User Guide
Page 24
...Port Speed ...636 43.6 DNS Overview ...636 43.6.1 DNS Server Address Assignment 637 43.6.2 Configuring the DNS Screen 637 43.6.3 Address Record ...640 43.6.4 PTR Record ...640 43.6.5 Adding an Address/PTR Record 640 43.6.6 Domain Zone Forwarder 641 43.6.7 Adding a Domain Zone Forwarder...43.7.7 HTTPS Example ...654 43.8 SSH ...661 43.8.1 How SSH Works ...662 43.8.2 SSH Implementation on the ZyWALL 663 43.8.3 Requirements for Using SSH 663 43.8.4 Configuring SSH ...663 43.8.5 Secure Telnet Using SSH Examples 665... 44.1.1 What You Can Do In this Chapter 679 24 ZyWALL USG 20/20W User's Guide
User Guide
Page 29
... increases LAN security by providing separate ports for reliable, secure service. ZyWALL USG 20/20W User's Guide 29 In addition, the ZyWALL provides excellent throughput, making it an ideal solution for connecting publicly accessible servers. The ZyWALL also provides two separate LAN networks. ...start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to Peer (P2P) control, NAT, port forwarding, policy routing, ...
User Guide
Page 37
... management, NAT, port forwarding, policy routing, DHCP server and many other powerful features. The rest of this section provides more information about the features of the following: • Multiple WAN ports and configure load balancing between two sites over the Internet or any insecure network that uses TCP/IP for communication. ZyWALL USG 20/20W User's Guide...
User Guide
Page 49
...For USG 20W only) Configure settings for users and groups. Bridge Create and manage bridges and virtual bridge interfaces. RIP Configure device-level RIP settings. Zone Configure zones used to force user authentication. HTTP Redirect Set up and manage port forwarding ... settings. VPN IPSec VPN VPN Connection Configure IPSec tunnels. ZyWALL USG 20/20W User's Guide 49 Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Interface Port Role Use this screen to each supported interface. Ethernet Manage...
User Guide
Page 99
... page. ZyWALL USG 20/20W User's Guide 99 The ZyWALL will receive the FTP packets. 5 In the Mapped IP field, list the IP address of the web pages that have the ZyWALL transparently forward HTTP (web) traffic to access that the FTP traffic is to come in through -ZyWALL) firewall rules. The ZyWALL does not check to a DMZ port. Chapter...
User Guide
Page 100
...destination), address groups (source, destination), services, service groups Example: Suppose you forward to the proxy server. 6.5.11 ALG The ZyWALL's Application Layer Gateway (ALG) allows VoIP and FTP applications to go through ...Chapter 6 Configuration Basics 5 Specify the IP address of the HTTP proxy server. 6 Specify the port number to use for the HTTP traffic that you have a SIP proxy server connected to the... for NAT (DNAT) and policy routes (SNAT). You can receive calls. 100 ZyWALL USG 20/20W User's Guide Each of traffic between or within zones. By default, the firewall ...
User Guide
Page 133
...Network > ALG 7.9.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the LAN and using IP address 192.168.1.56. ZyWALL USG 20/20W User's Guide 133 Figure 86 WAN to LAN H.323 Peer-to LAN1 IP address 192.168.1.56. Chapter... 7 Tutorials for wan1 IP address 10.0.0.8 to a H.323 device located on the ZyWALL's 10.0.0.8 WAN IP ...
User Guide
Page 306
... order of your rules is important as they are applied in the Service field. You can also configure port trigger settings for this route. You must be in order to apply bandwidth shaping. 306 ZyWALL USG 20/20W User's Guide If you select outgoing-interface, you to allocate bandwidth to a route and prioritize traffic that... trunk as the physical interface to which you want to move an entry to a different number in the list, click the Move icon. Configure trigger port forwarding to create a new entry after the selected entry.
User Guide
Page 310
... a different computer, you set the port(s) and IP address to forward a service (coming in brackets. The problem is listed in from AF11 through AF43. Chapter 13 Policy and Static Routes following example, you configure two services for each client computer. The decimal equivalent is that port forwarding only forwards a service to computer A. 310 ZyWALL USG 20/20W User's Guide
User Guide
Page 311
... and then to remote server 1 using the same port triggering rule as they are connected to each policy route gets up to its bandwidth allotment. ZyWALL USG 20/20W User's Guide 311 When you enable maximize bandwidth usage, the ZyWALL first makes sure that a policy route is not ...closed or times out. Any other until the connection is still bandwidth available. Figure 189 Trigger Port Forwarding Example Maximize Bandwidth Usage The maximize bandwidth usage option allows the ZyWALL to divide up any allocated bandwidth that each other computers (such as B or C) cannot connect...
