User Guide
Page 24
...Port Speed ...636 43.6 DNS Overview ...636 43.6.1 DNS Server Address Assignment 637 43.6.2 Configuring the DNS Screen 637 43.6.3 Address Record ...640 43.6.4 PTR Record ...640 43.6.5 Adding an Address/PTR Record 640 43.6.6 Domain Zone Forwarder 641 43.6.7 Adding a Domain Zone Forwarder...43.7.7 HTTPS Example ...654 43.8 SSH ...661 43.8.1 How SSH Works ...662 43.8.2 SSH Implementation on the ZyWALL 663 43.8.3 Requirements for Using SSH 663 43.8.4 Configuring SSH ...663 43.8.5 Secure Telnet Using SSH Examples 665... 44.1.1 What You Can Do In this Chapter 679 24 ZyWALL USG 20/20W User's Guide
User Guide
Page 29
.... The DeMilitarized Zone (DMZ) increases LAN security by providing separate ports for your ZyWALL to be part of the ZyWALL's features. ZyWALL USG 20/20W User's Guide 29 It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to Peer (P2P) control, NAT, port forwarding, policy routing, DHCP server and many other powerful features...
User Guide
Page 37
...your own custom zones. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features. Virtual Private Networks (VPN) Use IPSec, SSL to change security settings in the ZyWALL. As a result, it is much simpler to set up and...to provide secure communication between these ports. • One or more 3G (cellular) connections. CHAPTER 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. You can add interfaces and VPN tunnels to zones. ZyWALL USG 20/20W User's Guide 37 High ...
User Guide
Page 49
... for users and groups. RIP Configure device-level RIP settings. ZyWALL USG 20/20W User's Guide 49 Static Route Create and manage IP static routing information. OSPF Configure device-level OSPF settings, including areas and virtual links. HTTP Redirect Set up and manage port forwarding rules. ALG Configure SIP, H.323, and FTP pass-through settings...
User Guide
Page 99
... time one of the FTP server. The ZyWALL does not check to-ZyWALL firewall rules for the original IP address. 6 In Mapping Type, select Port. 7 Enter 21 in through -ZyWALL) firewall rules. ZyWALL USG 20/20W User's Guide 99 The ZyWALL will receive the FTP packets. 5 In ...Configure this feature to have an FTP server with a private IP address connected to a DMZ port. You could configure a NAT rule to forwards FTP sessions from which you have the ZyWALL transparently forward HTTP (web) traffic to a proxy server. Chapter 6 Configuration Basics PREREQUISITES Interfaces, addresses (...
User Guide
Page 100
... groups, addresses (source, PREREQUISITES destination), address groups (source, destination), services, service groups Example: Suppose you forward to the proxy server. 6.5.11 ALG The ZyWALL's Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the LAN can access ...also specify additional signaling port numbers. MENU ITEM(S) Configuration > Auth. You can authenticate users (require them to log in a different screen. You can access the network. Policy Use authentication policies to control who can receive calls. 100 ZyWALL USG 20/20W User's Guide...
User Guide
Page 133
.... ZyWALL USG 20/20W User's Guide 133 Figure 86 WAN to LAN H.323 Peer-to a H.323 device located on the ZyWALL's 10.0.0.8 WAN IP address to LAN1 IP address 192.168.1.56. Figure 87 Configuration > Network > ALG 7.9.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720...
User Guide
Page 306
... matches this route. The ordering of the packets that match this route. To move the entry. Select the service that requested the service. Configure trigger port forwarding to use as the source IP address(es) of your rules is the rule index number. Select an entry and click Add to not use... Route) in order to use NAT for this to be able to a different number in different subnets. Select outgoing-interface to apply bandwidth shaping. 306 ZyWALL USG 20/20W User's Guide
User Guide
Page 310
... is that sends traffic to a remote server to take turns using port 1234. The ZyWALL allows and forwards the traffic to a client computer. When the ZyWALL receives a new connection (trigger service) from the remote server) to computer A. 310 ZyWALL USG 20/20W User's Guide The ZyWALL records the IP address of the client computer that sent the request...
User Guide
Page 311
Figure 189 Trigger Port Forwarding Example Maximize Bandwidth Usage The maximize bandwidth usage option allows the ZyWALL to divide up any allocated bandwidth that a policy route is not using a different next hop (gateway, outgoing interface, VPN tunnel or trunk...and any available bandwidth on their priority levels. ZyWALL USG 20/20W User's Guide 311 The ZyWALL distributes the available bandwidth equally among the policy routes that each other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as they are connected to each policy...
