ZyXEL Communications Internet Security Gateway ZyWALL 2 Series manual
- 614 pages
- 16.97 mb
A good user manual
The rules should oblige the seller to give the purchaser an operating instruction of ZyXEL Communications Internet Security Gateway ZyWALL 2 Series, along with the item. The lack of an instruction or false information given to the customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos, have been widely used. A necessary precondition for this is the unmistakable, legible character of an instruction.
What is an instruction?
The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of ZyXEL Communications Internet Security Gateway ZyWALL 2 Series one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or the performance of certain activities. An instruction is a compilation of information about an item/a service; it is a guide.
Unfortunately, only a few customers take the time to read an instruction of ZyXEL Communications Internet Security Gateway ZyWALL 2 Series. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.
What should a perfect user manual contain?
First and foremost, a user manual of ZyXEL Communications Internet Security Gateway ZyWALL 2 Series should contain:
- information concerning the technical data of ZyXEL Communications Internet Security Gateway ZyWALL 2 Series
- the name of the manufacturer and the year of construction of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series item
- rules of operation, control and maintenance of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series item
- safety signs and certification marks which confirm conformity with the applicable standards
Why don't we read the manuals?
Usually it results from a lack of time and of certainty about the functionalities of purchased items. Unfortunately, networking and start-up of ZyXEL Communications Internet Security Gateway ZyWALL 2 Series alone are not enough. An instruction contains a number of hints concerning the respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of ZyXEL Communications Internet Security Gateway ZyWALL 2 Series, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the ZyXEL Communications service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information about ZyXEL Communications Internet Security Gateway ZyWALL 2 Series.
Why one should read the manuals?
It is mostly in the manuals where we will find the details concerning the construction and capabilities of the ZyXEL Communications Internet Security Gateway ZyWALL 2 Series item, its use with the respective accessories, as well as information concerning all the functions and facilities.
After a successful purchase of an item one should find a moment and get to know every part of the instruction. Currently the manuals are carefully prepared and translated, so they can be fully understood by their users. The manuals will serve as an informational aid.
Table of contents for the manual
- Page 1: ZyWALL 2 Series Internet Security Gateway User's Guide, Version 3.62, June 2004[...]
- Page 2: ZyWALL 2 Series User's Guide, ii Copyright. Copyright © 2004 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic,[...]
- Page 3: FCC iii Federal Communications Commission (FCC) Interference Statement. This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause und[...]
- Page 4: iv Information for Canadian Users. The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment w[...]
- Page 5: Warranty v ZyXEL Limited Warranty. ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications[...]
- Page 6: vi Customer Support. When you contact your customer support representative please have the following information ready: • Product model and serial number. • Warranty Information. • Date that you received yo[...]
- Page 7: Table of Contents vii. Copyright ... ii; Federal Communications Commission (FCC) Interference Statement ...[...]
- Page 8: viii Table of Contents. 5.6 Configuring IP ... 5-3; 5.7 Configuring Static DHCP ... 5-6; 5.8 [...]
- Page 9: Table of Contents ix. 10.3 Introduction to ZyXEL's Firewall ... 10-2; 10.4 Denial of Service ... 10-3; 10.5 Stateful Inspe[...]
- Page 10: x Table of Contents. 14.13 Configuring Advanced IKE Setup ... 14-24; 14.14 Manual Key Setup ... 14-28; 14.15 Configuring Edit Manu[...]
- Page 11: Table of Contents xi. 17.9 Secure Telnet Using SSH Examples ... 17-16; 17.10 Secure FTP Using SSH Example ... 17-18; 17.11 Telnet ...[...]
- Page 12: xii Table of Contents. 23.3 Configuring Dial Backup in Menu 2 ... 23-2; 23.4 Advanced WAN Setup ... 23-3; 23.5 Remote Node Profile (B[...]
- Page 13: Table of Contents xiii. 30.5 Firewall Versus Filters ... 30-16; 30.6 Applying a Filter ... 30-17; Chapter 31 S[...]
- Page 14: xiv Table of Contents. Appendix F Types of EAP Authentication ... F-1; Appendix G PPPoE ... G-1; Append[...]
- Page 15: List of Figures xv. Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem ... 1-6; Figure 1-2 Secure Internet Access and VPN Application ... 1-7; Figure 2-1 Cha[...]
- Page 16: xvi List of Figures. Figure 8-3 Multiple Servers Behind NAT Example ... 8-6; Figure 8-4 SUA Server ...[...]
- Page 17: List of Figures xvii. Figure 14-9 Advanced IKE VPN Rule Setup ... 14-25; Figure 14-10 Manual VPN Rule Setup ... 14-29; Figure 14-[...]
- Page 18: xviii List of Figures. Figure 17-21 SNMP Management Model ... 17-23; Figure 17-22 SNMP ...[...]
- Page 19: List of Figures xix. Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter ... 23-13; Figure 24-1 Menu 3: LAN Setup ... 24-1; Figure 24-2 Me[...]
- Page 20: xx List of Figures. Figure 28-20 Example 4: Menu 15.1.1.1: Address Mapping Rule ... 28-16; Figure 28-21 Example 4: Menu 15.1.1: Address Mapping Rules ... 28-16; Figure 28-22 Trigger Port Forwarding P[...]
- Page 21: List of Figures xxi. Figure 33-12 Successful Restoration Confirmation Screen ... 33-10; Figure 33-13 Telnet Into Menu 24.7.1: Upload System Firmware ... 33-11; Figure 33-14 Telnet Into Menu[...]
- Page 22: xxii List of Tables. Table 1-1 Model Specific Features ... 1-1; Table 2-1 Web Configurator Screens Summary ...[...]
- Page 23: List of Tables xxiii. Table 10-2 ICMP Commands That Trigger Alerts ... 10-6; Table 10-3 Legal NetBIOS Commands ... 10-7; Table 10[...]
- Page 24: xxiv List of Tables. Table 16-2 RADIUS ... 16-4; Table 17-1 WWW ...[...]
- Page 25: List of Tables xxv. Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ... 26-2; Table 26-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ... 26-5; Table 26-3 Fields in Menu 11.1 ([...]
- Page 26: xxvi Preface. About This User's Manual: Congratulations on your purchase of the ZyWALL 2 Internet Security Gateway Series. This manual is designed to guide you through the configuration of your ZyWALL for its various applications. Use the web configurator, System Management Terminal (SMT) or command int[...]
- Page 27: Preface xxvii. • The version number on the title page is the latest firmware version that is documented in this User's Guide. Earlier versions may also be included. • "Enter" means for you to type one or more characters and press the carriage return. "Select" or "Choose" means for you to use one[...]
Page 28
[...]
-
Page 29
Getting S tarted I Part I: Getting Started This part help s you get to know your ZyWALL, in troduces the web configurator and covers how to configure the Wizard Setup screens.[...]
-
Page 30
[...]
-
Page 31
ZyW ALL 2 Serie s User ’s Guide Getting to Know Y our ZyW ALL 1-1 Chapter 1 Getting to Know Your ZyWALL This chapter introduces the main featu res and applications of the ZyWALL. 1.1 Introducing the ZyW ALL The ZyWALL is an ideal secure gateway for all data passing between the Internet and the LAN. By integrating NAT, firewall and VPN capability,[...]
-
Page 32
ZyW ALL 2 Serie s User ’s Guide 1-2 Getting to Know Y our ZyW ALL 1.2.1 Physical Features 4-Port Switch A combination of switch and router makes your ZyWA LL a cost-effective and viab le network solu tion. You can connect up to four com puters to the ZyWALL without the cost of a hub. Use a hub to add more than four computers to your LAN. Auto-neg[...]
-
Page 33
ZyW ALL 2 Serie s User ’s Guide Getting to Know Y our ZyW ALL 1-3 The ZyW ALL support s two simult aneous VPN connections. X-Auth (Extended Authentication) X-Auth pr ovides adde d security for VPN by requiring ea ch VPN cli ent to use a username and passwor d. Certificates The ZyWALL can use ce rtificates (also called digital IDs) to authenticate[...]
-
Page 34
ZyW ALL 2 Serie s User ’s Guide 1-4 Getting to Know Y our ZyW ALL Universal Plug and Play (UPnP) Using the standar d TCP/IP p rotocol, t he ZyWALL a nd other UPnP enable d devices can dynamical ly join a network, obtain an IP address and convey its cap abilities to other devices on th e network. Call Scheduling Configure call time periods to rest[...]
-
Page 35
ZyW ALL 2 Serie s User ’s Guide Getting to Know Y our ZyW ALL 1-5 Central Network Management Central Netwo rk Managem ent (CNM) allows an enter prise or ser vice provi der network a dminist rator to manage your ZyWA LL. The enterprise or service pro vider network administrator can conf igure your ZyWALL, perf orm firm ware upgrades and do trouble[...]
-
Page 36
ZyW ALL 2 Serie s User ’s Guide 1-6 Getting to Know Y our ZyW ALL Management Term inal) interface. The SMT is a menu-driv en interface that you can acce ss from a terminal emulator t hrough the c onsole port or over a t elnet connection. RoadRunner Support In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunne[...]
-
Page 37
ZyW ALL 2 Serie s User ’s Guide Getting to Know Y our ZyW ALL 1-7 1.3.2 Secure Broadband Internet Access and VPN You can conne ct a cable, DSL or wireless modem to the ZyWALL via Ethe rnet for bro adband In ternet access. The ZyWALL also provi des IP address sha r ing and a firewall-prot ected local network with traffic management . ZyWALL VPN is[...]
-
Page 38
[...]
-
Page 39
ZyW ALL 2 Serie s User ’s Guide Introducing the W eb Configurator 2-1 Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and pr ovides an overview of its screens. 2.1 Web Configurator Overview The embedded web configu rator (ewc) allows you to manage th e ZyWALL from anywhere through a brow[...]
-
Page 40
ZyW ALL 2 Serie s User ’s Guide 2-2 Introducing the W eb Configurator Step 6. Click Apply in th e Replace Certificate screen to create a ce rtificate using your ZyWALL’s MAC address that will be specific to this devi ce. This feature is not availab le on the ZyWALL 2WE. Figure 2-2 Replace Certificate Screen Step 7. You should now see the MA IN [...]
-
Page 41
ZyW ALL 2 Serie s User ’s Guide Introducing the W eb Configurator 2-3 2.3.2 Uploading a Configurat ion File Via Console Port Step 3. Download the defau lt configuration file from th e ZyXEL Networks FTP site, unzip it and save it in a folder. Step 4. Turn off the Z yWALL, begi n a terminal emulation softwar e session and t u rn on the ZyWA LL aga[...]
-
Page 42
ZyW ALL 2 Serie s User ’s Guide 2-4 Introducing the W eb Configurator Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to v iew online help. The icon does not appear in the MAIN MENU screen. Figure 2-4 The MAIN MENU Screen of the Web Co nfigurator The followin g table desc[...]
-
Page 43
ZyW ALL 2 Serie s User ’s Guide Introducing the W eb Configurator 2-5 Table 2-1 Web Configurator Screens Summary LINK TA B FUNCTION General Use this screen to configure general s ystem settings. DDNS Use this screen to configure Dynamic Domain Name System settings. Password Use this screen to change your password. SYSTEM Time Setting Use this scr[...]
-
Page 44
ZyW ALL 2 Serie s User ’s Guide 2-6 Introducing the W eb Configurator Table 2-1 Web Configurator Screens Summary LINK TA B FUNCTION General This screen allo ws you to enable content filtering and block certain web features. Categories Use this screen to select which categories of web pages to filter out, as well as to register for external databa[...]
-
Page 45
ZyW ALL 2 Serie s User ’s Guide Introducing the W eb Configurator 2-7 Table 2-1 Web Configurator Screens Summary LINK TA B FUNCTION SNMP Use this screen to configure your Z yWALL’s settings for Simple Network Management Protocol managemen t. DNS Use this screen to configure through which interface(s) and from which IP address(es) users can send[...]
-
Page 46
[...]
-
Page 47
ZyW ALL 2 Serie s User ’s Guide Wizard Setup 3-1 Chapter 3 Wizard Setup This chapter provides information on the Wiza rd Setup screens in the web configurator. 3.1 Wizard Setup Overview The web configur ator’s setup wizard helps yo u config ure your device to access the Internet. T he second screen has thre e variations depending on what encaps[...]
-
Page 48
ZyW ALL 2 Serie s User ’s Guide 3-2 Wizard Setup Figure 3-1 Wizard 1 3.3 Internet Access The ZyWALL offers three c hoices of enca psulation. They are Ethernet , PPTP or PPPoE. 3.3.1 Ethernet Choose Eth erne t when the WAN port is used as a regula r Ethernet.[...]
-
Page 49
ZyW ALL 2 Serie s User ’s Guide Wizard Setup 3-3 Figure 3-2 Wizard 2: Ethernet Encapsulation The following table describes the labels in this screen. Table 3-1 Ethernet Encapsulation LA BEL DESCRIPTION ISP Parameters fo r Internet Access Encapsulation You must choo se the Ethernet option when the WAN port is used as a reg ular Ethernet. Otherwise[...]
-
Page 50
ZyW ALL 2 Serie s User ’s Guide 3-4 Wizard Setup Table 3-1 Ethernet Encapsulation LA BEL DESCRIPTION Login Server IP Address Type the authentication server IP address her e if your ISP gave you one. Login Server (Telia Login onl y) Type the domain name of the T elia login server, for example “login1.telia.com”. Alternatively, click the right [...]
-
Page 51
ZyW ALL 2 Serie s User ’s Guide Wizard Setup 3-5 Figure 3-3 Wizard2: PPPoE Encapsulation The following table describes the labels in this screen. Table 3-2 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose a n encapsulation method from the p ull-down list box. PPPoE forms a dial-up connection. Service Na[...]
-
Page 52
ZyW ALL 2 Serie s User ’s Guide 3-6 Wizard Setup Table 3-2 PPPoE Encapsulation LABEL DESCRIPTION Idle Timeout Type the time in seconds that elapse s before the router automatically disconnects from the PPPoE server. The default time is 100 seconds. Next Click Next to continue. Back Click Back to return to the previous screen. 3.3.3 PPTP Encap sul[...]
-
Page 53
ZyW ALL 2 Serie s User ’s Guide Wizard Setup 3-7 Figure 3-4 Wizard 2: PPTP Encapsulation The following table describes the labels in this screen. Table 3-3 PPTP Encapsulation LABEL DESCRIPTION ISP Parameters fo r Internet Access Encapsulation Select PPTP from the drop-down list box. User Name Type the user name given to you by your ISP. Password [...]
-
Page 54
ZyW ALL 2 Serie s User ’s Guide 3-8 Wizard Setup Table 3-3 PPTP Encapsulation LABEL DESCRIPTION My IP Address Type the (static) IP address assigned to you by your ISP. My IP Subnet Mask Type the subnet mask assigned to you b y your ISP (if given). Server IP Address T ype the IP address of the PPTP server. Connection ID/Name Enter the connection I[...]
-
Page 55
ZyW ALL 2 Serie s User ’s Guide Wizard Setup 3-9 Regardless of your p articular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on addres s assignment, please refer to RFC 15 97, Address Allocation for Private Internet s and RFC 1466, Guidelines for Management of IP Address Sp ace. 3.4.2 [...]
-
Page 56
ZyW ALL 2 Serie s User ’s Guide 3-10 Wizard Setup 3.4.4 W AN MAC Address Every Ethernet device ha s a unique MAC (Media Access Control) address. The MAC address is assigned at the factory an d consists of six pairs of hexadeci mal characters, for exampl e, 00: A0:C5: 00:00:0 2. You can confi gure the WAN port's M AC address by ei ther using [...]
-
Page 57
ZyW ALL 2 Serie s User ’s Guide Wizard Setup 3-1 1 Figure 3-5 Wizard 3 The following table describes the labels in this screen. Table 3-6 Wizard 3 LA BEL DESCRIPTION WAN IP Address Assignment Get automatically from ISP Select this option If your ISP did not assign you a fixed IP address. T his is the default selection. Use fixed IP address Select[...]
-
Page 58
ZyW ALL 2 Serie s User ’s Guide 3-12 Wizard Setup Table 3-6 Wizard 3 LA BEL DESCRIPTION Remote IP Subnet Mask Enter the gateway IP subnet mask (if your ISP gave you o ne) in this field if you selected Use Fixed IP Address . This field is only available when you select PPTP encapsulatio n in the previous wizard screen. Gateway/Remote IP Address En[...]
-
Page 59
ZyW ALL 2 Serie s User ’s Guide Wizard Setu p 3-13 Figure 3-6 Internet Access Wizard Setup Complete[...]
-
Page 60
[...]
- Page 61: System and LAN II. Part II: System and LAN. This part covers configuration of the system, and LAN screens.[...]
- Page 62: [...]
- Page 63: System 4-1. Chapter 4 System Screens. This chapter provides information on the System screens. 4.1 System Overview: See the Wizard Setup chapter for more information on the next few screens. 4.2 Configuring General Setup: Click SYSTEM to open the General screen. Figure 4-1 System General Setup. The following table descr[...]
- Page 64: 4-2 System. Table 4-1 System General Setup (LABEL / DESCRIPTION). System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field (see the Wizard Setup chapter for how to find your computer's name). This name can be up to 30 alphanumeric[...]
- Page 65: System 4-3. 4.3 Dynamic DNS: Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.or[...]
- Page 66: 4-4 System. Figure 4-2 DDNS. The following table describes the fields in this screen. Table 4-2 DDNS (LABEL / DESCRIPTION). Active: Select this check box to use dynamic DNS. Service Provider: Select the name of your Dynamic DNS service provider. DDNS Type: Select the type of service that you are registered for from your Dynam[...]
- Page 67: System 4-5. Table 4-2 DDNS (LABEL / DESCRIPTION). Host Names 1~3: Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (","). User: Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. P[...]
- Page 68: 4-6 System. Figure 4-3 Password. The following table describes the fields in this screen. Table 4-3 Password (LABEL / DESCRIPTION). Old Password: Type the default password or the existing password you use to access the system in this field. New Password: Type the new password in this field. Retype to Confirm: Type the new p[...]
- Page 69: System 4-7. Table 4-4 Default Time Servers: ntp1.cs.wisc.edu, ntp1.gbg.netnod.se, ntp2.cs.wisc.edu, tock.usno.navy.mil, ntp3.cs.wisc.edu, ntp.cs.strath.ac.uk, ntp1.sp.se, time1.stupi.se, tick.stdtime.gov.tw, tock.stdtime.gov.tw, time.stdtime.gov.tw. 4.7 Configuring Time Setting: To change your ZyWALL's time and date, click SYSTE[...]
- Page 70: 4-8 System. Figure 4-4 Time Setting. The following table describes the fields in this screen. Table 4-5 Time Setting (LABEL / DESCRIPTION). Time Protocol: Select the time service protocol that your time server sends when you turn on the ZyWALL. Not all time servers support all protocols, so you may have to check with your IS[...]
- Page 71: System 4-9. Table 4-5 Time Setting (LABEL / DESCRIPTION). Time Server Address: Enter the address of your time server. Check with your ISP/network administrator if you are unsure of this information (the default is tick.stdtime.gov.tw). Synchronize Now: Click this button to get the time and date from the time server you spec[...]
- Page 72: [...]
- Page 73: LAN 5-1. Chapter 5 LAN Screens. This chapter describes how to configure LAN settings. 5.1 LAN Overview: Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network in[...]
- Page 74: 5-2 LAN. three numbers specify the network number while the last number identifies an individual computer on that network. Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyWALL, but make sure that no other device on your network is [...]
- Page 75: LAN 5-3. RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network top [...]
- Page 76: 5-4 LAN. Figure 5-1 IP. The following table describes the fields in this screen. Table 5-1 IP (LABEL / DESCRIPTION). DHCP Setup[...]
- Page 77: LAN 5-5. Table 5-1 IP (LABEL / DESCRIPTION). DHCP Server: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP Server check box selected. Clear it to disabl[...]
- Page 78: 5-6 LAN. Table 5-1 IP (LABEL / DESCRIPTION). RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networ[...]
- Page 79: LAN 5-7. Figure 5-2 Static DHCP. The following table describes the fields in this screen. Table 5-2 Static DHCP (LABEL / DESCRIPTION). #: This is the index number of the Static IP table entry (row). MAC Address: Type the MAC address (with colons) of a computer on your LAN. IP Address: Type the IP address to be assigned to the [...]
- Page 80: 5-8 LAN. When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). The following figure shows a LAN divided into subnets A, B, and C. Figure 5-3 Physical Network. Figure 5-4 Partitioned Logical Networks. To change your ZyWALL's IP alias setti[...]
- Page 81: LAN 5-9. The following table describes the fields in this screen. Table 5-3 IP Alias (LABEL / DESCRIPTION). IP Alias 1,2: Select the check box to configure another LAN for the ZyWALL. IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask: Your ZyWALL will automatically calculate the subne[...]
- Page 82: [...]
- Page 83: WAN and Wireless LAN III. Part III: WAN and Wireless LAN. This part covers configuration of the WAN and Wireless LAN screens.[...]
- Page 84: [...]
-
Page 85
ZyWALL 2 Series User’s Guide WAN Screens 6-1 Chapter 6 WAN Screens This chapter describes how to configure WAN settings. 6.1 W AN Overview See the LAN chapter for information about Primary and Seconda ry DNS Server , DNS Server Address Assignment and IP Address and Subnet Mask . 6.2 TCP/IP Priority (Metric) The metric represents the "cost of[...]
-
Page 86
ZyWALL 2 Series User’s Guide 6-2 WAN Screens Table 6-1 Private IP Address Ranges 10.0.0.0 - 10. 255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192. 168.255.255 You can obt ain your IP address fr om the IAN A, from an ISP or have it assigned by a priv ate network. If you belong to a small organization and your Internet access is t hrough an[...]
-
Page 87
ZyWALL 2 Series User’s Guide WAN Screens 6-3 Figure 6-1 WAN Setup: Route The following table describes the fields in this screen. Table 6-3 WAN Setup: Route LABEL DESCRIPTION WAN Traf fic Redirect Dial Backup The default WAN connection is "1” as your broadband conn ection via the WAN port should always be your preferred method of accessing[...]
-
Page 88
ZyWALL 2 Series User’s Guide 6-4 WAN Screens Figure 6-2 Ethernet Encapsulation The following table describes the fields in this screen. Table 6-4 Ethernet Encapsulation LABEL DESCRIPTION Encapsulation You must cho ose the Ethernet opt ion when the WAN port is used as a re gular Ethernet. Service Type Choose from Standard , Telstr a (RoadRunner Te[...]
-
Page 89
ZyWALL 2 Series User’s Guide WAN Screens 6-5 Table 6-4 Ethernet Encapsulation LABEL DESCRIPTION Reset Click Reset to begin co nfiguring this screen afresh. 6.5.2 PPPoE Encap sulation The ZyWALL sup ports PPPo E (Point -to-Point P rotocol o ver Ether net). PPPoE is an IETF Draft standa rd (RFC 2516) specifying how a personal computer (PC) interact[...]
-
Page 90
6-6 WAN Screens Figure 6-3 PPPoE Encapsulation The following table describes the fields in this screen. Table 6-5 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over E[...]
-
Page 91
WAN Screens 6-7 Table 6-5 PPPoE Encapsulation LABEL DESCRIPTION Password Type the password associated with the User Name above. Retype to Confirm Type your password again to make sure that you have entered it correctly. Nailed-Up Connection Select Nailed-Up Connection if you do not want the connection to time out. [...]
-
Page 92
6-8 WAN Screens Figure 6-4 PPTP Encapsulation The following table describes the fields in this screen. Table 6-6 PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote cl[...]
-
Page 93
WAN Screens 6-9 Table 6-6 PPTP Encapsulation LABEL DESCRIPTION User Name Type the user name given to you by your ISP. Password Type the password associated with the User Name above. Retype to Confirm Type your password again to make sure that you have entered it correctly. Nailed-up Connection Select Nailed-Up Con[...]
-
Page 94
6-10 WAN Screens Figure 6-5 IP Setup The following table describes the fields in this screen. Table 6-7 IP Setup LABEL DESCRIPTION WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP address Select this[...]
-
Page 95
WAN Screens 6-11 Table 6-7 IP Setup LABEL DESCRIPTION My WAN IP Address (or IP Address) Enter your WAN IP address in this field if you selected Use Fixed IP Address. My WAN IP Subnet Mask (Ethernet encapsulation only) Type your network's IP subnet mask. Remote IP Address (or Gateway IP Address) Type the IP addr[...]
-
Page 96
6-12 WAN Screens Table 6-7 IP Setup LABEL DESCRIPTION Private (PPPoE and PPTP only) This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will be prop[...]
-
Page 97
WAN Screens 6-13 Table 6-7 IP Setup LABEL DESCRIPTION Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPP[...]
-
Page 98
6-14 WAN Screens The MAC address screen allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a computer on your LAN. Choose Factory Default to select the factory assigned default MAC Address. Otherwise, click Spoof this computer's MAC a[...]
-
Page 99
WAN Screens 6-15 Figure 6-8 Traffic Redirect LAN Setup 6.9 Configuring Traffic Redirect To change your ZyWALL’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown.[...]
-
Page 100
6-16 WAN Screens Figure 6-9 Traffic Redirect The following table describes the fields in this screen. Table 6-8 Traffic Redirect LABEL DESCRIPTION Active Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down. Backup Gateway IP Address Type the IP address of your backup g[...]
-
Page 101
WAN Screens 6-17 Table 6-8 Traffic Redirect LABEL DESCRIPTION Check WAN IP Address Configuration of this field is optional. If you do not enter an IP address here, the ZyWALL will use the default gateway IP address. Configure this field to test your ZyWALL's WAN accessibility. Type the IP address of a reliabl[...]
-
Page 102
6-18 WAN Screens Figure 6-10 Dial Backup Setup[...]
-
Page 103
WAN Screens 6-19 The following table describes the labels in this screen. Table 6-9 Dial Backup Setup LABEL DESCRIPTION Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to Confi[...]
-
Page 104
6-20 WAN Screens Table 6-9 Dial Backup Setup LABEL DESCRIPTION Get IP Address Automatically from Remote Server Type the login name assigned by your ISP for this remote node. Used Fixed IP Address Select this check box if your ISP assigned you a fixed IP address, then enter the IP address in the following field. My [...]
-
Page 105
WAN Screens 6-21 Table 6-9 Dial Backup Setup LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported; but RIP-2 carries m[...]
-
Page 106
6-22 WAN Screens Table 6-9 Dial Backup Setup LABEL DESCRIPTION Configure Budget Select this check box to have the dial backup connection on during the time that you select. Allocated Budget Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period fiel[...]
-
Page 107
WAN Screens 6-23 6.11.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags. 6.12 Conf[...]
-
Page 108
6-24 WAN Screens Figure 6-11 Advanced Setup The following table describes the labels in this screen. Table 6-10 Advanced Setup LABEL DESCRIPTION EXAMPLE AT Command Strings Dial Type the AT Command string to make a call. atdt[...]
-
Page 109
WAN Screens 6-25 Table 6-10 Advanced Setup LABEL DESCRIPTION EXAMPLE Drop Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath" can be used if your modem has a slow response time. ~~+++~~ath Answer Type the AT Command string to answer a call. ata[...]
-
Page 110
[...]
-
Page 111
Wireless LAN Screens 7-1 Chapter 7 Wireless LAN Screens This chapter discusses how to configure Wireless LAN on the ZyWALL 2WE. 7.1 Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios. 7.1.1 Additional Installation Requirements for Using 802.1x A computer with an IEEE[...]
-
Page 112
7-2 Wireless LAN Screens is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 7-1 RTS Threshold When station A sends data to the ZyWALL, it might not know that the station B is already using the channel. If these two stations send data at the same[...]
-
Page 113
Wireless LAN Screens 7-3 A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you[...]
-
Page 114
7-4 Wireless LAN Screens 7.4 Configuring Wireless LAN If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your c[...]
-
Page 115
Wireless LAN Screens 7-5 Table 7-1 Wireless LABEL DESCRIPTION Enable Wireless LAN The wireless LAN is turned off by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security, otherwise your wireless LAN will be vulnerable upon enabling it. Select t[...]
-
Page 116
7-6 Wireless LAN Screens 7.5 Configuring MAC Filter The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every Ethernet device has a unique MAC (Media Access Contro[...]
-
Page 117
Wireless LAN Screens 7-7 Table 7-2 MAC Address Filter LABEL DESCRIPTION Active Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses. Disable MAC address filtering to have the route[...]
-
Page 118
7-8 Wireless LAN Screens • Access-Request Sent by the ZyWALL requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The ac[...]
-
Page 119
Wireless LAN Screens 7-9 Figure 7-5 EAP Authentication The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x chapter in the Appendices. • The wireless station sends a “start” message to the Zy[...]
-
Page 120
7-10 Wireless LAN Screens Figure 7-6 802.1X Authentication The following table describes the fields in this screen. Table 7-3 802.1X Authentication LABEL DESCRIPTION Authentication Type Select Authentication Required, No Access or No Authentication Required from the drop-down list box. Select Authentication Required[...]
-
Page 121
NAT and Static Route IV Part IV: NAT and Static Route This part covers Network Address Translation and setting up static routes.[...]
-
Page 122
[...]
-
Page 123
NAT 8-1 Chapter 8 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 8.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one netw[...]
-
Page 124
8-2 NAT local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for exampl[...]
-
Page 125
NAT 8-3 8.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 8-2 NAT Application With IP Alias 8.1.5 NA[...]
-
Page 126
8-4 NAT Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), the Single User Account feature (the SUA Only option). Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps [...]
-
Page 127
NAT 8-5 8.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or se[...]
-
Page 128
8-6 NAT Table 8-3 Services and Port Numbers SERVICES PORT NUMBER DNS (Domain Name System) 53 Finger 79 HTTP (Hyper Text Transfer protocol or WWW, Web) 80 POP3 (Post Office Protocol) 110 NNTP (Network News Transport Protocol) 119 SNMP (Simple Network Management Protocol) 161 SNMP trap 162 PPTP (Point-to-Point Tunneli[...]
-
Page 129
NAT 8-7 8.4 Configuring SUA Server If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Click SUA/NAT to open the SUA Server screen. Refer to the firewall chapters for port numbers commonly used for part[...]
-
Page 130
8-8 NAT Table 8-4 SUA Server LABEL DESCRIPTION Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not[...]
-
Page 131
NAT 8-9 Figure 8-5 Address Mapping The following table describes the fields in this screen. Table 8-5 Address Mapping LABEL DESCRIPTION Local Start IP This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping. Local End IP This is the en[...]
-
Page 132
8-10 NAT Table 8-5 Address Mapping LABEL DESCRIPTION Type 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PA[...]
-
Page 133
NAT 8-11 Table 8-6 Address Mapping Rule LABEL DESCRIPTION Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type. 2. Many-to-One: Many-to-One mode maps multi[...]
-
Page 134
8-12 NAT receives a response with a specific port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer’s connection for that service closes, another computer on the LAN can use the service in the sa[...]
-
Page 135
NAT 8-13 Figure 8-8 Trigger Port The following table describes the fields in this screen. Table 8-7 Trigger Port LABEL DESCRIPTION No. This is the rule index number (read-only). Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces.[...]
-
Page 136
8-14 NAT Table 8-7 Trigger Port LABEL DESCRIPTION Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Start Port Type a [...]
-
Page 137
Static Route Screens 9-1 Chapter 9 Static Route Screens This chapter shows you how to configure static routes for your ZyWALL. 9.1 Static Route Overview Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, t[...]
-
Page 138
9-2 Static Route Screens Figure 9-2 Static Route Screen The following table describes the fields in this screen. Table 9-1 IP Static Route Summary LABEL DESCRIPTION # Number of an individual static route. Name Name that describes or identifies this route. Active This field shows whether this static route is active (Y[...]
-
Page 139
Static Route Screens 9-3 Table 9-1 IP Static Route Summary LABEL DESCRIPTION Gateway This is the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL; over the WA[...]
-
Page 140
9-4 Static Route Screens Table 9-2 Edit IP Static Route LABEL DESCRIPTION Active This field allows you to activate/deactivate this static route. Destination IP Address This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route[...]
-
Page 141
Firewall and Content Filters V Part V: Firewall and Content Filters This part introduces firewalls in general and the ZyWALL firewall. It also explains how to configure the ZyWALL firewall and content filtering.[...]
-
Page 142
[...]
-
Page 143
Firewalls 10-1 Chapter 10 Firewalls This chapter gives some background information on firewalls and introduces the ZyWALL firewall. 10.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewa[...]
-
Page 144
10-2 Firewalls i. Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. ii. Robust authentication and logging pre-authenticates application traffic before[...]
-
Page 145
Firewalls 10-3 Figure 10-1 ZyWALL Firewall Application 10.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Z[...]
-
Page 146
10-4 Firewalls Table 10-1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 10.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks that flood a net[...]
-
Page 147
Firewalls 10-5 Figure 10-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). Aft[...]
-
Page 148
10-6 Firewalls 2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3. A brute-force at[...]
-
Page 149
Firewalls 10-7 Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal. Table 10-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 10-[...]
-
Page 150
10-8 Firewalls all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: Allows all sessions originating from the LAN (local network) to the WAN (Internet). Denies all sessions originating from t[...]
-
Page 151
Firewalls 10-9 4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outb[...]
-
Page 152
10-10 Firewalls Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyWALL itself (as with the "virtual connections" created for UDP and ICMP). 10.5.3 TCP Security The ZyWALL uses state [...]
-
Page 153
Firewalls 10-11 10.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections"[...]
-
Page 154
10-12 Firewalls 10.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed. Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. P[...]
-
Page 155
Firewalls 10-13 3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you need to check[...]
-
Page 156
[...]
-
Page 157
Firewall Screens 11-1 Chapter 11 Firewall Screens This chapter shows you how to configure your ZyWALL firewall. 11.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall usi[...]
-
Page 158
11-2 Firewall Screens If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them. For example, you may create rules to: ♦ Block certain type[...]
-
Page 159
Firewall Screens 11-3 1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just [...]
-
Page 160
11-4 Firewall Screens policies for managing the ZyWALL through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ZyWALL policies apply in the same way to the WAN ports. 11.4.1 LAN to WAN Rules The default rule for LAN to WAN[...]
-
Page 161
Firewall Screens 11-5 Figure 11-2 WAN to LAN Traffic 11.5 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 11-12 - check the Generate alert when attack detected ch[...]
-
Page 162
11-6 Firewall Screens Figure 11-3 Enabling the Firewall The following table describes the fields in this screen. Select this check box to enable the firewall.[...]
-
Page 163
Firewall Screens 11-7 Table 11-1 Firewall Rules Summary: First Screen LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route Select this check box [...]
-
Page 164
11-8 Firewall Screens Table 11-1 Firewall Rules Summary: First Screen LABEL DESCRIPTION Log This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Alert This field tells you whether this rule generate [...]
-
Page 165
Firewall Screens 11-9 Figure 11-4 Creating/Editing A Firewall Rule[...]
-
Page 166
11-10 Firewall Screens The following table describes the fields in this screen. Table 11-2 Creating/Editing A Firewall Rule LABEL DESCRIPTION Active Check the Active check box to have the ZyWALL use this rule. Leave it unchecked if you do not want the ZyWALL to use the rule after you apply it. Packet Direction Use[...]
-
Page 167
Firewall Screens 11-11 Table 11-2 Creating/Editing A Firewall Rule LABEL DESCRIPTION Log This field determines if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both) or no log is created (None). Go to the Log Settings page and select the Access Contr[...]
-
Page 168
11-12 Firewall Screens Table 11-3 Adding/Editing Source and Destination Addresses LABEL DESCRIPTION Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list[...]
-
Page 169
Firewall Screens 11-13 Table 11-4 Creating/Editing A Custom Port LABEL DESCRIPTION Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box. Port Configuration Type Select Single to specify one port only[...]
-
Page 170
11-14 Firewall Screens Figure 11-7 Firewall IP Config Screen Step 4. Select Any in the Destination Address box and then click DestDelete. Select WAN to LAN from the drop-down list box[...]
-
Page 171
Firewall Screens 11-15 Step 5. Click DestAdd under the Destination Address box. Step 6. Configure the Firewall Rule Edit IP screen as follows and click Apply. Figure 11-8 Firewall Rule Edit IP Example Step 7. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port scree[...]
-
Page 172
11-16 Firewall Screens Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port. Figure 11-10 My Service Rule Configuration This is the address range of the “My Service” servers. This is your “My Service?[...]
-
Page 173
Firewall Screens 11-17 On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following. Remember to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Figure 11-11 My Service Example Rule Summary Rul[...]
-
Page 174
11-18 Firewall Screens 11.8 Predefined Services The Available Services list box in the Rule Config(uration) screen (see Figure 11-4) displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type [...]
-
Page 175
Firewall Screens 11-19 Table 11-5 Predefined Services SERVICE DESCRIPTION IPSEC_TUNNEL(ESP:0) The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. IRC(TCP/UDP:6667) This is another popular Internet chat program. MSN Messenger(TCP:1863) Microsoft Networks’ messenger service uses t[...]
-
Page 176
11-20 Firewall Screens Table 11-5 Predefined Services SERVICE DESCRIPTION SMTP(TCP:25) Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. SNMP(TCP/UDP:161) Simple Network Management Program. SNMP-TRAPS(TCP/UDP:162) Tra[...]
-
Page 177
Firewall Screens 11-21 11.9.1 Threshold Values Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are: 1. The maximum number of o[...]
-
Page 178
11-22 Firewall Screens Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to one of the following methods: 1. If the Blocking Period timeout is 0 (the default), then the ZyWA[...]
-
Page 179
Firewall Screens 11-23 Table 11-6 Attack Alert LABEL DESCRIPTION DEFAULT VALUES Generate alert when attack detected A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See the chapter on logs for more information on logs and ale[...]
-
Page 180
11-24 Firewall Screens Table 11-6 Attack Alert LABEL DESCRIPTION DEFAULT VALUES Maximum Incomplete High This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyWALL deletes half-ope[...]
-
Page 181
Content Filtering Screens 12-1 Chapter 12 Content Filtering Screens This chapter provides a brief overview of content filtering using the web embedded configurator. 12.1 Introduction to Content Filtering Internet content filtering allows you to create and enforce Internet access policies tailored to their needs. Con[...]
-
Page 182
12-2 Content Filtering Screens Figure 12-1 Content Filter: General The following table describes the labels in this screen.[...]
-
Page 183
Content Filtering Screens 12-3 Table 12-1 Content Filter: General LABEL DESCRIPTION Enable Content Filter Select this check box to enable the content filter. Restrict Web Features: Select the check box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page w[...]
-
Page 184
12-4 Content Filtering Screens Table 12-1 Content Filter: General LABEL DESCRIPTION Exclude specified address ranges from the content filter enforcement Select this checkbox to exempt a specific range of users on your LAN from content filter policies. Add Address Ranges From Type the beginning IP address (in dotte[...]
-
Page 185
Content Filtering Screens 12-5 Step 1. A computer sends an HTTP request to a web server. Step 2. The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL either blocks or forwards [...]
-
Page 186
12-6 Content Filtering Screens Figure 12-3 Content Filter: Categories[...]
-
Page 187
ZyWALL 2 Series User’s Guide Content Filtering Screens 12-7 The following table describes the labels in this screen. Table 12-2 Content Filter : Ca tegories LABEL DESCRIPTION Enable Web Site Auto Categorization Enable external database content f iltering to have the Z yWALL check an external database to find to which category a requested web page[...]
-
Page 188
ZyWALL 2 Series User’s Guide 12-8 Content Filtering Screens Table 12-2 Content Filter : Ca tegories LABEL DESCRIPTION Select Categories Select All Categories Select this check box to restrict access to all site categories listed below. Clear All Categories Select this check bo x to clear the selected categories belo w. Adult/Mature Content Select[...]
-
Page 189
ZyWALL 2 Series User’s Guide Content Filtering Screens 12-9 Table 12-2 Content Filter : Ca tegories LABEL DESCRIPTION Gambling Selecti ng this category exclu des pages where a user can place a bet or participate in a betting pool (includi ng lotteries) online. It also includes pages that provide information, assistance, re commend ations, or trai[...]
-
Page 190
ZyWALL 2 Series User’s Guide 12-10 Content Filtering Screens Table 12-2 Content Filter : Ca tegories LABEL DESCRIPTION Education Selecti ng this category exclu des pages that offer educational inform ation, distance learning and trade s chool information or programs. It also inclu des pages that are sponsored b y schools, educat ional faciliti es[...]
-
Page 191
ZyWALL 2 Series User’s Guide Content Filtering Screens 12-11 Table 12-2 Content Filter : Ca tegories LABEL DESCRIPTION Computers/Internet Selecti ng this category exclud e s pages that sponsor or provide inform ation on computers, technology, the Internet and tech nology-related organizati ons and companies. Hacking/Proxy Avoidance Pages providin[...]
-
Page 192
ZyWALL 2 Series User’s Guide 12-12 Content Filtering Screens Table 12-2 Content Filter : Ca tegories LABEL DESCRIPTION Shopping Selecting this category exc ludes pages that provide or a dvertise the means to obtain goods or services. It does not include pages that can be class ified in other categories (such as vehicles or weapons). Auctions Sele[...]
-
Page 193
ZyWALL 2 Series User’s Guide Content Filtering Screens 12-13 Table 12-2 Content Filter : Ca tegories LABEL DESCRIPTION Software Downloads Selecting this category exclu des pages that are dedicated to the electro nic download of software packages, whether for payment or at no charge. Pay to Surf Selecting this category exclu des pages that pay use[...]
-
Page 194
ZyWALL 2 Series User’s Guide 12-14 Content Filtering Screens Table 12-2 Content Filter : Ca tegories LABEL DESCRIPTION Register Click Register to go to a w eb site where you can register for category-based content filtering (using an external da tabase). You can us e a trial application or register your iCard’s PIN. Refer to the web site’s on[...]
-
Page 195
ZyWALL 2 Series User’s Guide Content Filtering Screens 12-15 Figure 12-4 Content Filte r : Customization[...]
-
Page 196
ZyWALL 2 Series User’s Guide 12-16 Content Filtering Screens The following table describes the labels in this screen. Table 12-3 Content Filter : Customization LABEL DESCRIPTION Web Site List Customization Enable Web site customization Select this check box to allo w Trusted Domain web sites and block Forbidden Domain web sites. Content filter li[...]
-
Page 197
ZyWALL 2 Series User’s Guide Content Filtering Screens 12-17 Table 12-3 Content Filter : Customization LABEL DESCRIPTION Delete Select a web site name from the Forbidden We b Site List , and then click this button to delete it from that list. Keyword Blocking Keyw ord Block ing allows you to block websites with URL s that contain certain keywords[...]
-
Page 199
VPN/IPSec VI Part VI: VPN/IPSec This part provides information on how to configure VPN/IPSec.[...]
Page 201
ZyWALL 2 Series User’s Guide Introduction to IPSec 13-1 Chapter 13 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, [...]
Page 202
ZyWALL 2 Series User’s Guide 13-2 Introduction to IPSec Figure 13-1 Encryption and Decryption Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during tra[...]
Page 203
ZyWALL 2 Series User’s Guide Introduction to IPSec 13-3 13.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 13-2 IPSec Architecture 13.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the defaul[...]
Page 204
ZyWALL 2 Series User’s Guide 13-4 Introduction to IPSec 13.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 13-3 Transport and Tunnel Mode IPSec Encapsulation 13.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In T[...]
Page 205
ZyWALL 2 Series User’s Guide Introduction to IPSec 13-5 13.4 IPSec and NAT Read this section if you are running IPSec on a host computer behind the ZyWALL. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with[...]
Page 207
ZyWALL 2 Series User’s Guide VPN Screens 14-1 Chapter 14 VPN Screens This chapter introduces the VPN Web configurator. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions. 14.1 VPN/IPSec Overview Use the screens documented in this chapter to configure and manage a VPN connection. 14.2 IPSec Al[...]
Page 208
ZyWALL 2 Series User’s Guide 14-2 VPN Screens Table 14-1 AH and ESP ESP AH DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. MD5 (default) MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. 3DE[...]
Page 209
ZyWALL 2 Series User’s Guide VPN Screens 14-3 You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay[...]
Page 210
ZyWALL 2 Series User’s Guide 14-4 VPN Screens Figure 14-2 VPN Rules The following table describes the fields in this screen. Table 14-2 VPN Rules LABEL DESCRIPTION # This field displays the VPN rule number. Name This field displays the identification name for this VPN policy. Active Y signifies that this VPN rule is active. Local IP Address Th[...]
Page 211
ZyWALL 2 Series User’s Guide VPN Screens 14-5 Table 14-2 VPN Rules LABEL DESCRIPTION Remote IP Address This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Th[...]
Page 212
ZyWALL 2 Series User’s Guide 14-6 VPN Screens When there is outbound traffic with no inbound traffic, the ZyWALL automatically drops the tunnel after two minutes. 14.7 NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A and B. Figure 14-3 NAT Router Between IPSec Routers Nor[...]
Page 213
ZyWALL 2 Series User’s Guide VPN Screens 14-7 14.7.2 X-Auth (Extended Authentication) Extended authentication provides added security by allowing you to use usernames and passwords for VPN connections. This is especially helpful when multiple ZyWALLs use one VPN rule to connect to a single ZyWALL. An attacker cannot make a VPN connection [...]
Page 214
ZyWALL 2 Series User’s Guide 14-8 VPN Screens If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network. 14.8 ID Type and Content With aggressive negotiation mode (see section 14.12.1), the ZyWALL identifies incoming SAs by ID type and cont[...]
Page 215
ZyWALL 2 Series User’s Guide VPN Screens 14-9 Table 14-4 Peer ID Type and Content Fields PEER ID TYPE= CONTENT= IP Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyWALL automatically use the address in the Secure Gateway field. DNS Type a domain name (up to 31 characters) [...]
Page 216
ZyWALL 2 Series User’s Guide 14-10 VPN Screens Table 14-6 Mismatching ID Type and Content Configuration Example ZYWALL A ZYWALL B Peer ID type: E-mail Peer ID type: IP Peer ID content: aa@yahoo.com Peer ID content: N/A 14.9 Pre-Shared Key A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see section 14.10 for[...]
Page 217
ZyWALL 2 Series User’s Guide VPN Screens 14-11 Figure 14-6 Site-to-Site VPN Example 14.11 Configuring Basic IKE VPN Rule Setup Select one of the VPN rules in the VPN Rules screen and click Edit or click the Rule Setup tab on the ZyWALL 2WE to configure the rule’s settings. The basic IKE rule setup screen is shown next.[...]
Page 218
ZyWALL 2 Series User’s Guide 14-12 VPN Screens Figure 14-7 Basic IKE VPN Rule Edit[...]
Page 219
ZyWALL 2 Series User’s Guide VPN Screens 14-13 The following table describes the fields in this screen. Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Active Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive Select this check box to turn [...]
Page 220
ZyWALL 2 Series User’s Guide 14-14 VPN Screens Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the auth server’s loc[...]
Page 221
ZyWALL 2 Series User’s Guide VPN Screens 14-15 Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Local IP Address Enter a static local IP address. The local IP address must correspond to the remote IPSec router's configured remote IP addresses. Site to Site Select this radio button to establish a VPN between two sites (groups of IP ad[...]
Page 222
ZyWALL 2 Series User’s Guide 14-16 VPN Screens Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Ending IP Address/ Subnet Mask When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the netwo[...]
Page 223
ZyWALL 2 Series User’s Guide VPN Screens 14-17 Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Local ID Type Select IP to identify this ZyWALL by its IP address. Select DNS to identify this ZyWALL by a domain name. Select E-mail to identify this ZyWALL by an e-mail address. You do not configure the local ID type and content when you set A[...]
Page 224
ZyWALL 2 Series User’s Guide 14-18 VPN Screens Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Peer ID Type Select from the following when you set Authentication Method to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-m[...]
Page 225
ZyWALL 2 Series User’s Guide VPN Screens 14-19 Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Content The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Method to Pre-shared Key. For IP, type the IP address of the computer with which you will make the VPN connection. If you[...]
Page 226
ZyWALL 2 Series User’s Guide 14-20 VPN Screens Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION My IP Address Enter the WAN IP address of your ZyWALL. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: The ZyWALL uses the current ZyWALL WAN IP address (static or dyn[...]
Page 227
ZyWALL 2 Series User’s Guide VPN Screens 14-21 Table 14-7 Basic IKE VPN Rule Edit LABEL DESCRIPTION Encryption Algorithm Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can b[...]
Page 228
ZyWALL 2 Series User’s Guide 14-22 VPN Screens Figure 14-8 Two Phases to Set Up the IPSec SA In phase 1 you must: Choose a negotiation mode. Authenticate the connection by entering a pre-shared key. Choose an encryption algorithm. Choose an authentication algorithm. Choose a Diffie-Hellman public-key cryptography k[...]
Page 229
ZyWALL 2 Series User’s Guide VPN Screens 14-23 IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic. 14.12.1 X-[...]
Page 230
ZyWALL 2 Series User’s Guide 14-24 VPN Screens 14.12.5 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA set up. With PFS enabled, if one key is compromised, previous and subsequent keys are not com[...]
Page 231
ZyWALL 2 Series User’s Guide VPN Screens 14-25 Figure 14-9 Advanced IKE VPN Rule Setup The following table describes the fields in this screen. Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.[...]
Page 232
ZyWALL 2 Series User’s Guide 14-26 VPN Screens Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION Enable Replay Detection As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from t[...]
Page 233
ZyWALL 2 Series User’s Guide VPN Screens 14-27 Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than M[...]
Page 234
ZyWALL 2 Series User’s Guide 14-28 VPN Screens Table 14-8 Advanced IKE VPN Rule Setup LABEL DESCRIPTION SA Life Time (seconds) Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways[...]
Page 235
ZyWALL 2 Series User’s Guide VPN Screens 14-29 Select Manual Key (or Manual) in the Key Management (or IPSec Keying Mode) field to display the manual VPN rule setup screen. Figure 14-10 Manual VPN Rule Setup[...]
Page 236
ZyWALL 2 Series User’s Guide 14-30 VPN Screens The following table describes the labels in this screen. Table 14-9 VPN Manual Setup LABEL DESCRIPTION Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing sp[...]
Page 237
ZyWALL 2 Series User’s Guide VPN Screens 14-31 Table 14-9 VPN Manual Setup LABEL DESCRIPTION Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP a[...]
Page 238
ZyWALL 2 Series User’s Guide 14-32 VPN Screens Table 14-9 VPN Manual Setup LABEL DESCRIPTION Secure Gateway Addr Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. SPI Type a unique SPI (Security Parameter Index) from one to four characters long. Valid Characters are &quo[...]
Page 239
ZyWALL 2 Series User’s Guide VPN Screens 14-33 Table 14-9 VPN Manual Setup LABEL DESCRIPTION Authentication Key Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for MD5 authentication or 20 characters for SHA-1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated[...]
Page 240
ZyWALL 2 Series User’s Guide 14-34 VPN Screens The following table describes the fields in this screen. Table 14-10 VPN SA Monitor LABEL DESCRIPTION # This is the security association index number. Name This field displays the identification name for this VPN policy. Encapsulation This field displays Tunnel or Transport mode. IPSec Algorithm T[...]
Page 241
ZyWALL 2 Series User’s Guide VPN Screens 14-35 Table 14-11 VPN Global Setting LABEL DESCRIPTION Windows Networking (NetBIOS over TCP/IP) NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass th[...]
Page 242
ZyWALL 2 Series User’s Guide 14-36 VPN Screens Figure 14-13 Telecommuters Sharing One VPN Rule Example Table 14-12 Telecommuters Sharing One VPN Rule Example FIELDS TELECOMMUTERS HEADQUARTERS My IP Address: 0.0.0.0 (dynamic IP address assigned by the ISP) Public static IP address Secure Gateway IP Address: Public static IP address 0.0.0.0 With t[...]
Page 243
ZyWALL 2 Series User’s Guide VPN Screens 14-37 See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate V[...]
Page 244
ZyWALL 2 Series User’s Guide 14-38 VPN Screens Table 14-13 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS Local IP Address: 192.168.2.12 Secure Gateway Address: telecommuter1.com Remote Address 192.168.2.12 Telecommuter B (telecommuterb.dydns.org) Headquarters ZyWALL Rule 2: Local ID Type: DNS Peer ID Type: DNS Local ID[...]
Page 245
VPN/IPSec VII Part VII: Certificates This part provides information and configuration instructions for public-key certificates.[...]
Page 247
ZyWALL 2 Series User’s Guide Certificates 15-1 Chapter 15 Certificates This chapter gives background information about public-key certificates and explains how to use them. This chapter is only applicable to the ZyWALL 2. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates a[...]
Page 248
ZyWALL 2 Series User’s Guide 15-2 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a director[...]
Page 249
ZyWALL 2 Series User’s Guide Certificates 15-3 15.4 My Certificates Click CERTIFICATES, My Certificates to open the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. See the following figure. Figure 15-2 My Certificates The following table describes th[...]
Page 250
ZyWALL 2 Series User’s Guide 15-4 Certificates Table 15-1 My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. [...]
Page 251
ZyWALL 2 Series User’s Guide Certificates 15-5 Table 15-1 My Certificates LABEL DESCRIPTION Details Select the radio button next to a certificate’s index number and then click Details to open a screen with an in-depth list of information about that certificate. Refresh Click this button to display the current validity status of the certif[...]
Page 252
ZyWALL 2 Series User’s Guide 15-6 Certificates 15.6 Importing a Certificate Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL, see the following figure. 1. You can only import a certificate that matches a correspon[...]
Page 253
ZyWALL 2 Series User’s Guide Certificates 15-7 Table 15-2 My Certificate Import LABEL DESCRIPTION Apply Click Apply to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the My Certificates screen. 15.7 Creating a Certificate Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen[...]
Page 254
ZyWALL 2 Series User’s Guide 15-8 Certificates The following table describes the labels in this screen. Table 15-3 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information Use these fields to record information that identifies the owner of [...]
Page 255
ZyWALL 2 Series User’s Guide Certificates 15-9 Table 15-3 My Certificate Create LABEL DESCRIPTION Create a certification request and enroll for a certificate immediately online Select Create a certification request and enroll for a certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certifica[...]
Page 256
ZyWALL 2 Series User’s Guide 15-10 Certificates After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see[...]
Page 257
ZyWALL 2 Series User’s Guide Certificates 15-11 Figure 15-5 My Certificate Details[...]
Page 258
ZyWALL 2 Series User’s Guide 15-12 Certificates The following table describes the labels in this screen. Table 15-4 My Certificate Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not inc[...]
Page 259
ZyWALL 2 Series User’s Guide Certificates 15-13 Table 15-4 My Certificate Details LABEL DESCRIPTION Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. The ZyWALL uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may [...]
Page 260
ZyWALL 2 Series User’s Guide 15-14 Certificates Table 15-4 My Certificate Details LABEL DESCRIPTION Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.[...]
Page 261
ZyWALL 2 Series User’s Guide Certificates 15-15 Figure 15-6 Trusted CAs The following table describes the labels in this screen. Table 15-5 Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, t[...]
Page 262
ZyWALL 2 Series User’s Guide 15-16 Certificates Table 15-5 Trusted CAs LABEL DESCRIPTION Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same[...]
Page 263
ZyWALL 2 Series User’s Guide Certificates 15-17 You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 15-7 Trusted CA Import The following table describes the labels in this screen. Table 15-6 Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload[...]
Page 264
ZyWALL 2 Series User’s Guide 15-18 Certificates Figure 15-8 Trusted CA Details[...]
Page 265
ZyWALL 2 Series User’s Guide Certificates 15-19 The following table describes the labels in this screen. Table 15-7 Trusted CA Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not inc[...]
Page 266
ZyWALL 2 Series User’s Guide 15-20 Certificates Table 15-7 Trusted CA Details LABEL DESCRIPTION Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification a[...]
Page 267
ZyWALL 2 Series User’s Guide Certificates 15-21 Table 15-7 Trusted CA Details LABEL DESCRIPTION Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You[...]
Page 268
ZyWALL 2 Series User’s Guide 15-22 Certificates Figure 15-9 Trusted Remote Hosts The following table describes the labels in this screen. Table 15-8 Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When you are using 80% or less of t[...]
Page 269
ZyWALL 2 Series User’s Guide Certificates 15-23 Table 15-8 Trusted Remote Hosts LABEL DESCRIPTION Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have un[...]
Page 270
ZyWALL 2 Series User’s Guide 15-24 Certificates Table 15-9 Remote Host Certificates Step 3. Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Table 15-10 Certificate Details 15.14 Importing a Trusted Remote Host’s Certificate Click[...]
Page 271
ZyWALL 2 Series User’s Guide Certificates 15-25 The trusted remote host certificate must be a self-signed certificate; and you must remove any spaces from its filename before you can import it. Figure 15-10 Trusted Remote Host Import The following table describes the labels in this screen. Table 15-11 Trusted Remote Host Import LABEL DESCR[...]
Page 272
ZyWALL 2 Series User’s Guide 15-26 Certificates Figure 15-11 Trusted Remote Host Details[...]
Page 273
ZyWALL 2 Series User’s Guide Certificates 15-27 The following table describes the labels in this screen. Table 15-12 Trusted Remote Host Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any characte[...]
Page 274
ZyWALL 2 Series User’s Guide 15-28 Certificates Table 15-12 Trusted Remote Host Details LABEL DESCRIPTION Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This f[...]
Page 275
ZyWALL 2 Series User’s Guide Certificates 15-29 15.16 Directory Servers Click CERTIFICATES, Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL. If you decide to have the ZyWALL check i[...]
Page 276
ZyWALL 2 Series User’s Guide 15-30 Certificates Table 15-13 Directory Servers LABEL DESCRIPTION Port This field displays the port number that the directory server uses. Protocol This field displays the protocol that the directory server uses. Add Click Add to open a screen where you can configure information about a directory server so tha[...]
Page 277
ZyWALL 2 Series User’s Guide Certificates 15-31 Table 15-14 Directory Server Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol Use the drop-down list box to select the access protocol used by the directory server. LDAP (Lightweight[...]
Page 279
Remote Management and UPnP VIII Part VIII: Authentication Server, Remote Management and UPnP This part provides information and configuration instructions for configuration of the authentication server screens, remote management and Universal Plug and Play.[...]
Page 281
ZyWALL 2 Series User’s Guide Authentication Server 16-1 Chapter 16 Authentication Server This chapter discusses how to configure the authentication server on the ZyWALL. 16.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS se[...]
Page 282
ZyWALL 2 Series User’s Guide 16-2 Authentication Server Figure 16-1 Local User Database[...]
Page 283
ZyWALL 2 Series User’s Guide Authentication Server 16-3 The following table describes the fields in this screen. Table 16-1 Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile. [...]
Page 284
ZyWALL 2 Series User’s Guide 16-4 Authentication Server Figure 16-2 RADIUS The following table describes the fields in this screen. Table 16-2 RADIUS LABEL DESCRIPTION Authentication Server Active Enable this feature to have the ZyWALL use an external authentication server in performing user authentication. Disable this feature if you will not u[...]
Page 285
ZyWALL 2 Series User’s Guide Authentication Server 16-5 Table 16-2 RADIUS LABEL DESCRIPTION Port Number The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Key Enter a password (up to 31 alphanumeric characters) [...]
Page 287
ZyWALL 2 Series User’s Guide Remote Management Screens 17-1 Chapter 17 Remote Management Screens This chapter provides information on the Remote Management screens. 17.1 Remote Management Overview Remote management allows you to determ ine whic h services/protocols can access which ZyWALL interface (if any) fr om which computers . When you config[...]
-
Page 288
17.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. 2. You have disabled that service in one of the remote management screens. 3. The IP a[...]
-
Page 289
data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys (see the Certificates chapter for more information). HTTPS on the ZyWALL is used so that you may secure[...]
-
Page 290
If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 17.3 Configuring WWW To change your ZyWALL’s web settings, click REMOTE MGNT, then the WWW tab. The screen appears as shown. Figure 17-2 WWW The fo[...]
-
Page 291
Table 17-1 WWW LABEL DESCRIPTION HTTPS: This feature is not available on the ZyWALL 2WE. Server Certificate Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which[...]
-
Page 292
Table 17-1 WWW LABEL DESCRIPTION Reset Click Reset to begin configuring this screen afresh. 17.4 HTTPS Example If you haven’t changed the default HTTPS port on the ZyWALL, then in your browser enter “https://ZyWALL IP Address/” as the web site address where “ZyWALL IP Address”[...]
-
Page 293
17.4.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWA[...]
-
Page 294
Figure 17-5 Security Certificate 2 (Netscape) 17.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. The issuing c[...]
-
Page 295
Step 2. Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for the certificate’s common name (see Figure 17-9 for an example). Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL’s actual IP address. You c[...]
-
Page 296
Figure 17-6 Login Screen (Internet Explorer)[...]
-
Page 297
Figure 17-7 Login Screen (Netscape) Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.[...]
-
Page 298
Figure 17-8 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the f[...]
-
Page 299
Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 17-10 Common ZyWALL Certificate 17.5 SSH Overview Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) [...]
-
Page 300
Figure 17-11 SSH Communication Example 17.6 How SSH works The following table summarizes how a secure connection is established between two remote hosts. 1. Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. [...]
-
Page 301
17.7 SSH Implementation on the ZyWALL Your ZyWALL supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyWALL for remote SMT management and file transfer on port 22. Only one SSH[...]
-
Page 302
Table 17-2 SSH LABEL DESCRIPTION Server Host Key Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see the Certific[...]
-
Page 303
Step 3. A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 17-14 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The SMT main menu displays next. 17.9.2 Example 2: Linux This section describes how to access [...]
-
Page 304
Step 2. Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type “ye[...]
-
Page 305
Step 3. Use the “put” command to upload a new firmware to the ZyWALL. Figure 17-17 Secure FTP: Firmware Upload Example 17.11 Telnet You can configure your ZyWALL for remote Telnet access as shown next. Figure 17-18 Telnet Configuration on a TCP/IP Network $ sftp -1 192.168.1[...]
-
Page 306
17.12 Configuring TELNET Click REMOTE MGNT to open the TELNET screen. Figure 17-19 Telnet The following table describes the labels in this screen. Table 17-3 Telnet LABEL DESCRIPTION Server Port You may change the server port number for a service if needed, however you must use the s[...]
-
Page 307
17.13 Configuring FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP; please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. To change your ZyWALL’s FT[...]
-
Page 308
Table 17-4 FTP LABEL DESCRIPTION Secure Client IP Address A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the comput[...]
-
Page 309
Figure 17-21 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the ma[...]
-
Page 310
• Get - Allows the manager to retrieve an object variable from the agent. • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get o[...]
-
Page 311
17.14.3 REMOTE MANAGEMENT: SNMP To change your ZyWALL’s SNMP settings, click REMOTE MGNT, then the SNMP tab. The screen appears as shown. Figure 17-22 SNMP The following table describes the fields in this screen.[...]
-
Page 312
Table 17-6 SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Set Community Enter the Set community, which is the[...]
-
Page 313
To change your ZyWALL’s DNS settings, click REMOTE MGNT, then the DNS tab. The screen appears as shown. Figure 17-23 DNS The following table describes the fields in this screen. Table 17-7 DNS LABEL DESCRIPTION Service Port The DNS service port number is 53 and cannot be chan[...]
-
Page 314
17.16 Configuring Security To change your ZyWALL’s Security settings, click REMOTE MGNT, then the Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned. This allow[...]
-
Page 315
Table 17-8 Security LABEL DESCRIPTION Respond to Ping on The ZyWALL will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply[...]
-
Page 316
[...]
-
Page 317
Chapter 18 UPnP This chapter introduces the Universal Plug and Play feature. 18.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join [...]
-
Page 318
18.1.3 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UP[...]
-
Page 319
Figure 18-1 Configuring UPnP The following table describes the fields in this screen. Table 18-1 Configuring UPnP FIELD DESCRIPTION Device Name This identifies the device in UPnP applications. Enable the Universal Plug and Play (UPnP) feature Select this checkbox to activate UPnP. Be aware that anyone coul[...]
-
Page 320
Table 18-1 Configuring UPnP FIELD DESCRIPTION Reset Click Reset to begin configuring this screen afresh. 18.4 Displaying UPnP Port Mapping Click UPnP and then Ports to display the screen as shown next. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Figure 18-2 UPnP Port[...]
-
Page 321
Table 18-2 UPnP Ports LABEL DESCRIPTION # This is the index number of the UPnP-created NAT mapping rule entry. Remote Host This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all [...]
-
Page 322
18.5.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. Click Start and Control Panel. Double-click Add/Remove Programs. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. In the Communications window, select the Univ[...]
-
Page 323
Step 1. Click Start and Control Panel. Step 2. Double-click Network Connections. Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays. Step 4. Select Networking Service[...]
-
Page 324
18.6 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device. Turn on your computer and the ZyWALL. 18.6.1 A[...]
-
Page 325
Step 4. You may edit or delete the port mappings or click Add to manually add port mappings. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Step 5. Select the Show icon in notification area when connected check box and click OK. An ico[...]
-
Page 326
18.6.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator without first finding out its IP address. This is helpful if you do not know the IP address of your ZyWALL. Follow the steps below to access the web configurator. Step 1. Click Start and then Control Panel. Step 2[...]
-
Page 327
Logs IX Part IX: Logs This part provides information and instructions for the logs and reports.[...]
-
Page 328
[...]
-
Page 329
Chapter 19 Logs Screens This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to appendices for example log message explanations. 19.1 Configuring View Log The web configurator allows you to look at all of the ZyWALL’s logs in one location.[...]
-
Page 330
Figure 19-1 View Log The following table describes the labels in this screen. Table 19-1 View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see section 19.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs f[...]
-
Page 331
Table 19-1 View Log LABEL DESCRIPTION Note This field displays additional information about the log entry. Email Log Now Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the Address Info fields in Log Settings[...]
-
Page 332
Figure 19-2 Log Settings[...]
-
Page 333
The following table describes the labels in this screen. Table 19-2 Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e[...]
-
Page 334
Table 19-2 Log Settings LABEL DESCRIPTION Time for Sending Log Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Log Select the categories of logs that you want to record. Logs include alerts. Send Immediate Alert Select the categories of alerts for wh[...]
-
Page 335
The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not (yet) 100% accurate. Figure 19-3 Reports Enabling the ZyWALL’s reporting function decreases the ov[...]
-
Page 336
Table 19-3 Reports LABEL DESCRIPTION Refresh Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen. All of the recorded reports data is erased when you turn off the ZyWALL. 19.3.1 Viewing Web Site Hits In the Reports screen, s[...]
-
Page 337
Table 19-4 Web Site Hits Report LABEL DESCRIPTION Web Site This column lists the domain names of the web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first. The [...]
-
Page 338
Table 19-5 Protocol/Port Report LABEL DESCRIPTION Protocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first. Directi[...]
-
Page 339
The following table describes the labels in this screen. Table 19-6 LAN IP Address Report LABEL DESCRIPTION IP Address This column lists the LAN IP addresses to and/or from which the most traffic has been sent. The LAN IP addresses are listed in descending order with the LAN IP address to and/or [...]
-
Page 340
[...]
-
Page 341
Maintenance X Part X: Maintenance This part covers the maintenance screens.[...]
-
Page 342
[...]
-
Page 343
Chapter 20 Maintenance This chapter displays system information such as firmware, port IP addresses and port traffic statistics. 20.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 20.2 Stat[...]
-
Page 344
The following table describes the labels in this screen. Table 20-1 System Status LABEL DESCRIPTION System Name This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes. Model Name The model name identifies your device type. The model name sho[...]
-
Page 345
Figure 20-2 System Status: Show Statistics The following table describes the labels in this screen. Table 20-2 System Status: Show Statistics LABEL DESCRIPTION Port This is the WAN or LAN port. Status This displays the port speed and duplex setting if you're using Ethernet encapsulation and d[...]
-
Page 346
Table 20-2 System Status: Show Statistics LABEL DESCRIPTION Stop Click Stop to stop refreshing statistics. 20.3 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. [...]
-
Page 347
Table 20-3 DHCP Table LABEL DESCRIPTION IP Address This field displays the IP address relative to the # field listed above. Host Name This field displays the computer host name. MAC Address This field shows the MAC address of the computer with the name in the Host Name field. Every Ethernet device [...]
-
Page 348
The following table describes the fields in this screen. Figure 20-5 Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse... Click Browse to find the .bin file you want to upload. Remember that you must deco[...]
-
Page 349
Figure 20-7 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 20-8 Firmware Upload Error[...]
-
Page 350
Figure 20-9 Configuration 20.5.1 Backup Configuration Backup Configuration allows you to back up (save) the current system (ZyWALL) configuration to your computer. Backup is highly recommended once your ZyWALL is functioning properly. Click Backup to save your current ZyWALL configuration to y[...]
-
Page 351
20.5.2 Restore Configuration Restore Configuration allows you to restore a previously saved configuration file from your computer to your ZyWALL. Table 20-4 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to fin[...]
-
Page 352
If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer’s IP address. If the upload was not[...]
-
Page 353
You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer to the section on resetting the ZyWALL for more information on the RESET button. 20.6 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off. Click MAINTENA[...]
-
Page 354
[...]
-
Page 355
SMT General Configuration XI Part XI: SMT General Configuration This part introduces the System Management Terminal and covers the General setup menu, WAN, LAN and wireless LAN setup, and Internet access. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.[...]
-
Page 356
[...]
-
Page 357
Chapter 21 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 21.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through t[...]
-
Page 358
21.2.2 Entering the Password The login screen appears after you press [ENTER], prompting you to enter the password, as shown below. For your first login, enter the default password “1234”. As you type the password, the screen displays an “X” for each character you type. [...]
-
Page 359
Table 21-1 Main Menu Commands OPERATION KEYSTROKES DESCRIPTION Entering information Fill in, or press [SPACE BAR], then press [ENTER] to select from choices. You need to fill in two types of fields. The first requires you to type in the appropriate information. The second allows you to cycl[...]
-
Page 360
Table 21-2 Main Menu Summary NO. Menu Title FUNCTION 1 General Setup Use this menu to set up dynamic DNS and administrative information. 2 WAN Setup Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection. 3 LAN Setup Use this menu to[...]
-
Page 361
[SMT menu tree figure] Menu 3 LAN Setup; Menu 4 Internet Access Setup; Menu 12 Static Routing Setup; Menu 11 Remote Node Setup; Menu 11.1 Remote Node Profile (Backup ISP); Menu 3.2 TCP/IP and DHCP Setup; ZyWALL Main Menu; Menu 1 General Setup; Menu 15 NAT Setup; Menu 21 Filter and Firewall Setup; Menu 21.1.x [...]
-
Page 362
21.4 Changing the System Password Change the system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown next. Figure 21-5 Menu 23: System Password Step 2. Type your existing password and press [ENTER]. Step 3. Type yo[...]
-
Page 363
Chapter 22 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 22.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 22.2 Configuring General Setup Step 1. Enter 1 in th[...]
-
Page 364
Table 22-1 Menu 1: General Setup FIELD DESCRIPTION EXAMPLE Domain Name Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name" to see the current domain name [...]
-
Page 365
Figure 22-2 Configure Dynamic DNS Follow the instructions in the next table to configure Dynamic DNS parameters. Table 22-2 Configure Dynamic DNS FIELD DESCRIPTION EXAMPLE Service Provider This is the name of your Dynamic DNS service provider. WWW.DynDNS.ORG (default) Active Press[...]
-
Page 366
Table 22-2 Configure Dynamic DNS FIELD DESCRIPTION EXAMPLE Offline This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, http://www.dyndns.org/ traffic is redirected to a URL that yo[...]
-
Page 367
Chapter 23 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 23.1 Introduction to WAN This chapter explains how to configure settings for your WAN port. From the main menu, enter 2 to open menu 2. Figure[...]
-
Page 368
Table 23-1 MAC Address Cloning in WAN Setup FIELD DESCRIPTION EXAMPLE IP Address This field is applicable only if you choose the IP address attached on LAN method in the Assigned By field. Enter the IP address of the computer on the LAN whose MAC you are cloning. 192.168.1.35 When yo[...]
-
Page 369
The following table describes the fields in this menu. Table 23-2 Menu 2: Dial Backup Setup FIELD DESCRIPTION EXAMPLE Dial-Backup: Active Use this field to turn the dial-backup feature on (Yes) or off (No). No Phone Number Enter the telephone number assigned to your line by your te[...]
-
Page 370
Figure 23-3 Menu 2.1 Advanced WAN Setup The following table describes fields in this menu. Table 23-3 Advanced WAN Port Setup: AT Commands Fields FIELD DESCRIPTION DEFAULT AT Command Strings: Dial Enter the AT Command string to make a call. atdt Drop Enter the AT Command string to [...]
-
Page 371
Table 23-4 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION DEFAULT Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an o[...]
-
Page 372
Figure 23-4 Menu 11.1 Remote Node Profile (Backup ISP) The following table describes the fields in this menu. Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight char[...]
-
Page 373
Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Pri Phone # Sec Phone # Enter the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your ZyWALL dials the Secondary Phone number if av[...]
-
Page 374
Table 23-5 Menu 11.1 Remote Node Profile (Backup ISP) FIELD DESCRIPTION EXAMPLE Idle Timeout Enter the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) that can elapse before the ZyWALL automatically disconnects the PPP connection. This [...]
-
Page 375
23.7 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Remote Node Network Layer Options. Figure 23-7 Menu 11.3: Remote Node Network Layer Options The following table describes the fie[...]
-
Page 376
Table 23-6 Menu 11.3: Remote Node Network Layer Options FIELD DESCRIPTION EXAMPLE Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network)[...]
-
Page 377
23.8 Editing Login Script For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an ‘Expect’ string and a ‘Send’ string. Af[...]
-
Page 378
Figure 23-8 Menu 11.4: Remote Node Script The following table describes the fields in this menu. Table 23-7 Menu 11.4: Remote Node Script FIELD DESCRIPTION EXAMPLE Active Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them. No (defau[...]
-
Page 379
Figure 23-9 Menu 11.5: Dial Backup Remote Node Filter Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:[...]
-
Page 380
[...]
-
Page 381
Chapter 24 LAN Setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. 24.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN connections. 24.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 – LAN Setup. Figure 24-1 Men[...]
-
Page 382
Figure 24-2 Menu 3.1: LAN Port Filter Setup 24.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 24-3 Menu 3: TCP/IP and DHCP Setup From menu 3, select the submenu option TCP/IP and DHCP Setup a[...]
-
Page 383
Figure 24-4 Menu 3.2: TCP/IP and DHCP Ethernet Setup Follow the instructions in the next table on how to configure the DHCP fields. Table 24-1 DHCP Ethernet Setup Menu Fields FIELD DESCRIPTION EXAMPLE DHCP This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP s[...]
-
Page 384
Table 24-2 LAN TCP/IP Setup Menu Fields FIELD DESCRIPTION EXAMPLE TCP/IP Setup: IP Address Enter the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 (default) IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you [...]
-
Page 385
Figure 24-5 Physical Network Figure 24-6 Partitioned Logical Network You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Press [ENTER] to open Menu 3.2.1 - IP A[...]
-
Page 386
Table 24-3 Menu 3.2.1: IP Alias Setup FIELD DESCRIPTION DEFAULT IP Address Enter the IP address of your ZyWALL in dotted decimal notation. 192.168.2.1 IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnettin[...]
-
Page 387
ZyWALL 2 Series User’s Guide LAN Setup 24-7
Figure 24-8 Menu 3.5: Wireless LAN Setup
The settings of all client stations on the wireless LAN must match those of the ZyWALL. Follow the instructions in the next table on how to configure the wireless LAN parameters.
Table 24-4 Menu 3.5: Wireless LAN Setup (FIELD / DESCRIPTION / EXAMPLE)
Enable Wirele[...]
Page 388
ZyWALL 2 Series User’s Guide 24-8 LAN Setup
Table 24-4 Menu 3.5: Wireless LAN Setup (FIELD / DESCRIPTION / EXAMPLE)
Frag. Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432. Example: 2432 (default)
WEP: Select Disable to allo[...]
Page 389
ZyWALL 2 Series User’s Guide LAN Setup 24-9
Step 3. In the Edit MAC Address Filter field, press [SPACE BAR] to select Yes and press [ENTER]. Menu 3.5.1 – WLAN MAC Address Filter displays as shown next.
Figure 24-9 Menu 3.5.1: WLAN MAC Address Filter
The following table describes the fields in this menu.
Table 24-5 Menu 3.5.1: WLAN MAC Addres[...]
Page 390
ZyWALL 2 Series User’s Guide Internet Access 25-1
Chapter 25 Internet Access
This chapter shows you how to configure your ZyWALL for Internet access.
25.1 Introduction to Internet Access Setup
Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different men[...]
Page 392
ZyWALL 2 Series User’s Guide 25-2 Internet Access
Table 25-1 Menu 4: Internet Access Setup (Ethernet) (FIELD / DESCRIPTION)
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
Service Type: Press [SPACE BAR] and then [ENTER] to select Standard, RR-Tos[...]
Page 393
ZyWALL 2 Series User’s Guide Internet Access 25-3
25.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtua[...]
Page 394
ZyWALL 2 Series User’s Guide 25-4 Internet Access
Table 25-2 New Fields in Menu 4 (PPTP) Screen (FIELD / DESCRIPTION / EXAMPLE)
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field.
PPTP Idle Timeout: This value specifies the time, in seconds, that elapses be[...]
Page 395
ZyWALL 2 Series User’s Guide Internet Access 25-5
Figure 25-3 Internet Access Setup (PPPoE)
The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4.
Table 25-3 New Fields in Menu 4 (PPPoE) screen (FIELD / DESCRIPTION / EXAMPLE)
Encapsulation: Press [SPACE BAR] and then press [ENTER] t[...]
Page 396
SMT Advanced Applications XII
Part XII: SMT Advanced Applications
This part covers setting up remote nodes, IP static routes and Network Address Translation. It also covers the SMT firewall menu, filters, SNMP, schedules and VPN setup. See the web configurator parts of this guide for background information on features configurable by web config[...]
Page 398
ZyWALL 2 Series User’s Guide Remote Node Setup 26-1
Chapter 26 Remote Node Setup
This chapter shows you how to configure a remote node.
26.1 Introduction to Remote Node Setup
A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note[...]
Page 400
ZyWALL 2 Series User’s Guide 26-2 Remote Node Setup
Figure 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation
The following table describes the fields in this screen.
Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (FIELD / DESCRIPTION / EXAMPLE)
Rem Node Name: Enter a descriptive name for the remote node. This field can[...]
Page 401
ZyWALL 2 Series User’s Guide Remote Node Setup 26-3
Table 26-1 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (FIELD / DESCRIPTION / EXAMPLE)
My Password: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. Example: *****
Retype to Confirm: Type your password again to make sure that you [...]
Page 402
ZyWALL 2 Series User’s Guide 26-4 Remote Node Setup
Encapsulation to PPPoE, then you will see the next screen. Please see the appendix for more information on PPPoE.
Figure 26-2 Menu 11.1: Remote Node Profile for PPPoE Encapsulation
Outgoing Authentication Protocol
Generally speaking, you should employ the strongest authentication protocol[...]
Page 403
ZyWALL 2 Series User’s Guide Remote Node Setup 26-5
Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern.
The following table describes the fields not already described in Table 26-1.
Metric: See the Metric section in the WAN and Dial Back[...]
Page 404
ZyWALL 2 Series User’s Guide 26-6 Remote Node Setup
26.2.3 PPTP Encapsulation
If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Please see the appendix for information on PPTP.
Figure 26-3 Menu 11.1: Remote Node Profile for PPTP Encapsulation
The next table shows how to configure fields in menu 11.1 not[...]
Page 405
ZyWALL 2 Series User’s Guide Remote Node Setup 26-7
26.3 Edit IP
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
Figure 26-4 Menu 11.3: Remote Node Network Layer Options for Ethernet Encapsulation
This menu displays the My WAN Addr field fo[...]
Page 406
ZyWALL 2 Series User’s Guide 26-8 Remote Node Setup
Table 26-4 Remote Node Network Layer Options Menu Fields (FIELD / DESCRIPTION / EXAMPLE)
My WAN Addr: This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN and ea[...]
Page 407
ZyWALL 2 Series User’s Guide Remote Node Setup 26-9
Table 26-4 Remote Node Network Layer Options Menu Fields (FIELD / DESCRIPTION / EXAMPLE)
Multicast: IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). P[...]
Page 408
ZyWALL 2 Series User’s Guide 26-10 Remote Node Setup
Figure 26-6 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation)
26.5 Traffic Redirect
To configure the parameters for traffic redirect, enter 11 from the main menu to display Menu 11.1 — Remote Node Profile as shown next.
Figure 26-7 Menu 11.1: Remote Node Profile
To configure tra[...]
Page 409
ZyWALL 2 Series User’s Guide Remote Node Setup 26-11
Table 26-5 Menu 11.1: Remote Node Profile (Traffic Redirect Field) (FIELD / DESCRIPTION / EXAMPLE)
Edit Traffic Redirect: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 11.6 — Traffic Redirec[...]
Page 410
ZyWALL 2 Series User’s Guide 26-12 Remote Node Setup
Table 26-6 Menu 11.6: Traffic Redirect Setup (FIELD / DESCRIPTION / EXAMPLE)
Active: Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No. When the Active field is Yes, you must configure every field in this screen unless you are using PPPoE o[...]
Page 411
ZyWALL 2 Series User’s Guide Remote Node Setup 26-13
Table 26-6 Menu 11.6: Traffic Redirect Setup (FIELD / DESCRIPTION / EXAMPLE)
When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.[...]
Page 412
ZyWALL 2 Series User’s Guide IP Static Route Setup 27-1
Chapter 27 IP Static Route Setup
This chapter shows you how to configure static routes with your ZyWALL.
27.1 IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
Figure 27-1 Menu 12: IP Static[...]
Page 414
ZyWALL 2 Series User’s Guide 27-2 IP Static Route Setup
Figure 27-2 Menu 12.1: Edit IP Static Route
The following table describes the IP Static Route Menu fields.
Table 27-1 Menu 12.1: Edit IP Static Route (FIELD / DESCRIPTION)
Route #: This is the index number of the static route that you chose in menu 12.
Route Name: Enter a descriptive [...]
Page 415
ZyWALL 2 Series User’s Guide NAT 28-1
Chapter 28 Network Address Translation (NAT)
This chapter discusses how to configure NAT on the ZyWALL.
28.1 Using NAT
You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.
28.1.1 SUA (Single User Account) Versus NAT
SUA (S[...]
Page 416
ZyWALL 2 Series User’s Guide 28-2 NAT
Figure 28-1 Menu 4: Applying NAT for Internet Access
The following figure shows how you apply NAT to the remote node in menu 11.1.
Step 1. Enter 11 from the main menu.
Step 2. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node[...]
Page 417
ZyWALL 2 Series User’s Guide NAT 28-3
Table 28-1 Applying NAT in Menus 4 & 11.3 (FIELD / DESCRIPTION / OPTIONS)
When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see section 28.2.1 for further discussion). You can configure any of the mapping types described in the Web Configurator User’s Guide. Choose Full Feature [...]
Page 418
ZyWALL 2 Series User’s Guide 28-4 NAT
Configure LAN IP addresses in NAT menus 15.1 and 15.2.
28.2.1 Address Mapping Sets
Enter 1 to bring up Menu 15.1 — Address Mapping Sets.
Figure 28-4 Menu 15.1: Address Mapping Sets
SUA Address Mapping Set
Enter 255 to display the next screen (see also section 28.1.1). The fields in this menu cannot [...]
Page 419
ZyWALL 2 Series User’s Guide NAT 28-5
Table 28-2 SUA Address Mapping Rules (FIELD / DESCRIPTION / EXAMPLE)
Set Name: This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
SUA Idx: This is the index or rule number. Example: 1
Local Start IP: Local Start IP is the starting local IP address (ILA). Example: 0.0.0.0
Local End[...]
Page 420
ZyWALL 2 Series User’s Guide 28-6 NAT
Figure 28-6 Menu 15.1.1: First Set
The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.
Ordering Your Rules
Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches [...]
Page 421
ZyWALL 2 Series User’s Guide NAT 28-7
Table 28-3 Fields in Menu 15.1.1 (FIELD / DESCRIPTION / EXAMPLE)
Set Name: Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted. Example: NAT_SET
Action: The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Befo[...]
Page 422
ZyWALL 2 Series User’s Guide 28-8 NAT
The following table describes the fields in this screen.
Table 28-4 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set (FIELD / DESCRIPTION / EXAMPLE)
Type: Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in the Web Configurator User’s [...]
Page 423
ZyWALL 2 Series User’s Guide NAT 28-9
Step 5. Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel.
Figure 28-8 Menu 15.2: NAT Server Setup
You assign the private network IP addresses. The NAT network appears as a single host on the Inte[...]
Page 424
ZyWALL 2 Series User’s Guide 28-10 NAT
28.4.1 Internet Access Only
In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 28-10 NAT Example 1
Figure 28-11 Menu 4: Internet Access & NAT Example
From menu [...]
Page 425
ZyWALL 2 Series User’s Guide NAT 28-11
28.4.2 Example 2: Internet Access with an Inside Server
Figure 28-12 NAT Example 2
In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
Figure 28-13 Menu 15.2: Specifying [...]
Page 426
ZyWALL 2 Series User’s Guide 28-12 NAT
other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional as follows.
Rule 1. Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving b[...]
Page 427
ZyWALL 2 Series User’s Guide NAT 28-13
Step 5. Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 28-16).
Step 6. Repeat the previous step for rules 2 to 4 as outlined above. [...]
Page 428
ZyWALL 2 Series User’s Guide 28-14 NAT
Figure 28-17 Example 3: Final Menu 15.1.1
Now configure the IGA3 to map to our web server and mail server on the LAN.
Step 8. Enter 15 from the main menu.
Step 9. Now enter 2 from this menu and configure it as shown in Figure 28-18.
Figure 28-18 Example 3: Menu 15.2
Menu 15.1.1 - Address Mapping Rules [...]
Page 429
ZyWALL 2 Series User’s Guide NAT 28-15
28.4.4 Example 4: NAT Unfriendly Application Programs
Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types. The following fig[...]
Page 430
ZyWALL 2 Series User’s Guide 28-16 NAT
Figure 28-20 Example 4: Menu 15.1.1.1: Address Mapping Rule
After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
Figure 28-21 Example 4: Menu 15.1.1: Address Mapping Rules
28.5 Trigger Port Forwarding
Some services use a dedicated range of ports on [...]
Page 431
ZyWALL 2 Series User’s Guide NAT 28-17
LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyWALL records the IP a[...]
Page 432
ZyWALL 2 Series User’s Guide 28-18 NAT
5. Only A can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).
28.5.2 Two Points To Remember About Trigger Ports
1. Trigger ev[...]
Page 433
ZyWALL 2 Series User’s Guide NAT 28-19
Table 28-5 Menu 15.3: Trigger Port Setup (FIELD / DESCRIPTION / EXAMPLE)
Rule: This is the rule index number. Example: 1
Name: Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces. Example: Real Audio
Incoming: Incoming is a port (or a r[...]
Page 434
ZyWALL 2 Series User’s Guide Introducing the Firewall 29-1
Chapter 29 Introducing the Firewall
This chapter shows you how to get started with the firewall.
29.1 Using SMT Menus
From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
Figure 29-1 Menu 21: Filter and Firewall Setup [...]
Page 436
ZyWALL 2 Series User’s Guide 29-2 Introducing the Firewall
Figure 29-2 Menu 21.2: Firewall Setup
Configure the firewall rules using the web configurator or CLI commands.
Menu 21.2 - Firewall Setup
The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned o[...]
Page 437
ZyWALL 2 Series User’s Guide Filter Configuration 30-1
Chapter 30 Filter Configuration
This chapter shows you how to create and apply filters.
30.1 Introduction to Filters
Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filter[...]
Page 438
ZyWALL 2 Series User’s Guide 30-2 Filter Configuration
Figure 30-1 Outgoing Packet Filtering Process
For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
30.1.1 Filter Structure
A filter set consists of one or[...]
Page 439
ZyWALL 2 Series User’s Guide Filter Configuration 30-3
[Flowchart of the filter-set process; nodes as extracted: Start; Packet into filter; Fetch First Filter Set; Fetch First Filter Rule; Active? (Yes / No); Execute Filter Rule, with outcomes Forward, Drop and Check Next Rule; Fetch Next Filter Rule; Next Filter Rule Available? (Yes / No); Fetch Next Filter Set; Next Filter Set Available? (Yes / No); Accept Packet; Drop Packet.]
Figure[...]
Page 440
ZyWALL 2 Series User’s Guide 30-4 Filter Configuration
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
30.2 Configuring a Filter Set
The ZyWALL includes filtering for NetBIOS over TCP/IP pack[...]
Page 441
ZyWALL 2 Series User’s Guide Filter Configuration 30-5
Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary. This screen shows the summary of the existing rules in the filter set.
The following tables [...]
Page 442
ZyWALL 2 Series User’s Guide 30-6 Filter Configuration
Table 30-2 Rule Abbreviations Used (ABBREVIATION / DESCRIPTION)
IP rules:
Pr: Protocol
SA: Source Address
SP: Source Port number
DA: Destination Address
DP: Destination Port number
GEN rules:
Off: Offset
Len: Length
Refer to the next section for information on configuring the filter rules.
30.2.1 Configuring a Filt[...]
Page 443
ZyWALL 2 Series User’s Guide Filter Configuration 30-7
To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next.
Figure 30-5 Menu 21.1.1.1: TCP/IP Filter Rule
The following table describes how to configure your TCP/IP filter rule.
Table 30-3 TCP[...]
Page 444
ZyWALL 2 Series User’s Guide 30-8 Filter Configuration
Table 30-3 TCP/IP Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS)
Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. Options: 0-65535
Port # Comp: Press [SPACE BAR] and then [ENTER] to select the compa[...]
Page 445
ZyWALL 2 Series User’s Guide Filter Configuration 30-9
Table 30-3 TCP/IP Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS)
Log: Press [SPACE BAR] and then [ENTER] to select a logging option from the following:
None – No packets will be logged.
Action Matched - Only packets that match the rule parameters will be logged.
Action Not Matched - Only[...]
Page 446
ZyWALL 2 Series User’s Guide 30-10 Filter Configuration
[Flowchart of the TCP/IP filter rule process; nodes as extracted: Packet into IP Filter; Filter Active? (Yes / No); Check IP Protocol (Matched / Not Matched); Check Src IP Addr, Apply SrcAddrMask to Src Addr (Matched / Not Matched); More?; Action Matched and Action Not Matched, each leading to Drop Packet, Accept Packet (Forward) or Check Next Rule.] Matched[...]
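The filter-set flowchart (section 30.1.1) and the TCP/IP rule flowchart above describe one algorithm: walk the sets in order, skip inactive rules, evaluate each rule's fields in sequence, and let the first rule that says Forward or Drop decide, accepting any packet that falls through every set. The Python model below is an added example written for this page, not ZyXEL code. It uses the Table 30-3 field names (IP Protocol, source/destination address and mask, Port #, Port # Comp, Action Matched, Action Not Matched) and the limits of four sets per port and six rules per set from section 30.1.1; the Port # Comp options (None, Equal, Not Equal, Less, Greater), the rules and the packets are assumptions constructed for the example, modelled on the telnet-blocking filter of section 30.3.

```python
"""Model of ZyWALL SMT filter-set evaluation (added example, not ZyXEL code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Rule outcomes, named as in the flowchart.
FORWARD = "Forward"
DROP = "Drop"
CHECK_NEXT = "Check Next Rule"

MAX_SETS_PER_PORT = 4   # "up to four filter sets to a particular port"
MAX_RULES_PER_SET = 6   # "each filter set having up to six rules"


@dataclass(frozen=True)
class Packet:
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class TcpIpRule:
    """One TCP/IP filter rule (menu 21.1.1.1 fields modelled here)."""
    active: bool = True
    protocol: int = 0                 # 0 = any protocol (assumed, mirrors Port # = 0)
    src_net: Optional[str] = None     # "addr/mask"; None = any source
    dst_net: Optional[str] = None     # "addr/mask"; None = any destination
    dst_port: int = 0                 # 0 = field ignored (Table 30-3)
    port_comp: str = "None"           # assumed options: None, Equal, Not Equal, Less, Greater
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT

    def _port_ok(self, port: int) -> bool:
        if self.dst_port == 0 or self.port_comp == "None":
            return True
        return {
            "Equal": port == self.dst_port,
            "Not Equal": port != self.dst_port,
            "Less": port < self.dst_port,
            "Greater": port > self.dst_port,
        }[self.port_comp]

    def matches(self, pkt: Packet) -> bool:
        """Flowchart order: protocol, then source address/mask, then destination, then port."""
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.src_net and IPv4Address(pkt.src) not in IPv4Network(self.src_net, strict=False):
            return False
        if self.dst_net and IPv4Address(pkt.dst) not in IPv4Network(self.dst_net, strict=False):
            return False
        return self._port_ok(pkt.dst_port)

    def execute(self, pkt: Packet) -> str:
        return self.action_matched if self.matches(pkt) else self.action_not_matched


def filter_packet(filter_sets: List[List[TcpIpRule]], pkt: Packet) -> str:
    """Return "Accept Packet" or "Drop Packet" as in the flowchart.

    Sets and rules are walked in order; the first Forward or Drop decides.
    A packet that no rule forwards or drops falls through and is accepted.
    """
    if len(filter_sets) > MAX_SETS_PER_PORT:
        raise ValueError("at most four filter sets per port")
    for rules in filter_sets:
        if len(rules) > MAX_RULES_PER_SET:
            raise ValueError("at most six rules per filter set")
        for rule in rules:
            if not rule.active:            # "Active?" -> No: fetch next rule
                continue
            outcome = rule.execute(pkt)
            if outcome == FORWARD:
                return "Accept Packet"
            if outcome == DROP:
                return "Drop Packet"
            # CHECK_NEXT: carry on with the next rule / next set
    return "Accept Packet"


# Constructed set modelled on the section 30.3 telnet example:
# drop TCP (protocol 6) to destination port 23, forward everything else.
TELNET_BLOCK = [TcpIpRule(protocol=6, dst_port=23, port_comp="Equal",
                          action_matched=DROP, action_not_matched=FORWARD)]

# Constructed set whose only rule is inactive, so it never decides anything.
INACTIVE_SET = [TcpIpRule(active=False, protocol=6, dst_port=80,
                          port_comp="Equal", action_matched=DROP)]

if __name__ == "__main__":
    telnet = Packet(6, "203.0.113.5", "192.168.1.1", 23)   # constructed packets
    web = Packet(6, "203.0.113.5", "192.168.1.1", 80)
    print(filter_packet([INACTIVE_SET, TELNET_BLOCK], telnet))   # Drop Packet
    print(filter_packet([INACTIVE_SET, TELNET_BLOCK], web))      # Accept Packet
```

The inactive set in front of the telnet set shows why the "Active?" check matters when reading a Filter Rules Summary: a rule that looks like it should block traffic does nothing until it is active, and a rule whose action is Check Next Rule only narrows the match for the rules after it.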
Page 447
ZyWALL 2 Series User’s Guide Filter Configuration 30-11
30.2.3 Configuring a Generic Filter Rule
This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a by[...]
Page 448
ZyWALL 2 Series User’s Guide 30-12 Filter Configuration
Table 30-4 Menu 21.1.1.1: Generic Filter Rule (FIELD / DESCRIPTION / OPTIONS)
Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering o[...]
Page 449
ZyWALL 2 Series User’s Guide Filter Configuration 30-13
30.3 Example Filter
Let’s look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters.
Figure 30-8 Telnet Filter Example
Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
Step 2. Ente[...]
Page 450
ZyWALL 2 Series User’s Guide 30-14 Filter Configuration
Figure 30-9 Example Filter: Menu 21.1.3.1
When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set.
Menu 21.1.3.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= [...]
Page 451
ZyWALL 2 Series User’s Guide Filter Configuration 30-15
Figure 30-10 Example Filter Rules Summary: Menu 21.1.3
After you’ve created the filter set, you must apply it.
Step 1. Enter 11 from the main menu to go to menu 11.
Step 2. Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER].
Step 3. This brings you to [...]
Page 452
ZyWALL 2 Series User’s Guide 30-16 Filter Configuration
30.4 Filter Types and NAT
There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed i[...]
Page 453
ZyWALL 2 Series User’s Guide Filter Configuration 30-17
30.6 Applying a Filter
This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. If you do not activate the firewall, it is advisa[...]
Page 454
ZyWALL 2 Series User’s Guide 30-18 Filter Configuration
Figure 30-13 Filtering Remote Node Traffic
Menu 11.5 – Remote Node Filter Setup
Input Filter Sets: protocol filters= device filters=
Output Filter Sets: protocol filters= device filters=
Press ENTER to Confirm or ESC to Cancel:[...]
Page 455
ZyWALL 2 Series User’s Guide SNMP Configuration 31-1
Chapter 31 SNMP Configuration
This chapter explains SNMP configuration menu 22.
31.1 SNMP Configuration
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.[...]
Page 456
ZyWALL 2 Series User’s Guide 31-2 SNMP Configuration
Table 31-1 Menu 22: SNMP Configuration (FIELD / DESCRIPTION / EXAMPLE)
Trap Community: Type the Trap community, which is the password sent with each trap to the SNMP manager. Example: Public
Destination: Type the IP address of the station to send your SNMP traps to. Example: 0.0.0.0
When you have completed this menu,[...]
Page 457
SMT System Maintenance XIII
Part XIII: SMT System Maintenance
This part covers system information and diagnosis, firmware and configuration file maintenance, as well as providing information on the system maintenance and information functions and how to configure remote management and VPN. See the web configurator parts of this guide for backg[...]
Page 458
ZyWALL 2 Series User’s Guide System Information and Diagnosis 32-1
Chapter 32 System Information & Diagnosis
This chapter covers SMT menus 24.1 to 24.4.
32.1 Introduction to System Status
This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trac[...]
Page 460
ZyWALL 2 Series User’s Guide 32-2 System Information and Diagnosis
monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status:
Step 1. Enter number 24 to go to Menu 24 - System Maintenance.
Step 2. In this menu, enter 1 to op[...]
Page 461
ZyWALL 2 Series User’s Guide System Information and Diagnosis 32-3
Table 32-1 System Maintenance: Status Menu Fields (FIELD / DESCRIPTION)
Status: Shows the port speed and duplex setting if you’re using Ethernet Encapsulation and Down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) and drop (dropping a call) if you’r[...]
Page 462
ZyWALL 2 Series User’s Guide 32-4 System Information and Diagnosis
Step 2. Enter 2 to open Menu 24.2 - System Information and Console Port Speed.
Step 3. From this menu you have two choices as shown in the next figure:
Figure 32-3 Menu 24.2: System Information and Console Port Speed
32.3.1 System Information
System Information gives you in[...]
Page 463
ZyWALL 2 Series User’s Guide System Information and Diagnosis 32-5
Table 32-2 Fields in System Maintenance: Information (FIELD / DESCRIPTION)
ZyNOS F/W Version: Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation.
Ethernet Address: Refers to the Ethernet M[...]
Page 464
ZyWALL 2 Series User’s Guide 32-6 System Information and Diagnosis
Figure 32-6 Menu 24.3: System Maintenance: Log and Trace
32.4.1 UNIX Syslog
The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Unix Sys[...]
Page 465
ZyWALL 2 Series User’s Guide System Information and Diagnosis 32-7
Table 32-3 System Maintenance Menu Syslog Parameters (PARAMETER / DESCRIPTION)
Log Facility: Press [SPACE BAR] and then [ENTER] to select a location. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog pr[...]
Page 466
ZyWALL 2 Series User’s Guide 32-8 System Information and Diagnosis
Filter log Message Format
SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String);
String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
Src: Source A[...]
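Once these filter log messages reach a syslog server, the useful defensive questions are which filter set and rule are doing the dropping and which remote hosts keep hitting them. The parser below is an added example written for this page, not ZyXEL code: it takes the message layout exactly as given above (IP[Src= Dst= prot spo= dpo=] followed by the SnnRnn code), decodes the letters the page defines (S = set, R = rule, m = match, D = drop) and summarises drops per rule and per source. The sample log lines are constructed, the protocol token values (TCP) and the reading of F as forward are assumptions, and any other letter is passed through undecoded rather than guessed.

```python
"""Parser for the ZyWALL filter-log syslog format (added example, not ZyXEL code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout from the manual:
#   IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
# S04 = filter set 4, R01 = rule 1, m = matched, D = dropped.
FILTER_LOG_RE = re.compile(
    r"IP\[Src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<prot>\S+) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\] "
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[A-Za-z])(?P<action>[A-Za-z])"
)

# 'm' and 'D' are defined on the page; 'F' = forward is an assumption of this example.
MATCH_CODES = {"m": "matched"}
ACTION_CODES = {"D": "drop", "F": "forward"}


@dataclass(frozen=True)
class FilterLogEntry:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int
    filter_set: int
    rule: int
    match: str      # decoded flag, or the raw letter if not in MATCH_CODES
    action: str     # decoded action, or the raw letter if not in ACTION_CODES


def parse_filter_log(line: str) -> Optional[FilterLogEntry]:
    """Parse one syslog payload; return None for lines that are not filter logs."""
    m = FILTER_LOG_RE.search(line)
    if not m:
        return None
    return FilterLogEntry(
        src=m["src"], dst=m["dst"], protocol=m["prot"],
        src_port=int(m["spo"]), dst_port=int(m["dpo"]),
        filter_set=int(m["set"]), rule=int(m["rule"]),
        match=MATCH_CODES.get(m["match"], m["match"]),
        action=ACTION_CODES.get(m["action"], m["action"]),
    )


def summarise_drops(lines: List[str]) -> Dict[str, Counter]:
    """Count dropped packets per filter set/rule and per source address.

    Lines that do not parse, or whose action is not a drop, are skipped, so
    CDR and other system messages sharing the syslog stream do no harm.
    """
    by_rule: Counter = Counter()
    by_src: Counter = Counter()
    for line in lines:
        entry = parse_filter_log(line)
        if entry is None or entry.action != "drop":
            continue
        by_rule[f"S{entry.filter_set:02d}>R{entry.rule:02d}"] += 1
        by_src[entry.src] += 1
    return {"by_rule": by_rule, "by_src": by_src}


# Constructed sample lines in the page's format (documentation address ranges).
SAMPLE_LOG = [
    "IP[Src=203.0.113.5 Dst=192.168.1.1 TCP spo=40123 dpo=23] S03>R01mD",
    "IP[Src=203.0.113.5 Dst=192.168.1.1 TCP spo=40124 dpo=23] S03>R01mD",
    "IP[Src=198.51.100.7 Dst=192.168.1.1 TCP spo=51000 dpo=23] S03>R01mD",
    "IP[Src=198.51.100.7 Dst=192.168.1.20 TCP spo=51001 dpo=80] S03>R01mF",
    "constructed non-filter syslog line that the parser must ignore",
]

if __name__ == "__main__":
    for name, counter in summarise_drops(SAMPLE_LOG).items():
        print(name, dict(counter))
```

Feeding the parser the raw syslog payload (after the syslog priority and host prefix) is enough; `re.search` tolerates anything the server prepends to the message.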
Page 467
ZyWALL 2 Series User’s Guide System Information and Diagnosis 32-9
32.4.2 Call-Triggering Packet
Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
Figure 32-8 Call-Triggering Pa[...]
Page 468
ZyWALL 2 Series User’s Guide 32-10 System Information and Diagnosis
Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic.
Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance.
Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagn[...]
Page 469
ZyWALL 2 Series User’s Guide System Information and Diagnosis 32-11
Figure 32-10 WAN & LAN DHCP
The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections.
Table 32-4 System Maintenance Menu Diagnostic (FIELD / DESCRIPTION)
Ping Host: Enter 1 to ping any machine (with an IP address) on y[...]
Page 470
ZyWALL 2 User’s Guide Firmware and Configuration File Maintenance 33-1
Chapter 33 Firmware and Configuration File Maintenance
This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.
33.1 Introduction
Use the instructions in this chapter to change the ZyWALL’s config[...]
Page 472
ZyWALL 2 User’s Guide 33-2 Firmware and Configuration File Maintenance
ftp> get rom-0 config.cfg
This is a sample FTP session saving the current configuration to the computer file “config.cfg”. If your (T)FTP client does not allow you to have a destination filename different than the source, you will need to rename them as the ZyWAL[...]
Page 473
ZyWALL 2 User’s Guide Firmware and Configuration File Maintenance 33-3
preferred method for backing up your current configuration to your computer since it is faster. You can also perform back up and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use Xmodem protoco[...]
Page 474
ZyWALL 2 User’s Guide 33-4 Firmware and Configuration File Maintenance
Step 6. Use “get” to transfer files from the ZyWALL to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyWALL to your computer and renames it “config.rom”. See earlier in this chapter for more information on filenam[...]
Page 475
ZyWALL 2 User’s Guide Firmware and Configuration File Maintenance 33-5
33.3.5 File Maintenance Over WAN
TFTP, FTP and Telnet over the WAN will not work when:
1. The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN).
2. You have disabled Telnet service in menu 24.11.
3. You have appli[...]
Page 476
ZyWALL 2 User’s Guide 33-6 Firmware and Configuration File Maintenance
TFTP client program. For UNIX, use “get” to transfer from the ZyWALL to the computer and “binary” to set binary transfer mode.
33.3.7 TFTP Command Example
The following is an example TFTP command:
tftp [-i] host get rom-0 config.rom
Where “i” specifies binar[...]
Page 477
ZyWALL 2 User’s Guide Firmware and Configuration File Maintenance 33-7
Step 1. Display menu 24.5 and enter “y” at the following screen.
Figure 33-3 System Maintenance: Backup Configuration
Step 2. The following screen indicates that the Xmodem download has started.
Figure 33-4 System Maintenance: Starting Xmodem Download Screen
St[...]
Page 478
ZyWALL 2 User’s Guide 33-8 Firmware and Configuration File Maintenance
33.4 Restore Configuration
This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; please do not attempt to restore unless you have a backup [...]
Page 479
ZyWALL 2 User’s Guide Firmware and Configuration File Maintenance 33-9
Step 1. Launch the FTP client on your computer.
Step 2. Enter “open”, followed by a space and the IP address of your ZyWALL.
Step 3. Press [ENTER] when prompted for a username.
Step 4. Enter your password as requested (the default is “1234”).
Step 5. Enter “bin”[...]
Page 480
ZyWALL 2 User’s Guide 33-10 Firmware and Configuration File Maintenance
Step 1. Display menu 24.6 and enter “y” at the following screen.
Figure 33-9 System Maintenance: Restore Configuration
Step 2. The following screen indicates that the Xmodem download has started.
Figure 33-10 System Maintenance: Starting Xmodem Download Screen[...]
Page 481
ZyWALL 2 User’s Guide Firmware and Configuration File Maintenance 33-11 33.5 Uploading Firmware and Configuration Files This section s hows you how to upl oad firmware and co nfiguratio n files. You can upl oad config uration fi les by followin g the proce dure in the pre v ious Rest ore Configurat ion section or by following the instructions in [...]
33.5.2 Configuration File Upload
You see the following screen when you telnet into menu 24.7.2.
Figure 33-14 Telnet Into Menu 24.7.2: System Maintenance
To upload the firmware and the configuration file, follow these examples.
33.5.3 FTP File Upload Command from the DOS Prom[...]
transfers the configuration file on the ZyWALL to your computer and renames it "config.rom". See earlier in this chapter for more information on filename conventions.
Step 7. Enter "quit" to exit the ftp prompt.
33.5.4 FTP Session Example of Firmware File Upload
Fig[...]
Step 3. Enter the command "sys stdio 0" to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command "sys stdio 5" to restore the five-minute console timeout (default) when the file transfer is complete; a console session left with the timeout disabled stays logged in indefinitely.
Step 4. Launch the TFTP[...]
33.5.8 Uploading Firmware File Via Console Port
Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.
Figure 3[...]
Figure 33-17 Example Xmodem Upload
After the firmware upload process has completed, the ZyWALL will automatically restart.
33.5.10 Uploading Configuration File Via Console Port
Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.[...]
Figure 33-18 Menu 24.7.2 As Seen Using the Console Port
Step 2. After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure fo[...]
Figure 33-19 Example Xmodem Upload
After the configuration upload process has completed, restart the ZyWALL by entering "atgo".
Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.[...]
Chapter 34 System Maintenance Menus 8 to 10
This chapter leads you through SMT menus 24.8 to 24.10.
34.1 Command Interpreter Mode
The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-[...]
34.1.1 Command Syntax
The command keywords are in Courier New font. Enter the command keywords exactly as shown; do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets [].[...]
Table 34-1 Valid Commands
ether: These commands display Ethernet information and configure Ethernet settings.
aux: These commands display dial backup information and control dial backup connections.
ip: These commands display IP information and configure IP settings.
ipsec: These c[...]
Figure 34-4 Budget Management
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budge[...]
Figure 34-5 Call History
The following table describes the fields in this screen.
Table 34-3 Call History Fields
Phone Number: The PPPoE service names are shown here.
Dir: This shows whether the call was incoming or outgoing.
Rate: This is the transfer rate of the c[...]
Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next.
Figure 34-6 Menu 24: System Maintenance
Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following sc[...]
Table 34-4 Menu 24.10 System Maintenance: Time and Date Setting
Time Protocol: Enter the time service protocol that your timeserver sends when you turn on the ZyWALL. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use [...]
ii. When the ZyWALL starts up, if there is a timeserver configured in menu 24.10.
iii. At 24-hour intervals after starting.[...]
Chapter 35 Remote Management
This chapter covers remote management found in SMT menu 24.11.
35.1 Remote Management
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. Telnet, FTP and HTTP carry the administrator password in the clear, so where the firmware offers SSH and HTTPS (both appear in Table 35-1), use those, keep the plaintext services off the WAN interface, and restrict management to the administrators' own hosts. You may manage your ZyWALL from a remote location via:[...]
Figure 35-1 Menu 24.11 – Remote Management Control
The following table describes the fields in this screen.
Table 35-1 Menu 24.11 – Remote Management Control
Telnet Server, FTP Server, SSH Server, HTTPS Server, HTTP Server, SNMP Service, DNS Service: Each of these read-only la[...]
Table 35-1 Menu 24.11 – Remote Management Control (continued)
Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel" to save your configuration, or press [ESC] to cancel.
35.1.1 Remote Management Limitations
Remote managem[...]
Part XIV: SMT Advanced Management
This part provides information on how to configure call scheduling and VPN/IPSec. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.[...]
Chapter 36 Call Scheduling
Call scheduling allows you to dictate when a remote node should be called and for how long.
36.1 Introduction to Call Scheduling
The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how l[...]
To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
Figure 36-2 Schedule Set Setup
If a connection has already been established, your ZyWALL will not drop it. Once the connection is d[...]
Table 36-1 Schedule Set Setup
Day (options: Yes, No, N/A): If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
Start Time: Enter the[...]
Figure 36-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s).
Figure 36-4 Applying Schedule Set(s) to a Remote Node (PPTP)
Menu 11.1 - Remote Node [...]
Chapter 37 VPN/IPSec Setup
This chapter introduces the VPN SMT menus.
37.1 Introduction
The VPN/IPSec main SMT menu has these main submenus:
1. Define VPN policies in the menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. [...]
Figure 37-2 Menu 27: VPN/IPSec Setup
37.2 IPSec Summary Screen
Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 — IPSec Summary. This is a read-only summary menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configurin[...]
Table 37-1 Menu 27.1: IPSec Summary
Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. Example: Taiwan
A: A Y signifies that this VPN rule is active. Example: Y
Local Addr [...]
Table 37-1 Menu 27.1: IPSec Summary (continued)
Key Mgt: This field displays the SA's type of key management (IKE or Manual). Example: IKE
Remote Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind t[...]
Table 37-1 Menu 27.1: IPSec Summary (continued)
Select Command: Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands.
Sel[...]
Figure 37-4 Menu 27.1.1: IPSec Setup
You must also configure menu 27.1.1.1 or menu 27.1.1.2 to fully configure and use a VPN. The following table describes the fields in this screen.
Table 37-2 Menu 27.1.1: IPSec Setup
Index: This is the VPN rule index number you sele[...]
Table 37-2 Menu 27.1.1: IPSec Setup (continued)
NAT Traversal: Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enable[...]
Table 37-2 Menu 27.1.1: IPSec Setup (continued)
Peer ID type: Press [SPACE BAR] to choose IP, DNS, or E-mail and press [ENTER]. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to ident[...]
Table 37-2 Menu 27.1.1: IPSec Setup (continued)
Local: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multi[...]
Table 37-2 Menu 27.1.1: IPSec Setup (continued)
End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field. Example: N/A
Remote: Remote IP addresses[...]
Table 37-2 Menu 27.1.1: IPSec Setup (continued)
Port Start: 0 is the default and signifies any port. Type a port number from 0 to 65535. Someone behind the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match this port[...]
Figure 37-5 Menu 27.1.1.1: IKE Setup
Table 37-3 Menu 27.1.1.1: IKE Setup
Phase 1 Negotiation Mode: Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. See earlier for a discussion of these modes. Aggressive mode sends the peer identities unprotected and lets an eavesdropper capture material for an offline attack on the pre-shared key, so prefer Main mode whenever both peers have fixed addresses. Multiple SAs connecting through a secure gateway[...]
Table 37-3 Menu 27.1.1.1: IKE Setup (continued)
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Single DES has a 56-bit key and is within reach of brute force; choose the strongest cipher the firmware offers. Z[...]
Table 37-3 Menu 27.1.1.1: IKE Setup (continued)
Encapsulation: Press [SPACE BAR] to choose from Tunnel mode or Transport mode and then press [ENTER]. See earlier for a discussion of these. Example: Tunnel
Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by de[...]
To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup, press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup.
Figure 37-6 Menu 27.1.1.2: Manual Setup
Table 37-5 Menu 27.1.1.2: Manual Setup
FIELD DESCRIPTIO[...]
Table 37-5 Menu 27.1.1.2: Manual Setup (continued)
Key3: Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated, so a key typed with a trailing space will not match the peer's).
Authentication Algorithm: Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. Example: MD5
K[...]
Chapter 38 SA Monitor
This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2.
38.1 Introduction
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections. When there is o[...]
Table 38-1 Menu 27.2: SA Monitor
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure[...]
Part XV: General Appendices
This part provides background information about troubleshooting, setting up your computer's IP address, triangle route, how functions are related, PPPoE, PPTP, wireless LAN, 802.1x, EAP authentication, IP subnetting and safety warnings.[...]
Appendix A Troubleshooting
This appendix covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.
Problems Starting Up the ZyWALL
Chart 1 [...]
Problems with the LAN Interface
Chart 3 Troubleshooting the LAN Interface
Problem: Cannot access the ZyWALL from the LAN. Corrective action: Check your Ethernet cable type and connections. Refer to the Quick Start Guide for LAN connection instructions. Make sure the computer's Ethernet adapter is[...]
Problems with Internet Access
Chart 5 Troubleshooting Internet Access
Corrective action: Connect your cable/DSL modem to the ZyWALL using the appropriate cable. Check with the manufacturer of your cable/DSL device about your cable requirement because some devices may require cross[...]
Appendix B Setting up Your Computer's IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software comp[...]
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter:
a. In the Network window, click Add.
b. Select Adapter and then click Ad[...]
1. Click the IP Address tab.
- If your IP address is dynamic, select Obtain an IP address automatically.
- If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
2. Click the DNS Configuration ta[...]
3. Click the Gateway tab.
- If you do not know your gateway's IP address, remove previously installed gateways.
- If you have a gateway IP address, type it in the New gateway field and click Add.
4. Click OK to save and close the TCP/IP Properties window.
5. Click OK[...]
1. For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel.
2. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections.
3. Right-click Local Area Connection and then click Pro[...]
4. Select Internet Protocol (TCP/IP) (under the General tab in Windows XP) and click Properties.
5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
- If you have a dynamic IP address, click Obtain an IP address automatically.
- If you have a[...]
6. - If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add. [...]
7. In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
- Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
- If you know your DNS server IP address(es), click Use the following DNS server addresses[...]
1. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.
2. Select Ethernet built-in from the Connect via list.
3. For dynamically assigned settings, select Using DHCP Server from the Configure: list.[...]
4. For statically assigned settings, do the following:
- From the Configure box, select Manually.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your ZyWALL in the Router address box.
5. Close the TCP/IP [...]
2. Click Network in the icon bar.
- Select Automatic from the Location list.
- Select Built-in Ethernet from the Show list.
- Click the TCP/IP tab.
3. For dynamically assigned settings, select Using DHCP from the Configure list.
4. For statically assigned settings, do[...]
Appendix C Triangle Route
The Ideal Setup
When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
Diagram 1 Ideal S[...]
Diagram 2 "Triangle Route" Problem
The "Triangle Route" Solutions
This section presents two solutions to the "triangle route" problem.
IP Aliasing
IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three [...]
Diagram 3 IP Alias
Gateways on the WAN Side
A second solution to the "triangle route" problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore your LAN[...]
Step 3. Use the following commands to allow/disallow triangle route.
sys firewall ignore triangle all off: This command allows triangle route.
sys firewall ignore triangle all on: This command disallows triangle route.
The keyword reads as "ignore the triangle-route check", which is the opposite sense to the two descriptions above, so confirm the effect on your firmware before relying on either setting. Allowing triangle routes means reply traffic reaches the LAN without passing through the ZyWALL's firewall, which is exactly the exposure the ideal setup above avoids.[...]
Appendix D Wireless LAN and IEEE 802.11
A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN en[...]
Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spect[...]
could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible.
Diagram D-2 ESS Provides Campus-Wide Coverage[...]
Appendix E Wireless LAN With IEEE 802.1x
As wireless networks become popular for both portable computing and corporate networks, security is now a priority.
Security Flaws with IEEE 802.11
Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. T[...]
RADIUS Server Authentication Sequence
The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN).
Diagram E-1 Sequences for EAP MD5-Challenge Authentication
Client computer access authorized. Client com[...]
Appendix F Types of EAP Authentication
This appendix discusses three popular EAP authentication types: EAP-MD5, EAP-TLS and EAP-TTLS. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
EAP-MD5 ([...]
TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
Comparison (EAP-MD5 / EAP-TLS / EAP-TTLS):
Mutual Authentication: No / Yes / Yes
Certificate - Client: No / Yes / Optional
Certificate - Server: No / Yes / Yes
Dynamic Key Exchange: No / Yes / Yes
Credential Sec[...]
Appendix G PPPoE
PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any nu[...]
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels[...]
Appendix H PPTP
What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Networ[...]
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco's Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stack [...]
Diagram H-3 Example Message Exchange between PC and an ANT
PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.[...]
Appendix I IP Subnetting
IP Addressing
Routers "route" based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.
IP Classes
An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, [...]
A class "A" address (24 host bits) can have 2^24 - 2 hosts (approximately 16 million hosts). Since the first bit of a class "A" IP address must be "0", the first octet of a class "A" address can have a value of 0 to 127. Similarly the first octet of a class "B" must[...]
of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total of 32 bits. Since the mask is always a continuous run of ones beginning from the left, followed by a continuous run of zeros for the remainder of the 32-bit mask, you c[...]
Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The "borrowed" host ID bit can be either "0" or "1", thus giving two subnets: 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask[...]
actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
Example: Four Subnets
The above example illustrated using a 25-bit subnet mask to divide a class "C" address space into two [...]
Chart I-10 Subnet 4
IP Address: 192.168.1.192
IP Address (Binary): 11000000.10101000.00000001.11000000
Subnet Mask (Binary): 11111111.11111111.11111111.11000000
Subnet Address: 192.168.1.192
Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255
Hig[...]
Borrowed host bits / subnet mask / number of subnets / hosts per subnet (continued):
4 / 255.255.255.240 (/28) / 16 / 14
5 / 255.255.255.248 (/29) / 32 / 6
6 / 255.255.255.252 (/30) / 64 / 2
7 / 255.255.255.254 (/31) / 128 / 1
(Under the 2^h - 2 rule used throughout this appendix a /31 has no usable hosts; RFC 3021 later allowed two on point-to-point links. The chart's value of 1 matches neither convention.)
Subnetting With Class A and Class B Networks
For class "A" and class "B" addresses the subnet mask also determines which bits are part of the network number and which are[...]
Chart I-13 Class B Subnet Planning
Borrowed host bits / subnet mask / number of subnets / hosts per subnet:
[...] (/29) [row truncated]
14 / 255.255.255.252 (/30) / 16384 / 2
15 / 255.255.255.254 (/31) / 32768 / 1[...]
Appendix J Safety Warnings and Instructions
1. Be sure to read and follow all warning notices and instructions.
2. The maximum recommended ambient temperature for the ZyWALL is 40º Celsius (104º Fahrenheit). Care must be taken to allow sufficient air circulation or space b[...]
Part XVI: Command, Log Appendices and Index
This part provides information on the command line interface, firewall and NetBIOS commands, logs and password protection. There is also an index of key terms.[...]
Appendix K Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on the[...]
Appendix L Firewall Commands
The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure.
Chart L-1 Firewall Commands
Firewall Set-Up: c[...]
Chart L-1 Firewall Commands (continued)
config display firewall e-mail: This command shows all of the e-mail settings.
config display firewall ?: This command shows all of the available firewall sub-commands.
Edit E-mail: config edit firewall e-mail mail-serv[...]
Chart L-1 Firewall Commands (continued)
config edit firewall attack block <yes | no>: Set this command to yes to block new traffic after the tcp-max-incomplete threshold is exceeded. Set it to no to delete the oldest half-open session when traffic exceeds the tcp-max-incomp[...]
Chart L-1 Firewall Commands (continued)
config edit firewall set <set #> default-permit <forward | block>: This command sets whether a packet is dropped or allowed through when it does not match any rule within the set.
config edit firewall set <set #> icmp-timeout <[...]
Chart L-1 Firewall Commands (continued)
config edit firewall set <set #> rule <rule #> protocol <integer protocol value>: This command sets the protocol specification number made in this rule for ICMP.
config edit firewall set <set #> rule <rule #> [...]
Chart L-1 Firewall Commands (continued)
config edit firewall set <set #> rule <rule #> TCP destport-single <port #>: This command sets a rule to have the ZyWALL check for TCP traffic with this destination port. You may repeat this command to enter various non-cons[...]
Appendix M NetBIOS Filter Commands
The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure.
Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer [...]
-
Page 582
ZyWALL 2 User’s Guide M-2 NetBIOS Filter Commands
Chart M-1 NetBIOS Filter Default Settings
NAME DESCRIPTION EXAMPLE
Between LAN and WAN  This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.  Forward
IPSec Packets  This field displays whether NetBIOS packets sent through a VPN connection are blocked [...]
Page 583
ZyWALL 2 Series User’s Guide NetBIOS Filter Commands M-3
Command: sys filter netbios config 4 off
This command stops NetBIOS commands from initiating calls.[...]
Page 584
Page 585
ZyWALL 2 Series User’s Guide Boot Commands N-1
Appendix N Boot Commands
The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the pr[...]
Page 586
ZyWALL 2 User’s Guide N-2 Boot Commands
Diagram N-2 Boot Module Commands
AT  just answer OK
ATHE  print help
ATBAx  change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)  set BootExtension Debug Flag (y=password)
ATSE  show the seed of password generator
ATTI(h,m,s)  change system time to hour:min:sec or show current time
ATDA(y,m,d)  ch[...]
Page 587
ZyWALL 2 Series User’s Guide Log Descriptions O-1
Appendix O Log Descriptions
Chart O-1 System Error Logs
LOG MESSAGE DESCRIPTION
%s exceeds the max. number of session per host!  This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host.
Chart O-2 System Maintenance Logs [...]
Page 588
ZyWALL 2 User’s Guide O-2 Log Descriptions
Chart O-2 System Maintenance Logs
TELNET Login Fail  Someone has failed to log on to the router via telnet.
FTP Login Successfully  Someone has logged on to the router via ftp.
FTP Login Fail  Someone has failed to log on to the router via ftp.
NAT Session Table is Full!  The maximum number of SUA/NAT sess[...]
Page 589
ZyWALL 2 Series User’s Guide Log Descriptions O-3
Chart O-5 Attack Logs
LOG MESSAGE DESCRIPTION
attack IGMP  The firewall detected an IGMP attack.
attack ESP  The firewall detected an ESP attack.
attack GRE  The firewall detected a GRE attack.
attack OSPF  The firewall detected an OSPF attack.
attack ICMP (type:%d, code:%d)  The firewall detected an I[...]
Page 590
ZyWALL 2 User’s Guide O-4 Log Descriptions
Chart O-5 Attack Logs
LOG MESSAGE DESCRIPTION
syn flood TCP  The firewall detected a TCP syn flood attack.
ports scan TCP  The firewall detected a TCP port scan attack.
teardrop TCP  The firewall detected a TCP teardrop attack.
teardrop UDP  The firewall detected a UDP teardrop attack.
teardrop ICMP (type[...]
Page 591
ZyWALL 2 Series User’s Guide Log Descriptions O-5
Chart O-6 Access Logs
LOG MESSAGE DESCRIPTION
Firewall default policy: TCP (set:%d)  TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set’s configuration.
Firewall default policy: UDP (set:%d)  UDP access matched the default [...]
Page 592
ZyWALL 2 User’s Guide O-6 Log Descriptions
Chart O-6 Access Logs
LOG MESSAGE DESCRIPTION
Firewall rule match: ESP (set:%d, rule:%d)  ESP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule’s configuration.
Firewall rule match: GRE (set:%d, rule:%d)  GRE access matched the listed firewall rule and [...]
Page 593
ZyWALL 2 Series User’s Guide Log Descriptions O-7
Chart O-6 Access Logs
LOG MESSAGE DESCRIPTION
Firewall rule NOT match: (set:%d, rule:%d)  Access did not match the listed firewall rule and the ZyWALL logged it.
Filter default policy DROP!  TCP access matched a default filter policy and the ZyWALL dropped the packet to block access.
Filter defau[...]
Page 594
ZyWALL 2 User’s Guide O-8 Log Descriptions
Chart O-6 Access Logs
LOG MESSAGE DESCRIPTION
Filter match DROP <set %d/rule %d>  Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Filter match DROP <set %d/rule %d>  Access matched the listed filter rule (denied LAN IP) and the ZyWALL dropped the packe[...]
Page 595
ZyWALL 2 Series User’s Guide Log Descriptions O-9
Chart O-6 Access Logs
LOG MESSAGE DESCRIPTION
Packet without a NAT table entry blocked  The router blocked a packet that did not have a corresponding SUA/NAT table entry.
Out of order TCP handshake packet blocked  The router blocked a TCP handshake packet that came out of the proper order.
Drop un[...]
Page 596
ZyWALL 2 User’s Guide O-10 Log Descriptions
Chart O-8 ICMP Notes
TYPE CODE DESCRIPTION
3  Destination Unreachable
  0  Net unreachable
  1  Host unreachable
  2  Protocol unreachable
  3  Port unreachable
  4  A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
  5  Source route failed
4  Source Quench
  0  A gateway may disc[...]
Page 597
ZyWALL 2 Series User’s Guide Log Descriptions O-11
Chart O-8 ICMP Notes
TYPE CODE DESCRIPTION
14  Timestamp Reply
  0  Timestamp reply message
15  Information Request
  0  Information request message
16  Information Reply
  0  Information reply message
Chart O-9 Syslog
LOG MESSAGE DESCRIPTION
Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" ds[...]
Page 598
ZyWALL 2 User’s Guide O-12 Log Descriptions
Diagram O-1 Example VPN Initiator IPSec Log
VPN Responder IPSec Log
The following figure shows a typical log from the VPN connection peer.
Diagram O-2 Example VPN Responder IPSec Log
This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log messa[...]
Page 599
ZyWALL 2 Series User’s Guide Log Descriptions O-13
A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-shared key.
Chart O-10 Sample IKE Key Exchange Logs
LOG MESSAGE DESCRIPTION
Send <Symbol> Mode request to <IP>
Send <Symbol> Mode request to <IP>  The ZyWALL has started[...]
Page 600
ZyWALL 2 User’s Guide O-14 Log Descriptions
Chart O-10 Sample IKE Key Exchange Logs
LOG MESSAGE DESCRIPTION
!! Invalid IP <IP start>/<IP end>  The peer’s “Local IP Addr” range is invalid.
!! Remote IP <IP start> / <IP end> conflicts  If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Ad[...]
Page 601
ZyWALL 2 Series User’s Guide Log Descriptions O-15
Chart O-10 Sample IKE Key Exchange Logs
LOG MESSAGE DESCRIPTION
vs. My Local <IP address>  The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router’s configured local IP addr[...]
Page 602
ZyWALL 2 User’s Guide O-16 Log Descriptions
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Chart O-12 RFC-2408 ISAKMP Payload Types
LOG DISPLAY PAYLOAD TYPE
SA  Security Association
PROP  Proposal
TRANS  Transform
KE  Key Exchange
ID  Identification
CER  C[...]
Page 603
ZyWALL 2 Series User’s Guide Log Descriptions O-17
Chart O-13 Log Categories and Available Settings
LOG CATEGORIES  AVAILABLE PARAMETERS
attack  0, 1, 2, 3
error  0, 1, 2, 3
ike  0, 1, 2, 3
ipsec  0, 1, 2, 3
javablocked  0, 1, 2, 3
mten  0, 1
upnp  0, 1
urlblocked  0, 1, 2, 3
urlforward  0, 1
Use 0 to not record logs for that category, 1 to record onl[...]
Page 604
ZyWALL 2 User’s Guide O-18 Log Descriptions
ras> sys logs display access
#  .time  source  destination  notes  message
0|11/11/2002 15:10:12 |172.22.3.80:137 |172.22.255.255:137 |ACCESS BLOCK Firewall default policy: UDP(set:8)
1|11/11/2002 15:10:12 |172.21.4.17:138 |172.21.255.255:138 |ACCESS BLOCK Firewall default policy: UDP(set:8)
2|11/11/2002 [...]
Page 605
ZyWALL 2 Series User’s Guide Brute-Force Password Guessing Protection P-1
Appendix P Brute-Force Password Guessing Protection
The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the[...]
Page 606
Page 607
ZyWALL 2 Series User’s Guide Index Q-1
Appendix Q Index
1
10/100 Mbps Ethernet WAN ........ 1-2
4
4-Port Switch ........ 1-2
A
Access Point ........ 7-5, 24-7
Action for Matched Packets ........ 11-10
Active ........[...]
Page 608
ZyWALL 2 Series User’s Guide Q-2 Index
Configuration File Upload ........ 33-16
File Backup ........ 33-6
File Upload ........ 33-15
Restoring Files ........ 33-9
Content Filtering ........[...]
Page 609
ZyWALL 2 Series User’s Guide Index Q-3
Filter ........ 23-12, 24-1, 26-9, 30-1
  Applying ........ 30-17
  Configuration ........ 30-1
  Configuring ........ 30-4
  Example ........[...]
Page 610
ZyWALL 2 Series User’s Guide Q-4 Index
Inside Local Address ........ 8-1
Internet Access ........ 25-1
  ISP's Name ........ 25-1
Internet Access Setup ........ 25-1, 28-2, A-2
Internet Control Message Protocol ([...]
Page 611
ZyWALL 2 Series User’s Guide Index Q-5
N
Nailed-up Connection ........ 26-4
Nailed-Up Connection ........ 23-7, 26-5
NAT ........ 3-4, 3-9, 5-1, 8-5, 8-6, 23-10, 26-8, 30-16
  Application ........ 8-3
  Applying NAT in the SMT Menus ........ 28[...]
Page 612
ZyWALL 2 Series User’s Guide Q-6 Index
Replacement ........ v
Reports ........ 19-6
Required fields ........ 21-3
Reset Button ........ 1-2
Resetting the Time ........[...]
Page 613
ZyWALL 2 Series User’s Guide Index Q-7
System Management Terminal ........ 21-2
System Name ........ 4-2, 22-1
System Status ........ 32-1
System Timeout ........ 17-2
T
TCP Maximum Incomplete ........ 11-21, 11-22, 11-24[...]
Page 614
ZyWALL 2 Series User’s Guide Q-8 Index
Wireless LAN Setup ........ 24-6
Wizard Setup ........ 3-1
WLAN ........ See Wireless LAN
www.dyndns.org ........ 22-4
www.zyxel.com ........[...]