ZyXEL Communications ZyWALL 2 Series 14.12 IKE Phases

	ZyWALL 2 Series User’s Guide
	Table 14-7 Basic IKE VPN Rule Edit

LABEL	DESCRIPTION

Encryption	Select DES, 3DES, AES or NULL from the drop-down list box.
Algorithm	When you use one of these encryption algorithms for data communications, both the

	sending device and the receiving device must use the same secret key, which can be
	used to encrypt and decrypt the message or to generate and verify a message
	authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES)
	is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES.
	It also requires more processing power, resulting in increased latency and decreased
	throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
	Select NULL to set up a tunnel without encryption. When you select NULL, you do not
	enter an encryption key.

Authentication	Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1
Algorithm	(Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1
	algorithm is generally considered stronger than MD5, but is slower. Select MD5 for
	minimal security and SHA-1for maximum security.

AH	Select AH if you want to use AH (Authentication Header Protocol). The AH protocol (RFC
	2402) was designed for integrity, authentication, sequence integrity (replay resistance),
	and non-repudiation but not for confidentiality, for which the ESP was designed. If you
	select AH here, you must select options from the Authentication Algorithm field
	(described below).

Authentication	Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1
Algorithm	(Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1
	algorithm is generally considered stronger than MD5, but is slower. Select MD5 for
	minimal security and SHA-1for maximum security.

Advanced	Click Advanced to configure more detailed settings of your IKE key management.

Apply	Click Apply to save your customized settings and exit this screen.

Reset	Click Reset to begin configuring this screen afresh.

14.12 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.