User Guide
Page 337
... server (A in the example). If the ZyWALL has only one public IP address, you want to assign ports 21-25 to one network is the translation of the IP address of NAT rules and see Section 17.2 on the Internet. ZyWALL USG 20/20W User's Guide 337 Figure 202 Multiple ...Servers Behind NAT Example 17.1.1 What You Can Do in a packet. CHAPTER 17 NAT 17.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is changed to make the computers in the private network available by using ports to forward packets...
User Guide
Page 338
... the Web Configurator and click Configuration > Network > NAT. The following table describes the labels in this screen allows you can modify the entry's settings. 338 ZyWALL USG 20/20W User's Guide In addition, this screen. Figure 203 Configuration > Network > NAT The following screen appears, providing a summary of all NAT rules and their configuration... 142 for an example of how to configure NAT to allow SIP traffic from the WAN to Know NAT is also known as virtual server, port forwarding, or port translation.
User Guide
Page 342
... number of original destination ports this NAT rule forwards the packet. The original and mapped IP address subnets or ranges must be the same size. Port - Protocol Type Original Port Mapped Port Original Start Port Original End Port Mapped Start Port Mapped End Port Enable NAT Loopback See Appendix B on the rule's specified incoming interface. 342 ZyWALL USG 20/20W User's Guide...
User Guide
Page 350
...rule. Port OK Cancel Enter the port number that the proxy server uses. This value is case-sensitive. Click OK to save your changes back to the ZyWALL. Table 97 Network > HTTP Redirect > Edit LABEL DESCRIPTION Enable Use this screen without saving. 350 ZyWALL USG 20/20W ...User's Guide You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be received for the ZyWALL to forward it to the specified proxy server. Name Enter a name to ...
User Guide
Page 352
... out through NAT. Examples would be calls between H.323 devices A and B. ZyWALL USG 20/20W User's Guide FTP ALG The FTP ALG allows TCP packets with a specified port destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can also apply bandwidth management to traffic that are on the... on the WAN. • The H.323 ALG operates on the LAN, you must also configure NAT (port forwarding) and firewall rules if you could make other H.323 calls that the ZyWALL routes. Chapter 19 ALG 19.1.2 What You Need to Know Application Layer Gateway (ALG), NAT and Firewall...
User Guide
Page 353
...ZyWALL correctly forward the return traffic for VoIP devices behind the ZyWALL when you configure the firewall and NAT to allow incoming (peer-to-peer) calls from the WAN to have H.323 (or SIP) calls from other LAN or DMZ IP addresses go through a different WAN IP address. Even though only LAN IP address A ZyWALL USG 20... WAN zone to the LAN zone. • The SIP ALG allows UDP packets with Multiple Outgoing Calls When you configure the firewall and NAT (port forwarding) to allow peer-to have a Back-to-Back User Agent such as the IPPBX x6004 or an Asterisk PBX on the DMZ or on the...
User Guide
Page 354
... can still make calls out to the Internet. You configure different firewall and port forwarding rules to allow LAN IP address B to -peer H.323 traffic. • See Section 7.11 on page 139 for peer- ZyWALL USG 20/20W User's Guide Chapter 19 ALG can receive incoming calls from the Internet,... LAN IP addresses B and C can configure different firewall and NAT (port forwarding) rules to allow incoming calls from each of making an IPPBX using ...
User Guide
Page 402
... to configure a new one). Enter the translated destination port or range of original destination ports. This is the address object for example, mail) from the remote network to the main VPN screen. 402 ZyWALL USG 20/20W User's Guide SNAT Select the address object that ...represents the original destination address. However, the order of computers in the remote network. Click OK to create a new entry after the selected entry. Destination NAT Add This translation forwards packets (...
User Guide
Page 950
...354 and VPN 419 and VPN, see also VPN configuration overview 98 limitations 310 loopback 343 port forwarding, see NAT port translation, see NAT port triggering 310 port triggering, see also policy routes prerequisites 99 traversal 420 trigger port, see also policy routes tutorial 136, 139 NBNS 230, 256, 271, 281, 287,...NSSA) 316 stub areas 316 types of 316 OSPF routers 317 area border (ABR) 317 autonomous system boundary (ASBR) 318 backbone (BR) 318 ZyWALL USG 20/20W User's Guide Index and address objects 306 and address objects (HOST) 341 and ALG 352, 354 and firewall 382 and interfaces 341 and...
User Guide
Page 951
...522 pop-up windows 43 port forwarding, see NAT port groups 107, 218, 221 port roles 220 and Ethernet interfaces 220 and physical ports 220 port scan, filtered 480 port scanning 479 port sweep 480 port translation, see PPPoE. ...Point-to -Point Protocol over Ethernet, see NAT port triggering 310 and firewall 306, 731 and policy routes 306 and service groups 306 and services 306 troubleshooting 731 ZyWALL USG 20...