Instruction/maintenance manual of the product ZyWALL 50, ZyXEL Communications
ZyWALL 50 Internet Security Gateway User’s Guide, Version 3.50, November 2001.
Copyright: Copyright © 2001 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole.
Federal Communications Commission (FCC) Interference Statement: This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference.
Information for Canadian Users: The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation and safety requirements.
Declaration of Conformity: We, the Manufacturer/Importer, ZyXEL Communications Corp.
ZyXEL Limited Warranty: ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support: Please have the following information ready when you contact customer support. • Product model and serial number. • Information in Menu 24.2.1 – System Information.
Preface. About Your ZyWALL: Congratulations on your purchase of the ZyWALL 50 Internet Security Gateway. Don’t forget to register your ZyWALL (fast, easy online registration at www.zyxel.
Our Quick Start Guide is designed to help you get your ZyWALL up and running right away.
Part I: Getting Started. This part is structured as a step-by-step guide to help you connect, install and set up your ZyWALL to operate on your network and access the Internet.
Chapter 1: Getting to Know Your ZyWALL. This chapter introduces the main features and applications of the ZyWALL.
You can configure most features of the ZyWALL 50 via SMT, but we recommend you configure the firewall and Content Filters using the ZyWALL web configurator.
Network Address Translation (NAT): NAT (Network Address Translation - NAT, RFC 1631) allows the translation of an Internet Protocol address used within one network to a different IP address known within another network.
1.3 Applications for the ZyWALL 50. 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem: A cable modem or xDSL modem can connect to the ZyWALL 50 for broadband Internet access via the Ethernet port on the modem.
1.3.2 VPN Application: ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites.
Chapter 2: Hardware Installation. This chapter explains the LEDs and ports as well as how to connect the hardware and perform the initial setup. 2.1 Front Panel LEDs and Back Panel Ports. 2.
Table 2-1 LED Descriptions (columns: LED, FUNCTION, COLOR, STATUS, MEANING). Flashing: The 10M LAN is sending/receiving packets. Off: The 100M LAN is not connected. On: The ZyWALL is connected to a 100 Mbps LAN.
Figure 2-2 ZyWALL 50 Rear Panel and Connections. This section outlines how to connect your ZyWALL 50 to the LAN and the WAN.
port) of your computer. You can use an extension RS-232 cable if the enclosed one is too short. After the initial setup, you can modify the configuration remotely through telnet connections.
2.3 Additional Installation Requirements: In addition to the contents of your package, there are other hardware and software requirements you need before you can install and use your ZyWALL.
Chapter 3: Initial Setup. This chapter explains how to perform initial ZyWALL setup and gives an overview of SMT menus.
Figure 3-2 Password Screen. 3.2 Navigating the SMT Interface: The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
3.2.1 Main Menu: After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Figure 3-3 ZyWALL Main Menu. 3.2.2 System Management Terminal Interface Summary. Table 3-2 Main Menu Summary: NO.
Table 3-2 Main Menu Summary (columns: NO., MENU TITLE, FUNCTION). 23 System Password: Change your password in this menu (recommended). 24 System Maintenance: From displaying system status to uploading firmware, this menu provides comprehensive system maintenance.
3.2.3 SMT Menus at a Glance. Figure 3-4 Getting Started and Advanced Applications SMT Menus.
Figure 3-5 Advanced Management SMT Menus.
Figure 3-6 IPSec VPN Configuration SMT Menus. 3.3 Changing the System Password: The first thing you should do is change the default system password by following the steps shown next.
Step 4. Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an (X) for each character you type.
3.4.2 Procedure To Use The Reset Button: Make sure the SYS LED is on (not blinking) before you begin this procedure. 1. Press the RESET button for ten seconds, then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts.
Chapter 4: General And WAN Setup. Menu 1 - General Setup contains administrative and system-related information. Clone a LAN computer MAC address in the Menu 2 - WAN Setup. 4.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a DNS name.
Fields (FIELD, DESCRIPTION, EXAMPLE). Host: Enter the domain name assigned to your ZyWALL by your Dynamic DNS provider. Example: me.dyndns.org. EMAIL: Enter your e-mail address. Example: mail@mailserver. USER: Enter your user name.
Figure 4-2 Menu 2 — WAN Setup. The MAC address field allows users to configure the WAN port's MAC address by using either the factory default or cloning the MAC address from a computer on your LAN.
Chapter 5: LAN Setup. This chapter describes how to configure the LAN using Menu 3 – LAN Setup. 5.1 Introduction: This section describes how to configure the LAN using Menu 3 — LAN Setup.
5.3.1 Factory LAN Defaults: The LAN parameters of the ZyWALL are preset in the factory with the following values: 1. IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits). 2. DHCP server enabled with 32 client IP addresses starting from 192.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above.
5.3.7 IP Alias: IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network.
Figure 5-6 Menu 3.2 — TCP/IP and DHCP Ethernet Setup. Follow the instructions in the next table on how to configure the DHCP fields. Table 5-3 DHCP Ethernet Setup Menu Fields (FIELD, DESCRIPTION, EXAMPLE). DHCP: This field enables/disables the DHCP server.
Table 5-3 DHCP Ethernet Setup Menu Fields (FIELD, DESCRIPTION, EXAMPLE). DHCP Server Address: If Relay is selected in the DHCP field above, then type in the IP address of the actual, remote DHCP server here.
Figure 5-7 Menu 3.2.1 — IP Alias Setup. Use the instructions in the following table to configure IP Alias parameters. Table 5-5 IP Alias Setup Menu Fields (FIELD, DESCRIPTION, EXAMPLE). IP Alias: Choose Yes to configure the LAN network for the ZyWALL.
Chapter 6: Internet Access. This chapter shows you how to configure your ZyWALL for Internet access. 6.1 Internet Access Setup: You will see three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation.
Table 6-1 Internet Access Setup Menu Fields (FIELD, DESCRIPTION). Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for IP Address.
The ZyWALL 50 supports one PPTP server connection at any given time. 6.1.3 Configuring the PPTP Client: To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
6.1.4 PPPoE Encapsulation: The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.
Table 6-3 New Fields in Menu 4 (PPPoE) screen (FIELD, DESCRIPTION, EXAMPLE). Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices for IP Address.
Part II: Advanced Applications. This part covers Remote Node Setup, IP Static Route Setup and Network Address Translation.
Chapter 4: Remote Node Setup. This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
Figure 4-1 Menu 11.1 — Remote Node Profile for Ethernet Encapsulation. Table 4-1 Fields in Menu 11.1 (FIELD, DESCRIPTION, EXAMPLE). Rem Node Name: Enter a descriptive name for the remote node.
Table 4-1 Fields in Menu 11.1 (FIELD, DESCRIPTION, EXAMPLE). My Password: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only.
Figure 4-2 Menu 11.1 — Remote Node Profile for PPPoE Encapsulation. Outgoing Authentication Protocol: Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons.
Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) (FIELD, DESCRIPTION, EXAMPLE). Authen: This field sets the authentication protocol used for outgoing calls.
Figure 4-3 Menu 11.1 — Remote Node Profile for PPTP Encapsulation. The next table shows how to configure fields in menu 11.1 not previously discussed above. Table 4-3 Fields in Menu 11.
4.2 Editing TCP/IP Options (with Ethernet Encapsulation): Move the cursor to the Edit IP field in menu 11.1, press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.
Table 4-4 Remote Node Network Layer Options Menu Fields (FIELD, DESCRIPTION, EXAMPLE). Metric: This field is valid only for PPTP/PPPoE encapsulation. The metric represents the “cost” of transmission for routing purposes.
Figure 4-5 Menu 11.3 — Remote Node Network Layer Options. The next table gives you instructions about configuring remote node network layer options.
Table 4-5 Remote Node Network Layer Options Menu Fields (FIELD, DESCRIPTION, EXAMPLE). Metric: The metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.
Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, e.
Chapter 5: IP Static Route Setup. This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means.
5.1 IP Static Route Setup: You configure IP static routes in menu 12.1 by selecting one of the IP static routes as shown next.
Table 5-1 IP Static Route Menu Fields (FIELD, DESCRIPTION). Route #: This is the index number of the static route that you chose in menu 12. Route Name: Enter a descriptive name for this route.
Chapter 6: Network Address Translation (NAT). This chapter discusses how to configure NAT on the ZyWALL. 6.1 Introduction: NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, e.
Table 6-1 NAT Definitions (TERM, DESCRIPTION). WAN. NAT never changes the IP address (either local or global) of an outside host.
Figure 6-1 How NAT Works. 6.1.4 NAT Application: The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks.
Figure 6-2 NAT Application With IP Alias. 6.1.5 NAT Mapping Types: NAT supports five types of IP/port mapping. They are: 1. One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address.
3. Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps multiple local IP addresses to shared global IP addresses. 4. Many to Many No Overload: In Many-to-Many No Overload mode, the ZyWALL maps each local IP address to a unique global IP address.
6.2 Using NAT. 6.2.1 SUA (Single User Account) Versus NAT: SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See section 6.
Step 2. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options. Figure 6-4 Menu 11.3 — Applying NAT to the Remote Node. The following table describes the options for Network Address Translation.
6.3 NAT Setup: Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT Address Mapping sets in menu 15.
SUA Address Mapping Set: Enter 255 to display the next screen (see also section 6.2.1). The fields in this menu cannot be changed. Figure 6-7 Menu 15.1.255 — SUA Address Mapping Rules. The following table explains the fields in this screen.
Table 6-4 SUA Address Mapping Rules (FIELD, DESCRIPTION, EXAMPLE). Type: These are the mapping types discussed above (see Table 6-2). Server allows us to specify multiple servers of different types behind NAT to this machine.
Ordering Your Rules: Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored.
Figure 6-9 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set. Table 6-6 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set (FIELD, DESCRIPTION, EXAMPLE). Type: Press [SPACE BAR] to toggle through a total of five types.
6.4 NAT Server Sets – Port Forwarding: A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.
Table 6-7 Services & Port Numbers (SERVICES, PORT NUMBER). Finger: 79. HTTP (Hyper Text Transfer Protocol or WWW, Web): 80. POP3 (Post Office Protocol).
Figure 6-10 Menu 15.2 — NAT Server Setup. Figure 6-11 Multiple Servers Behind NAT Example. Menu 15.2 - NAT Server Setup (columns: Rule, Start Port No., End Port No., IP Address). 1.
6.5 General NAT Examples. 6.5.1 Internet Access Only: In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 6.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.
Figure 6-15 Menu 15.2 — Specifying an Inside Server. 6.5.3 Example 3: Multiple Public IP Addresses With Inside Servers: In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server.
The example situation looks somewhat like this: Figure 6-16 NAT Example 3. Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.
Step 6. Repeat the previous step for rules 2 to 4 as outlined above. Step 7. When finished, menu 15.1.1 should look as shown in Figure 6-19. Figure 6-17 Example 3: Menu 11.3. The following figure shows how to configure the first rule.
Figure 6-19 Example 3: Final Menu 15.1.1. Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu. Step 9. Now enter 2 from this menu and configure it as shown in Figure 6-20.
6.5.4 Example 4: NAT Unfriendly Application Programs: Some applications do not support NAT Mapping using TCP or UDP port address translation.
Figure 6-22 Example 4: Menu 15.1.1.1 — Address Mapping Rule. After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Figure 6-23 Example 4: Menu 15.
Part III: Firewall and Content Filters. Part III introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and logs and gives example firewall rules and an overview of content filtering.
Chapter 7: Firewalls. This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall.
i. Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
Figure 7-1 ZyWALL Firewall Application. 7.4 Denial of Service: Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port.
Figure 7-2 Three-Way Handshake. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server.
2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
Table 7-3 Legal NetBIOS Commands: MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE. All SMTP commands are illegal except for those displayed in the following tables.
Denies all sessions originating from the WAN to the LAN. Figure 7-5 Stateful Inspection. The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works.
3. The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection.
The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules.
little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines.
7.6.1 Security In General: You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them.
7.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed. Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
Chapter 8: Introducing the ZyWALL Firewall. This chapter shows you how to get started with the ZyWALL firewall. 8.1 Remote Management and the Firewall: When SMT menu 24.
Figure 8-2 Menu 21.2 — Firewall Setup. Configure the firewall rules using the web configurator or CLI commands. 8.3.2 Viewing the Firewall Log: In menu 21, enter 3 to view the firewall log.
Table 8-1 View Firewall Log (FIELD, DESCRIPTION, EXAMPLES). #: This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.
Chapter 9 Using the ZyWALL Web Configurator. This chapter shows you how to configure your firewall with the web configurator. 9.1 Web Configurator Login and Main Menu Screens. Use the ZyWALL web configurator to configure your firewall.
Figure 9-1 Main Menu. Use the icon (located in the upper right portion of most screens) for online HTML help. If you forget your password, refer to the Resetting the ZyWALL section to see how to reset the default configuration file.
9.2 Enabling the Firewall. Click Advanced, Firewall, Configuration and then the Config tab. Enable (or activate) the firewall by clicking the Firewall Enabled check box as seen in the following screen.
10-4). When an event generates an alert, a message is immediately sent to an e-mail account specified by you.
Table 9-1 E-mail (FIELD / DESCRIPTION / OPTIONS). Address Info. Mail Server: Enter the IP address of your mail server in dotted decimal notation. Your Internet Service Provider (ISP) should be able to provide this information.
9.3.3 SMTP Error Messages. If there are difficulties in sending e-mail, the following error messages appear. Please see the Support Notes on the included disk for information on other types of error messages.
Figure 9-4 E-mail Log. 9.4 Attack Alert. Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected.
2. The minimum capacity of server backlog in your LAN network. 3. The CPU power of servers in your LAN network. 4. Network bandwidth. 5. Type of traffic for certain servers.
2. If the Blocking Time timeout is greater than 0, then the ZyWALL blocks all new connection requests to the host, giving the server time to handle the present connections.
Table 9-3 Attack Alert (FIELD / DESCRIPTION / DEFAULT VALUES). Denial of Service Thresholds. One Minute Low: This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions.
Table 9-3 Attack Alert (FIELD / DESCRIPTION / DEFAULT VALUES). Incomplete host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address.
Chapter 10 Creating Custom Rules. This chapter contains instructions for defining both Local Network and Internet rules. 10.1 Rules Overview. Firewall rules are subdivided into "Local Network" and "Internet".
2. Is the intent of the rule to forward or block traffic? 3. What is the direction of the connection: from the LAN to the Internet, or from the Internet to the LAN? 4. What IP services will be affected? 5.
Source Address: What is the connection's source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
10.3.2 WAN to LAN Rules. The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
Figure 10-3 Firewall Rules Summary — First Screen. The following table describes the fields in this screen. Table 10-1 Firewall Rules Summary — First Screen (FIELD / DESCRIPTION / OPTIONS). General. Name: This is the name of the firewall rule set.
Table 10-1 Firewall Rules Summary — First Screen (FIELD / DESCRIPTION / OPTIONS). Default Policy. Log: Click this check box to log all matched rules in the ACL default set. The following fields summarize the rules you have created.
10.5 Predefined Services. The Available Services list box in the Rule Config(uration) screen (see Figure 10-4) displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets.
Table 10-2 Predefined Services (SERVICE / DESCRIPTION). MSN Messenger (TCP:1863): Microsoft Networks' messenger service uses this protocol. MULTICAST (IGMP:0): Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.
Table 10-2 Predefined Services (SERVICE / DESCRIPTION). STRMWORKS (UDP:1558): StreamWorks Protocol. TACACS (UDP:49): Login Host Protocol used for (Terminal Access Controller Access Control System).
10.5.1 Creating/Editing Firewall Rules. To create a new rule, click a number (No.) then click Edit in the last screen shown to display the following screen.
Table 10-3 Creating/Editing A Firewall Rule (FIELD / DESCRIPTION / OPTIONS). Please see the following section on adding and editing destination addresses. DestEdit, DestDelete. Services: Available/Selected Services. Please see Table 10-2 for more information on services available.
Figure 10-5 Adding/Editing Source and Destination Addresses.
Table 10-4 Adding/Editing Source and Destination Addresses (FIELD / DESCRIPTION / OPTIONS). Address Type: Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.
Figure 10-6 Timeout Screen.
Table 10-5 Timeout Menu (FIELD / DESCRIPTION / DEFAULT VALUE). TCP Timeout Values. Connection Timeout: This is the length of time the ZyWALL waits for a TCP session to reach the established state before dropping the session.
Chapter 11 Custom Ports. This chapter covers creating, viewing and editing custom ports. 11.1 Introduction. Configure customized ports for services not predefined by the ZyWALL (see Figure 10-4).
Table 11-1 Custom Ports (FIELD / DESCRIPTION). Customized Services. No.: This is the number of your customized port. Status: Indicates whether ports have already been configured or are still empty. Name: This is the name of your customized port.
11.2 Creating/Editing A Custom Port. Click Edit in the previous screen to create a new custom port or edit an existing one. This action displays the following screen. Figure 11-2 Creating/Editing A Custom Port. The next table describes the fields in this screen.
Table 11-2 Creating/Editing A Custom Port (FIELD / DESCRIPTION / OPTIONS). Service Name: Enter a unique name for your custom port. Service Type: Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop-down list box.
Chapter 12 Logs. This chapter contains information about using the log screen to view the results of the rules you have configured. 12.1 Log Screen. When you configure a new rule you also have the option to log events that match, don't match (or both) this rule (see Figure 10-4).
Table 12-1 Log Screen (FIELD / DESCRIPTION / EXAMPLES). No.: This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.
Chapter 13 Example Firewall Rules. This chapter gives examples for configuring various rules for WAN to LAN and LAN to WAN.
Step 1. Activate the firewall. You may activate the firewall through the web configurator as shown next (click Configuration, the Config tab, then click the Firewall Enabled check box) or through SMT menu 21.
Step 2. Go to the E-mail screen by clicking Advanced, Firewall, Configuration, then the E-mail tab. Configure the E-mail screen as follows. Figure 13-2 Example 1: E-Mail Screen. Enter 10.
Step 3. Configure your firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering your local network, but you want to create a hole for web service from the Internet.
Step 4. Click DestAdd in the previous screen to configure the destination address as the IP of your server on the LAN. Figure 13-4 Example 1: Destination Address for Traffic Originating from the Internet. 10.
Step 5. When you have finished configuring your rules, the Rule Summary screen should look like this. Click Apply in this screen to save your configuration back to the ZyWALL.
i. A mail server with an IP of 192.168.10.2. ii. Two FTP servers. You want FTP server 1 (IP of 192.168.10.3) to be accessible from the Internet, but FTP server 2 (192.168.10.4) may only be accessed by internal users, i.
ZyWALL 100 Internet Security Gateway 13-8 Example Firewall Rules. Step 3. Now you want to restrict access to the Internet except for the HTTP proxy server and your mail server.
Network to see the Rule Summary screen. Now click an available No. (rule number) button, then click Edit to bring up the next screen. Step 5. Click SrcAdd under the Source Address box and enter the IP address of the mail server (192.
Step 7. The Rule Summary screen should look like Figure 13-9. Don't forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL.
screen. Now click on the DestAdd button under the Destination Address box and enter the IP of FTP server One (192.168.10.3). Step 9. On completing the procedure, the Rule Summary for this Internet firewall rule should look like the following screen.
13.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet. The following are some Internet firewall rule examples that allow DHCP negotiation between the ISP and the ZyWALL and allow a syslog connection from the Internet.
Step 2. Follow the procedures outlined in the previous examples to configure all your rules. You should configure the rule configuration screen like the one below and apply it. Figure 13-12 Syslog Rule Configuration. This is your Syslog custom port.
Step 3. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don't forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL.
Chapter 14 Content Filtering. This chapter provides a brief overview of content filtering using the web embedded configurator. For more detailed information, consult the embedded HTML help.
14.4 Customizing. Customize the content filter list by adding or removing specific sites from the filter list. 14.5 Keywords. The ZyWALL can also be configured to block certain Web sites by using URL keywords.
Part IV: Advanced Management. This part provides information on Filter Configuration, SNMP Configuration, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information, and Remote Management.
Chapter 15 Filter Configuration. This chapter shows you how to create and apply filters. 15.1 About Filtering. Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call.
Figure 15-1 Outgoing Packet Filtering Process. For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
[Flowchart residue, filter set processing: Start; Fetch First Filter Set; Fetch First Filter Rule; Active?; Execute Filter Rule; Fetch Next Filter Rule; Next Filter Rule Available?; Fet.]
You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
Step 3. Select the filter set you wish to configure (1-12) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.
15.2.1 Filter Rules Summary Menu. This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.
Table 15-2 Rule Abbreviations Used (ABBREVIATION / DESCRIPTION). DP: Destination Port number. GEN: Off = Offset, Len = Length. Refer to the next section for information on configuring the filter rules.
Figure 15-8 Menu 21.1.1.1 — TCP/IP Filter Rule. The following table describes how to configure your TCP/IP filter rule. Table 15-3 TCP/IP Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS). Active: Yes activates the filter rule and No deactivates it.
Table 15-3 TCP/IP Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS). Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535.
Table 15-3 TCP/IP Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS). Drop. Action Not Matched: Select the action for a packet not matching the rule. Options: Check Next Rule, Forward, Drop. Press [SPACE BAR] to select properties for fields that do not need to be typed in.
[Flowchart residue, IP filter logic: Packet into IP Filter; Filter Active?; Check IP Protocol; Matched; Action Matched; Action Not Matched; More?; Yes/No; Drop; Drop Packe.]
15.2.4 Generic Filter Rule. This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
Table 15-4 Generic Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS). Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set.
Table 15-4 Generic Filter Rule Menu Fields (FIELD / DESCRIPTION / OPTIONS). Drop. Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [ENTER] at the message "Press ENTER to Confirm" to save your configuration, or press [ESC] to cancel.
Step 3. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 4. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set. Figure 15-13 Example Filter Rules Summary — Menu 21.
15.4 Filter Types and NAT. There are two classes of filter rules, Generic Filter (Device) rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN.
15.6 Applying a Filter and Factory Defaults. This section shows you where to apply the filter(s) after you design it (them).
numbers separated by commas. The factory default filter set, NetBIOS_WAN, can be applied in menu 11.5 to block local NetBIOS traffic from triggering calls to the ISP (when you are using PPPoE or PPTP encapsulation only).
Chapter 16 SNMP Configuration. This chapter discusses SNMP for network management and monitoring. 16.1 About SNMP. SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices.
Figure 16-1 SNMP Management Model. An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL).
Table 16-1 General SNMP Commands (COMMAND / DESCRIPTION). Get: Allows the manager to retrieve an object variable from the agent. GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent.
Figure 16-2 Menu 22 — SNMP Configuration. The following table describes the SNMP configuration parameters.
Table 16-3 SNMP Traps (TRAP # / TRAP NAME / DESCRIPTION). 0: coldStart (defined in RFC-1215): A trap is sent after booting (power on). 1: warmStart (defined in RFC-1215): A trap is sent after booting (software reboot).
Chapter 17 System Information & Diagnosis. This chapter covers SMT menus 24.1 to 24.4, the diagnostic tools that help you to maintain your ZyWALL.
Step 2. In this menu, enter 1 to open System Maintenance - Status. Step 3. There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.
Table 17-1 System Maintenance — Status Menu Fields (FIELD / DESCRIPTION). Cols: The number of collisions on this port. Tx B/s: Shows the transmission speed in bytes per second on this port.
Figure 17-3 Menu 24.2 — System Information and Console Port Speed. 17.2.1 System Information. System Information gives you information about your system as shown below.
Table 17-2 Fields in System Maintenance — Information (FIELD / DESCRIPTION). IP Address: This is the IP address of the ZyWALL in dotted decimal notation. IP Mask: This shows the IP mask of the ZyWALL.
Step 1. Select option 24 from the main menu to open Menu 24 - System Maintenance. Step 2. From menu 24, select option 3 to open Menu 24.3 - System Maintenance - Log and Trace.
17.3.2 UNIX Syslog. The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.
Table 17-3 System Maintenance Menu Syslog Parameters (PARAMETER / DESCRIPTION). Filter log: No filters are logged when this field is set to No. Filters with the individual filter Log Filter field set to Yes (Menu 21.
Data: We will send forty-eight Hex characters to the server. Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500003c 10010000 1f010004 c0a86614 ca849a7b 08004a5c 02000100 61626364 65666768 696a6b6c 6d6e6f70 71727374 Jul 19 11:28:56 192.
4. PPP log. PPP Log Message Format: sdcmdSyslogSend(SYSLOG_PPPLOG, SYSLOG_NOTICE, String); String = ppp:Proto Starting.
Figure 17-9 Call-Triggering Packet Example. 17.4 Diagnostic. The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly.
Figure 17-10 Menu 24.4 — System Maintenance — Diagnostic. Follow the procedure below to get to Menu 24.4 - System Maintenance - Diagnostic. Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance.
Figure 17-11 WAN & LAN DHCP. The following table describes the diagnostic tests available in menu 24.
Chapter 18 Firmware and Configuration Maintenance. This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.
you have uploaded the correct firmware version. The AT command is the command you enter after you press "y" when prompted in the SMT menu to go into debug mode.
Figure 18-1 Telnet in Menu 24.5. 18.2.2 Using the FTP Command from the Command Line. Step 1. Launch the FTP client on your computer. Step 2. Enter "open", followed by a space and the IP address of your ZyWALL.
Figure 18-2 FTP Session Example. 18.2.4 GUI-Based FTP Clients. The following table describes some of the commands that you may see in GUI-based FTP clients.
• There is an SMT console session running. • The firewall is active. The default firewall policies block all traffic from the WAN, so to enable TFTP over the WAN, you must turn the firewall off (menu 21.
TFTP [-i] host get rom-0 config.rom, where "i" specifies binary image transfer mode (use this mode when.
Step 2. The following screen indicates that the Xmodem download has started.
FTP is the preferred method for restoring your current computer configuration to your ZyWALL since it is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.
Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the default is "1234"). Step 5. Enter "bin" to set transfer mode to binary.
Figure 18-10 System Maintenance — Starting Xmodem Download Screen. Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen.
WARNING! DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR ZYWALL. 18.4.1 Firmware File Upload. FTP is the preferred method for uploading the firmware and configuration.
Figure 18-14 Telnet Into Menu 24.7.2 — System Maintenance. To upload the firmware and the configuration file, follow these examples. 18.4.3 FTP File Upload Command from the Command Line Example. Step 1.
18.4.4 FTP Session Example of Firmware File Upload. Figure 18-15 FTP Session Example of Firmware File Upload. More commands (found in GUI-based FTP clients) are listed earlier in this chapter.
Step 5. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer.
Figure 18-16 Menu 24.7.1 as seen using the Console Port. Step 2. After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer.
18.4.10 Uploading a Configuration File Via Console Port. Step 1. Select 2 from Menu 24.7 - System Maintenance - Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File.
Figure 18-19 Example Xmodem Upload. After the configuration upload process has completed, restart the ZyWALL by entering "atgo". Type the configuration file's location, or click Browse to search for it.
Chapter 19 System Maintenance & Information. This chapter leads you through SMT menus 24.8 to 24.11. 19.1 Command Interpreter Mode. The Command Interpreter (CI) is a part of the main system firmware.
Figure 19-2 Valid Commands. 19.2 Call Control Support. The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.
Figure 19-4 Budget Management. The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
19.2.2 Call History. This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.
19.3 Time and Date Setting. The ZyWALL has a Real Time Chip (RTC) that keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL.
Figure 19-7 Menu 24.10 System Maintenance — Time and Date Setting. Table 19-3 Time and Date Setting Fields (FIELD / DESCRIPTION). Enter the time service protocol that your time server sends when you turn on the ZyWALL.
Table 19-3 Time and Date Setting Fields (FIELD / DESCRIPTION). Daylight Saving: If you use daylight savings time, then choose Yes. Start Date: If using daylight savings time, enter the month and day that it starts on.
Chapter 20 Remote Management. This chapter covers remote management found in SMT menu 24.11. 20.1 Telnet. The only way to configure the ZyWALL for remote management is through an SMT session using the console port.
20.3 Web. You can use the ZyWALL's embedded web configurator for configuration and file management. See the Using the ZyWALL Web Configurator chapter for an introduction to the web configurator.
Table 20-1 Menu 24.11 - Remote Management Control (FIELD / DESCRIPTION / EXAMPLE). TELNET Server, FTP Server, Web Server: These read-only labels denote the kind of server that you may remotely manage.
6. There is a web remote management session running with a Telnet session. A Telnet session will be disconnected if you begin a web session; it will not begin if there already is a web session.
Part V: Call Scheduling and VPN/IPSec

Part V provides information about Call Scheduling and VPN/IPSec.
Chapter 21 Call Scheduling

Call scheduling allows you to dictate when a remote node should be called and for how long.

21.1 Introduction
The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. You can design up to twelve schedule sets but you can only apply up to four schedule sets for a remote node. To delete a schedule set, enter the set number and press [SPACE BAR] or [DELETE] in the Edit Name field.

Table 21-1 Schedule Set Setup Fields
FIELD: DESCRIPTION (OPTION)
How Often: Should this schedule set recur weekly or be used just once only? Press [SPACE BAR] to toggle between Once and Weekly.

Figure 21-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
You can apply up to 4 schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s).
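The following is an added example, not code from the ZyWALL or its User's Guide. It evaluates a list of schedule sets for a remote node the way the text above describes: each set is either Once or Weekly, has a start date, and at most four sets may be applied to one node. The remaining details (a start time, a duration, the action a matching set enforces, and first-match precedence among the applied sets) are assumptions made for this example, as are the sample sets and times.

```python
"""Evaluate call schedule sets for a remote node (added example, not ZyWALL code)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

MAX_SETS_PER_NODE = 4          # stated in the guide: up to four sets per remote node
DEFAULT_ACTION = "Dial-On-Demand"   # assumed behaviour when no set is active


@dataclass
class ScheduleSet:
    how_often: str        # "Once" or "Weekly" (the guide's two options)
    start: datetime       # Once: the exact start; Weekly: weekday and time are taken from it
    duration: timedelta   # assumed field: how long the set stays in force
    action: str           # assumed field: what to do while the set is active
    start_date: date      # the guide's Start Date: the set is ignored before this day

    def window_start(self, now: datetime) -> datetime:
        if self.how_often == "Once":
            return self.start
        # Weekly: most recent occurrence of start.weekday() at start.time()
        days_back = (now.weekday() - self.start.weekday()) % 7
        candidate = datetime.combine(now.date() - timedelta(days=days_back),
                                     self.start.time())
        if candidate > now:            # that weekday's slot is still ahead today
            candidate -= timedelta(days=7)
        return candidate

    def active_at(self, now: datetime) -> bool:
        if now.date() < self.start_date:
            return False
        begin = self.window_start(now)
        return begin <= now < begin + self.duration


def effective_action(sets, now: datetime) -> str:
    """First active set wins (assumed precedence); otherwise the default."""
    if len(sets) > MAX_SETS_PER_NODE:
        raise ValueError("at most four schedule sets may be applied to a remote node")
    for s in sets:
        if s.active_at(now):
            return s.action
    return DEFAULT_ACTION


def action_at(sets, when: str) -> str:
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return effective_action(sets, datetime.fromisoformat(when))


def sample_sets():
    """Two constructed sets: office hours every Monday, and a one-off night window."""
    return [
        ScheduleSet("Weekly", datetime(2001, 11, 19, 9, 0), timedelta(hours=8),
                    "Forced On", date(2001, 11, 1)),
        ScheduleSet("Once", datetime(2001, 11, 20, 22, 0), timedelta(hours=2),
                    "Forced Down", date(2001, 11, 1)),
    ]


if __name__ == "__main__":
    for when in ("2001-11-19T10:00", "2001-11-19T18:00", "2001-11-20T23:00",
                 "2001-11-27T23:00"):
        print(when, "->", action_at(sample_sets(), when))
```

The weekly set matches again the following Monday while the Once set does not recur, and any set is ignored before its start date; the limit of four applied sets is enforced rather than silently truncated.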
Chapter 22 Introduction to IPSec

This chapter introduces the basics of IPSec VPNs.

22.1 Introduction

22.1.1 VPN
A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.

Figure 22-1 Encryption and Decryption
Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.

Figure 22-2 VPN Application

22.2 IPSec Architecture
The overall IPSec architecture is shown as follows.

Figure 22-3 IPSec Architecture

22.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (…

22.3 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.

A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. Because the AH integrity check value covers the IP source and destination addresses, every AH-protected packet that crosses such a NAT fails verification at the receiver. ESP does not authenticate the outer IP header, so an address rewrite by itself does not break ESP tunnel mode, although the NAT still has to forward the ESP packets (IP protocol 50) to the right host.
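To make the NAT point concrete, here is an added example (not code from the ZyWALL or the guide). It builds a minimal IPv4 packet carrying an AH header (RFC 2402) with HMAC-MD5-96, one of the two AH algorithms this product offers, then passes it through a hop that only decrements the TTL and through a NAT that also rewrites the source address. The ICV is computed over the IP header with its mutable fields zeroed, so the first still verifies and the second does not. Key, addresses and payload are constructed sample values.

```python
"""IPv4 + AH with HMAC-MD5-96: a plain router keeps the ICV valid, a NAT breaks it."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
ICV_LEN = 12         # HMAC-MD5-96: first 96 bits of the HMAC-MD5 output
AH_FIXED_LEN = 12    # next header, payload len, reserved, SPI, sequence number
IP_FMT = "!BBHHHBBH4s4s"


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, AH_PROTO, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402 section 2.2)
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def _icv_input(ip_hdr: bytes, ah: bytes, payload: bytes) -> bytes:
    """Bytes the ICV covers: mutable IP fields and the ICV field itself zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    a = bytearray(ah)
    a[AH_FIXED_LEN:] = bytes(len(a) - AH_FIXED_LEN)
    return bytes(h) + bytes(a) + payload


def _icv(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(src, dst, payload, key, spi=0x100, seq=1, next_hdr=17):
    ip_hdr = ipv4_header(src, dst, AH_FIXED_LEN + ICV_LEN + len(payload))
    unsigned = ah_header(next_hdr, spi, seq, bytes(ICV_LEN))
    icv = _icv(_icv_input(ip_hdr, unsigned, payload), key)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload


def verify_ah(packet: bytes, key: bytes) -> bool:
    ip_hdr, rest = packet[:20], packet[20:]
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    expected = _icv(_icv_input(ip_hdr, ah, payload), key)
    return hmac.compare_digest(expected, ah[AH_FIXED_LEN:])


def _rewrite_header(packet: bytes, **changes) -> bytes:
    """Re-pack the IPv4 header with changed fields and a fresh checksum."""
    f = list(struct.unpack(IP_FMT, packet[:20]))
    if "ttl" in changes:
        f[5] = changes["ttl"]
    if "src" in changes:
        f[8] = ipaddress.IPv4Address(changes["src"]).packed
    f[7] = 0
    f[7] = ip_checksum(struct.pack(IP_FMT, *f))
    return struct.pack(IP_FMT, *f) + packet[20:]


def plain_router(packet: bytes) -> bytes:
    """An ordinary hop: decrement TTL, recompute the checksum, touch nothing else."""
    return _rewrite_header(packet, ttl=packet[8] - 1)


def nat_device(packet: bytes, public_src: str) -> bytes:
    """A source NAT: same as a router, but the source address is rewritten."""
    return _rewrite_header(packet, ttl=packet[8] - 1, src=public_src)


if __name__ == "__main__":
    key = bytes(range(16))     # constructed 128-bit HMAC-MD5 key
    pkt = build_ah_packet("192.168.1.10", "203.0.113.5", b"constructed payload", key)
    print("direct     :", verify_ah(pkt, key))
    print("via router :", verify_ah(plain_router(pkt), key))
    print("via NAT    :", verify_ah(nat_device(pkt, "198.51.100.7"), key))
```

The same failure occurs whether the NAT is on the initiator's or the responder's side; the only fix within what this firmware offers is to use ESP instead of AH for any tunnel whose path crosses a NAT.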
Chapter 23 VPN/IPSec Setup

This chapter introduces the VPN SMT menus.

23.1 VPN/IPSec Setup
The VPN/IPSec main SMT menu has three main submenus.

Figure 23-2 Menu 27 — VPN/IPSec Setup

23.2 IPSec Algorithms
The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols.

Table 23-1 AH and ESP
ESP: Select DES for minimal security and 3DES for maximum. DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key.
AH: Select MD5 for minimal security and SHA-1 for maximum security.

Read "minimal security" literally: single DES has a 56-bit key and has been brute-forced with purpose-built hardware since 1998, and MD5 is deprecated for new designs. Of the choices this firmware offers, 3DES with SHA-1 is the only pairing worth deploying, even though it is not the default.

My IP Addr is the (initiator) ZyWALL WAN IP address. If this field is configured as 0.0.0.0, then the ZyWALL will use the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.

Figure 23-5 HQ ZyWALL Configuration
The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key negotiation and not Manual key negotiation. A ZyWALL with Secure Gateway IP Address set to 0.0.0.0 …

Table 23-3 Menu 27.1 — IPSec Summary
FIELD: DESCRIPTION (EXAMPLE)
#: This is the VPN policy index number. (1)
Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here.
… commands. Select None and then press [ENTER] to go to the "Press ENTER to Confirm…" prompt. Use Edit to create or edit a rule.

Figure 23-7 Menu 27.1.1 — IPSec Setup

Table 23-4 Menu 27.1.1 — IPSec Setup
FIELD: DESCRIPTION (EXAMPLE)
Index: This is the VPN rule index number you selected in the previous menu. (1)
Name: Enter a unique identification name for this VPN rule.
Secure Gateway IP Addr: This is the WAN IP address of the IPSec router with which you're making the VPN connection. If the peer has a dynamic WAN IP address, set this field to 0.0.0.0 …
Replay Detection: Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to enable replay detection.
Key Management: Press [SPACE BAR] to choose either IKE or Manual and then press [ENTER].
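What the Replay Detection field switches on is the receiver-side sliding window from RFC 2401 Appendix C. The following is an added example (not ZyWALL code) implementing that window: the receiver remembers the highest sequence number accepted and a 64-bit map of which of the most recent numbers it has already seen, so a repeated number, or one that has fallen behind the window, is dropped before any decryption or ICV work is spent on it. The sequence-number stream at the bottom is constructed.

```python
"""IPSec anti-replay sliding window (RFC 2401 Appendix C), added example."""

WINDOW = 64                  # minimum window size the RFC requires a receiver to support
MASK = (1 << WINDOW) - 1


class AntiReplayWindow:
    def __init__(self):
        self.last_seq = 0    # highest sequence number accepted so far
        self.bitmap = 0      # bit i set  =>  sequence number (last_seq - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False                     # counters start at 1; 0 is never valid
        if seq > self.last_seq:              # new high-water mark: slide the window
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & MASK if shift < WINDOW else 1
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= WINDOW:
            return False                     # older than anything we remember: drop
        bit = 1 << offset
        if self.bitmap & bit:
            return False                     # already accepted once: a replay
        self.bitmap |= bit                   # late but genuine: accept and remember
        return True


def filter_sequence(seqs):
    """Run a stream of sequence numbers through one window; return the verdicts."""
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # constructed stream: in order, a replay of 3, a jump to 100, a stale 30, a late 40, its replay
    stream = [1, 2, 3, 4, 5, 3, 100, 30, 40, 40]
    for s, ok in zip(stream, filter_sequence(stream)):
        print(f"seq {s:>3}: {'accept' if ok else 'DROP'}")
```

The window is kept per SA, and it is only meaningful while the sender's counter never repeats under the same key. With manual keying the counter restarts from zero whenever the device reboots while the key stays the same, which is why the IPSec RFCs tie the anti-replay service to automated (IKE) keying and require a new SA before the 32-bit counter wraps.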
Figure 23-8 Two Phases to set up the IPSec SA
In phase 1 you must: choose a negotiation mode; authenticate the connection by e…

Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection: the peers exchange their identities before an encrypted channel exists, so those identities are visible to anyone on the path. Use Main Mode unless the peer cannot support it.

Figure 23-9 Menu 27.1.1.1 — IKE Setup

Table 23-5 Menu 27.1.1.1 — IKE Setup
FIELD: DESCRIPTION (EXAMPLE)
Phase 1 Negotiation Mode: Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER].
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.

23.5 Manual Setup
You only configure Menu 27.1.1.2 – Manual Setup when you select Manual in the Key Management field in Menu 27.1.1 – IPSec Setup. Manual key management is useful if you have problems with IKE key management. Keep in mind that manually entered keys never change until someone types new ones at both ends, so treat Manual as a troubleshooting aid rather than a long-term configuration.

Figure 23-10 Menu 27.1.1.2 — Manual Setup

Table 23-7 Menu 27.1.1.2 — Manual Setup
FIELD: DESCRIPTION (EXAMPLE)
Active Protocol: Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER].
Authentication Algorithm: Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. (MD5)
Key: Enter the authentication key to be used by IPSec if applicable.
Chapter 24 SA Monitor

This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2.

24.1 Introduction
A Security Association (SA) is the group of security settings related to a specific VPN tunnel.

Table 24-1 Menu 27.2 — SA Monitor
FIELD: DESCRIPTION (EXAMPLE)
Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address.

Chapter 25 IPSec Log

This chapter interprets common IPSec log messages. To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log message are displayed. Double exclamation marks (!!) denote an error or warning message.

Table 25-1 Sample IKE Key Exchange Logs
LOG MESSAGE: DESCRIPTION
!! Local / remote IPs of incoming request conflict with rule <#d>: If the security gateway is "0.0.0.0", the ZyWALL will use the peer's "Local Addr" as its "Remote Addr". …

Table 25-2 Sample IPSec Logs During Packet Transmission
LOG MESSAGE: DESCRIPTION
!! Inbound packet decryption failed: The decryption configuration settings are incorrect.
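Since the log is the main troubleshooting tool for a tunnel that will not come up, here is an added example (not ZyWALL code) that turns a pasted copy of Menu 27.3 into structured records and counts the "!!" entries. The guide only states that each entry carries an index number, a date and time, and a message; the exact column layout in the regular expression and the sample lines are constructed for this example (the "!!" messages are the ones quoted in Tables 25-1 and 25-2, the first line is a placeholder), so adjust the pattern to what your unit actually prints.

```python
"""Parse and triage a ZyWALL IPSec/IKE log paste (added example, layout assumed)."""
import re
from collections import Counter

# Assumed layout: "<index> <mm/dd/yyyy> <hh:mm:ss> <message>"
LINE_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+"
    r"(?P<timestamp>\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<message>.*\S)\s*$"
)
RULE_RE = re.compile(r"\brule\s+(\d+)", re.IGNORECASE)

# Constructed sample. Line 001 is a placeholder, not ZyNOS message text;
# lines 002-004 use the messages the guide lists in Tables 25-1 and 25-2.
SAMPLE_LOG = """\
001 11/20/2001 10:02:13 Rule 1 phase 1 negotiation started
002 11/20/2001 10:02:15 !! Local / remote IPs of incoming request conflict with rule 2
003 11/20/2001 10:02:40 !! Inbound packet decryption failed
004 11/20/2001 10:02:41 !! Inbound packet decryption failed
"""


def parse_ipsec_log(text: str):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["message"]
        is_error = msg.startswith("!!")       # the guide's error/warning marker
        rule = RULE_RE.search(msg)
        entries.append({
            "index": int(m["index"]),
            "timestamp": m["timestamp"],
            "error": is_error,
            "message": msg[2:].strip() if is_error else msg,
            "rule": int(rule.group(1)) if rule else None,
        })
    return entries


def summarize_errors(entries) -> Counter:
    """Count each distinct '!!' message so a repeating failure stands out."""
    return Counter(e["message"] for e in entries if e["error"])


def rules_with_errors(entries):
    """Sorted VPN rule numbers that appear in any error message."""
    return sorted({e["rule"] for e in entries if e["error"] and e["rule"] is not None})


if __name__ == "__main__":
    parsed = parse_ipsec_log(SAMPLE_LOG)
    for message, count in summarize_errors(parsed).most_common():
        print(f"{count:>3}  {message}")
    print("rules named in errors:", rules_with_errors(parsed))
```

A repeated "Inbound packet decryption failed" with no IKE error before it is the signature of mismatched manual keys or algorithms, since IKE would have refused to build the SA in the first place; the rule number pulled out of the address-conflict message tells you which Menu 27.1 entry to open.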
Part VI: Troubleshooting, Appendices and Index

This part provides Troubleshooting, followed by some Appendices and an Index.

Chapter 26 Troubleshooting

This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem.

26.2 Problems with the LAN Interface
Table 26-2 Troubleshooting the LAN Interface
PROBLEM: CORRECTIVE ACTION
(LAN link): Check the 10M/100M LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your ZyWALL and hub or the station.

Table 26-3 Troubleshooting the WAN Interface
PROBLEM: CORRECTIVE ACTION
Can't connect to a remote node or ISP: Check menu 24.1 to verify the line status. If it indicates Down, then refer to the section on the line problems.

Table 26-6 Troubleshooting Remote Management
PROBLEM: CORRECTIVE ACTION
(cannot manage remotely): Refer to the Remote Management Limitations section for scenarios when remote management may not be possible. When NAT is enabled, use the ZyWALL's WAN IP address when configuring from the WAN.
Appendix A The Big Picture

The following figure gives an overview of how filtering, the firewall, VPN and NAT are related.
Appendix B PPPoE

PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) that connects to a xDSL Access Concentrator where the PPP session terminates (see the next figure).

How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).

Appendix C PPTP

What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco's Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.

PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header. PPTP uses the enhanced GRE header defined in RFC 2637 (protocol type 0x880B), which adds the Call ID, a sequence number and an acknowledgment number to the basic GRE format. A firewall or NAT that is to pass PPTP therefore has to forward IP protocol 47 alongside the TCP port 1723 control connection, and a NAT must track Call IDs to map several inside clients onto one address.
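The following is an added example (not ZyWALL code) that builds and parses the enhanced GRE header PPTP uses, as laid out in RFC 2637 section 4.1, and demultiplexes a batch of frames by Call ID, which is what any PPTP-aware NAT or firewall has to do. The frames and payloads are constructed; the four-byte PPP prefix in them (address, control, protocol) is only illustrative.

```python
"""Enhanced GRE (RFC 2637) for PPTP: build, parse, demultiplex by Call ID."""
import struct

PPTP_PROTO_TYPE = 0x880B   # protocol type for PPP in enhanced GRE
FLAG_K = 0x20              # first byte: Key field present (always set for PPTP)
FLAG_S = 0x10              # first byte: Sequence Number present (payload frames)
FLAG_A = 0x80              # second byte: Acknowledgment Number present
VER_MASK = 0x07            # second byte low bits: version, must be 1
FIXED_FMT = "!BBHHH"       # flags1, flags2, protocol type, payload length, call ID


def build_pptp_gre(call_id: int, payload: bytes = b"", seq=None, ack=None) -> bytes:
    flags1 = FLAG_K | (FLAG_S if seq is not None else 0)
    flags2 = 1 | (FLAG_A if ack is not None else 0)
    hdr = struct.pack(FIXED_FMT, flags1, flags2, PPTP_PROTO_TYPE, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(data: bytes) -> dict:
    """Return call_id, seq, ack and payload; raise ValueError if not PPTP GRE."""
    if len(data) < 8:
        raise ValueError("frame shorter than the fixed GRE header")
    flags1, flags2, proto, length, call_id = struct.unpack(FIXED_FMT, data[:8])
    if proto != PPTP_PROTO_TYPE or (flags2 & VER_MASK) != 1 or not flags1 & FLAG_K:
        raise ValueError("not an enhanced GRE/PPTP frame")
    off, seq, ack = 8, None, None
    if flags1 & FLAG_S:
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags2 & FLAG_A:
        ack = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    payload = data[off:off + length]
    if len(payload) != length:
        raise ValueError("payload length field exceeds the captured frame")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def demux_calls(frames) -> dict:
    """Group PPP payloads by Call ID, the key a PPTP NAT/firewall must track."""
    calls = {}
    for frame in frames:
        p = parse_pptp_gre(frame)
        calls.setdefault(p["call_id"], []).append(p["payload"])
    return calls


if __name__ == "__main__":
    ppp_ip = b"\xff\x03\x00\x21"   # constructed PPP prefix: HDLC addr/ctrl, protocol IP
    frames = [
        build_pptp_gre(7, ppp_ip + b"call7-pkt1", seq=1),
        build_pptp_gre(9, ppp_ip + b"call9-pkt1", seq=1),
        build_pptp_gre(7, ppp_ip + b"call7-pkt2", seq=2, ack=1),
        build_pptp_gre(9, b"", ack=1),           # acknowledgment-only frame
    ]
    for call_id, payloads in sorted(demux_calls(frames).items()):
        print(f"call {call_id}: {len(payloads)} frame(s)")
```

Because the Call ID, not a port number, is the only per-call identifier inside GRE, a NAT that rewrites addresses without also rewriting and tracking Call IDs will merge or misroute concurrent PPTP sessions from different inside hosts.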
Appendix D Hardware Specifications

Power Specification: I/P AC 120 V / 60 Hz; O/P DC 12 V, 1200 mA
MTBF: 100000 hrs
Operation Temperature: …

Appendix E Important Safety Instructions

The following safety instructions apply to the ZyWALL.
1. Be sure to read and follow all warning notices and instructions.
2. The maximum recommended ambient temperature for the ZyWALL is 40º Celsius (104º Fahrenheit).
• Never install telephone jacks in wet locations unless the jack is specially designed for wet locations.
• Never touch uninsulated telephone wires or terminals unless the telephone line has been disconnected at the network interface.

Appendix F Boot Commands

The BootModule AT commands execute from within the router's bootup software, when debug mode is selected before the main system firmware (ZyNOS) is started. Because debug mode is reached from the console before ZyNOS and its password check have loaded, anyone with physical access to the console port at boot time controls the device; keep the unit and its console cable in a secured location.

Diagram 8 Boot Module Commands
======= Debug Command Listing =======
AT       just answer OK
ATHE     print help
ATBAx    change baudrate
Appendix G Firewall CLI Commands

The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select Menu 24.8 - Command Interpreter Mode from the main menu to go into CLI mode.

FUNCTION / CLI SYNTAX / DESCRIPTION

E-mail
config edit firewall e-mail email-to <e-mail address>
Edits the mail address which you want to send the alert to.

Attack
config edit firewall attack tcp-max-incomplete <0-255>
The threshold to start executing the block field.

Sets
config edit firewall set <set #> name <desired name>
Edits the name for a specified set.

Rules
config edit firewall set <set #> rule <rule #> alert <yes | no>
… DoS attack occurs or there is a violation of any alert settings. In case of such instances, the function will send an e-mail to the SMTP destination address and log an alert.

config edit firewall set <set #> rule <rule #> UDP destport-single <port #>
Selects and edits the destination port of the traffic which complies with this rule.
Appendix H Power Adapter Specifications

AC Power Adapter Specifications
North America: AC Power Adapter model AD48-1201200DUY; Input power: AC 120 V / 60 Hz / 0.25 A; Output power: DC 12 V / 1.…
Plug: European Union standards; Safety standards: TUV, CE (EN 60950)
UK: AC Power Adapter model AD-1201200DK; Input power: AC 230 V / 50 Hz / 0.…
Index (excerpt)

A
Action for Matched Packets 10-11
Activate The Firewall 13-3
Alert Schedule 9-5
Application-level Firewalls …

D
… Types 7-4
DoS (Denial of Service) 1-1
Dynamic DNS 4-1

E
E-mail Log Example …

I
IGMP (Internet Group Multicast Protocol) 5-4
Initial Screen 3-1
Installation Requirements 2-5
Internet Access Setup …

P
PPTP Encapsulation 1-2, 6-2, 4-5, 4-8
Private 5-3, 5-4, 4-8, 4-10
Private IP Addresses 5-3

R
Read Me First …

T
TCP Maximum Incomplete 9-8, 9-9, 9-11
TCP Security 7-10
TCP/IP 5-1, 5-2, 5-5, 5-7, 4-7, 4-10, 7-3, 7-4, 15-7, 15-8, 15-10, 15-13, 15-17, 20-1
TCP/IP filter rule …