User Guide
Page 337
...NAT network appears as a single host on a private network behind the ZyWALL available outside the private network. ZyWALL USG 20/20W User's Guide 337 For example, the source address of an outgoing packet, used within one public IP address, you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the...addresses and the ISP assigns the WAN IP address. NAT, RFC 1631) is changed to a third (C in the private network available by using ports to forward packets to view and manage the list of a host in this Chapter Use the NAT screens (see their configuration details.
User Guide
Page 338
...You Need to create a new entry. The following table describes the labels in this to Know NAT is also known as virtual server, port forwarding, or port translation. Figure 203 Configuration > Network > NAT The following screen appears, providing a summary of all NAT rules and their configuration. Table 94...create new NAT rules and edit and delete existing NAT rules. To access this screen allows you can modify the entry's settings. 338 ZyWALL USG 20/20W User's Guide Finding Out More • See Section 6.5.9 on page 98 for related information on these screens. • See Section ...
User Guide
Page 342
... supports for the traffic it sends to which translated destination IP address subnet or IP address range this NAT rule forwards the packet. Port Mapping Type Use the drop-down list box to also access the server. this NAT rule supports. You might use...available if Mapping Type is Ports. Protocol Type Original Port Mapped Port Original Start Port Original End Port Mapped Start Port Mapped End Port Enable NAT Loopback See Appendix B on the rule's specified incoming interface. 342 ZyWALL USG 20/20W User's Guide This field is available if Mapping Type is Port. Select to the LAN ...
User Guide
Page 350
...name to exit this rule. Click Cancel to identify this screen without saving. 350 ZyWALL USG 20/20W User's Guide Chapter 18 HTTP Redirect 18.2.1 The HTTP Redirect Edit Screen Click Network > HTTP Redirect to the ZyWALL. Then click the Add or Edit icon to the specified proxy server. Proxy Server...or off. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be received for the ZyWALL to forward it to open the HTTP Redirect screen. This value is case-sensitive. Port OK Cancel Enter the port number that the proxy server uses.
User Guide
Page 352
...NAT or that do not go out through NAT. The ALG on the LAN, you must also configure NAT (port forwarding) and firewall rules if you could make other H.323 calls that the ZyWALL routes. You can also make a call from the WAN. If the FTP server is located on the...from a private IP address on the LAN to a peer device on the WAN. • The H.323 ALG operates on TCP packets with a specified port destination to pass through. The following example shows H.323 signaling (1) and audio (2) sessions between LAN IP addresses that goes through the H.323 ALG. ZyWALL USG 20/20W User's Guide
User Guide
Page 353
... NAT (port forwarding) to peer calls from the LAN IP addresses. Examples would be on SIP traffic. • The SIP ALG handles SIP calls that go through NAT or that the ZyWALL routes. VoIP Calls from the WAN with a specified port destination to pass through. • The ZyWALL allows SIP...ALG allows UDP packets with Multiple Outgoing Calls When you configure the firewall and NAT (port forwarding) to allow peer-to a specific IP address on the LAN (or DMZ). Even though only LAN IP address A ZyWALL USG 20/20W User's Guide 353 Chapter 19 ALG • There should be only one SIP ...
User Guide
Page 354
... multiple WAN IP addresses on . Chapter 19 ALG can receive incoming calls from the Internet (the WAN zone). You configure different firewall and port forwarding rules to allow incoming calls from the WAN with Multiple Outgoing Calls VoIP with Multiple WAN IP Addresses 354 Finding Out More • See... screens. • See Section 7.9 on page 132 for a tutorial showing how to have calls from LAN IP address A go to the Internet. ZyWALL USG 20/20W User's Guide Use policy routing to use the ALG for the calls initiated from LAN IP address B go out through WAN IP address 2.
User Guide
Page 402
... . The size of the original source address range (Source) must be equal to configure a new one). Destination NAT Add This translation forwards packets (for example, mail) from the remote network to create a new entry. Move To change an entry's position in the remote ...VPN screen. 402 ZyWALL USG 20/20W User's Guide Remove Select an entry and click this to type a number for the remote network. However, the order of the translated source address range (SNAT). Mapped IP Protocol Original Port Start / Original Port End Mapped Port Start / Mapped Port End OK Cancel Select...
User Guide
Page 414
... Name and the Password. Type the password the ZyWALL sends to exit this screen without saving. 414 ZyWALL USG 20/20W User's Guide Click Cancel to the remote IPSec router. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged. If...
User Guide
Page 420
... IPSec router, or you configure router A to forward these packets unchanged, router X and router Y can set up the ZyWALL to forward packets with telecommuters. Chapter 23 IPSec VPN If router A does NAT, it depends on the standard(s) the ZyWALL and remote IPSec router support. If router A ...be UDP port 500 or UDP port 4500, depending on this might change the IP addresses, port numbers, or both. The routers cannot establish a VPN tunnel. In extended authentication, one of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode). 420 ZyWALL USG 20/20W User's ...