VPN Screens

14-21

Contents

User’s Guide Copyright Copyright © 2004 by ZyXEL Communications Corporation Disclaimer Trademarks Notice Certifications Information for Canadian Users Caution Note ZyXEL Limited Warranty NOTE Customer Support Table of Contents Chapter 7 Wireless LAN Screens NAT and Static Route Chapter 8 Network Address Translation (NAT) Chapter 9 Static Route Screens Chapter 10 Firewalls VPN/IPSec Certificates Chapter 15 Certificates Authentication Server, Remote Management and UPnP Chapter 16 Authentication Server Page Chapter 26 Remote Node Setup Chapter 28 Network Address Translation (NAT) Chapter 29 Introducing the Firewall Chapter 30 Filter Configuration A-1 B-1 C-1 D-1 E-1 Page List of Figures Page Page Page Page Page Page List of Tables Page Page Page Preface About This User's Manual Related Documentation User’s Guide Feedback Syntax Conventions Graphics Icons Key Page Part I: Getting Started Page 1.1Introducing the ZyWALL 1.2Features 1.2.1Physical Features 4-PortSwitch Auto-negotiating10/100 Mbps Ethernet LAN Auto-sensing10/100 Mbps Ethernet LAN Auto-negotiating10/100 Mbps Ethernet WAN X-Auth(Extended Authentication) Certificates SSH HTTPS Firewall Universal Plug and Play (UPnP) Call Scheduling PPPoE PPPoE Pass-through PPTP Encapsulation Central Network Management SNMP Network Address Translation (NAT) Traffic Redirect Port Forwarding 1.3Applications for the ZyWALL 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem 1.3.2 Secure Broadband Internet Access and VPN Page 2.1Web Configurator Overview 2.2Accessing the ZyWALL Web Configurator 2.3Resetting the ZyWALL 2.3.1 Procedure To Use The Reset Button 2.3.2 Uploading a Configuration File Via Console Port 2.4Navigating the ZyWALL Web Configurator Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view online help The icon does not appear in the MAIN MENU screen Figure 2-4The MAIN MENU Screen of the Web Configurator Table 2-1Web Configurator Screens Summary Page Page Page Page 3.1Wizard Setup Overview 3.2General Setup and System Name 3.2.1 Domain Name 3.3Internet Access 3.3.1 Ethernet Figure 3-2Wizard 2: Ethernet Encapsulation Table 3-1Ethernet Encapsulation 3.3.2 PPPoE Encapsulation Figure 3-3Wizard2: PPPoE Encapsulation Table 3-2PPPoE Encapsulation 3.3.3 PPTP Encapsulation Figure 3-4Wizard 2: PPTP Encapsulation Table 3-3PPTP Encapsulation 3.4WAN and DNS 3.4.1 WAN IP Address Assignment 3.4.2 IP Address and Subnet Mask 3.4.3 DNS Server Address Assignment 3.4.4 WAN MAC Address Figure 3-5Wizard Table 3-6Wizard 3.5Basic Setup Complete Figure 3-6Internet Access Wizard Setup Complete Page Part II: System and LAN Page 4.1System Overview 4.2Configuring General Setup Table 4-1System General Setup 4.3Dynamic DNS 4.3.1DYNDNS Wildcard 4.4Configuring Dynamic DNS Figure 4-2DDNS Table 4-2DDNS 4.5Configuring Password 4.6Pre-definedNTP Time Servers List 4.7Configuring Time Setting Figure 4-4Time Setting Table 4-5Time Setting Page Page 5.1LAN Overview 5.2DHCP Setup 5.2.1 IP Pool Setup 5.3IP Address and Subnet Mask 5.4DNS Server Address Assignment 5.5LAN TCP/IP 5.5.1Factory LAN Defaults 5.5.2RIP Setup 5.5.3Multicast 5.6Configuring IP Figure 5-1IP Table 5-1IP Page 5.7Configuring Static DHCP 5.8Configuring IP Alias Figure 5-3Physical Network Figure 5-4Partitioned Logical Networks IP Alias Figure 5-5IP Alias Table 5-3IP Alias Page Part III: WAN and Wireless LAN Page 6.1WAN Overview 6.2TCP/IP Priority (Metric) 6.3WAN IP Address Assignment 6.3.1WAN MAC Address 6.4Configuring Route 6.5Configuring WAN ISP 6.5.1 Ethernet Encapsulation Figure 6-2Ethernet Encapsulation Table 6-4Ethernet Encapsulation 6.5.2 PPPoE Encapsulation Figure 6-3PPPoE Encapsulation Table 6-5PPPoE Encapsulation 6.5.3 PPTP Encapsulation Figure 6-4PPTP Encapsulation Table 6-6PPTP Encapsulation 6.6Configuring WAN IP Figure 6-5IP Setup Table 6-7IP Setup Page 6.7Configuring WAN MAC 6.8Traffic Redirect 6.9Configuring Traffic Redirect Figure 6-9Traffic Redirect Table 6-8Traffic Redirect 6.10 Configuring Dial Backup Figure 6-10Dial Backup Setup Table 6-9Dial Backup Setup Page Page 6.11 Advanced Modem Setup 6.11.1 AT Command Strings 6.11.2 DTR Signal 6.11.3 Response Strings 6.12 Configuring Advanced Modem Setup Figure 6-11Advanced Setup Table 6-10Advanced Setup Page Page 7.1Wireless LAN Overview 7.1.1 Additional Installation Requirements for Using 7.2Wireless LAN Basics 7.2.1 Channel 7.2.2 ESS ID 7.2.4 Fragmentation Threshold 7.3Wireless Security 7.3.1 WEP 7.4Configuring Wireless LAN Table 7-1Wireless 7.5Configuring MAC Filter 7.6802.1x