution. You can connect up to four computers to the ZyWALL without the cost of a hub. Use a hub to add more than four computers to your LAN. Auto-neg[...]

  • Page 33

    ZyWALL 2 Series User’s Guide Getting to Know Your ZyWALL 1-3 The ZyWALL supports two simultaneous VPN connections. X-Auth (Extended Authentication) X-Auth provides added security for VPN by requiring each VPN client to use a username and password. Certificates The ZyWALL can use certificates (also called digital IDs) to authenticate[...]

  • Page 34

    ZyWALL 2 Series User’s Guide 1-4 Getting to Know Your ZyWALL Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the ZyWALL and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network. Call Scheduling Configure call time periods to rest[...]

  • Page 35

    ZyWALL 2 Series User’s Guide Getting to Know Your ZyWALL 1-5 Central Network Management Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. The enterprise or service provider network administrator can configure your ZyWALL, perform firmware upgrades and do trouble[...]

  • Page 36

    ZyWALL 2 Series User’s Guide 1-6 Getting to Know Your ZyWALL Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. RoadRunner Support In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunne[...]

  • Page 37

    ZyWALL 2 Series User’s Guide Getting to Know Your ZyWALL 1-7 1.3.2 Secure Broadband Internet Access and VPN You can connect a cable, DSL or wireless modem to the ZyWALL via Ethernet for broadband Internet access. The ZyWALL also provides IP address sharing and a firewall-protected local network with traffic management. ZyWALL VPN is[...]

  • Page 38

    [...]

  • Page 39

    ZyWALL 2 Series User’s Guide Introducing the Web Configurator 2-1 Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The embedded web configurator (ewc) allows you to manage the ZyWALL from anywhere through a brow[...]

  • Page 40

    ZyWALL 2 Series User’s Guide 2-2 Introducing the Web Configurator Step 6. Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. This feature is not available on the ZyWALL 2WE. Figure 2-2 Replace Certificate Screen Step 7. You should now see the MAIN [...]

  • Page 41

    ZyWALL 2 Series User’s Guide Introducing the Web Configurator 2-3 2.3.2 Uploading a Configuration File Via Console Port Step 3. Download the default configuration file from the ZyXEL Networks FTP site, unzip it and save it in a folder. Step 4. Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL aga[...]

  • Page 42

    ZyWALL 2 Series User’s Guide 2-4 Introducing the Web Configurator Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view online help. The icon does not appear in the MAIN MENU screen. Figure 2-4 The MAIN MENU Screen of the Web Configurator The following table desc[...]

  • Page 43

    ZyWALL 2 Series User’s Guide Introducing the Web Configurator 2-5 Table 2-1 Web Configurator Screens Summary LINK TAB FUNCTION General Use this screen to configure general system settings. DDNS Use this screen to configure Dynamic Domain Name System settings. Password Use this screen to change your password. SYSTEM Time Setting Use this scr[...]

  • Page 44

    ZyWALL 2 Series User’s Guide 2-6 Introducing the Web Configurator Table 2-1 Web Configurator Screens Summary LINK TAB FUNCTION General This screen allows you to enable content filtering and block certain web features. Categories Use this screen to select which categories of web pages to filter out, as well as to register for external databa[...]

  • Page 45

    ZyWALL 2 Series User’s Guide Introducing the Web Configurator 2-7 Table 2-1 Web Configurator Screens Summary LINK TAB FUNCTION SNMP Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management. DNS Use this screen to configure through which interface(s) and from which IP address(es) users can send[...]

  • Page 46

    [...]

  • Page 47

    ZyWALL 2 Series User’s Guide Wizard Setup 3-1 Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. 3.1 Wizard Setup Overview The web configurator’s setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encaps[...]

  • Page 48

    ZyWALL 2 Series User’s Guide 3-2 Wizard Setup Figure 3-1 Wizard 1 3.3 Internet Access The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. 3.3.1 Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet.[...]

  • Page 49

    ZyWALL 2 Series User’s Guide Wizard Setup 3-3 Figure 3-2 Wizard 2: Ethernet Encapsulation The following table describes the labels in this screen. Table 3-1 Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise[...]

  • Page 50

    ZyWALL 2 Series User’s Guide 3-4 Wizard Setup Table 3-1 Ethernet Encapsulation LABEL DESCRIPTION Login Server IP Address Type the authentication server IP address here if your ISP gave you one. Login Server (Telia Login only) Type the domain name of the Telia login server, for example “login1.telia.com”. Alternatively, click the right [...]

  • Page 51

    ZyWALL 2 Series User’s Guide Wizard Setup 3-5 Figure 3-3 Wizard 2: PPPoE Encapsulation The following table describes the labels in this screen. Table 3-2 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPPoE forms a dial-up connection. Service Na[...]

  • Page 52

    ZyWALL 2 Series User’s Guide 3-6 Wizard Setup Table 3-2 PPPoE Encapsulation LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. Next Click Next to continue. Back Click Back to return to the previous screen. 3.3.3 PPTP Encapsul[...]

  • Page 53

    ZyWALL 2 Series User’s Guide Wizard Setup 3-7 Figure 3-4 Wizard 2: PPTP Encapsulation The following table describes the labels in this screen. Table 3-3 PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. User Name Type the user name given to you by your ISP. Password [...]

  • Page 54

    ZyWALL 2 Series User’s Guide 3-8 Wizard Setup Table 3-3 PPTP Encapsulation LABEL DESCRIPTION My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given). Server IP Address Type the IP address of the PPTP server. Connection ID/Name Enter the connection I[...]

  • Page 55

    ZyWALL 2 Series User’s Guide Wizard Setup 3-9 Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. 3.4.2 [...]

  • Page 56

    ZyWALL 2 Series User’s Guide 3-10 Wizard Setup 3.4.4 WAN MAC Address Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You can configure the WAN port's MAC address by either using [...]

  • Page 57

    ZyWALL 2 Series User’s Guide Wizard Setup 3-11 Figure 3-5 Wizard 3 The following table describes the labels in this screen. Table 3-6 Wizard 3 LABEL DESCRIPTION WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP address Select[...]

  • Page 58

    ZyWALL 2 Series User’s Guide 3-12 Wizard Setup Table 3-6 Wizard 3 LABEL DESCRIPTION Remote IP Subnet Mask Enter the gateway IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address. This field is only available when you select PPTP encapsulation in the previous wizard screen. Gateway/Remote IP Address En[...]

  • Page 59

    ZyWALL 2 Series User’s Guide Wizard Setup 3-13 Figure 3-6 Internet Access Wizard Setup Complete[...]

  • Page 60

    [...]

  • Page 61

    System and LAN II Part II: System and LAN This part covers configuration of the System and LAN screens.[...]

  • Page 62

    [...]

  • Page 63

    ZyWALL 2 Series User’s Guide System 4-1 Chapter 4 System Screens This chapter provides information on the System screens. 4.1 System Overview See the Wizard Setup chapter for more information on the next few screens. 4.2 Configuring General Setup Click SYSTEM to open the General screen. Figure 4-1 System General Setup The following table descr[...]

  • Page 64

    ZyWALL 2 Series User’s Guide 4-2 System Table 4-1 System General Setup LABEL DESCRIPTION System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field (see the Wizard Setup chapter for how to find your computer’s name). This name can be up to 30 alphanumeric[...]

  • Page 65

    ZyWALL 2 Series User’s Guide System 4-3 4.3 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.or[...]

  • Page 66

    ZyWALL 2 Series User’s Guide 4-4 System Figure 4-2 DDNS The following table describes the fields in this screen. Table 4-2 DDNS LABEL DESCRIPTION Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. DDNS Type Select the type of service that you are registered for from your Dynam[...]

  • Page 67

    ZyWALL 2 Series User’s Guide System 4-5 Table 4-2 DDNS LABEL DESCRIPTION Host Names 1~3 Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (","). User Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. P[...]

  • Page 68

    ZyWALL 2 Series User’s Guide 4-6 System Figure 4-3 Password The following table describes the fields in this screen. Table 4-3 Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field. New Password Type the new password in this field. Retype to Confirm Type the new p[...]

  • Page 69

    ZyWALL 2 Series User’s Guide System 4-7 Table 4-4 Default Time Servers ntp1.cs.wisc.edu ntp1.gbg.netnod.se ntp2.cs.wisc.edu tock.usno.navy.mil ntp3.cs.wisc.edu ntp.cs.strath.ac.uk ntp1.sp.se time1.stupi.se tick.stdtime.gov.tw tock.stdtime.gov.tw time.stdtime.gov.tw 4.7 Configuring Time Setting To change your ZyWALL’s time and date, click SYSTE[...]

  • Page 70

    ZyWALL 2 Series User’s Guide 4-8 System Figure 4-4 Time Setting The following table describes the fields in this screen. Table 4-5 Time Setting LABEL DESCRIPTION Time Protocol Select the time service protocol that your time server sends when you turn on the ZyWALL. Not all time servers support all protocols, so you may have to check with your IS[...]

  • Page 71

    ZyWALL 2 Series User’s Guide System 4-9 Table 4-5 Time Setting LABEL DESCRIPTION Time Server Address Enter the address of your time server. Check with your ISP/network administrator if you are unsure of this information (the default is tick.stdtime.gov.tw). Synchronize Now Click this button to get the time and date from the time server you spec[...]

  • Page 72

    [...]

  • Page 73

    ZyWALL 2 Series User’s Guide LAN 5-1 Chapter 5 LAN Screens This chapter describes how to configure LAN settings. 5.1 LAN Overview Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network in[...]

  • Page 74

    ZyWALL 2 Series User’s Guide 5-2 LAN three numbers specify the network number while the last number identifies an individual computer on that network. Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyWALL, but make sure that no other device on your network is [...]

  • Page 75

    ZyWALL 2 Series User’s Guide LAN 5-3 RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network top[...]

  • Page 76

    ZyWALL 2 Series User’s Guide 5-4 LAN Figure 5-1 IP The following table describes the fields in this screen. Table 5-1 IP LABEL DESCRIPTION DHCP Setup[...]

  • Page 77

    ZyWALL 2 Series User’s Guide LAN 5-5 Table 5-1 IP LABEL DESCRIPTION DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP Server check box selected. Clear it to disabl[...]

  • Page 78

    ZyWALL 2 Series User’s Guide 5-6 LAN Table 5-1 IP LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networ[...]

  • Page 79

    ZyWALL 2 Series User’s Guide LAN 5-7 Figure 5-2 Static DHCP The following table describes the fields in this screen. Table 5-2 Static DHCP LABEL DESCRIPTION # This is the index number of the Static IP table entry (row). MAC Address Type the MAC address (with colons) of a computer on your LAN. IP Address Type the IP address to be assigned to the [...]

  • Page 80

    ZyWALL 2 Series User’s Guide 5-8 LAN When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). The following figure shows a LAN divided into subnets A, B, and C. Figure 5-3 Physical Network Figure 5-4 Partitioned Logical Networks. To change your ZyWALL’s IP alias setti[...]

  • Page 81

    LAN 5-9 The following table describes the fields in this screen. Table 5-3 IP Alias LABEL DESCRIPTION IP Alias 1,2 Select the check box to configure another LAN for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask Your ZyWALL will automatically calculate the subne[...]


  • Page 83

    WAN and Wireless LAN III Part III: WAN and Wireless LAN This part covers configuration of the WAN and Wireless LAN screens.[...]


  • Page 85

    WAN Screens 6-1 Chapter 6 WAN Screens This chapter describes how to configure WAN settings. 6.1 WAN Overview See the LAN chapter for information about Primary and Secondary DNS Server, DNS Server Address Assignment and IP Address and Subnet Mask. 6.2 TCP/IP Priority (Metric) The metric represents the "cost of[...]

  • Page 86

    6-2 WAN Screens Table 6-1 Private IP Address Ranges 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an[...]

  • Page 87

    WAN Screens 6-3 Figure 6-1 WAN Setup: Route The following table describes the fields in this screen. Table 6-3 WAN Setup: Route LABEL DESCRIPTION WAN Traffic Redirect Dial Backup The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing[...]

  • Page 88

    6-4 WAN Screens Figure 6-2 Ethernet Encapsulation The following table describes the fields in this screen. Table 6-4 Ethernet Encapsulation LABEL DESCRIPTION Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Service Type Choose from Standard, Telstra (RoadRunner Te[...]

  • Page 89

    WAN Screens 6-5 Table 6-4 Ethernet Encapsulation LABEL DESCRIPTION Reset Click Reset to begin configuring this screen afresh. 6.5.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interact[...]

  • Page 90

    6-6 WAN Screens Figure 6-3 PPPoE Encapsulation The following table describes the fields in this screen. Table 6-5 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over E[...]

  • Page 91

    WAN Screens 6-7 Table 6-5 PPPoE Encapsulation LABEL DESCRIPTION Password Type the password associated with the User Name above. Retype to Confirm Type your password again to make sure that you have entered it correctly. Nailed-Up Connection Select Nailed-Up Connection if you do not want the connection to time out.[...]

  • Page 92

    6-8 WAN Screens Figure 6-4 PPTP Encapsulation The following table describes the fields in this screen. Table 6-6 PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote cl[...]

  • Page 93

    WAN Screens 6-9 Table 6-6 PPTP Encapsulation LABEL DESCRIPTION User Name Type the user name given to you by your ISP. Password Type the password associated with the User Name above. Retype to Confirm Type your password again to make sure that you have entered it correctly. Nailed-up Connection Select Nailed-Up Con[...]

  • Page 94

    6-10 WAN Screens Figure 6-5 IP Setup The following table describes the fields in this screen. Table 6-7 IP Setup LABEL DESCRIPTION WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP address Select this[...]

  • Page 95

    WAN Screens 6-11 Table 6-7 IP Setup LABEL DESCRIPTION My WAN IP Address (or IP Address) Enter your WAN IP address in this field if you selected Use Fixed IP Address. My WAN IP Subnet Mask (Ethernet encapsulation only) Type your network's IP subnet mask. Remote IP Address (or Gateway IP Address) Type the IP addr[...]

  • Page 96

    6-12 WAN Screens Table 6-7 IP Setup LABEL DESCRIPTION Private (PPPoE and PPTP only) This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will be prop[...]

  • Page 97

    WAN Screens 6-13 Table 6-7 IP Setup LABEL DESCRIPTION Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPP[...]

  • Page 98

    6-14 WAN Screens The MAC address screen allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a computer on your LAN. Choose Factory Default to select the factory assigned default MAC Address. Otherwise, click Spoof this computer's MAC a[...]

  • Page 99

    WAN Screens 6-15 Figure 6-8 Traffic Redirect LAN Setup 6.9 Configuring Traffic Redirect To change your ZyWALL’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown.[...]

  • Page 100

    6-16 WAN Screens Figure 6-9 Traffic Redirect The following table describes the fields in this screen. Table 6-8 Traffic Redirect LABEL DESCRIPTION Active Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down. Backup Gateway IP Address Type the IP address of your backup g[...]

  • Page 101

    WAN Screens 6-17 Table 6-8 Traffic Redirect LABEL DESCRIPTION Check WAN IP Address Configuration of this field is optional. If you do not enter an IP address here, the ZyWALL will use the default gateway IP address. Configure this field to test your ZyWALL's WAN accessibility. Type the IP address of a reliabl[...]

  • Page 102

    6-18 WAN Screens Figure 6-10 Dial Backup Setup[...]

  • Page 103

    WAN Screens 6-19 The following table describes the labels in this screen. Table 6-9 Dial Backup Setup LABEL DESCRIPTION Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to Confi[...]

  • Page 104

    6-20 WAN Screens Table 6-9 Dial Backup Setup LABEL DESCRIPTION Get IP Address Automatically from Remote Server Type the login name assigned by your ISP for this remote node. Used Fixed IP Address Select this check box if your ISP assigned you a fixed IP address, then enter the IP address in the following field. My[...]

  • Page 105

    WAN Screens 6-21 Table 6-9 Dial Backup Setup LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported; but RIP-2 carries m[...]

  • Page 106

    6-22 WAN Screens Table 6-9 Dial Backup Setup LABEL DESCRIPTION Configure Budget Select this check box to have the dial backup connection on during the time that you select. Allocated Budget Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period fiel[...]

  • Page 107

    WAN Screens 6-23 6.11.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags. 6.12 Conf[...]

  • Page 108

    6-24 WAN Screens Figure 6-11 Advanced Setup The following table describes the labels in this screen. Table 6-10 Advanced Setup LABEL DESCRIPTION EXAMPLE AT Command Strings Dial Type the AT Command string to make a call. atdt[...]

  • Page 109

    WAN Screens 6-25 Table 6-10 Advanced Setup LABEL DESCRIPTION EXAMPLE Drop Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath" can be used if your modem has a slow response time. ~~+++~~ath Answer Type the AT Command string to answer a call. ata[...]


  • Page 111

    Wireless LAN Screens 7-1 Chapter 7 Wireless LAN Screens This chapter discusses how to configure Wireless LAN on the ZyWALL 2WE. 7.1 Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios. 7.1.1 Additional Installation Requirements for Using 802.1x • A computer with an IEEE[...]

  • Page 112

    7-2 Wireless LAN Screens is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 7-1 RTS Threshold When station A sends data to the ZyWALL, it might not know that the station B is already using the channel. If these two stations send data at the same[...]

  • Page 113

    Wireless LAN Screens 7-3 A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you[...]

  • Page 114

    7-4 Wireless LAN Screens 7.4 Configuring Wireless LAN If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your c[...]

  • Page 115

    Wireless LAN Screens 7-5 Table 7-1 Wireless LABEL DESCRIPTION Enable Wireless LAN The wireless LAN is turned off by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select t[...]

  • Page 116

    7-6 Wireless LAN Screens 7.5 Configuring MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Contro[...]

  • Page 117

    Wireless LAN Screens 7-7 Table 7-2 MAC Address Filter LABEL DESCRIPTION Active Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses. Disable MAC address filtering to have the route[...]

  • Page 118

    7-8 Wireless LAN Screens • Access-Request Sent by the ZyWALL requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The ac[...]

  • Page 119

    Wireless LAN Screens 7-9 Figure 7-5 EAP Authentication The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x chapter in the Appendices. • The wireless station sends a “start” message to the Zy[...]

  • Page 120

    7-10 Wireless LAN Screens Figure 7-6 802.1X Authentication The following table describes the fields in this screen. Table 7-3 802.1X Authentication LABEL DESCRIPTION Authentication Type Select Authentication Required, No Access or No Authentication Required from the drop-down list box. Select Authentication Required[...]

  • Page 121

    NAT and Static Route IV Part IV: NAT and Static Route This part covers Network Address Translation and setting up static routes.[...]


  • Page 123

    NAT 8-1 Chapter 8 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 8.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one netw[...]

  • Page 124

    8-2 NAT local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for exampl[...]

  • Page 125

    NAT 8-3 8.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 8-2 NAT Application With IP Alias 8.1.5 NA[...]

  • Page 126

    8-4 NAT • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), the Single User Account feature (the SUA Only option). • Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps[...]

  • Page 127

    NAT 8-5 8.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or se[...]

  • Page 128

    8-6 NAT Table 8-3 Services and Port Numbers SERVICES PORT NUMBER DNS (Domain Name System) 53 Finger 79 HTTP (Hyper Text Transfer protocol or WWW, Web) 80 POP3 (Post Office Protocol) 110 NNTP (Network News Transport Protocol) 119 SNMP (Simple Network Management Protocol) 161 SNMP trap 162 PPTP (Point-to-Point Tunneli[...]

  • Page 129

    NAT 8-7 8.4 Configuring SUA Server If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Click SUA/NAT to open the SUA Server screen. Refer to the firewall chapters for port numbers commonly used for part[...]

  • Page 130

    8-8 NAT Table 8-4 SUA Server LABEL DESCRIPTION Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not[...]

  • Page 131

    NAT 8-9 Figure 8-5 Address Mapping The following table describes the fields in this screen. Table 8-5 Address Mapping LABEL DESCRIPTION Local Start IP This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping. Local End IP This is the en[...]

  • Page 132

    8-10 NAT Table 8-5 Address Mapping LABEL DESCRIPTION Type 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PA[...]

  • Page 133

    NAT 8-11 Table 8-6 Address Mapping Rule LABEL DESCRIPTION Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type. 2. Many-to-One: Many-to-One mode maps multi[...]

  • Page 134

    8-12 NAT receives a response with a specific port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer’s connection for that service closes, another computer on the LAN can use the service in the sa[...]

  • Page 135

    NAT 8-13 Figure 8-8 Trigger Port The following table describes the fields in this screen. Table 8-7 Trigger Port LABEL DESCRIPTION No. This is the rule index number (read-only). Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces.[...]

  • Page 136

    8-14 NAT Table 8-7 Trigger Port LABEL DESCRIPTION Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Start Port Type a[...]

  • Page 137

    Static Route Screens 9-1 Chapter 9 Static Route Screens This chapter shows you how to configure static routes for your ZyWALL. 9.1 Static Route Overview Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, t[...]

  • Page 138

    9-2 Static Route Screens Figure 9-2 Static Route Screen The following table describes the fields in this screen. Table 9-1 IP Static Route Summary LABEL DESCRIPTION # Number of an individual static route. Name Name that describes or identifies this route. Active This field shows whether this static route is active (Y[...]

  • Page 139

    Static Route Screens 9-3 Table 9-1 IP Static Route Summary LABEL DESCRIPTION Gateway This is the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL; over the WA[...]

  • Page 140

    9-4 Static Route Screens Table 9-2 Edit IP Static Route LABEL DESCRIPTION Active This field allows you to activate/deactivate this static route. Destination IP Address This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route[...]

  • Page 141

    Firewall and Content Filters V Part V: Firewall and Content Filters This part introduces firewalls in general and the ZyWALL firewall. It also explains how to configure the ZyWALL firewall and content filtering.[...]


  • Page 143

    Firewalls 10-1 Chapter 10 Firewalls This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 10.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewa[...]

  • Page 144

    10-2 Firewalls i. Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. ii. Robust authentication and logging pre-authenticates application traffic before[...]

  • Page 145

    Firewalls 10-3 Figure 10-1 ZyWALL Firewall Application 10.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Z[...]

  • Page 146

    10-4 Firewalls Table 10-1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 10.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks that flood a net[...]

  • Page 147

    Firewalls 10-5 Figure 10-2 Three-Way Handshake • Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). Aft[...]

  • Page 148

    10-6 Firewalls 2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3. A brute-force at[...]

  • Page 149

    Firewalls 10-7 • Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal. Table 10-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 10-[...]

  • Page 150

    10-8 Firewalls all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: • Allows all sessions originating from the LAN (local network) to the WAN (Internet). • Denies all sessions originating from t[...]

  • Page 151

    Firewalls 10-9 4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outb[...]

  • Page 152

    10-10 Firewalls Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyWALL itself (as with the "virtual connections" created for UDP and ICMP). 10.5.3 TCP Security The ZyWALL uses state[...]

  • Page 153

    Firewalls 10-11 10.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections"[...]

  • Page 154

    10-12 Firewalls 10.7.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you designed. • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. • P[...]

  • Page 155

    Firewalls 10-13 3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need to check[...]


  • Page 157

    Firewall Screens 11-1 Chapter 11 Firewall Screens This chapter shows you how to configure your ZyWALL firewall. 11.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall usi[...]

  • Page 158

    11-2 Firewall Screens If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them. For example, you may create rules to: ♦ Block certain type[...]

  • Page 159

    Firewall Screens 11-3 1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just[...]

  • Page 160

    11-4 Firewall Screens policies for managing the ZyWALL through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ZyWALL policies apply in the same way to the WAN ports. 11.4.1 LAN to WAN Rules The default rule for LAN to WAN[...]

  • Page 161

    Firewall Screens 11-5 Figure 11-2 WAN to LAN Traffic 11.5 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 11-12 - check the Generate alert when attack detected ch[...]

  • Page 162

    11-6 Firewall Screens Figure 11-3 Enabling the Firewall The following table describes the fields in this screen. Select this check box to enable the firewall.[...]

  • Page 163

    Firewall Screens 11-7 Table 11-1 Firewall Rules Summary: First Screen LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route Select this check box[...]

  • Page 164

    11-8 Firewall Screens Table 11-1 Firewall Rules Summary: First Screen LABEL DESCRIPTION Log This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Alert This field tells you whether this rule generate[...]

  • Page 165

    Firewall Screens 11-9 Figure 11-4 Creating/Editing A Firewall Rule[...]

  • Page 166

    11-10 Firewall Screens The following table describes the fields in this screen. Table 11-2 Creating/Editing A Firewall Rule LABEL DESCRIPTION Active Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it. Packet Direction Use[...]

  • Page 167

    Firewall Screens 11-11 Table 11-2 Creating/Editing A Firewall Rule LABEL DESCRIPTION Log This field determines if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Go to the Log Settings page and select the Access Contr[...]

  • Page 168

    11-12 Firewall Screens Table 11-3 Adding/Editing Source and Destination Addresses LABEL DESCRIPTION Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list[...]

  • Page 169

    Firewall Screens 11-13 Table 11-4 Creating/Editing A Custom Port LABEL DESCRIPTION Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box. Port Configuration Type Select Single to specify one port only[...]

  • Page 170

    11-14 Firewall Screens Figure 11-7 Firewall IP Config Screen Step 4. Select Any in the Destination Address box and then click DestDelete. Select WAN to LAN from the drop-down list box[...]

  • Page 171

    Firewall Screens 11-15 Step 5. Click DestAdd under the Destination Address box. Step 6. Configure the Firewall Rule Edit IP screen as follows and click Apply. Figure 11-8 Firewall Rule Edit IP Example Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port scree[...]

  • Page 172

    11-16 Firewall Screens Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. Figure 11-10 My Service Rule Configuration This is the address range of the “My Service” servers. This is your “My Service”[...]

  • Page 173

    Firewall Screens 11-17 On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Figure 11-11 My Service Example Rule Summary Rul[...]

  • Page 174

    11-18 Firewall Screens 11.8 Predefined Services The Available Services list box in the Rule Config(uration) screen (see Figure 11-4) displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type[...]

  • Page 175

    Firewall Screens 11-19 Table 11-5 Predefined Services SERVICE DESCRIPTION IPSEC_TUNNEL(ESP:0) The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. IRC(TCP/UDP:6667) This is another popular Internet chat program. MSN Messenger(TCP:1863) Microsoft Networks’ messenger service uses t[...]

  • Page 176

    11-20 Firewall Screens Table 11-5 Predefined Services SERVICE DESCRIPTION SMTP(TCP:25) Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. SNMP(TCP/UDP:161) Simple Network Management Program. SNMP-TRAPS(TCP/UDP:162) Tra[...]

  • Page 177

    Firewall Screens 11-21 11.9.1 Threshold Values Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are: 1. The maximum number of o[...]

  • Page 178

    11-22 Firewall Screens Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to one of the following methods: 1. If the Blocking Period timeout is 0 (the default), then the ZyWA[...]

  • Page 179

    Firewall Screens 11-23 Table 11-6 Attack Alert LABEL DESCRIPTION DEFAULT VALUES Generate alert when attack detected A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See the chapter on logs for more information on logs and ale[...]

  • Page 180

    11-24 Firewall Screens Table 11-6 Attack Alert LABEL DESCRIPTION DEFAULT VALUES Maximum Incomplete High This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyWALL deletes half-ope[...]

  • Page 181

    Content Filtering Screens 12-1 Chapter 12 Content Filtering Screens This chapter provides a brief overview of content filtering using the web embedded configurator. 12.1 Introduction to Content Filtering Internet content filtering allows you to create and enforce Internet access policies tailored to their needs. Con[...]

  • Page 182

    12-2 Content Filtering Screens Figure 12-1 Content Filter: General The following table describes the labels in this screen.[...]

  • Page 183

    Content Filtering Screens 12-3 Table 12-1 Content Filter: General LABEL DESCRIPTION Enable Content Filter Select this check box to enable the content filter. Restrict Web Features: Select the check box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page w[...]

  • Page 184

    12-4 Content Filtering Screens Table 12-1 Content Filter: General LABEL DESCRIPTION Exclude specified address ranges from the content filter enforcement Select this checkbox to exempt a specific range of users on your LAN from content filter policies. Add Address Ranges From Type the beginning IP address (in dotte[...]

  • Page 185

    Content Filtering Screens 12-5 Step 1. A computer sends an HTTP request to a web server. Step 2. The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL either blocks or forwards [...]

  • Page 186

    12-6 Content Filtering Screens Figure 12-3 Content Filter: Categories[...]

  • Page 187

    Content Filtering Screens 12-7 The following table describes the labels in this screen. Table 12-2 Content Filter: Categories LABEL DESCRIPTION Enable Web Site Auto Categorization Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page[...]

  • Page 188

    12-8 Content Filtering Screens Table 12-2 Content Filter: Categories LABEL DESCRIPTION Select Categories Select All Categories Select this check box to restrict access to all site categories listed below. Clear All Categories Select this check box to clear the selected categories below. Adult/Mature Content Select[...]

  • Page 189

    Content Filtering Screens 12-9 Table 12-2 Content Filter: Categories LABEL DESCRIPTION Gambling Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assistance, recommendations, or trai[...]

  • Page 190

    12-10 Content Filtering Screens Table 12-2 Content Filter: Categories LABEL DESCRIPTION Education Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities[...]

  • Page 191

    Content Filtering Screens 12-11 Table 12-2 Content Filter: Categories LABEL DESCRIPTION Computers/Internet Selecting this category excludes pages that sponsor or provide information on computers, technology, the Internet and technology-related organizations and companies. Hacking/Proxy Avoidance Pages providin[...]

  • Page 192

    12-12 Content Filtering Screens Table 12-2 Content Filter: Categories LABEL DESCRIPTION Shopping Selecting this category excludes pages that provide or advertise the means to obtain goods or services. It does not include pages that can be classified in other categories (such as vehicles or weapons). Auctions Sele[...]

  • Page 193

    Content Filtering Screens 12-13 Table 12-2 Content Filter: Categories LABEL DESCRIPTION Software Downloads Selecting this category excludes pages that are dedicated to the electronic download of software packages, whether for payment or at no charge. Pay to Surf Selecting this category excludes pages that pay use[...]

  • Page 194

    12-14 Content Filtering Screens Table 12-2 Content Filter: Categories LABEL DESCRIPTION Register Click Register to go to a web site where you can register for category-based content filtering (using an external database). You can use a trial application or register your iCard’s PIN. Refer to the web site’s on[...]

  • Page 195

    Content Filtering Screens 12-15 Figure 12-4 Content Filter: Customization[...]

  • Page 196

    12-16 Content Filtering Screens The following table describes the labels in this screen. Table 12-3 Content Filter: Customization LABEL DESCRIPTION Web Site List Customization Enable Web site customization Select this check box to allow Trusted Domain web sites and block Forbidden Domain web sites. Content filter li[...]

  • Page 197

    Content Filtering Screens 12-17 Table 12-3 Content Filter: Customization LABEL DESCRIPTION Delete Select a web site name from the Forbidden Web Site List, and then click this button to delete it from that list. Keyword Blocking Keyword Blocking allows you to block websites with URLs that contain certain keywords[...]

  • Page 198

    [...]

  • Page 199

    VPN/IPSec VI Part VI: VPN/IPSec This part provides information on how to configure VPN/IPSec.[...]

  • Page 200

    [...]

  • Page 201

    Introduction to IPSec 13-1 Chapter 13 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, [...]

  • Page 202

    13-2 Introduction to IPSec Figure 13-1 Encryption and Decryption • Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. • Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during tra[...]

  • Page 203

    Introduction to IPSec 13-3 13.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 13-2 IPSec Architecture 13.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the defaul[...]

  • Page 204

    13-4 Introduction to IPSec 13.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 13-3 Transport and Tunnel Mode IPSec Encapsulation 13.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In T[...]

  • Page 205

    Introduction to IPSec 13-5 13.4 IPSec and NAT Read this section if you are running IPSec on a host computer behind the ZyWALL. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with[...]

  • Page 206

    [...]

  • Page 207

    VPN Screens 14-1 Chapter 14 VPN Screens This chapter introduces the VPN Web configurator. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions. 14.1 VPN/IPSec Overview Use the screens documented in this chapter to configure and manage a VPN connection. 14.2 IPSec Al[...]

  • Page 208

    14-2 VPN Screens Table 14-1 AH and ESP ESP AH DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. MD5 (default) MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. 3DE[...]

  • Page 209

    VPN Screens 14-3 You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay[...]

  • Page 210

    14-4 VPN Screens Figure 14-2 VPN Rules The following table describes the fields in this screen. Table 14-2 VPN Rules LABEL DESCRIPTION # This field displays the VPN rule number. Name This field displays the identification name for this VPN policy. Active Y signifies that this VPN rule is active. Local IP Address Th[...]

  • Page 211

    VPN Screens 14-5 Table 14-2 VPN Rules LABEL DESCRIPTION Remote IP Address This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Th[...]

  • Page 212

    14-6 VPN Screens When there is outbound traffic with no inbound traffic, the ZyWALL automatically drops the tunnel after two minutes. 14.7 NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A and B. Figure 14-3 NAT Router Between IPSec Routers Nor[...]

  • Page 213

    VPN Screens 14-7 14.7.2 X-Auth (Extended Authentication) Extended authentication provides added security by allowing you to use usernames and passwords for VPN connections. This is especially helpful when multiple ZyWALLs use one VPN rule to connect to a single ZyWALL. An attacker cannot make a VPN connection [...]

  • Page 214

    14-8 VPN Screens If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network. 14.8 ID Type and Content With aggressive negotiation mode (see section 14.12.1), the ZyWALL identifies incoming SAs by ID type and cont[...]

  • Page 215

    VPN Screens 14-9 Table 14-4 Peer ID Type and Content Fields PEER ID TYPE= CONTENT= IP Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Secure Gateway field. DNS Type a domain name (up to 31 characters) [...]

  • Page 216

    14-10 VPN Screens Table 14-6 Mismatching ID Type and Content Configuration Example ZYWALL A ZYWALL B Peer ID type: E-mail Peer ID type: IP Peer ID content: aa@yahoo.com Peer ID content: N/A 14.9 Pre-Shared Key A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see section 14.10 for[...]

  • Page 217

    VPN Screens 14-11 Figure 14-6 Site-to-Site VPN Example 14.11 Configuring Basic IKE VPN Rule Setup Select one of the VPN rules in the VPN Rules screen and click Edit or click the Rule Setup tab on the ZyWALL 2WE to configure the rule’s settings. The basic IKE rule setup screen is shown next.[...]

  • Page 218

    14-12 VPN Screens Figure 14-7 Basic IKE VPN Rule Edit[...]

  • Page 219

    VPN Screens 14-13 The following table describes the fields in this screen. Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Active Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive Select this check box to turn [...]

  • Page 220

    14-14 VPN Screens Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the auth server’s loc[...]

  • Page 221

    VPN Screens 14-15 Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Local IP Address Enter a static local IP address. The local IP address must correspond to the remote IPSec router's configured remote IP addresses. Site to Site Select this radio button to establish a VPN between two sites (groups of IP ad[...]

  • Page 222

    14-16 VPN Screens Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Ending IP Address/ Subnet Mask When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the netwo[...]

  • Page 223

    VPN Screens 14-17 Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Local ID Type Select IP to identify this ZyWALL by its IP address. Select DNS to identify this ZyWALL by a domain name. Select E-mail to identify this ZyWALL by an e-mail address. You do not configure the local ID type and content when you set A[...]

  • Page 224

    14-18 VPN Screens Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Peer ID Type Select from the following when you set Authentication Method to Pre-shared Key. • Select IP to identify the remote IPSec router by its IP address. • Select DNS to identify the remote IPSec router by a domain name. • Select E-m[...]

  • Page 225

    VPN Screens 14-19 Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Content The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Method to Pre-shared Key. • For IP, type the IP address of the computer with which you will make the VPN connection. If you[...]

  • Page 226

    14-20 VPN Screens Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION My IP Address Enter the WAN IP address of your ZyWALL. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: • The ZyWALL uses the current ZyWALL WAN IP address (static or dyn[...]

  • Page 227

    VPN Screens 14-21 Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Encryption Algorithm Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can b[...]

  • Page 228

    14-22 VPN Screens Figure 14-8 Two Phases to Set Up the IPSec SA In phase 1 you must: • Choose a negotiation mode. • Authenticate the connection by entering a pre-shared key. • Choose an encryption algorithm. • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography k[...]

  • Page 229

    VPN Screens 14-23 IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic. 14.12.1 X-[...]

  • Page 230

    14-24 VPN Screens 14.12.5 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA set up. With PFS enabled, if one key is compromised, previous and subsequent keys are not com[...]

  • Page 231

    VPN Screens 14-25 Figure 14-9 Advanced IKE VPN Rule Setup The following table describes the fields in this screen. Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.[...]

  • Page 232

    14-26 VPN Screens Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION Enable Replay Detection As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from t[...]

  • Page 233

    VPN Screens 14-27 Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than M[...]

  • Page 234

    14-28 VPN Screens Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION SA Life Time (seconds) Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways[...]

  • Page 235

    VPN Screens 14-29 Select Manual Key (or Manual) in the Key Management (or IPSec Keying Mode) field to display the manual VPN rule setup screen. Figure 14-10 Manual VPN Rule Setup[...]

  • Page 236

    14-30 VPN Screens The following table describes the labels in this screen. Table 14-9 VPN Manual Setup LABEL DESCRIPTION Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing sp[...]

  • Page 237

    VPN Screens 14-31 Table 14-9 VPN Manual Setup LABEL DESCRIPTION Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP a[...]

  • Page 238

    14-32 VPN Screens Table 14-9 VPN Manual Setup LABEL DESCRIPTION Secure Gateway Addr Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. SPI Type a unique SPI (Security Parameter Index) from one to four characters long. Valid Characters are &quo[...]

  • Page 239

    VPN Screens 14-33 Table 14-9 VPN Manual Setup LABEL DESCRIPTION Authentication Key Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for MD5 authentication or 20 characters for SHA-1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated[...]

  • Page 240

    14-34 VPN Screens The following table describes the fields in this screen. Table 14-10 VPN SA Monitor LABEL DESCRIPTION # This is the security association index number. Name This field displays the identification name for this VPN policy. Encapsulation This field displays Tunnel or Transport mode. IPSec Algorithm T[...]

  • Page 241

    VPN Screens 14-35 Table 14-11 VPN Global Setting LABEL DESCRIPTION Windows Networking (NetBIOS over TCP/IP) NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass th[...]

  • Page 242

    14-36 VPN Screens Figure 14-13 Telecommuters Sharing One VPN Rule Example Table 14-12 Telecommuters Sharing One VPN Rule Example FIELDS TELECOMMUTERS HEADQUARTERS My IP Address: 0.0.0.0 (dynamic IP address assigned by the ISP) Public static IP address Secure Gateway IP Address: Public static IP address 0.0.0.0 With t[...]

  • Page 243

    VPN Screens 14-37 See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate V[...]

  • Page 244

    14-38 VPN Screens Table 14-13 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS Local IP Address: 192.168.2.12 Secure Gateway Address: telecommuter1.com Remote Address 192.168.2.12 Telecommuter B (telecommuterb.dydns.org) Headquarters ZyWALL Rule 2: Local ID Type: DNS Peer ID Type: DNS Local ID[...]

  • Page 245

    VPN/IPSec VII Part VII: Certificates This part provides information and configuration instructions for public-key certificates.[...]

  • Page 246

    [...]

  • Page 247

    Certificates 15-1 Chapter 15 Certificates This chapter gives background information about public-key certificates and explains how to use them. This chapter is only applicable to the ZyWALL 2. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates a[...]

  • Page 248

    15-2 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a director[...]

  • Page 249

    Certificates 15-3 15.4 My Certificates Click CERTIFICATES, My Certificates to open the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. See the following figure. Figure 15-2 My Certificates The following table describes th[...]

  • Page 250

    15-4 Certificates Table 15-1 My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. [...]

  • Page 251

    Certificates 15-5 Table 15-1 My Certificates LABEL DESCRIPTION Details Select the radio button next to a certificate’s index number and then click Details to open a screen with an in-depth list of information about that certificate. Refresh Click this button to display the current validity status of the certif[...]

  • Page 252

    15-6 Certificates 15.6 Importing a Certificate Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL, see the following figure. 1. You can only import a certificate that matches a correspon[...]

  • Page 253

    Certificates 15-7 Table 15-2 My Certificate Import LABEL DESCRIPTION Apply Click Apply to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the My Certificates screen. 15.7 Creating a Certificate Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen[...]

  • Page 254

    15-8 Certificates The following table describes the labels in this screen. Table 15-3 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information Use these fields to record information that identifies the owner of [...]

  • Page 255

    Certificates 15-9 Table 15-3 My Certificate Create LABEL DESCRIPTION Create a certification request and enroll for a certificate immediately online Select Create a certification request and enroll for a certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certifica[...]

  • Page 256

    15-10 Certificates After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see[...]

  • Page 257

    Certificates 15-11 Figure 15-5 My Certificate Details[...]

  • Page 258

    15-12 Certificates The following table describes the labels in this screen. Table 15-4 My Certificate Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not inc[...]

  • Page 259

    Certificates 15-13 Table 15-4 My Certificate Details LABEL DESCRIPTION Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. The ZyWALL uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may [...]

  • Page 260

    15-14 Certificates Table 15-4 My Certificate Details LABEL DESCRIPTION Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.[...]

  • Page 261

    Certificates 15-15 Figure 15-6 Trusted CAs The following table describes the labels in this screen. Table 15-5 Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, t[...]

  • Page 262

    15-16 Certificates Table 15-5 Trusted CAs LABEL DESCRIPTION Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same[...]

  • Page 263

    Certificates 15-17 You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 15-7 Trusted CA Import The following table describes the labels in this screen. Table 15-6 Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload[...]

  • Page 264

    15-18 Certificates Figure 15-8 Trusted CA Details[...]

  • Page 265

    Certificates 15-19 The following table describes the labels in this screen. Table 15-7 Trusted CA Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not inc[...]

  • Page 266

    15-20 Certificates Table 15-7 Trusted CA Details LABEL DESCRIPTION Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification a[...]

  • Page 267

    Certificates 15-21 Table 15-7 Trusted CA Details LABEL DESCRIPTION Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You[...]

  • Page 268

    15-22 Certificates Figure 15-9 Trusted Remote Hosts The following table describes the labels in this screen. Table 15-8 Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of t[...]

  • Page 269

    Certificates 15-23 Table 15-8 Trusted Remote Hosts LABEL DESCRIPTION Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have un[...]

  • Page 270

    15-24 Certificates Table 15-9 Remote Host Certificates Step 3. Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Table 15-10 Certificate Details 15.14 Importing a Trusted Remote Host’s Certificate Click[...]

  • Page 271

    Certificates 15-25 The trusted remote host certificate must be a self-signed certificate; and you must remove any spaces from its filename before you can import it. Figure 15-10 Trusted Remote Host Import The following table describes the labels in this screen. Table 15-11 Trusted Remote Host Import LABEL DESCR[...]

  • Page 272

    15-26 Certificates Figure 15-11 Trusted Remote Host Details[...]

  • Page 273

    Certificates 15-27 The following table describes the labels in this screen. Table 15-12 Trusted Remote Host Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any characte[...]

  • Page 274

    15-28 Certificates Table 15-12 Trusted Remote Host Details LABEL DESCRIPTION Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This f[...]

  • Page 275

15.16 Directory Servers
Click CERTIFICATES, Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL. If you decide to have the ZyWALL check i[...]

  • Page 276

Table 15-13 Directory Servers
Port: This field displays the port number that the directory server uses.
Protocol: This field displays the protocol that the directory server uses.
Add: Click Add to open a screen where you can configure information about a directory server so tha[...]

  • Page 277

Table 15-14 Directory Server Add
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol: Use the drop-down list box to select the access protocol used by the directory server. LDAP (Lightweight[...]


  • Page 279

Part VIII: Authentication Server, Remote Management and UPnP
This part provides information and configuration instructions for the authentication server screens, remote management and Universal Plug and Play.[...]


  • Page 281

Chapter 16 Authentication Server
This chapter discusses how to configure the authentication server on the ZyWALL.
16.1 Authentication Server Overview
A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS se[...]

  • Page 282

Figure 16-1 Local User Database[...]

  • Page 283

The following table describes the fields in this screen.
Table 16-1 Local User Database
Active: Select this check box to enable the user profile.
User Name: Enter the user name of the user profile.
Password: Enter a password up to 31 characters long for this user profile. [...]

  • Page 284

Figure 16-2 RADIUS
The following table describes the fields in this screen.
Table 16-2 RADIUS
Authentication Server
Active: Enable this feature to have the ZyWALL use an external authentication server in performing user authentication. Disable this feature if you will not u[...]

  • Page 285

Table 16-2 RADIUS
Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Key: Enter a password (up to 31 alphanumeric characters) [...]


  • Page 287

Chapter 17 Remote Management Screens
This chapter provides information on the Remote Management screens.
17.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you config[...]

  • Page 288

17.1.1 Remote Management Limitations
Remote management over LAN or WAN will not work when:
1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2. You have disabled that service in one of the remote management screens.
3. The IP a[...]

  • Page 289

data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys (see the Certificates chapter for more information). HTTPS on the ZyWALL is used so that you may secure[...]

  • Page 290

If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts.
17.3 Configuring WWW
To change your ZyWALL’s web settings, click REMOTE MGNT, then the WWW tab. The screen appears as shown.
Figure 17-2 WWW
The fo[...]

  • Page 291

Table 17-1 WWW
HTTPS: This feature is not available on the ZyWALL 2WE.
Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which[...]

  • Page 292

Table 17-1 WWW
Reset: Click Reset to begin configuring this screen afresh.
17.4 HTTPS Example
If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address”[...]

  • Page 293

17.4.2 Netscape Navigator Warning Messages
When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWA[...]

  • Page 294

Figure 17-5 Security Certificate 2 (Netscape)
17.4.3 Avoiding the Browser Warning Messages
The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.
• The issuing c[...]

  • Page 295

Step 2. Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for the certificate’s common name (see Figure 17-9 for an example). Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL’s actual IP address. You c[...]

  • Page 296

Figure 17-6 Login Screen (Internet Explorer)[...]

  • Page 297

Figure 17-7 Login Screen (Netscape)
Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.[...]

  • Page 298

Figure 17-8 Replace Certificate
Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the f[...]

  • Page 299

Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen.
Figure 17-10 Common ZyWALL Certificate
17.5 SSH Overview
Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) [...]

  • Page 300

Figure 17-11 SSH Communication Example
17.6 How SSH works
The following table summarizes how a secure connection is established between two remote hosts.
1. Host Identification: The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. [...]

  • Page 301

17.7 SSH Implementation on the ZyWALL
Your ZyWALL supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyWALL for remote SMT management and file transfer on port 22. Only one SSH[...]

  • Page 302

Table 17-2 SSH
Server Host Key: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see the Certific[...]

  • Page 303

Step 3. A window displays prompting you to store the host key in your computer. Click Yes to continue.
Figure 17-14 SSH Example 1: Store Host Key
Enter the password to log in to the ZyWALL. The SMT main menu displays next.
17.9.2 Example 2: Linux
This section describes how to access [...]

  • Page 304

Step 2. Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type “ye[...]

  • Page 305

Step 3. Use the “put” command to upload a new firmware to the ZyWALL.
Figure 17-17 Secure FTP: Firmware Upload Example
17.11 Telnet
You can configure your ZyWALL for remote Telnet access as shown next.
Figure 17-18 Telnet Configuration on a TCP/IP Network
$ sftp -1 192.168.1[...]

  • Page 306

17.12 Configuring TELNET
Click REMOTE MGNT to open the TELNET screen.
Figure 17-19 Telnet
The following table describes the labels in this screen.
Table 17-3 Telnet
Server Port: You may change the server port number for a service if needed, however you must use the s[...]

  • Page 307

17.13 Configuring FTP
You can upload and download the ZyWALL’s firmware and configuration files using FTP; see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. To change your ZyWALL’s FT[...]

  • Page 308

Table 17-4 FTP
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the comput[...]

  • Page 309

Figure 17-21 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the ma[...]

  • Page 310

• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get o[...]

  • Page 311

17.14.3 REMOTE MANAGEMENT: SNMP
To change your ZyWALL’s SNMP settings, click REMOTE MGNT, then the SNMP tab. The screen appears as shown.
Figure 17-22 SNMP
The following table describes the fields in this screen.[...]

  • Page 312

Table 17-6 SNMP
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set community, which is the[...]

  • Page 313

To change your ZyWALL’s DNS settings, click REMOTE MGNT, then the DNS tab. The screen appears as shown.
Figure 17-23 DNS
The following table describes the fields in this screen.
Table 17-7 DNS
Service Port: The DNS service port number is 53 and cannot be chan[...]

  • Page 314

17.16 Configuring Security
To change your ZyWALL’s Security settings, click REMOTE MGNT, then the Security tab. The screen appears as shown.
If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned. This allow[...]

  • Page 315

Table 17-8 Security
Respond to Ping on: The ZyWALL will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply[...]


  • Page 317

Chapter 18 UPnP
This chapter introduces the Universal Plug and Play feature.
18.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join [...]

  • Page 318

18.1.3 Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UP[...]

  • Page 319

Figure 18-1 Configuring UPnP
The following table describes the fields in this screen.
Table 18-1 Configuring UPnP
Device Name: This identifies the device in UPnP applications.
Enable the Universal Plug and Play (UPnP) feature: Select this checkbox to activate UPnP. Be aware that anyone coul[...]

  • Page 320

Table 18-1 Configuring UPnP
Reset: Click Reset to begin configuring this screen afresh.
18.4 Displaying UPnP Port Mapping
Click UPnP and then Ports to display the screen as shown next. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
Figure 18-2 UPnP Port[...]

  • Page 321

Table 18-2 UPnP Ports
#: This is the index number of the UPnP-created NAT mapping rule entry.
Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all [...]

  • Page 322

18.5.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me. Click Start and Control Panel. Double-click Add/Remove Programs. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. In the Communications window, select the Univ[...]

  • Page 323

Step 1. Click Start and Control Panel.
Step 2. Double-click Network Connections.
Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
Step 4. Select Networking Service[...]

  • Page 324

18.6 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device. Turn on your computer and the ZyWALL.
18.6.1 A[...]

  • Page 325

Step 4. You may edit or delete the port mappings or click Add to manually add port mappings. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
Step 5. Select the Show icon in notification area when connected check box and click OK. An ico[...]

  • Page 326

18.6.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator without first finding out its IP address. This is helpful if you do not know the IP address of your ZyWALL. Follow the steps below to access the web configurator.
Step 1. Click Start and then Control Panel.
Step 2[...]

  • Page 327

Part IX: Logs
This part provides information and instructions for the logs and reports.[...]


  • Page 329

Chapter 19 Logs Screens
This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to appendices for example log message explanations.
19.1 Configuring View Log
The web configurator allows you to look at all of the ZyWALL’s logs in one location.[...]

  • Page 330

Figure 19-1 View Log
The following table describes the labels in this screen.
Table 19-1 View Log
Display: The categories that you select in the Log Settings page (see section 19.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs f[...]

  • Page 331

Table 19-1 View Log
Note: This field displays additional information about the log entry.
Email Log Now: Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the Address Info fields in Log Settings[...]

  • Page 332

Figure 19-2 Log Settings[...]

  • Page 333

The following table describes the labels in this screen.
Table 19-2 Log Settings
Address Info
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e[...]

  • Page 334

Table 19-2 Log Settings
Time for Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
Log: Select the categories of logs that you want to record. Logs include alerts.
Send Immediate Alert: Select the categories of alerts for wh[...]

  • Page 335

The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not (yet) 100% accurate.
Figure 19-3 Reports
Enabling the ZyWALL’s reporting function decreases the ov[...]

  • Page 336

Table 19-3 Reports
Refresh: Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen.
All of the recorded reports data is erased when you turn off the ZyWALL.
19.3.1 Viewing Web Site Hits
In the Reports screen, s[...]

  • Page 337

Table 19-4 Web Site Hits Report
Web Site: This column lists the domain names of the web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first. The [...]

  • Page 338

Table 19-5 Protocol/Port Report
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
Directi[...]

  • Page 339

The following table describes the labels in this screen.
Table 19-6 LAN IP Address Report
IP Address: This column lists the LAN IP addresses to and/or from which the most traffic has been sent. The LAN IP addresses are listed in descending order with the LAN IP address to and/or [...]


  • Page 341

Part X: Maintenance
This part covers the maintenance screens.[...]


  • Page 343

Chapter 20 Maintenance
This chapter displays system information such as firmware, port IP addresses and port traffic statistics.
20.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.
20.2 Stat[...]

  • Page 344

The following table describes the labels in this screen.
Table 20-1 System Status
System Name: This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes.
Model Name: The model name identifies your device type. The model name sho[...]

  • Page 345

Figure 20-2 System Status: Show Statistics
The following table describes the labels in this screen.
Table 20-2 System Status: Show Statistics
Port: This is the WAN or LAN port.
Status: This displays the port speed and duplex setting if you're using Ethernet encapsulation and d[...]

  • Page 346

Table 20-2 System Status: Show Statistics
Stop: Click Stop to stop refreshing statistics.
20.3 DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. [...]

  • Page 347

Table 20-3 DHCP Table
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: This field shows the MAC address of the computer with the name in the Host Name field. Every Ethernet device [...]

  • Page 348

The following table describes the fields in this screen.
Figure 20-5 Firmware Upload
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse...: Click Browse to find the .bin file you want to upload. Remember that you must deco[...]

  • Page 349

Figure 20-7 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
Figure 20-8 Firmware Upload Error[...]

  • Page 350

Figure 20-9 Configuration
20.5.1 Backup Configuration
Backup Configuration allows you to back up (save) the current system (ZyWALL) configuration to your computer. Backup is highly recommended once your ZyWALL is functioning properly. Click Backup to save your current ZyWALL configuration to y[...]

  • Page 351

20.5.2 Restore Configuration
Restore Configuration allows you to restore a previously saved configuration file from your computer to your ZyWALL.
Table 20-4 Restore Configuration
File Path: Type in the location of the file you want to upload in this field or click Browse to fin[...]

  • Page 352

If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer’s IP address. If the upload was not[...]

  • Page 353

You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer to the section on resetting the ZyWALL for more information on the RESET button.
20.6 Restart Screen
System restart allows you to reboot the ZyWALL without turning the power off. Click MAINTENA[...]


  • Page 355

Part XI: SMT General Configuration
This part introduces the System Management Terminal and covers the General setup menu, WAN, LAN and wireless LAN setup, and Internet access. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.[...]


  • Page 357

Chapter 21 Introducing the SMT
This chapter explains how to access the System Management Terminal and gives an overview of its menus.
21.1 Introduction to the SMT
The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through t[...]

  • Page 358

21.2.2 Entering the Password
The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. As you type the password, the screen displays an “X” for each character you type. [...]

  • Page 359

Table 21-1 Main Menu Commands
Entering information: Fill in, or press [SPACE BAR], then press [ENTER] to select from choices. You need to fill in two types of fields. The first requires you to type in the appropriate information. The second allows you to cycl[...]

  • Page 360

Table 21-2 Main Menu Summary
1 General Setup: Use this menu to set up dynamic DNS and administrative information.
2 WAN Setup: Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection.
3 LAN Setup: Use this menu to[...]

  • Page 361

SMT menu overview (figure): ZyWALL Main Menu; Menu 1 General Setup; Menu 3 LAN Setup; Menu 3.2 TCP/IP and DHCP Setup; Menu 4 Internet Access Setup; Menu 11 Remote Node Setup; Menu 11.1 Remote Node Profile (Backup ISP); Menu 12 Static Routing Setup; Menu 15 NAT Setup; Menu 21 Filter and Firewall Setup; Menu 21.1.x [...]

  • Page 362

21.4 Changing the System Password
Change the system password by following the steps shown next.
Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next.
Figure 21-5 Menu 23: System Password
Step 2. Type your existing password and press [ENTER].
Step 3. Type yo[...]

  • Page 363

Chapter 22 SMT Menu 1 - General Setup
Menu 1 - General Setup contains administrative and system-related information.
22.1 Introduction to General Setup
Menu 1 - General Setup contains administrative and system-related information.
22.2 Configuring General Setup
Step 1. Enter 1 in th[...]

  • Page 364

Table 22-1 Menu 1: General Setup
Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name" to see the current domain name [...]

  • Page 365

Figure 22-2 Configure Dynamic DNS
Follow the instructions in the next table to configure Dynamic DNS parameters.
Table 22-2 Configure Dynamic DNS
Service Provider: This is the name of your Dynamic DNS service provider. Example: WWW.DynDNS.ORG (default)
Active: Press[...]

  • Page 366

Table 22-2 Configure Dynamic DNS
Offline: This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, http://www.dyndns.org/ traffic is redirected to a URL that yo[...]

  • Page 367

Chapter 23 WAN and Dial Backup Setup
This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.
23.1 Introduction to WAN
This chapter explains how to configure settings for your WAN port. From the main menu, enter 2 to open menu 2.
Figure[...]

  • Page 368

Table 23-1 MAC Address Cloning in WAN Setup
IP Address: This field is applicable only if you choose the IP address attached on LAN method in the Assigned By field. Enter the IP address of the computer on the LAN whose MAC you are cloning. Example: 192.168.1.35
When yo[...]

  • Page 369

The following table describes the fields in this menu.
Table 23-2 Menu 2: Dial Backup Setup
Dial-Backup: Active: Use this field to turn the dial-backup feature on (Yes) or off (No). Example: No
Phone Number: Enter the telephone number assigned to your line by your te[...]

  • Page 370

Figure 23-3 Menu 2.1 Advanced WAN Setup
The following table describes fields in this menu.
Table 23-3 Advanced WAN Port Setup: AT Commands Fields
AT Command Strings:
Dial: Enter the AT Command string to make a call. Default: atdt
Drop: Enter the AT Command string to [...]

  • Page 371

Table 23-4 Advanced WAN Port Setup: Call Control Parameters
Call Control
Dial Timeout (sec): Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an o[...]

  • Page 372

Figure 23-4 Menu 11.1 Remote Node Profile (Backup ISP)
The following table describes the fields in this menu.
Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP)
Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight char[...]

  • Page 373

Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP)
Pri Phone # / Sec Phone #: Enter the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your ZyWALL dials the Secondary Phone number if av[...]

  • Page 374

23-8 WAN and Dial Backup Setup
Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP), continued (FIELD / DESCRIPTION / EXAMPLE)
Idle Timeout: Enter the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) that can elapse before the ZyWALL automatically disconnects the PPP connection. This [...]

  • Page 375

WAN and Dial Backup Setup 23-9
23.7 Editing TCP/IP Options
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Remote Node Network Layer Options.
Figure 23-7 Menu 11.3: Remote Node Network Layer Options
The following table describes the fie[...]

  • Page 376

23-10 WAN and Dial Backup Setup
Table 23-6 Menu 11.3: Remote Node Network Layer Options (FIELD / DESCRIPTION / EXAMPLE)
Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network)[...]

  • Page 377

WAN and Dial Backup Setup 23-11
23.8 Editing Login Script
For some remote gateways, a text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an "Expect" string and a "Send" string. Af[...]

  • Page 378

23-12 WAN and Dial Backup Setup
Figure 23-8 Menu 11.4: Remote Node Script
The following table describes the fields in this menu.
Table 23-7 Menu 11.4: Remote Node Script (FIELD / DESCRIPTION / EXAMPLE)
Active: Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them. Example: No (defau[...]
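As an added illustration (not ZyXEL's code and not the ZyWALL's own implementation), the following Python model walks a six-set Expect/Send script against lines received from a remote gateway, in the order section 23.8 describes: a Send string goes out only after its Expect string has been seen, and the sets are consumed strictly in sequence. The gateway transcript, the user name and the password are constructed for the example. Note that the Send strings, password included, live in the device configuration, so a configuration backup contains them.

```python
# Added example (not ZyXEL code): a minimal model of the Expect/Send script
# facility in section 23.8. Six sets, each an Expect string and a Send string;
# the Send string goes out only after the Expect string has been seen.
# The gateway transcript and the credentials below are constructed.
from dataclasses import dataclass
from typing import List, Tuple

MAX_SETS = 6  # the SMT script facility has six programmable sets


@dataclass(frozen=True)
class ScriptSet:
    expect: str  # substring the remote gateway must send first ("" = set unused)
    send: str    # text returned to the gateway once `expect` has been seen


def run_login_script(sets: List[ScriptSet], received: List[str]) -> Tuple[bool, List[str]]:
    """Walk the script against lines received from the remote gateway.

    Returns (completed, sent): `completed` is True once every used set has
    matched in order, `sent` lists the strings that were returned. Sets are
    consumed strictly in order, so a prompt that arrives out of order, or never
    arrives, leaves the script incomplete and PPP negotiation is not started.
    """
    if len(sets) > MAX_SETS:
        raise ValueError(f"the script facility supports at most {MAX_SETS} sets")
    pending = [s for s in sets if s.expect]  # unused sets are skipped
    sent: List[str] = []
    for line in received:
        if not pending:
            break
        if pending[0].expect in line:
            sent.append(pending[0].send)
            pending.pop(0)
    return not pending, sent


# Constructed example: a gateway that prompts for a login and a password.
EXAMPLE_SCRIPT = [
    ScriptSet("ogin:", "ppp-user"),       # assumed user name
    ScriptSet("assword:", "example-pw"),  # assumed password (stored in the device config)
    ScriptSet("", ""),                    # unused set
]

if __name__ == "__main__":
    done, out = run_login_script(
        EXAMPLE_SCRIPT, ["Welcome", "login:", "Password:", "Entering PPP mode"])
    print(done, out)
```

Matching on "ogin:" and "assword:" rather than on the full prompt is the usual way to tolerate a gateway that capitalises its prompts differently.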

  • Page 379

WAN and Dial Backup Setup 23-13
Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter

    Menu 11.5 - Remote Node Filter

    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
    Call Filter Sets:
      protocol filters=
      device filters=

    Enter here to CONFIRM or ESC to CANCEL:
[...]

  • Page 381

LAN Setup 24-1
Chapter 24 LAN Setup
This chapter describes how to configure the LAN using Menu 3: LAN Setup.
24.1 Introduction to LAN Setup
This chapter describes how to configure the ZyWALL for LAN connections.
24.2 Accessing the LAN Menus
From the main menu, enter 3 to open Menu 3 – LAN Setup.
Figure 24-1 Men[...]

  • Page 382

24-2 LAN Setup
Figure 24-2 Menu 3.1: LAN Port Filter Setup
24.4 TCP/IP and DHCP Ethernet Setup Menu
From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
Figure 24-3 Menu 3: TCP/IP and DHCP Setup
From menu 3, select the submenu option TCP/IP and DHCP Setup a[...]

  • Page 383

LAN Setup 24-3
Figure 24-4 Menu 3.2: TCP/IP and DHCP Ethernet Setup
Follow the instructions in the next table on how to configure the DHCP fields.
Table 24-1 DHCP Ethernet Setup Menu Fields (FIELD / DESCRIPTION / EXAMPLE)
DHCP: This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP s[...]

  • Page 384

24-4 LAN Setup
Table 24-2 LAN TCP/IP Setup Menu Fields (FIELD / DESCRIPTION / EXAMPLE)
TCP/IP Setup: IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Example: 192.168.1.1 (default)
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you [...]

  • Page 385

LAN Setup 24-5
Figure 24-5 Physical Network
Figure 24-6 Partitioned Logical Network
You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third networks. Press [ENTER] to open Menu 3.2.1 - IP A[...]

  • Page 386

24-6 LAN Setup
Table 24-3 Menu 3.2.1: IP Alias Setup (FIELD / DESCRIPTION / DEFAULT)
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Default: 192.168.2.1
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnettin[...]

  • Page 387

LAN Setup 24-7
Figure 24-8 Menu 3.5: Wireless LAN Setup
The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters.
Table 24-4 Menu 3.5: Wireless LAN Setup (FIELD / DESCRIPTION / EXAMPLE)
Enable Wirele[...]

  • Page 388

24-8 LAN Setup
Table 24-4 Menu 3.5: Wireless LAN Setup, continued (FIELD / DESCRIPTION / EXAMPLE)
Frag. Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432. Example: 2432 (default)
WEP (note that WEP is cryptographically broken and its keys can be recovered from captured traffic, so it does not protect the confidentiality of wireless traffic): Select Disable to allo[...]

  • Page 389

LAN Setup 24-9
Step 3. In the Edit MAC Address Filter field, press [SPACE BAR] to select Yes and press [ENTER]. Menu 3.5.1 – WLAN MAC Address Filter displays as shown next. A MAC address filter only limits which client addresses may associate; because a client can set its MAC address to any value it observes on the air, the filter is not a substitute for link-layer encryption and authentication.
Figure 24-9 Menu 3.5.1: WLAN MAC Address Filter
The following table describes the fields in this menu.
Table 24-5 Menu 3.5.1: WLAN MAC Addres[...]

  • Page 391

Internet Access 25-1
Chapter 25 Internet Access
This chapter shows you how to configure your ZyWALL for Internet access.
25.1 Introduction to Internet Access Setup
Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different men[...]

  • Page 392

25-2 Internet Access
Table 25-1 Menu 4: Internet Access Setup (Ethernet) (FIELD / DESCRIPTION)
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
Service Type: Press [SPACE BAR] and then [ENTER] to select Standard, RR-Tos[...]

  • Page 393

Internet Access 25-3
25.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. (PPTP's usual MS-CHAP authentication and MPPE (RC4) encryption have well-known cryptographic weaknesses, so a PPTP tunnel on its own should not be relied on for confidentiality.) PPTP supports on-demand, multi-protocol and virtua[...]

  • Page 394

25-4 Internet Access
Table 25-2 New Fields in Menu 4 (PPTP) Screen (FIELD / DESCRIPTION / EXAMPLE)
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field.
PPTP Idle Timeout: This value specifies the time, in seconds, that elapses be[...]

  • Page 395

Internet Access 25-5
Figure 25-3 Internet Access Setup (PPPoE)
The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4.
Table 25-3 New Fields in Menu 4 (PPPoE) Screen (FIELD / DESCRIPTION / EXAMPLE)
Encapsulation: Press [SPACE BAR] and then press [ENTER] t[...]

  • Page 397

Part XII: SMT Advanced Applications
This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters, SNMP, schedules and VPN setup. See the web configurator parts of this guide for background information on features configurable by web config[...]

  • Page 399

Remote Node Setup 26-1
Chapter 26 Remote Node Setup
This chapter shows you how to configure a remote node.
26.1 Introduction to Remote Node Setup
A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note[...]

  • Page 400

26-2 Remote Node Setup
Figure 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation
The following table describes the fields in this screen.
Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (FIELD / DESCRIPTION / EXAMPLE)
Rem Node Name: Enter a descriptive name for the remote node. This field can[...]

  • Page 401

Remote Node Setup 26-3
Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation, continued (FIELD / DESCRIPTION / EXAMPLE)
My Password: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. Example: *****
Retype to Confirm: Type your password again to make sure that you [...]

  • Page 402

26-4 Remote Node Setup
Encapsulation to PPPoE, then you will see the next screen. Please see the appendix for more information on PPPoE.
Figure 26-2 Menu 11.1: Remote Node Profile for PPPoE Encapsulation
Outgoing Authentication Protocol: Generally speaking, you should employ the strongest authentication protocol (CHAP rather than PAP, which sends the password in the clear)[...]

  • Page 403

Remote Node Setup 26-5
Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern.
The following table describes the fields not already described in Table 26-1.
Metric: See the Metric section in the WAN and Dial Back[...]

  • Page 404

26-6 Remote Node Setup
26.2.3 PPTP Encapsulation
If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Please see the appendix for information on PPTP.
Figure 26-3 Menu 11.1: Remote Node Profile for PPTP Encaps, continued
The next table shows how to configure fields in menu 11.1 not[...]

  • Page 405

Remote Node Setup 26-7
26.3 Edit IP
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
Figure 26-4 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation
This menu displays the My WAN Addr field fo[...]

  • Page 406

26-8 Remote Node Setup
Table 26-4 Remote Node Network Layer Options Menu Fields (FIELD / DESCRIPTION / EXAMPLE)
My WAN Addr: This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN and ea[...]

  • Page 407

Remote Node Setup 26-9
Table 26-4 Remote Node Network Layer Options Menu Fields, continued (FIELD / DESCRIPTION / EXAMPLE)
Multicast: IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). P[...]

  • Page 408

26-10 Remote Node Setup
Figure 26-6 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation)
26.5 Traffic Redirect
To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1 — Remote Node Profile as shown next.
Figure 26-7 Menu 11.1: Remote Node Profile
To configure tra[...]

  • Page 409

Remote Node Setup 26-11
Table 26-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) (FIELD / DESCRIPTION / EXAMPLE)
Edit Traffic Redirect: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 — Traffic Redirec[...]

  • Page 410

26-12 Remote Node Setup
Table 26-6 Menu 11.6: Traffic Redirect Setup (FIELD / DESCRIPTION / EXAMPLE)
Active: Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No. When the Active field is Yes, you must configure every field in this screen unless you are using PPPoE o[...]

  • Page 411

Remote Node Setup 26-13
Table 26-6 Menu 11.6: Traffic Redirect Setup, continued (FIELD / DESCRIPTION / EXAMPLE)
When you have completed this menu, press [ENTER] at the prompt "Press [ENTER] to confirm or [ESC] to cancel" to save your configuration, or press [ESC] to cancel and go back to the previous screen.[...]

  • Page 413

IP Static Route Setup 27-1
Chapter 27 IP Static Route Setup
This chapter shows you how to configure static routes with your ZyWALL.
27.1 IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
Figure 27-1 Menu 12: IP Static[...]

  • Page 414

27-2 IP Static Route Setup
Figure 27-2 Menu 12.1: Edit IP Static Route
The following table describes the IP Static Route Menu fields.
Table 27-1 Menu 12.1: Edit IP Static Route (FIELD / DESCRIPTION)
Route #: This is the index number of the static route that you chose in menu 12.
Route Name: Enter a descriptive [...]

  • Page 415

NAT 28-1
Chapter 28 Network Address Translation (NAT)
This chapter discusses how to configure NAT on the ZyWALL.
28.1 Using NAT
You must create a firewall rule in addition to setting up SUA/NAT to allow traffic from the WAN to be forwarded through the ZyWALL.
28.1.1 SUA (Single User Account) Versus NAT
SUA (S[...]

  • Page 416

28-2 NAT
Figure 28-1 Menu 4: Applying NAT for Internet Access
The following figure shows how you apply NAT to the remote node in menu 11.1.
Step 1. Enter 11 from the main menu.
Step 2. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node[...]

  • Page 417

NAT 28-3
Table 28-1 Applying NAT in Menus 4 & 11.3 (FIELD / DESCRIPTION / OPTIONS)
When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see section 28.2.1 for further discussion). You can configure any of the mapping types described in the Web Configurator User's Guide. Choose Full Feature [...]

  • Page 418

28-4 NAT
Configure LAN IP addresses in NAT menus 15.1 and 15.2.
28.2.1 Address Mapping Sets
Enter 1 to bring up Menu 15.1 — Address Mapping Sets.
Figure 28-4 Menu 15.1: Address Mapping Sets
SUA Address Mapping Set
Enter 255 to display the next screen (see also section 28.1.1). The fields in this menu cannot [...]

  • Page 419

NAT 28-5
Table 28-2 SUA Address Mapping Rules (FIELD / DESCRIPTION / EXAMPLE)
Set Name: This is the name of the set you selected in menu 15.1, or enter the name of a new set you want to create.
SUA Idx: This is the index or rule number. Example: 1
Local Start IP: Local Start IP is the starting local IP address (ILA). Example: 0.0.0.0
Local End[...]

  • Page 420

28-6 NAT
Figure 28-6 Menu 15.1.1: First Set
The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.
Ordering Your Rules
Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches [...]

  • Page 421

NAT 28-7
Table 28-3 Fields in Menu 15.1.1 (FIELD / DESCRIPTION / EXAMPLE)
Set Name: Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted. Example: NAT_SET
Action: The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Befo[...]

  • Page 422

28-8 NAT
The following table describes the fields in this screen.
Table 28-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set (FIELD / DESCRIPTION / EXAMPLE)
Type: Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in the Web Configurator User's [...]

  • Page 423

NAT 28-9
Step 5. Press [ENTER] at the "Press ENTER to confirm …" prompt to save your configuration after you define all the servers, or press [ESC] at any time to cancel.
Figure 28-8 Menu 15.2: NAT Server Setup
You assign the private network IP addresses. The NAT network appears as a single host on the Inte[...]

  • Page 424

28-10 NAT
28.4.1 Internet Access Only
In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 28-10 NAT Example 1
Figure 28-11 Menu 4: Internet Access & NAT Example
From menu [...]

  • Page 425

NAT 28-11
28.4.2 Example 2: Internet Access with an Inside Server
Figure 28-12 NAT Example 2
In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
Figure 28-13 Menu 15.2: Specifying [...]

  • Page 426

28-12 NAT
other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional, as follows.
Rule 1. Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving b[...]

  • Page 427

NAT 28-13
Step 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1) and the global Start IP as 10.132.50.1 (our first IGA). (See Figure 28-16.)
Step 6. Repeat the previous step for rules 2 to 4 as outlined above. [...]

  • Page 428

28-14 NAT
Figure 28-17 Example 3: Final Menu 15.1.1
Now configure IGA3 to map to our web server and mail server on the LAN.
Step 8. Enter 15 from the main menu.
Step 9. Now enter 2 from this menu and configure it as shown in Figure 28-18.
Figure 28-18 Example 3: Menu 15.2
Menu 15.1.1 - Address Mapping Rules [...]

  • Page 429

NAT 28-15
28.4.4 Example 4: NAT Unfriendly Application Programs
Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping, as port numbers do not change for the Many-One-to-One (and One-to-One) NAT mapping types. The following fig[...]
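The following Python model, added here and not part of the manual or of ZyNOS, shows how the five mapping types of menu 15.1.1.1 treat an outbound packet and why the order of rules in menu 15.1.1 matters: rules are tried top to bottom and the first one whose local range contains the source address decides. It reproduces the Example 3 rule set (only the 192.168.1.10 to 10.132.50.1 mapping is given on the page; the other addresses, the port allocator and the round-robin choice for Many-to-Many Overload are assumptions) together with the port-preserving Many-One-to-One case of Example 4.

```python
# Added example (not ZyXEL code): behaviour of the five menu 15.1.1.1 mapping
# types for outbound traffic, and why rule order matters. Addresses other than
# 192.168.1.10 -> 10.132.50.1 (given in Example 3), the PAT port allocator and
# the round-robin choice for Many-to-Many Overload are assumptions.
from dataclasses import dataclass, field
from ipaddress import IPv4Address as A
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    type: str  # One-to-One, Many-to-One, Many-to-Many Overload, Many-One-to-One, Server
    local_start: A
    local_end: A
    global_start: A
    global_end: A


@dataclass
class Translator:
    rules: List[Rule]
    next_port: int = 1024                              # assumed PAT port allocator
    rr: Dict[int, int] = field(default_factory=dict)   # per-rule round-robin cursor

    def translate_outbound(self, src: A, sport: int) -> Optional[Tuple[A, int]]:
        """Return (IGA, source port) for a LAN host's outbound packet, or None.
        Rules are tried in the order given; the first one whose local range
        contains `src` decides, so a broad Many-to-One rule placed first
        shadows every One-to-One rule after it."""
        for idx, r in enumerate(self.rules):
            if r.type == "Server" or not (r.local_start <= src <= r.local_end):
                continue  # Server rules only map inbound traffic
            if r.type == "One-to-One":
                return r.global_start, sport                   # port preserved
            if r.type == "Many-One-to-One":
                offset = int(src) - int(r.local_start)
                if offset > int(r.global_end) - int(r.global_start):
                    continue                                   # no IGA left for this ILA
                return A(int(r.global_start) + offset), sport  # port preserved
            if r.type == "Many-to-One":
                return r.global_start, self._alloc_port()      # port rewritten (PAT)
            if r.type == "Many-to-Many Overload":
                n = int(r.global_end) - int(r.global_start) + 1
                k = self.rr.get(idx, 0)
                self.rr[idx] = (k + 1) % n
                return A(int(r.global_start) + k), self._alloc_port()
            raise ValueError(f"unknown mapping type {r.type!r}")
        return None

    def translate_inbound(self, dst: A) -> Optional[A]:
        """Map a packet arriving at an IGA to the LAN host for the One-to-One,
        Many-One-to-One and Server types. The PAT types need a session table
        (not modelled) because the port, not the address, identifies the host."""
        for r in self.rules:
            if r.type in ("One-to-One", "Server") and dst == r.global_start:
                return r.local_start
            if r.type == "Many-One-to-One" and r.global_start <= dst <= r.global_end:
                return A(int(r.local_start) + int(dst) - int(r.global_start))
        return None

    def _alloc_port(self) -> int:
        p = self.next_port
        self.next_port += 1
        return p


# Example 3 as a rule set: two 1:1 FTP servers, all other LAN hosts PAT'ed to
# the third IGA, and a Server rule standing in for the menu 15.2 entries that
# send inbound web/mail traffic on that IGA to one LAN host (IGA .2/.3 and the
# web/mail host address are assumed).
EXAMPLE3 = [
    Rule("One-to-One", A("192.168.1.10"), A("192.168.1.10"), A("10.132.50.1"), A("10.132.50.1")),
    Rule("One-to-One", A("192.168.1.11"), A("192.168.1.11"), A("10.132.50.2"), A("10.132.50.2")),
    Rule("Many-to-One", A("0.0.0.0"), A("255.255.255.255"), A("10.132.50.3"), A("10.132.50.3")),
    Rule("Server", A("192.168.1.20"), A("192.168.1.20"), A("10.132.50.3"), A("10.132.50.3")),
]
```

Putting the Many-to-One rule first would send the FTP servers out through 10.132.50.3 with rewritten ports, which is the ordering mistake section 28.2.1 warns about; Many-One-to-One keeps the source port, which is why it suits the applications in Example 4.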

  • Page 430

28-16 NAT
Figure 28-20 Example 4: Menu 15.1.1.1: Address Mapping Rule
After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
Figure 28-21 Example 4: Menu 15.1.1: Address Mapping Rules
28.5 Trigger Port Forwarding
Some services use a dedicated range of ports on [...]

  • Page 431

NAT 28-17
LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyWALL records the IP a[...]

  • Page 432

28-18 NAT
5. Only A can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).
28.5.2 Two Points To Remember About Trigger Ports
1. Trigger ev[...]

  • Page 433

NAT 28-19
Table 28-5 Menu 15.3: Trigger Port Setup (FIELD / DESCRIPTION / EXAMPLE)
Rule: This is the rule index number. Example: 1
Name: Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted, including spaces. Example: Real Audio
Incoming: Incoming is a port (or a r[...]
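The following Python model of the trigger-port behaviour is an added example, not ZyXEL code: an outgoing connection to a trigger port records the sending LAN host, incoming traffic on the rule's incoming range is then forwarded to that host, and a second host cannot take the rule over until the session is closed or times out (three minutes for UDP, two hours for TCP, as stated in section 28.5.1). The port numbers in the sample rule and the event timings are assumptions.

```python
# Added example (not ZyXEL code): a model of trigger port forwarding as
# described in section 28.5. The sample rule's ports and the event times are
# assumptions; the timeouts are the ones the text gives.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UDP_TIMEOUT = 3 * 60        # seconds (section 28.5.1)
TCP_TIMEOUT = 2 * 60 * 60


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger: Tuple[int, int]   # outgoing destination ports that arm the rule
    incoming: Tuple[int, int]  # inbound destination ports forwarded to the armed host


@dataclass
class Binding:
    lan_ip: str
    expires: float


@dataclass
class TriggerTable:
    rules: List[TriggerRule]
    bound: Dict[str, Binding] = field(default_factory=dict)  # rule name -> current holder

    def outbound(self, lan_ip: str, dst_port: int, proto: str, now: float) -> Optional[str]:
        """Called for LAN-originated traffic. Returns the name of the rule this
        packet armed (or refreshed), or None. A rule still held by another live
        host is not re-armed: only that host can use it until the session
        closes or times out."""
        timeout = UDP_TIMEOUT if proto == "udp" else TCP_TIMEOUT
        for r in self.rules:
            if not r.trigger[0] <= dst_port <= r.trigger[1]:
                continue
            b = self.bound.get(r.name)
            if b is not None and b.expires > now and b.lan_ip != lan_ip:
                return None                                      # someone else holds it
            self.bound[r.name] = Binding(lan_ip, now + timeout)  # arm or refresh
            return r.name
        return None

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Called for WAN-originated traffic. Returns the LAN host to forward
        to, or None (the packet is treated like any other unsolicited inbound
        packet and not forwarded)."""
        for r in self.rules:
            b = self.bound.get(r.name)
            if b is None or b.expires <= now:
                continue
            if r.incoming[0] <= dst_port <= r.incoming[1]:
                return b.lan_ip
        return None

    def close(self, rule_name: str) -> None:
        """Session closed: release the rule so the next host can trigger it."""
        self.bound.pop(rule_name, None)


# Constructed rule (ports assumed): the client opens TCP 7070 outbound and the
# server then streams UDP to ports 6970-7170.
EXAMPLE_RULES = [TriggerRule("Real Audio", (7070, 7070), (6970, 7170))]
```

The security-relevant consequence is visible in the model: while a binding is live, every WAN host, not only the server the LAN client contacted, can reach the armed host on the incoming range, so the incoming range should be as narrow as the application allows.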

  • Page 435

Introducing the Firewall 29-1
Chapter 29 Introducing the Firewall
This chapter shows you how to get started with the firewall.
29.1 Using SMT Menus
From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
Figure 29-1 Menu 21: Filter and Firewall Setup [...]

  • Page 436

29-2 Introducing the Firewall
Figure 29-2 Menu 21.2: Firewall Setup
Configure the firewall rules using the web configurator or CLI commands.

    Menu 21.2 - Firewall Setup

    The firewall protects against Denial of Service (DoS) attacks when it is active.
    Your network is vulnerable to attacks when the firewall is turned o[...]

  • Page 437

Filter Configuration 30-1
Chapter 30 Filter Configuration
This chapter shows you how to create and apply filters.
30.1 Introduction to Filters
Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filter[...]

  • Page 438

30-2 Filter Configuration
Figure 30-1 Outgoing Packet Filtering Process
For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
30.1.1 Filter Structure
A filter set consists of one or[...]

  • Page 439

Filter Configuration 30-3
[Flowchart: a packet enters the filter; the ZyWALL fetches the first filter set and its first rule; an inactive rule is skipped; executing an active rule yields Forward (accept the packet), Drop (drop the packet) or Check Next Rule; when no rule remains in the set the next filter set is fetched; when no filter set remains the packet is accepted.]
Figure[...]

  • Page 440

30-4 Filter Configuration
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
30.2 Configuring a Filter Set
The ZyWALL includes filtering for NetBIOS over TCP/IP pack[...]

  • Page 441

Filter Configuration 30-5
Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary. This screen shows the summary of the existing rules in the filter set.
The following tables [...]

  • Page 442

30-6 Filter Configuration
Table 30-2 Rule Abbreviations Used (ABBREVIATION / DESCRIPTION)
IP rules:
  Pr: Protocol
  SA: Source Address
  SP: Source Port number
  DA: Destination Address
  DP: Destination Port number
GEN (generic) rules:
  Off: Offset
  Len: Length
Refer to the next section for information on configuring the filter rules.
30.2.1 Configuring a Filt[...]

  • Page 443

Filter Configuration 30-7
To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next.
Figure 30-5 Menu 21.1.1.1: TCP/IP Filter Rule
The following table describes how to configure your TCP/IP filter rule.
Table 30-3 TCP[...]

  • Page 444

30-8 Filter Configuration
Table 30-3 TCP/IP Filter Rule Menu Fields, continued (FIELD / DESCRIPTION / OPTIONS)
Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. Options: 0-65535
Port # Comp: Press [SPACE BAR] and then [ENTER] to select the compa[...]

  • Page 445

Filter Configuration 30-9
Table 30-3 TCP/IP Filter Rule Menu Fields, continued (FIELD / DESCRIPTION / OPTIONS)
Log: Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched – Only packets that match the rule parameters will be logged. Action Not Matched – Only[...]

  • Page 446

30-10 Filter Configuration
[Flowchart: a packet enters the IP filter; if the rule is not active it is passed to the next rule; otherwise the IP protocol is checked, then the source address (the source address mask is applied to the packet's source address before the comparison) and, while the fields keep matching, the remaining fields; a packet that matches every field takes the Action Matched (Forward, Drop or Check Next Rule) and one that fails a check takes the Action Not Matched (Forward, Drop or Check Next Rule); Forward accepts the packet, Drop drops it, and Check Next Rule continues with the next rule while one remains.] [...]

  • Page 447

Filter Configuration 30-11
30.2.3 Configuring a Generic Filter Rule
This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a by[...]

  • Page 448

30-12 Filter Configuration
Table 30-4 Menu 21.1.1.1: Generic Filter Rule (FIELD / DESCRIPTION / OPTIONS)
Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type. The parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering o[...]

  • Page 449

Filter Configuration 30-13
30.3 Example Filter
Let's look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters.
Figure 30-8 Telnet Filter Example
Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
Step 2. Ente[...]

  • Page 450

30-14 Filter Configuration
Figure 30-9 Example Filter: Menu 21.1.3.1
When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set.

    Menu 21.1.3.1 - TCP/IP Filter Rule

    Filter #: 3,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6    IP Source Route= [...]
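As an added example (not ZyXEL code and not the ZyNOS filter engine), the following Python model implements the filter walk shown in the flowcharts of this chapter over both rule types: TCP/IP rules with the fields of Table 30-3 (protocol, masked source and destination addresses, port comparisons, Action Matched and Action Not Matched) and generic rules with the offset, length, mask and value fields of Table 30-4, evaluated set by set with the Forward, Drop and Check Next Rule actions and the four-sets-of-six limit from section 30.1.1. It includes the telnet-blocking rule from this example; that rule's Action Not Matched value, the fields the page truncates, the sample packets and the IPX generic rule are assumptions.

```python
# Added example (not ZyXEL code): a model of how filter sets and rules are
# walked (section 30.1.1 and the flowcharts) for TCP/IP rules (Table 30-3) and
# generic rules (Table 30-4). The telnet rule's Action Not Matched value, the
# truncated fields, the sample packets and the IPX rule are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address as A
from typing import List, Union

FORWARD, DROP, NEXT = "Forward", "Drop", "Check Next Rule"
ANY = A("0.0.0.0")  # address with mask 0.0.0.0, or port 0, means "don't care"


@dataclass(frozen=True)
class Packet:
    raw: bytes             # frame as seen on the wire (generic rules look here)
    protocol: int = 0      # IP protocol number; 6 = TCP, 17 = UDP
    src: A = ANY
    dst: A = ANY
    sport: int = 0
    dport: int = 0
    is_ip: bool = True


def _port_ok(comp: str, rule_port: int, pkt_port: int) -> bool:
    if comp == "None" or rule_port == 0:   # port 0 is ignored (Table 30-3)
        return True
    return {"Equal": pkt_port == rule_port, "Not Equal": pkt_port != rule_port,
            "Less": pkt_port < rule_port, "Greater": pkt_port > rule_port}[comp]


def _addr_ok(rule_addr: A, mask: A, pkt_addr: A) -> bool:
    # the mask is applied to the packet's address before the comparison
    return (int(pkt_addr) & int(mask)) == (int(rule_addr) & int(mask))


@dataclass(frozen=True)
class IPRule:
    """Menu 21.1.1.1 TCP/IP Filter Rule (the fields Table 30-3 describes)."""
    protocol: int = 0              # 0 = any IP protocol
    src_addr: A = ANY
    src_mask: A = ANY
    dst_addr: A = ANY
    dst_mask: A = ANY
    src_port: int = 0
    src_comp: str = "None"
    dst_port: int = 0
    dst_comp: str = "None"
    action_matched: str = NEXT
    action_not_matched: str = NEXT
    active: bool = True

    def matches(self, p: Packet) -> bool:
        return (p.is_ip
                and (self.protocol == 0 or p.protocol == self.protocol)
                and _addr_ok(self.src_addr, self.src_mask, p.src)
                and _addr_ok(self.dst_addr, self.dst_mask, p.dst)
                and _port_ok(self.src_comp, self.src_port, p.sport)
                and _port_ok(self.dst_comp, self.dst_port, p.dport))


@dataclass(frozen=True)
class GenericRule:
    """Menu 21.1.1.1 Generic Filter Rule: AND `length` bytes at `offset` with
    `mask` and compare them with `value` (Table 30-4)."""
    offset: int
    length: int
    mask: bytes
    value: bytes
    action_matched: str = NEXT
    action_not_matched: str = NEXT
    active: bool = True

    def matches(self, p: Packet) -> bool:
        window = p.raw[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False
        return all((w & m) == (v & m) for w, m, v in zip(window, self.mask, self.value))


def run_filter(sets: List[List[Union[IPRule, GenericRule]]], p: Packet) -> str:
    """Walk up to four sets of up to six rules in order. The first active rule
    whose action is Forward or Drop decides; Check Next Rule (and an inactive
    rule) passes the packet on, and a packet that no rule decides is accepted."""
    if len(sets) > 4 or any(len(s) > 6 for s in sets):
        raise ValueError("at most four sets of six rules per port")
    for rules in sets:
        for r in rules:
            if not r.active:
                continue
            verdict = r.action_matched if r.matches(p) else r.action_not_matched
            if verdict in (FORWARD, DROP):
                return verdict
    return FORWARD


# Section 30.3: drop TCP (protocol 6) to destination port 23 (telnet); other
# packets fall through to the next rule (Action Not Matched assumed).
TELNET_BLOCK = IPRule(protocol=6, dst_port=23, dst_comp="Equal",
                      action_matched=DROP, action_not_matched=NEXT)
# Generic rule: drop frames whose Ethernet type (frame bytes 12-13) is 0x8137
# (IPX), a non-IP protocol that a TCP/IP rule cannot see.
IPX_BLOCK = GenericRule(offset=12, length=2, mask=b"\xff\xff", value=b"\x81\x37",
                        action_matched=DROP)
```

Two properties of the walk are worth checking against your own sets: the default when nothing matches is Forward, so a set that is meant to block must end in a Drop, and a Forward rule placed before a Drop rule (for example, one that admits the LAN subnet to port 23 ahead of the telnet block) wins for everything it matches.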

  • Page 451

Filter Configuration 30-15
Figure 30-10 Example Filter Rules Summary: Menu 21.1.3
After you've created the filter set, you must apply it.
Step 1. Enter 11 from the main menu to go to menu 11.
Step 2. Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER].
Step 3. This brings you to [...]

  • Page 452

30-16 Filter Configuration
30.4 Filter Types and NAT
There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed i[...]

  • Page 453

Filter Configuration 30-17
30.6 Applying a Filter
This section shows you where to apply the filter(s) after you design them. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming telnet, FTP and HTTP connections. If you do not activate the firewall, it is advisa[...]

  • Page 454

30-18 Filter Configuration
Figure 30-13 Filtering Remote Node Traffic

    Menu 11.5 – Remote Node Filter Setup

    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=

    Press ENTER to Confirm or ESC to Cancel:
[...]

  • Page 455

SNMP Configuration 31-1
Chapter 31 SNMP Configuration
This chapter explains SNMP configuration menu 22.
31.1 SNMP Configuration
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The "community" for the Get, Set and Trap fields is SNMP terminology for password. Treat it as one: community-based SNMP (v1/v2c) sends the community string in the clear with every request, so change it from the default "public", restrict which hosts may reach the SNMP port, and remember that the Set community grants write access to the device's configuration.[...]

  • Page 456

31-2 SNMP Configuration
Table 31-1 Menu 22: SNMP Configuration (FIELD / DESCRIPTION / EXAMPLE)
Trap Community: Type the Trap community, which is the password sent with each trap to the SNMP manager. Example: Public
Destination: Type the IP address of the station to send your SNMP traps to. Example: 0.0.0.0
When you have completed this menu,[...]

  • Page 457

Part XIII: SMT System Maintenance
This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management and VPN. See the web configurator parts of this guide for backg[...]

  • Page 459

System Information and Diagnosis 32-1
Chapter 32 System Information & Diagnosis
This chapter covers SMT menus 24.1 to 24.4.
32.1 Introduction to System Status
This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trac[...]

  • Page 460

32-2 System Information and Diagnosis
monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received.
To get to the System Status:
Step 1. Enter number 24 to go to Menu 24 - System Maintenance.
Step 2. In this menu, enter 1 to op[...]

  • Page 461

System Information and Diagnosis 32-3
Table 32-1 System Maintenance: Status Menu Fields (FIELD / DESCRIPTION)
Status: Shows the port speed and duplex setting if you're using Ethernet encapsulation, and Down (line is down), idle (line (PPP) idle), dial (starting to trigger a call) or drop (dropping a call) if you'r[...]

  • Page 462

32-4 System Information and Diagnosis
Step 2. Enter 2 to open Menu 24.2 - System Information and Console Port Speed.
Step 3. From this menu you have two choices as shown in the next figure:
Figure 32-3 Menu 24.2: System Information and Console Port Speed
32.3.1 System Information
System Information gives you in[...]

  • Page 463

System Information and Diagnosis 32-5
Table 32-2 Fields in System Maintenance: Information (FIELD / DESCRIPTION)
ZyNOS F/W Version: Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation.
Ethernet Address: Refers to the Ethernet M[...]

  • Page 464

32-6 System Information and Diagnosis
Figure 32-6 Menu 24.3: System Maintenance: Log and Trace
32.4.1 UNIX Syslog
The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Unix Sys[...]

  • Page 465

System Information and Diagnosis 32-7
Table 32-3 System Maintenance Menu Syslog Parameters (PARAMETER / DESCRIPTION)
Log Facility: Press [SPACE BAR] and then [ENTER] to select a location. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog pr[...]

  • Page 466

32-8 System Information and Diagnosis
Filter Log Message Format

    SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String);
    String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD

IP[…] is the packet header, and S04>R01mD means filter set 4 (S), rule 1 (R), match (m), drop (D).
Src: Source A[...]
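The following Python parser for the filter-log string above is an added example, not ZyXEL code. It decodes the set, rule, match and action codes the page documents (m = match, D = drop; any other letter is kept as it appears), tolerates a syslog header in front of the String, and summarises drops per source so that a port scan against the WAN interface stands out in the collected logs. The syslog header format and the sample lines are constructed.

```python
# Added example (not ZyXEL code): parse the filter-log String documented above
# ("IP[Src=... Dst=... prot spo=... dpo=...] S04>R01mD") and summarise drops.
# Only the codes the page gives (m = match, D = drop) are decoded; other letters
# are kept raw. The syslog header in the sample lines is an assumed format.
import re
from collections import Counter
from typing import Dict, List, Optional, Set

FILTER_LOG = re.compile(
    r"IP\[Src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<prot>\S+) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\] "
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[A-Za-z])(?P<action>[A-Za-z])"
)
MATCH_CODES = {"m": "match"}   # from the page; other letters are left as-is
ACTION_CODES = {"D": "drop"}


def parse_filter_log(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one filter-log line, or None if it is not one.
    Works on the bare String and on a line with a syslog header in front."""
    mo = FILTER_LOG.search(line)
    if not mo:
        return None
    g = mo.groupdict()
    return {
        "src": g["src"], "dst": g["dst"], "prot": g["prot"],
        "spo": int(g["spo"]), "dpo": int(g["dpo"]),
        "set": int(g["set"]), "rule": int(g["rule"]),
        "match": MATCH_CODES.get(g["match"], g["match"]),
        "action": ACTION_CODES.get(g["action"], g["action"]),
    }


def dropped_by_source(lines: List[str]) -> Counter:
    """Count dropped packets per (source address, destination port)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["action"] == "drop":
            counts[(rec["src"], rec["dpo"])] += 1
    return counts


def scanning_sources(lines: List[str], min_ports: int = 3) -> List[str]:
    """Sources whose dropped packets touched at least `min_ports` distinct
    destination ports: one source probing many ports is the shape of a scan."""
    ports: Dict[str, Set[int]] = {}
    for (src, dpo) in dropped_by_source(lines):
        ports.setdefault(src, set()).add(dpo)
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)


# Constructed sample: an assumed syslog header in front of each String.
SAMPLE_LINES = [
    "Jan  1 00:00:01 zywall ZyWALL: IP[Src=203.0.113.9 Dst=192.168.1.1 TCP spo=41000 dpo=23] S04>R01mD",
    "Jan  1 00:00:02 zywall ZyWALL: IP[Src=203.0.113.9 Dst=192.168.1.1 TCP spo=41001 dpo=21] S04>R02mD",
    "Jan  1 00:00:03 zywall ZyWALL: IP[Src=203.0.113.9 Dst=192.168.1.1 TCP spo=41002 dpo=80] S04>R03mD",
    "Jan  1 00:00:04 zywall ZyWALL: IP[Src=198.51.100.7 Dst=192.168.1.1 UDP spo=5353 dpo=53] S04>R04mD",
    "Jan  1 00:00:05 zywall ZyWALL: some unrelated system message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_filter_log(line))
    print(scanning_sources(SAMPLE_LINES))
```

Because the set and rule numbers are in every line, the same parser also tells you which of your rules are actually firing, which is the quickest way to find a rule that is shadowed by an earlier one and never matches.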

  • Page 467

    System Information and Diagnosis 32-9 32.4.2 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next. Figure 32-8 Call-Triggering Pa[...]

  • Page 468

    32-10 System Information and Diagnosis Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagn[...]

  • Page 469

    System Information and Diagnosis 32-11 Figure 32-10 WAN & LAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 32-4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on y[...]

  • Page 470

    [...]

  • Page 471

    Firmware and Configuration File Maintenance 33-1 Chapter 33 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 33.1 Introduction Use the instructions in this chapter to change the ZyWALL’s config[...]

  • Page 472

    33-2 Firmware and Configuration File Maintenance ftp> get rom-0 config.cfg This is a sample FTP session saving the current configuration to the computer file “config.cfg”. If your (T)FTP client does not allow you to have a destination filename different than the source, you will need to rename them as the ZyWAL[...]

  • Page 473

    Firmware and Configuration File Maintenance 33-3 preferred method for backing up your current configuration to your computer since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use the Xmodem protoco[...]

  • Page 474

    33-4 Firmware and Configuration File Maintenance Step 6. Use “get” to transfer files from the ZyWALL to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom”. See earlier in this chapter for more information on filenam[...]

  • Page 475

    Firmware and Configuration File Maintenance 33-5 33.3.5 File Maintenance Over WAN TFTP, FTP and Telnet over the WAN will not work when: 1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN). 2. You have disabled Telnet service in menu 24.11. 3. You have appli[...]

  • Page 476

    33-6 Firmware and Configuration File Maintenance TFTP client program. For UNIX, use “get” to transfer from the ZyWALL to the computer and “binary” to set binary transfer mode. 33.3.7 TFTP Command Example The following is an example TFTP command: tftp [-i] host get rom-0 config.rom Where “i” specifies binar[...]

  • Page 477

    Firmware and Configuration File Maintenance 33-7 Step 1. Display menu 24.5 and enter “y” at the following screen. Figure 33-3 System Maintenance: Backup Configuration Step 2. The following screen indicates that the Xmodem download has started. Figure 33-4 System Maintenance: Starting Xmodem Download Screen St[...]

  • Page 478

    33-8 Firmware and Configuration File Maintenance 33.4 Restore Configuration This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup [...]

  • Page 479

    Firmware and Configuration File Maintenance 33-9 Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your ZyWALL. Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the default is “1234”). Step 5. Enter “bin”[...]

  • Page 480

    33-10 Firmware and Configuration File Maintenance Step 1. Display menu 24.6 and enter “y” at the following screen. Figure 33-9 System Maintenance: Restore Configuration Step 2. The following screen indicates that the Xmodem download has started. Figure 33-10 System Maintenance: Starting Xmodem Download Screen[...]

  • Page 481

    Firmware and Configuration File Maintenance 33-11 33.5 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in the previous Restore Configuration section or by following the instructions in [...]

  • Page 482

    33-12 Firmware and Configuration File Maintenance 33.5.2 Configuration File Upload You see the following screen when you telnet into menu 24.7.2. Figure 33-14 Telnet Into Menu 24.7.2: System Maintenance To upload the firmware and the configuration file, follow these examples. 33.5.3 FTP File Upload Command from the DOS Prom[...]

  • Page 483

    Firmware and Configuration File Maintenance 33-13 transfers the configuration file on the ZyWALL to your computer and renames it “config.rom.” See earlier in this chapter for more information on filename conventions. Step 7. Enter “quit” to exit the ftp prompt. 33.5.4 FTP Session Example of Firmware File Upload Fig[...]

  • Page 484

    33-14 Firmware and Configuration File Maintenance Step 3. Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete. Step 4. Launch the TFTP[...]

  • Page 485

    Firmware and Configuration File Maintenance 33-15 33.5.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen. Figure 3[...]

  • Page 486

    33-16 Firmware and Configuration File Maintenance Figure 33-17 Example Xmodem Upload After the firmware upload process has completed, the ZyWALL will automatically restart. 33.5.10 Uploading Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.[...]

  • Page 487

    Firmware and Configuration File Maintenance 33-17 Figure 33-18 Menu 24.7.2 As Seen Using the Console Port Step 2. After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for o[...]

  • Page 488

    33-18 Firmware and Configuration File Maintenance Figure 33-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”. Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.[...]

  • Page 489

    System Maintenance & Information 34-1 Chapter 34 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 34.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-[...]

  • Page 490

    34-2 System Maintenance & Information 34.1.1 Command Syntax The command keywords are in courier new font. Enter the command keywords exactly as shown; do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets [].[...]

  • Page 491

    System Maintenance & Information 34-3 Table 34-1 Valid Commands ether These commands display Ethernet information and configure Ethernet settings. aux These commands display dial backup information and control dial backup connections. ip These commands display IP information and configure IP settings. ipsec These c[...]

  • Page 492

    34-4 System Maintenance & Information Figure 34-4 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budge[...]

  • Page 493

    System Maintenance & Information 34-5 Figure 34-5 Call History The following table describes the fields in this screen. Table 34-3 Call History Fields FIELD DESCRIPTION Phone Number The PPPoE service names are shown here. Dir This shows whether the call was incoming or outgoing. Rate This is the transfer rate of the c[...]

  • Page 494

    34-6 System Maintenance & Information Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next. Figure 34-6 Menu 24: System Maintenance Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following sc[...]

  • Page 495

    System Maintenance & Information 34-7 Table 34-4 Menu 24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use [...]

  • Page 496

    34-8 System Maintenance & Information ii. When the ZyWALL starts up, if there is a timeserver configured in menu 24.10. iii. 24-hour intervals after starting.[...]

  • Page 497

    Remote Management 35-1 Chapter 35 Remote Management This chapter covers remote management found in SMT menu 24.11. 35.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via:[...]

  • Page 498

    35-2 Remote Management Figure 35-1 Menu 24.11 – Remote Management Control The following table describes the fields in this screen. Table 35-1 Menu 24.11 – Remote Management Control FIELD DESCRIPTION EXAMPLE Telnet Server FTP Server SSH Server HTTPS Server HTTP Server SNMP Service DNS Service Each of these read-only la[...]

  • Page 499

    Remote Management 35-3 Table 35-1 Menu 24.11 – Remote Management Control FIELD DESCRIPTION EXAMPLE Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel" to save your configuration, or press [ESC] to cancel. 35.1.1 Remote Management Limitations Remote managem[...]

  • Page 500

    [...]

  • Page 501

    SMT Advanced Management XIV Part XIV: SMT Advanced Management This part provides information on how to configure call scheduling and VPN/IPSec. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.[...]

  • Page 502

    [...]

  • Page 503

    Call Scheduling 36-1 Chapter 36 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 36.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how l[...]

  • Page 504

    36-2 Call Scheduling To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next. Figure 36-2 Schedule Set Setup If a connection has already been established, your ZyWALL will not drop it. Once the connection is d[...]

  • Page 505

    Call Scheduling 36-3 Table 36-1 Schedule Set Setup FIELD DESCRIPTION OPTIONS Day If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER]. Yes No N/A Start Time Enter the[...]

  • Page 506

    36-4 Call Scheduling Figure 36-3 Applying Schedule Set(s) to a Remote Node (PPPoE) You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s). Figure 36-4 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node [...]

  • Page 507

    VPN/IPSec Setup 37-1 Chapter 37 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 37.1 Introduction The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. [...]

  • Page 508

    37-2 VPN/IPSec Setup Figure 37-2 Menu 27: VPN/IPSec Setup 37.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 — IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configurin[...]

  • Page 509

    VPN/IPSec Setup 37-3 Table 37-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Name This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. Taiwan A Y signifies that this VPN rule is active. Y Local Addr [...]

  • Page 510

    37-4 VPN/IPSec Setup Table 37-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Key Mgt This field displays the SA’s type of key management (IKE or Manual). IKE Remote Addr Start When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind t[...]

  • Page 511

    VPN/IPSec Setup 37-5 Table 37-1 Menu 27.1: IPSec Summary FIELD DESCRIPTION EXAMPLE Select Command Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands. Sel[...]

  • Page 512

    37-6 VPN/IPSec Setup Figure 37-4 Menu 27.1.1: IPSec Setup You must also configure menu 27.1.1.1 or menu 27.1.1.2 to fully configure and use a VPN. The following table describes the fields in this screen. Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Index This is the VPN rule index number you sele[...]

  • Page 513

    VPN/IPSec Setup 37-7 Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE NAT Traversal Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enable[...]

  • Page 514

    37-8 VPN/IPSec Setup Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Peer ID type Press [SPACE BAR] to choose IP, DNS, or E-mail and press [ENTER]. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to ident[...]

  • Page 515

    VPN/IPSec Setup 37-9 Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Local Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multi[...]

  • Page 516

    37-10 VPN/IPSec Setup Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field. N/A Remote Remote IP addresses[...]

  • Page 517

    VPN/IPSec Setup 37-11 Table 37-2 Menu 27.1.1: IPSec Setup FIELD DESCRIPTION EXAMPLE Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535. Someone behind the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match this port[...]

  • Page 518

    37-12 VPN/IPSec Setup Figure 37-5 Menu 27.1.1.1: IKE Setup Table 37-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE Phase 1 Negotiation Mode Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. See earlier for a discussion of these modes. Multiple SAs connecting through a secure gateway[...]

  • Page 519

    VPN/IPSec Setup 37-13 Table 37-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Z[...]

  • Page 520

    37-14 VPN/IPSec Setup Table 37-3 Menu 27.1.1.1: IKE Setup FIELD DESCRIPTION EXAMPLE Encapsulation Press [SPACE BAR] to choose from Tunnel mode or Transport mode and then press [ENTER]. See earlier for a discussion of these. Tunnel Perfect Forward Secrecy (PFS) Perfect Forward Secrecy (PFS) is disabled (None) by de[...]

  • Page 521

    VPN/IPSec Setup 37-15 To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup, press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup. Figure 37-6 Menu 27.1.1.2: Manual Setup Table 37-5 Menu 27.1.1.2: Manual Setup FIELD DESCRIPTIO[...]

  • Page 522

    37-16 VPN/IPSec Setup Table 37-5 Menu 27.1.1.2: Manual Setup FIELD DESCRIPTION EXAMPLE Key3 Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated). Authentication Algorithm Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. MD5 K[...]

  • Page 523

    SA Monitor 38-1 Chapter 38 SA Monitor This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 38.1 Introduction A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections. When there is o[...]

  • Page 524

    38-2 SA Monitor Table 38-1 Menu 27.2: SA Monitor FIELD DESCRIPTION EXAMPLE # This is the security association index number. Name This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure[...]

  • Page 525

    General Appendices XV Part XV: General Appendices This part provides background information about troubleshooting, setting up your computer’s IP address, triangle route, how functions are related, PPPoE, PPTP, wireless LAN, 802.1x, EAP authentication, IP subnetting and safety warnings.[...]

  • Page 526

    [...]

  • Page 527

    Troubleshooting A-1 Appendix A Troubleshooting This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information. Problems Starting Up the ZyWALL Chart 1 [...]

  • Page 528

    Troubleshooting A-2 Problems with the LAN Interface Chart 3 Troubleshooting the LAN Interface PROBLEM CORRECTIVE ACTION Check your Ethernet cable type and connections. Refer to the Quick Start Guide for LAN connection instructions. Cannot access the ZyWALL from the LAN. Make sure the computer’s Ethernet adapter is[...]

  • Page 529

    Troubleshooting A-3 Problems with Internet Access Chart 5 Troubleshooting Internet Access PROBLEM CORRECTIVE ACTION Connect your cable/DSL modem with the ZyWALL using the appropriate cable. Check with the manufacturer of your cable/DSL device about your cable requirement because some devices may require cross[...]

  • Page 530

    [...]

  • Page 531

    Setting Up Your Computer’s IP Address B-1 Appendix B Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software comp[...]

  • Page 532

    Setting Up Your Computer’s IP Address B-2 The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: a. In the Network window, click Add. b. Select Adapter and then click Ad[...]

  • Page 533

    Setting Up Your Computer’s IP Address B-3 1. Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. 2. Click the DNS Configuration ta[...]

  • Page 534

    Setting Up Your Computer’s IP Address B-4 3. Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. 4. Click OK to save and close the TCP/IP Properties window. 5. Click OK[...]

  • Page 535

    Setting Up Your Computer’s IP Address B-5 1. For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. 2. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. 3. Right-click Local Area Connection and then click Pro[...]

  • Page 536

    Setting Up Your Computer’s IP Address B-6 4. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. 5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically. -If you have a[...]

  • Page 537

    Setting Up Your Computer’s IP Address B-7 6. -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add. [...]

  • Page 538

    Setting Up Your Computer’s IP Address B-8 7. In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses[...]

  • Page 539

    Setting Up Your Computer’s IP Address B-9 1. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. 2. Select Ethernet built-in from the Connect via list. 3. For dynamically assigned settings, select Using DHCP Server from the Configure: list.[...]

  • Page 540

    Setting Up Your Computer’s IP Address B-10 4. For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyWALL in the Router address box. 5. Close the TCP/IP [...]

  • Page 541

    Setting Up Your Computer’s IP Address B-11 2. Click Network in the icon bar. - Select Automatic from the Location list. - Select Built-in Ethernet from the Show list. - Click the TCP/IP tab. 3. For dynamically assigned settings, select Using DHCP from the Configure list. 4. For statically assigned settings, do[...]

  • Page 542

    [...]

  • Page 543

    Triangle Route C-1 Appendix C Triangle Route The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. Diagram 1 Ideal S[...]

  • Page 544

    Triangle Route C-2 Diagram 2 “Triangle Route” Problem The “Triangle Route” Solutions This section presents two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three [...]

  • Page 545

    Triangle Route C-3 Diagram 3 IP Alias Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore your LAN[...]

  • Page 546

    Triangle Route C-4 Step 3. Use the following commands to allow/disallow triangle route. sys firewall ignore triangle all off This command allows triangle route. sys firewall ignore triangle all on This command disallows triangle route.[...]

  • Page 547

    Wireless LAN and IEEE 802.11 D-1 Appendix D Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN en[...]

  • Page 548

    D-2 Wireless LAN and IEEE 802.11 Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spect[...]

  • Page 549

    Wireless LAN and IEEE 802.11 D-3 could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible. Diagram D-2 ESS Provides Campus-Wide Coverage[...]

  • Page 550

    [...]

  • Page 551

    Wireless LAN with IEEE 802.1x E-1 Appendix E Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. T[...]

  • Page 552

    Wireless LAN with IEEE 802.1x E-2 RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Diagram E-1 Sequences for EAP MD5–Challenge Authentication Client computer access authorized. Client com[...]

  • Page 553

    Types of EAP Authentication F-1 Appendix F Types of EAP Authentication This appendix discusses three popular EAP authentication types: EAP-MD5, EAP-TLS and EAP-TTLS. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information. EAP-MD5 ([...]

  • Page 554

    Types of EAP Authentication F-2 TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. EAP-MD5 EAP-TLS EAP-TTLS Mutual Authentication No Yes Yes Certificate – Client No Yes Optional Certificate – Server No Yes Yes Dynamic Key Exchange No Yes Yes Credential Sec[...]

  • Page 555

    PPPoE G-1 Appendix G PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any nu[...]

  • Page 556

    G-2 PPPoE The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels[...]

  • Page 557

    PPTP H-1 Appendix H PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Networ[...]

  • Page 558

    H-2 PPTP PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stack [...]

  • Page 559

    PPTP H-3 Diagram H-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.[...]

  • Page 560

    [...]

  • Page 561

    IP Subnetting I-1 Appendix I IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, [...]

  • Page 562

    I-2 IP Subnetting A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B” must[...]

  • Page 563

    IP Subnetting I-3. of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you c[...]

  • Page 564

    I-4 IP Subnetting. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1”, thus giving two subnets: 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask[...]

  • Page 565

    IP Subnetting I-5. actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254. Example: Four Subnets. The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two [...]

  • Page 566

    I-6 IP Subnetting. Chart I-10 Subnet 4
        NETWORK NUMBER | LAST OCTET BIT VALUE
        IP Address: 192.168.1. | 192
        IP Address (Binary): 11000000.10101000.00000001. | 11000000
        Subnet Mask (Binary): 11111111.11111111.11111111. | 11000000
        Subnet Address: 192.168.1.192
        Lowest Host ID: 192.168.1.193
        Broadcast Address: 192.168.1.255
        Hig[...]

  • Page 567

    IP Subnetting I-7. Subnet planning rows, continued (no. of borrowed host bits | subnet mask | no. of subnets | no. of hosts per subnet)
        4 | 255.255.255.240 (/28) | 16 | 14
        5 | 255.255.255.248 (/29) | 32 | 6
        6 | 255.255.255.252 (/30) | 64 | 2
        7 | 255.255.255.254 (/31) | 128 | 1
    Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which ar[...]

  • Page 568

    I-8 IP Subnetting. Chart I-13 Class B Subnet Planning
        NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
        (/29)
        14 | 255.255.255.252 (/30) | 16384 | 2
        15 | 255.255.255.254 (/31) | 32768 | 1[...]
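The subnetting procedure in Appendix I (borrow host bits, derive the subnet address, lowest and highest host, broadcast address and the binary mask, then tabulate subnets and hosts per subnet for each number of borrowed bits) can be reproduced with the Python standard library. The following is an added example written for this page, not code from the ZyXEL manual; it uses the usable-host formula 2^h – 2 and therefore stops at /30, whereas the manual's charts also list a /31 row with one host. Function names and the 172.16.0.0/16 class "B" input are the example's own choices.

```python
import ipaddress


def address_class(ip):
    """Classful letter by first octet (class A: 0-127, B: 128-191, C: 192-223, then D and E)."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def to_binary(addr):
    """Dotted binary form of an address or mask, e.g. 11000000.10101000.00000001.11000000."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.ip_address(str(addr)).packed)


def subnet_plan(network_cidr, borrowed_bits):
    """Borrow host bits from a network, as Appendix I does for 192.168.1.0 with one and two bits.

    Returns one row per resulting subnet with the fields Chart I-10 lists. At least two host
    bits must remain so that each subnet has a network address, usable hosts and a broadcast
    address; the /31 convention used in the manual's last chart row is deliberately not handled.
    """
    net = ipaddress.ip_network(network_cidr, strict=True)
    new_prefix = net.prefixlen + borrowed_bits
    if borrowed_bits < 1 or new_prefix > 30:
        raise ValueError("borrowed bits must leave at least two host bits")
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        rows.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "prefix": sub.prefixlen,
            "subnet_binary": to_binary(sub.network_address),
            "mask_binary": to_binary(sub.netmask),
            "lowest_host": str(sub.network_address + 1),   # network address + 1
            "highest_host": str(sub.broadcast_address - 1), # broadcast address - 1
            "broadcast": str(sub.broadcast_address),
        })
    return rows


def planning_table(network_cidr):
    """Rows of (borrowed bits, mask, prefix, no. of subnets, hosts per subnet), like the
    subnet planning charts in Appendix I, for every borrowing that leaves two host bits."""
    net = ipaddress.ip_network(network_cidr, strict=True)
    rows = []
    for borrowed in range(1, 32 - net.prefixlen - 1):
        prefix = net.prefixlen + borrowed
        mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
        hosts = 2 ** (32 - prefix) - 2          # network and broadcast addresses excluded
        rows.append((borrowed, str(mask), prefix, 2 ** borrowed, hosts))
    return rows


if __name__ == "__main__":
    # The four-subnet example from Appendix I: two borrowed bits on 192.168.1.0/24.
    for row in subnet_plan("192.168.1.0/24", 2):
        print(row["subnet"], row["mask"], row["lowest_host"], row["highest_host"], row["broadcast"])
    for row in planning_table("192.168.1.0/24"):
        print(row)
```

Running it prints subnet 4 as 192.168.1.192 / 255.255.255.192 with hosts 192.168.1.193 to 192.168.1.254 and broadcast 192.168.1.255, matching Chart I-10, and the planning rows match the chart values for four to six borrowed bits (the /31 row is the one the example leaves out).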

  • Page 569

    Safety Warnings and Instructions J-1 Appendix J Safety Warnings and Instructions. 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the ZyWALL is 40º Celsius (104º Fahrenheit). Care must be taken to allow sufficient air circulation or space b[...]

  • Page 571

    Command, Log Appendices and Index XVI. Part XVI: Command, Log Appendices and Index. This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection. There is also an index of key terms.[...]

  • Page 573

    Command Interpreter K-1 Appendix K Command Interpreter. The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on the[...]

  • Page 575

    Firewall Commands L-1 Appendix L Firewall Commands. The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure. Chart L-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION). Firewall Set-Up: c[...]

  • Page 576

    L-2 Firewall Commands. Chart L-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
        config display firewall e-mail | This command shows all of the e-mail settings.
        config display firewall ? | This command shows all of the available firewall sub-commands.
        Edit E-mail: config edit firewall e-mail mail-serv[...]

  • Page 577

    Firewall Commands L-3. Chart L-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
        config edit firewall attack block <yes | no> | Set this command to yes to block new traffic after the tcp-max-incomplete threshold is exceeded. Set it to no to delete the oldest half-open session when traffic exceeds the tcp-max-incomp[...]

  • Page 578

    L-4 Firewall Commands. Chart L-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
        Config edit firewall set <set #> default-permit <forward | block> | This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set.
        Config edit firewall set <set #> icmp-timeout <[...]

  • Page 579

    Firewall Commands L-5. Chart L-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
        Config edit firewall set <set #> rule <rule #> protocol <integer protocol value> | This command sets the protocol specification number made in this rule for ICMP.
        Config edit firewall set <set #> rule <rule #> [...]

  • Page 580

    L-6 Firewall Commands. Chart L-1 Firewall Commands (FUNCTION | COMMAND | DESCRIPTION)
        config edit firewall set <set #> rule <rule #> TCP destport-single <port #> | This command sets a rule to have the ZyWALL check for TCP traffic with this destination address. You may repeat this command to enter various, non-cons[...]

  • Page 581

    NetBIOS Filter Commands M-1 Appendix M NetBIOS Filter Commands. The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure. Introduction: NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer [...]

  • Page 582

    M-2 NetBIOS Filter Commands. Chart M-1 NetBIOS Filter Default Settings (NAME | DESCRIPTION | EXAMPLE)
        Between LAN and WAN | This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. | Forward
        IPSec Packets | This field displays whether NetBIOS packets sent through a VPN connection are blocked [...]

  • Page 583

    NetBIOS Filter Commands M-3. Command: sys filter netbios config 4 off. This command stops NetBIOS commands from initiating calls.[...]

  • Page 585

    Boot Commands N-1 Appendix N Boot Commands. The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the pr[...]

  • Page 586

    N-2 Boot Commands. Diagram N-2 Boot Module Commands
        AT | just answer OK
        ATHE | print help
        ATBAx | change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
        ATENx,(y) | set BootExtension Debug Flag (y=password)
        ATSE | show the seed of password generator
        ATTI(h,m,s) | change system time to hour:min:sec or show current time
        ATDA(y,m,d) | ch[...]

  • Page 587

    Log Descriptions O-1 Appendix O Log Descriptions. Chart O-1 System Error Logs (LOG MESSAGE | DESCRIPTION)
        %s exceeds the max. number of session per host! | This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host.
    Chart O-2 System Maintenance Logs [...]

  • Page 588

    O-2 Log Descriptions. Chart O-2 System Maintenance Logs (LOG MESSAGE | DESCRIPTION)
        TELNET Login Fail | Someone has failed to log on to the router via telnet.
        FTP Login Successfully | Someone has logged on to the router via ftp.
        FTP Login Fail | Someone has failed to log on to the router via ftp.
        NAT Session Table is Full! | The maximum number of SUA/NAT sess[...]

  • Page 589

    Log Descriptions O-3. Chart O-5 Attack Logs (LOG MESSAGE | DESCRIPTION)
        attack IGMP | The firewall detected an IGMP attack.
        attack ESP | The firewall detected an ESP attack.
        attack GRE | The firewall detected a GRE attack.
        attack OSPF | The firewall detected an OSPF attack.
        attack ICMP (type:%d, code:%d) | The firewall detected an I[...]

  • Page 590

    O-4 Log Descriptions. Chart O-5 Attack Logs (LOG MESSAGE | DESCRIPTION)
        syn flood TCP | The firewall detected a TCP syn flood attack.
        ports scan TCP | The firewall detected a TCP port scan attack.
        teardrop TCP | The firewall detected a TCP teardrop attack.
        teardrop UDP | The firewall detected a UDP teardrop attack.
        teardrop ICMP (type[...]

  • Page 591

    Log Descriptions O-5. Chart O-6 Access Logs (LOG MESSAGE | DESCRIPTION)
        Firewall default policy: TCP (set:%d) | TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration.
        Firewall default policy: UDP (set:%d) | UDP access matched the default [...]

  • Page 592

    O-6 Log Descriptions. Chart O-6 Access Logs (LOG MESSAGE | DESCRIPTION)
        Firewall rule match: ESP (set:%d, rule:%d) | ESP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
        Firewall rule match: GRE (set:%d, rule:%d) | GRE access matched the listed firewall rule and [...]

  • Page 593

    Log Descriptions O-7. Chart O-6 Access Logs (LOG MESSAGE | DESCRIPTION)
        Firewall rule NOT match: (set:%d, rule:%d) | Access did not match the listed firewall rule and the ZyWALL logged it.
        Filter default policy DROP! | TCP access matched a default filter policy and the ZyWALL dropped the packet to block access.
        Filter defau[...]

  • Page 594

    O-8 Log Descriptions. Chart O-6 Access Logs (LOG MESSAGE | DESCRIPTION)
        Filter match DROP <set %d/rule %d> | Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
        Filter match DROP <set %d/rule %d> | Access matched the listed filter rule (denied LAN IP) and the ZyWALL dropped the packe[...]

  • Page 595

    Log Descriptions O-9. Chart O-6 Access Logs (LOG MESSAGE | DESCRIPTION)
        Packet without a NAT table entry blocked | The router blocked a packet that did not have a corresponding SUA/NAT table entry.
        Out of order TCP handshake packet blocked | The router blocked a TCP handshake packet that came out of the proper order.
        Drop un[...]

  • Page 596

    O-10 Log Descriptions. Chart O-8 ICMP Notes (TYPE | CODE | DESCRIPTION)
        3 Destination Unreachable
            0 | Net unreachable
            1 | Host unreachable
            2 | Protocol unreachable
            3 | Port unreachable
            4 | A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
            5 | Source route failed
        4 Source Quench
            0 | A gateway may disc[...]

  • Page 597

    Log Descriptions O-11. Chart O-8 ICMP Notes (TYPE | CODE | DESCRIPTION)
        14 Timestamp Reply | 0 | Timestamp reply message
        15 Information Request | 0 | Information request message
        16 Information Reply | 0 | Information reply message
    Chart O-9 Syslog (LOG MESSAGE | DESCRIPTION)
        Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" ds[...]

  • Page 598

    O-12 Log Descriptions. Diagram O-1 Example VPN Initiator IPSec Log. VPN Responder IPSec Log: The following figure shows a typical log from the VPN connection peer. Diagram O-2 Example VPN Responder IPSec Log. This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log messa[...]

  • Page 599

    Log Descriptions O-13. A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-shared key. Chart O-10 Sample IKE Key Exchange Logs (LOG MESSAGE | DESCRIPTION)
        Send <Symbol> Mode request to <IP>
        Send <Symbol> Mode request to <IP> | The ZyWALL has started[...]

  • Page 600

    O-14 Log Descriptions. Chart O-10 Sample IKE Key Exchange Logs (LOG MESSAGE | DESCRIPTION)
        !! Invalid IP <IP start>/<IP end> | The peer’s “Local IP Addr” range is invalid.
        !! Remote IP <IP start> / <IP end> conflicts | If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Ad[...]

  • Page 601

    Log Descriptions O-15. Chart O-10 Sample IKE Key Exchange Logs (LOG MESSAGE | DESCRIPTION)
        vs. My Local <IP address> | The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router’s configured local IP addr[...]

  • Page 602

    O-16 Log Descriptions. The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Chart O-12 RFC-2408 ISAKMP Payload Types (LOG DISPLAY | PAYLOAD TYPE)
        SA | Security Association
        PROP | Proposal
        TRANS | Transform
        KE | Key Exchange
        ID | Identification
        CER | C[...]

  • Page 603

    Log Descriptions O-17. Chart O-13 Log Categories and Available Settings (LOG CATEGORIES | AVAILABLE PARAMETERS)
        attack | 0, 1, 2, 3
        error | 0, 1, 2, 3
        ike | 0, 1, 2, 3
        ipsec | 0, 1, 2, 3
        javablocked | 0, 1, 2, 3
        mten | 0, 1
        upnp | 0, 1
        urlblocked | 0, 1, 2, 3
        urlforward | 0, 1
    Use 0 to not record logs for that category, 1 to record onl[...]

  • Page 604

    O-18 Log Descriptions.
        ras> sys logs display access
        # .time source destination notes message
        0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
        1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
        2|11/11/2002 [...]
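The access log listing above, together with the Chart O-6 message templates (“Firewall default policy: … (set:%d)”, “Firewall rule match: … (set:%d, rule:%d)”, “Firewall rule NOT match: (set:%d, rule:%d)”), is enough to build a small parser that turns the listing into structured records and counts blocked traffic per rule and per source, which is how an operator would review which policy is doing the blocking. The following is an added example written for this page, not code from the ZyXEL manual. The first two sample lines are the ones printed above; lines 2 to 4 are constructed for the example in the same layout, the date is assumed to be month/day/year, and the function names are the example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of "sys logs display access" output. Entries 0 and 1 are the ones
# printed in Appendix O; entries 2-4 are made up for this example and use the
# "Firewall rule match" and "Firewall rule NOT match" templates from Chart O-6.
SAMPLE_LOG = """\
# .time source destination notes message
0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 15:10:31 |10.0.0.5:40211 |192.0.2.10:23 |ACCESS BLOCK Firewall rule match: TCP (set:1, rule:3)
3|11/11/2002 15:10:33 |10.0.0.5:40212 |192.0.2.10:80 |ACCESS BLOCK Firewall rule match: TCP (set:1, rule:3)
4|11/11/2002 15:11:02 |10.0.0.9:51000 |192.0.2.10:443 |ACCESS BLOCK Firewall rule NOT match: (set:1, rule:4)
"""

# One listing line: index|date time |src:port |dst:port |notes message
LINE_RE = re.compile(
    r"^(?P<index>\d+)\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<src>[\d.]+):(?P<sport>\d+) \|(?P<dst>[\d.]+):(?P<dport>\d+) \|"
    r"(?P<notes>ACCESS \w+) (?P<message>.*)$"
)

# Chart O-6 templates with their %d placeholders turned into capture groups. The printed
# output writes "UDP(set:8)" without the space the chart shows, so the space is optional.
MESSAGE_PATTERNS = {
    "default_policy": re.compile(r"^Firewall default policy: (?P<proto>\w+) ?\(set:(?P<set>\d+)\)"),
    "rule_match": re.compile(r"^Firewall rule match: (?P<proto>\w+) ?\(set:(?P<set>\d+), rule:(?P<rule>\d+)\)"),
    "rule_not_match": re.compile(r"^Firewall rule NOT match: \(set:(?P<set>\d+), rule:(?P<rule>\d+)\)"),
}


def parse_access_log(text):
    """Parse the listing into dicts; the header and any non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = {
            "index": int(m["index"]),
            "time": datetime.strptime(m["time"], "%m/%d/%Y %H:%M:%S"),  # assumed mm/dd/yyyy
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "notes": m["notes"],
            "kind": "other", "proto": None, "set": None, "rule": None,
        }
        for kind, pattern in MESSAGE_PATTERNS.items():
            mm = pattern.match(m["message"])
            if mm:
                groups = mm.groupdict()
                entry["kind"] = kind
                entry["proto"] = groups.get("proto")
                entry["set"] = int(groups["set"])
                entry["rule"] = int(groups["rule"]) if groups.get("rule") else None
                break
        entries.append(entry)
    return entries


def summarize(entries):
    """Count ACCESS BLOCK entries per (set, rule) and per source address."""
    blocked = [e for e in entries if e["notes"] == "ACCESS BLOCK"]
    return {
        "by_set_rule": Counter((e["set"], e["rule"]) for e in blocked),
        "by_source": Counter(e["src"] for e in blocked),
    }


def noisy_sources(entries, threshold):
    """Source addresses with at least `threshold` blocked entries, most active first."""
    by_source = summarize(entries)["by_source"]
    return [src for src, n in by_source.most_common() if n >= threshold]


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    print(summarize(parsed))
    print(noisy_sources(parsed, 2))
```

A (set, rule) key of (8, None) means the traffic fell through to set 8's default policy rather than matching a numbered rule, which is the case for the two NetBIOS broadcasts (ports 137 and 138) in the manual's own listing.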

  • Page 605

    Brute-Force Password Guessing Protection P-1 Appendix P Brute-Force Password Guessing Protection. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the[...]

  • Page 607

    Index Q-1 Appendix Q Index
        1
        10/100 Mbps Ethernet WAN ..... 1-2
        4
        4-Port Switch ..... 1-2
        A
        Access Point ..... 7-5, 24-7
        Action for Matched Packets ..... 11-10
        Active ..... [...]

  • Page 608

    Q-2 Index
        Configuration File Upload ..... 33-16
        File Backup ..... 33-6
        File Upload ..... 33-15
        Restoring Files ..... 33-9
        Content Filtering ..... [...]

  • Page 609

    Index Q-3
        Filter ..... 23-12, 24-1, 26-9, 30-1
        Applying ..... 30-17
        Configuration ..... 30-1
        Configuring ..... 30-4
        Example ..... [...]

  • Page 610

    Q-4 Index
        Inside Local Address ..... 8-1
        Internet Access ..... 25-1
        ISP's Name ..... 25-1
        Internet Access Setup ..... 25-1, 28-2, A-2
        Internet Control Message Protocol ([...]

  • Page 611

    Index Q-5
        N
        Nailed-up Connection ..... 26-4
        Nailed-Up Connection ..... 23-7, 26-5
        NAT ..... 3-4, 3-9, 5-1, 8-5, 8-6, 23-10, 26-8, 30-16
        Application ..... 8-3
        Applying NAT in the SMT Menus ..... 28[...]

  • Page 612

    Q-6 Index
        Replacement ..... v
        Reports ..... 19-6
        Required fields ..... 21-3
        Reset Button ..... 1-2
        Resetting the Time ..... [...]

  • Page 613

    Index Q-7
        System Management Terminal ..... 21-2
        System Name ..... 4-2, 22-1
        System Status ..... 32-1
        System Timeout ..... 17-2
        T
        TCP Maximum Incomplete ..... 11-21, 11-22, 11-24[...]

  • Page 614

    Q-8 Index
        Wireless LAN Setup ..... 24-6
        Wizard Setup ..... 3-1
        WLAN ..... See Wireless LAN
        www.dyndns.org ..... 22-4
        www.zyxel.com ..... [...]