User Guide
Page 13
... 256
14.2.1 The VPN Rules (IKE) Gateway Policy Edit Screen 257
14.2.2 The VPN Rules (IKE) Network Policy Edit Screen 263
14.2.3 The Network Policy Port Forwarding Screen 268
14.2.4 The Network Policy Move Screen 270
14.3 The VPN Rules (Manual) Screen 271
14.3.1 The VPN Rules (Manual) Edit Screen 272
14....4 The SA Monitor Screen 275
14.5 The Global Setting Screen 275
14.5.1 Configuring the Global Setting Screen 277
14.6 Telecommuter VPN/IPSec Examples 278
ZyWALL 2 Plus User's Guide 13
User Guide
Page 15
... Overview Screen 332
17.3 The Address Mapping Screen 334
17.3.1 The Address Mapping Edit Screen 335
17.4 The Port Forwarding Screen 336
17.4.1 Configuring Servers Behind Port Forwarding (Example 337
17.4.2 Configuring the Port Forwarding Screen 338
17.5 The Port Triggering Screen 340
17.6 NAT Technical Reference 341
Chapter 18 Static Route Screens 347
18.1 Overview 347
... 365
20.1.1 What You Can Do in the DNS Screens 365
20.1.2 What You Need To Know About DNS 365
20.2 The System Screen 367
User Guide
Page 20
... Public IP Addresses With Inside Servers 532
36.4.4 Example 4: NAT Unfriendly Application Programs 536
36.5 Trigger Port Forwarding 537
36.5.1 Two Points To Remember About Trigger Ports 537
Chapter 37 Introducing the ZyWALL Firewall 539
37.1 Using ZyWALL SMT Menus 539
37.1.1 Activating the Firewall 539
Chapter 38 Filter Configuration 541
38.1 Introduction to Filters ...
38.6.2 Applying DMZ Filters 554
38.6.3 Applying Remote Node Filters 555
Chapter 39 SNMP Configuration 557
39.1 SNMP Configuration 557
39.2 SNMP Traps 558
User Guide
Page 26
... FTP Traffic to a Local Computer 104
Figure 57 Tutorial Example: NAT Address Mapping Edit: Server 104
Figure 58 Tutorial Example: NAT Port Forwarding 105
Figure 59 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer 105
Figure 60 Tutorial Example: Firewall Default Rule 106
Figure 61 Tutorial Example: Firewall Rule: WAN to LAN ...
... 119
Figure 79 SECURITY > CONTENT FILTER > Policy 120
Figure 80 SECURITY > CONTENT FILTER > Policy > External Database (Default 120
Figure 81 HOME > DHCP Table 121
User Guide
Page 29
...) > Edit Gateway Policy 258
Figure 173 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy 264
Figure 174 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding 269
Figure 175 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy 270
Figure 176 SECURITY > VPN > VPN Rules (Manual 271
Figure 177 SECURITY > VPN > VPN ...
... 316
Figure 208 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import 318
Figure 209 SECURITY > CERTIFICATES > Directory Servers 319
Figure 210 SECURITY > CERTIFICATES > Directory Server > Add 320
User Guide
Page 30
...
Figure 217 Port Translation Example 338
Figure 218 ADVANCED > NAT > Port Forwarding 339
Figure 219 Trigger Port Forwarding Process: Example 340
Figure 220 ADVANCED > NAT > Port Triggering 341
Figure... 221 How NAT Works 343
Figure 222 NAT Application With IP Alias 344
Figure 223 Port ...
... 245 Replace Certificate 382
Figure 246 Device-specific Certificate 382
Figure 247 Common ZyWALL Certificate 382
Figure 248 SSH Example 1: Store Host Key 383
Figure 249 SSH ...
User Guide
Page 38
... > WLAN > Static DHCP 188
Table 44 NETWORK > WLAN > IP Alias 189
Table 45 NETWORK > WLAN > Port Roles 192
Table 46 Blocking All LAN to WAN IRC Traffic Example 197
Table 47 Limited LAN to WAN IRC Traffic ...
... > VPN > VPN Rules (IKE) > Edit Network Policy 265
Table 67 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding 269
Table 68 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy 270
Table 69 SECURITY > VPN > VPN Rules (Manual 271
... My Certificates > Import 304
Table 81 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 304
User Guide
Page 39
... Overview 333
Table 95 ADVANCED > NAT > Address Mapping 334
Table 96 ADVANCED > NAT > Address Mapping > Edit 336
Table 97 ADVANCED > NAT > Port Forwarding 339
Table 98 ADVANCED > NAT > Port Triggering 341
Table 99 ADVANCED > STATIC ROUTE > IP Static Route 348
Table 100 ADVANCED > STATIC ROUTE > IP Static Route > Edit 349
Table ...
... 393
Table 119 ADVANCED > REMOTE MGMT > DNS 394
Table 120 ADVANCED > REMOTE MGMT > CNM 395
Table 121 ADVANCED > UPnP 404
Table 122 ADVANCED > UPnP > Ports 405
Table 123 ADVANCED > Custom APP 408
Table 124 ADVANCED > ALG 412
User Guide
Page 45
... bandwidth management, NAT, port forwarding, DHCP server and many other powerful features. You can do with your ZyWALL. 1.2.1 Secure Broadband Internet Access via Cable or DSL Modem For Internet access, connect the WAN Ethernet port to your existing Internet access gateway (company network, or ... an access point (AP) to DMZ. You can also deploy the ZyWALL as well. The ZyWALL's De-Militarized Zone (DMZ) increases LAN security by providing separate ports for the ZyWALL Here are some examples of features. 1.2 Applications for connecting publicly accessible ...