Overview 7.6.1 RADIUS •Authentication •Accounting Types of RADIUS Messages 7.6.2 EAP Authentication Overview 7.7Local User Database 7.8Configuring Figure 7-6802.1X Authentication Table 7-3802.1X Authentication Part IV: NAT and Static Route Page 8.1NAT Overview 8.1.1 NAT Definitions 8.1.2 What NAT Does 8.1.3 How NAT Works 8.1.4 NAT Application 8.1.5 NAT Mapping Types 8.2Using NAT 8.2.1 SUA (Single User Account) Versus NAT 8.3SUA Server 8.3.1 Default Server IP Address 8.3.2 Port Forwarding: Services and Port Numbers 8.3.3 Configuring Servers Behind SUA (Example) 8.4Configuring SUA Server 8.5Configuring Address Mapping Figure 8-5Address Mapping Table 8-5Address Mapping Configuring Address Mapping 8.6Configuring Trigger Port Figure 8-7Trigger Port Forwarding Example Trigger Port Figure 8-8Trigger Port Table 8-7Trigger Port Page 9.1Static Route Overview 9.2Configuring IP Static Route Figure 9-2Static Route Screen Table 9-1IP Static Route Summary 9.2.1 Configuring Route Entry Page Part V: Firewall and Content Filters Page 10.1 Firewall Overview 10.2 Types of Firewalls 10.2.1 Packet Filtering Firewalls 10.2.2 Application-levelFirewalls 10.2.3 Stateful Inspection Firewalls 10.3 Introduction to ZyXEL’s Firewall 10.4 Denial of Service 10.4.1 Basics 10.4.2 Types of DoS Attacks Figure 10-2 Three-WayHandshake SYN Attack Figure 10-3SYN Flood LAND Attack brute-force Figure 10-4Smurf Attack Table 10-2ICMP Commands That Trigger Alerts 10.5 Stateful Inspection 10.5.1 Stateful Inspection Process 10.5.2 Stateful Inspection and the ZyWALL 10.5.3 TCP Security 10.5.4 UDP/ICMP Security 10.5.5 Upper Layer Protocols 10.6 Guidelines For Enhancing Security With Your Firewall 10.7 Packet Filtering Vs Firewall 10.7.1 Packet Filtering: When To Use Filtering 10.7.2 Firewall When To Use The Firewall Page Page 11.1 Access Methods 11.2 Firewall Policies Overview 11.3 Rule Logic Overview 11.3.1 Rule Checklist 11.3.2 Security Ramifications 11.3.3Key Fields For Configuring Rules Action 11.4 Connection Direction Examples 11.4.1 LAN to WAN Rules 11.4.2 WAN to LAN Rules 11.5 Alerts 11.6 Configuring Firewall Figure 11-3Enabling the Firewall Table 11-1Firewall Rules Summary: First Screen 11.6.1 Configuring Firewall Rules Figure 11-4Creating/Editing A Firewall Rule Table 11-2Creating/Editing A Firewall Rule 11.6.2 Configuring Source and Destination Addresses 11.6.3 Configuring Custom Ports 11.7 Example Firewall Rule Figure 11-7Firewall IP Config Screen Any Destination Address DestDelete Step 5. Click DestAdd under the Destination Address box Firewall Rule Edit IP Figure 11-8Firewall Rule Edit IP Example Edit Custom Port Figure 11-9Edit Custom Port Example Page Rule Summary Figure 11-11My Service Example Rule Summary 11.8 Predefined Services Page 11.9 Configuring Attack Alert 11.9.1 Threshold Values 11.9.2 Half-OpenSessions TCP Maximum Incomplete and Blocking Period TCP Maximum Incomplete Blocking Period Figure 11-12Attack Alert Table 11-6Attack Alert Page 12.1 Introduction to Content Filtering 12.1.1 Restrict Web Features 12.1.2 Create a Filter List 12.1.3 Customize Web Site Access 12.1.4 Days and Times Figure 12-1Content Filter : General Table 12-1Content Filter : General 12.3 Content Filtering with an External Server 12.4 Checking Content Filtering Activation 12.5 Configuring for Registering and Categories Figure 12-3Content Filter : Categories Table 12-2Content Filter : Categories Page Page Page Page Page This field only displays whether or not you have successfully registered, not whether or not content filtering is active. See section 12.4 for how to check the content filtering activation 12.6 Configuring Customization Figure 12-4Content Filter : Customization Table 12-3Content Filter : Customization Page Page Part VI: VPN/IPSec Page 13.1 VPN Overview 13.1.1 IPSec 13.1.2 Security Association 13.1.3Other Terminology Encryption 13.1.4 VPN Applications 13.2 IPSec Architecture 13.2.1 IPSec Algorithms 13.2.2 Key Management 13.3 Encapsulation 13.3.1 Transport Mode 13.3.2 Tunnel Mode 13.4 IPSec and NAT Page 14.1 VPN/IPSec Overview 14.2 IPSec Algorithms 14.2.1 AH (Authentication Header) Protocol 14.2.2 ESP (Encapsulating Security Payload) Protocol 14.3 My IP Address 14.4 Secure Gateway Address 14.4.1 Dynamic Secure Gateway Address 14.5 Summary Screen Figure 14-2VPN Rules Table 14-2VPN Rules 14.6 Keep Alive 14.7 NAT Traversal 14.7.1 NAT Traversal Configuration 14.7.2 X-Auth(Extended Authentication) 14.7.3 Remote DNS Server 14.8 ID Type and Content 14.8.1 ID Type and Content Examples 