ZyWALL 2WG Support Notes
All contents copyright (c) 2006 ZyXEL Communications Corporation. 227
understand the ESP packet with protocol number 50, and replace the source IP address of the IPSec gateway with the
router's WAN IP address. However, NAT must not change the source port of the UDP packets that are used
for key management. Because the remote gateway checks this source port during connection setup, the port is
not allowed to be changed.
A28. How do I set up my ZyWALL for routing IPSec packets over NAT?
For outgoing IPSec tunnels, no extra setting is required. For forwarding the inbound IPSec ESP tunnel, a
'Default' server set in menu 15 is required. This is because NAT makes your LAN appear as a single machine to
the outside world, so LAN users are invisible to outside users. To make an internal server reachable from outside, we
must specify the service port and the LAN IP of this server in Menu 15. NAT is then able to forward the
incoming packets to the requested service behind NAT, and outside users access the server using the
ZyWALL's WAN IP address. So, we have to configure the internal IPSec gateway as the default server (unspecified
service port) in menu 15 when it acts as a server gateway.
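The two points above (NAT must rewrite the IPSec gateway's source address but leave the IKE source port 500 alone, and an inbound ESP tunnel can only be delivered to the LAN through the menu 15 'Default' server because ESP carries no service port) are illustrated by the following added example. It is a toy model written for these notes, not ZyXEL code; the NatRouter class, the packet layout and all addresses (203.0.113.10, 192.168.1.2, 198.51.100.x) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

UDP = 17         # IP protocol number for UDP
ESP_PROTO = 50   # IP protocol number for ESP
IKE_PORT = 500   # UDP port used for IKE key management


@dataclass
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ESP, which carries no ports
    dst_port: Optional[int] = None


@dataclass
class NatRouter:
    """Hypothetical NAT router placed in front of an IPSec gateway on the LAN."""
    wan_ip: str
    default_server: Optional[str] = None   # LAN IP of the menu 15 'Default' server
    next_port: int = 40000                 # port pool used for ordinary PAT
    esp_peers: Dict[str, str] = field(default_factory=dict)            # remote IP -> LAN IP
    port_map: Dict[Tuple[int, int], Tuple[str, int]] = field(default_factory=dict)  # (proto, WAN port) -> (LAN IP, LAN port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source address, but never the IKE source port."""
        if pkt.proto == ESP_PROTO:
            # ESP has no port to translate; remember which LAN host talks to this peer
            self.esp_peers[pkt.dst_ip] = pkt.src_ip
            return Packet(ESP_PROTO, self.wan_ip, pkt.dst_ip)
        if pkt.proto == UDP and pkt.src_port == IKE_PORT:
            # The remote gateway checks that IKE arrives from port 500, so keep it
            self.port_map[(UDP, IKE_PORT)] = (pkt.src_ip, IKE_PORT)
            return Packet(UDP, self.wan_ip, pkt.dst_ip, IKE_PORT, pkt.dst_port)
        # Ordinary traffic: normal port address translation with a fresh WAN port
        wan_port = self.next_port
        self.next_port += 1
        self.port_map[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.wan_ip, pkt.dst_ip, wan_port, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: use the translation table, else the Default server, else drop."""
        if pkt.proto == ESP_PROTO:
            lan_ip = self.esp_peers.get(pkt.src_ip, self.default_server)
            return None if lan_ip is None else Packet(ESP_PROTO, pkt.src_ip, lan_ip)
        entry = self.port_map.get((pkt.proto, pkt.dst_port))
        if entry is not None:
            lan_ip, lan_port = entry
            return Packet(pkt.proto, pkt.src_ip, lan_ip, pkt.src_port, lan_port)
        if self.default_server is None:
            return None   # unsolicited and no Default server: dropped
        return Packet(pkt.proto, pkt.src_ip, self.default_server, pkt.src_port, pkt.dst_port)


def remote_gateway_accepts_ike(pkt: Packet) -> bool:
    """The peer-side check the notes describe: IKE must come from UDP source port 500."""
    return pkt.proto == UDP and pkt.src_port == IKE_PORT


if __name__ == "__main__":
    nat = NatRouter("203.0.113.10", default_server="192.168.1.2")
    ike = nat.outbound(Packet(UDP, "192.168.1.2", "198.51.100.1", 500, 500))
    print("IKE after NAT:", ike, "accepted:", remote_gateway_accepts_ike(ike))
    print("Unsolicited ESP:", nat.inbound(Packet(ESP_PROTO, "198.51.100.7", "203.0.113.10")))
```

Running the module shows the IKE packet leaving with the WAN address but still source port 500, and an unsolicited ESP packet from a new peer being handed to the Default server; remove the default_server argument and that same ESP packet is dropped, which is the failure A28 is telling you to avoid.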
A29. What is STP (Spanning Tree Protocol) / RSTP (Rapid STP)?
When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup
links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant
bridges in your network to ensure that only one path exists between any two stations on the network. This
configuration is intended for advanced users who know the protocol well.
A30. In what order does the ZyWALL process inbound and outgoing traffic?
(1) For a ZyWALL in router mode, the inspection flow for inbound and outgoing traffic is as follows.
Traffic from WAN: -> NAT -> Firewall -> Policy Route -> Load Balance -> Static Route -> IDP -> AV
-> AS -> CF -> BWM
Traffic to WAN: -> Firewall -> Policy Route -> Load Balance -> Static Route -> IDP -> AV -> AS ->
CF -> BWM -> NAT
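The practical consequence of the router-mode order above is that NAT runs before the firewall for traffic from the WAN and after it for traffic to the WAN, so the firewall always sees LAN addresses. The following added example walks a packet through the two stage lists to make that visible; it is a model written for these notes, not ZyWALL code, and the stage functions, the WAN address 203.0.113.10 and the Default server 192.168.1.2 are constructed for illustration (stages other than NAT and Firewall are left as pass-through).

```python
from typing import Callable, Dict, List, Tuple

WAN_IP = "203.0.113.10"          # constructed ZyWALL WAN address
DEFAULT_SERVER = "192.168.1.2"   # constructed menu 15 Default server

Pkt = Dict[str, str]             # {"src": ..., "dst": ...}
Stage = Callable[[str, Pkt], Pkt]

# Stage order for router mode, as listed in A30
INBOUND_ORDER = ["NAT", "Firewall", "Policy Route", "Load Balance", "Static Route",
                 "IDP", "AV", "AS", "CF", "BWM"]
OUTBOUND_ORDER = ["Firewall", "Policy Route", "Load Balance", "Static Route",
                  "IDP", "AV", "AS", "CF", "BWM", "NAT"]


def nat_stage(direction: str, pkt: Pkt) -> Pkt:
    """Inbound: WAN address -> Default server. Outbound: LAN source -> WAN address."""
    pkt = dict(pkt)
    if direction == "in" and pkt["dst"] == WAN_IP:
        pkt["dst"] = DEFAULT_SERVER
    elif direction == "out":
        pkt["src"] = WAN_IP
    return pkt


class FirewallStage:
    """Records the addresses the firewall is given, which is what its rules match on."""
    def __init__(self) -> None:
        self.seen: List[Tuple[str, str, str]] = []

    def __call__(self, direction: str, pkt: Pkt) -> Pkt:
        self.seen.append((direction, pkt["src"], pkt["dst"]))
        return pkt


def passthrough(direction: str, pkt: Pkt) -> Pkt:
    return pkt


def run(order: List[str], stages: Dict[str, Stage], direction: str, pkt: Pkt) -> Pkt:
    """Apply the configured stages in the documented order."""
    for name in order:
        pkt = stages.get(name, passthrough)(direction, pkt)
    return pkt


def firewall_view(direction: str, pkt: Pkt) -> Tuple[str, str, str]:
    """Return (direction, src, dst) exactly as the firewall stage saw the packet."""
    fw = FirewallStage()
    stages: Dict[str, Stage] = {"NAT": nat_stage, "Firewall": fw}
    order = INBOUND_ORDER if direction == "in" else OUTBOUND_ORDER
    run(order, stages, direction, pkt)
    return fw.seen[0]


if __name__ == "__main__":
    print(firewall_view("in", {"src": "198.51.100.1", "dst": WAN_IP}))
    print(firewall_view("out", {"src": "192.168.1.5", "dst": "198.51.100.1"}))
```

In both directions the firewall stage reports the LAN host (192.168.1.2 as destination inbound, 192.168.1.5 as source outbound), never the WAN address, so firewall rules for a server behind the ZyWALL should be written against its LAN IP.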