User Guide
Page 61
... and name server records. TELNET Use this screen to configure through the ZyWALL. ADVANCED NAT NAT Overview Use this screen to configure servers behind the ZyWALL. Port Forwarding Use this screen to enable NAT. Port Triggering Use this screen to enable UPnP on an interface. REMOTE MGMT...(s) and from which IP address(es) users can send DNS queries to the ZyWALL. SSH Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Chapter 2 Introducing the Web Configurator Table 6 Screens Summary (continued) LINK TAB...
User Guide
Page 95
...Tutorials 4.2 Using NAT with Static Public IP Addresses To set up this example. • Assign the first public address (1.2.3.4) to the ZyWALL's WAN port. • Map the second and third public IP addresses (1.2.3.5 and 1.2.3.6) to the web and mail servers (192.168.1.12 and 192... address (1.2.3.4). 2 Configure NAT address mapping for future use. Public IP Addresses ZyWALL's LAN IP Address 1.2.3.4 to 1.2.3.7 192.168.1.1 The following table shows the public IP addresses from the WAN to forward FTP traffic from your ISP and your local network. Figure ...
User Guide
Page 103
In this example, you want to forward FTP traffic using port 21 to a specific computer on page 105 for more information. 4.2.4 Forwarding Traffic from the WAN to another internal server when you expand your local network, you must also create a ... from the WAN to a Local Computer A server NAT address mapping rule allows computers behind the NAT be forwarded through the ZyXEL Device, you should also create a port forwarding (server mapping) rule. Refer to Section 4.2.5 on your network. Chapter 4 Tutorials 10 After the configurations, the...
User Guide
Page 104
Chapter 4 Tutorials
Figure 56 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer
1 Click ADVANCED > NAT > Address Mapping.
2 Click the fourth rule's Edit icon to configure a server rule.
Figure 57 Tutorial Example: NAT Address Mapping Edit: Server
3 Click the Port Forwarding tab.
4 Select the Active check box, enter a descriptive name (FTP for example), incoming port number (21) and 192.168.1.39 as the server IP address. Click Apply.
User Guide
Page 105
Figure 58 Tutorial Example: NAT Port Forwarding
Chapter 4 Tutorials
4.2.5 Allow WAN-to-LAN Traffic through the Firewall
By default, the ZyWALL blocks any traffic initiated from the WAN to the LAN is enabled and traffic from the WAN to allow traffic from the WAN to the ...following servers on the LAN, you create the firewall rules to allow it. To have the ZyWALL forward traffic initiated from the WAN to a local computer or server on the LAN:
• Web server
• Mail server
• FTP server
Figure 59 ...
User Guide
Page 112
In this example, you cannot access the FTP server, make sure the NAT port forwarding rule is active and there is in the same subnet as shown. If you have four static IP addresses (1.2.3.4 to 1.2.3.7) from the outside network to other outgoing LAN traffic. See Section 4.2.3 on page 99 for...
User Guide
Page 207
... want to allow a WAN computer to manage the ZyWALL or restrict management from probing attempts. Configure this screen. You can specify which of the packets. Apply Cancel Note: You may also need to configure NAT port forwarding (or full featured NAT address mapping rules) if ... packet (for a TCP packet) or an ICMP destination-unreachable message (for unused ports. Select Permit to the sender. Click Cancel to exit this rule. Figure 134 SECURITY > FIREWALL > Anti-Probing Click Apply to save your customized settings and exit this screen ...
User Guide
Page 216
...the selected "from the LAN and going out through any of the ZyWALL's VPN tunnels. For example, you may create rules to: • Allow certain types of the ZyWALL's VPN tunnels. Note: You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow a WAN ...See Chapter 4 on page 87 for an example. • WAN to WAN By default the ZyWALL stops computers connected to the WAN from going out through any of the ZyWALL's VPN tunnels. For example, by default the From LAN To VPN default firewall rule allows traffic...
User Guide
Page 266
...-to-One or Many One-to-One in the Type field, enter the beginning (static) IP address in a range of computers on your ZyWALL. Two active SAs can use the VPN tunnel. Select Single Address for traffic going to -One in a range of IP addresses.... their subnet mask. Starting IP Address When the Address Type field is configured to a single virtual IP address. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in the Type field, enter the (static) IP address of the devices behind your LAN to Range Address, enter the ...
User Guide
Page 268
.... The IPSec receiver can detect and reject old or duplicate packets to the appropriate IP address on the LAN. Clear this screen to configure port forwarding for encryption. Apply Click Apply to encrypt and decrypt information. Chapter 14 IPSec VPN Screens Table 66 SECURITY > VPN... a 1024-bit random number DH5 - Then, under Virtual Address Mapping Rule, select Many-to-One as the Type and click the Port Forwarding Rules button to display the VPN-Network Policy -Edit screen. A short SA Life Time increases security by selecting this field. Perfect...
User Guide
Page 269
... it again in this field. Server IP Address Type your changes. Start Port Type a port number in this field. To forward only one port, type the port number again in the End Port field. Apply Click this button to begin configuring this screen afresh.... address in this screen. Table 67 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding LABEL DESCRIPTION Default Server In addition to activate the port forwarding server entry. If you do not assign a default server IP address, all packets received for identifying purposes. ...