14.9Pre-SharedKey 14.10VPN Implementation 14.10.1Client to Site VPN 14.10.2Site to site VPN 14.11Configuring Basic IKE VPN Rule Setup Figure 14-7Basic IKE VPN Rule Edit Table 14-7Basic IKE VPN Rule Edit Page Page Page Page Page Page Page 14.12 IKE Phases Figure 14-8Two Phases to Set Up the IPSec SA 14.12.1X-Authand IKE 14.12.2Negotiation Mode 14.12.3Pre-SharedKey 14.12.4Diffie-Hellman(DH) Key Groups 14.12.5Perfect Forward Secrecy (PFS) 14.13Configuring Advanced IKE Setup Figure 14-9Advanced IKE VPN Rule Setup Table 14-8Advanced IKE VPN Rule Setup Page Page 14.14Manual Key Setup 14.14.1Security Parameter Index (SPI) 14.15Configuring Edit Manual Setup Manual Key Manual Figure 14-10Manual VPN Rule Setup Table 14-9VPN Manual Setup Page Page 14.16 SA Monitor 14.17 Global Settings 14.18Telecommuter VPN/IPSec Examples 14.18.1Telecommuters Sharing One VPN Rule Example 14.18.2Telecommuters Using Unique VPN Rules Example Figure 14-14Telecommuters Using Unique VPN Rules Example Table 14-13Telecommuters Using Unique VPN Rules Example 14.19VPN and Remote Management Part VII: Certificates Page 15.1 Certificates Overview 15.1.1 Advantages of Certificates 15.2 Self-signedCertificates 15.3 Configuration Summary 15.4 My Certificates Table 15-1My Certificates 15.5 Certificate File Formats 15.6 Importing a Certificate 15.7 Creating a Certificate Table 15-3My Certificate Create Page 15.8 My Certificate Details Figure 15-5My Certificate Details Table 15-4My Certificate Details Page 15.9 Trusted CAs Figure 15-6Trusted CAs Table 15-5Trusted CAs 15.10Importing a Trusted CA’s Certificate 15.11Trusted CA Certificate Details Figure 15-8Trusted CA Details Table 15-7Trusted CA Details Page 15.12Trusted Remote Hosts Figure 15-9Trusted Remote Hosts Table 15-8Trusted Remote Hosts 15.13Verifying a Trusted Remote Host’s Certificate 15.13.1Trusted Remote Host Certificate Fingerprints 15.14Importing a Trusted Remote Host’s Certificate 15.15Trusted Remote Host Certificate Details Figure 15-11Trusted Remote Host Details Table 15-12Trusted Remote Host Details Page 15.16Directory Servers 15.17Add or Edit a Directory Server Table 15-14Directory Server Add Page Part VIII: Authentication Server, Remote Management and UPnP Page 16.1 Authentication Server Overview 16.2 Local User Database 16.3 Configuring Local User Database Figure 16-1Local User Database 16.4 Configuring RADIUS Figure 16-2RADIUS Table 16-2RADIUS Page Page 17.1 Remote Management Overview 17.1.1 Remote Management Limitations 17.1.2 Remote Management and NAT 17.1.3 System Timeout 17.2 Introduction to HTTPS Authenticate Client Certificates REMOTE MGMT, WWW Figure 17-1HTTPS Implementation 17.3 Configuring WWW Table 17-1WWW 17.4 HTTPS Example 17.4.1 Internet Explorer Warning Messages 17.4.2 Netscape Navigator Warning Messages 17.4.3 Avoiding the Browser Warning Messages 17.4.4 Login Screen Figure 17-6Login Screen (Internet Explorer) Figure 17-7Login Screen (Netscape) Figure 17-8Replace Certificate Figure 17-9 Device-specificCertificate 17.5 SSH Overview 17.6 How SSH works 17.7 SSH Implementation on the ZyWALL 17.7.1 Requirements for Using SSH 17.8 Configuring SSH 17.9 Secure Telnet Using SSH Examples 17.9.1 Example 1: Microsoft Windows 17.9.2 Example 2: Linux 17.10Secure FTP Using SSH Example 17.11Telnet 17.12Configuring TELNET 17.13Configuring FTP 17.14Configuring SNMP Figure 17-21SNMP Management Model 17.14.1Supported MIBs 17.14.2SNMP Traps 17.14.3REMOTE MANAGEMENT: SNMP 17.15Configuring DNS Figure 17-23DNS Table 17-7DNS 17.16Configuring Security Page Page 18.1 Universal Plug and Play Overview 18.1.1 How Do I Know If I'm Using UPnP 18.1.2 NAT Traversal 18.1.3 Cautions with UPnP 18.2 UPnP Implementation 18.3 Configuring UPnP Figure 18-1Configuring UPnP Table 18-1Configuring UPnP 18.4 Displaying UPnP Port Mapping 18.5 Installing UPnP in Windows Example 18.5.1 Installing UPnP in Windows Me 18.5.2 Installing UPnP in Windows XP Page 18.6 Using UPnP in Windows XP Example 18.6.1 Auto-discoverYour UPnP-enabledNetwork Device When the UPnP-enableddevice is disconnected from your computer, all port mappings will be deleted automatically 18.6.2 Web Configurator Easy Access Part IX: Logs Page 19.1 Configuring View Log Figure 19-1View Log Table 19-1View Log 19.2 Configuring Log Settings Figure 19-2Log Settings Table 19-2Log Settings 19.3 Configuring Reports Figure 19-3Reports Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps Table 19-3Reports 19.3.1 Viewing Web Site Hits 19.3.2 Viewing Protocol/Port 19.3.3 Viewing LAN IP Address 19.3.4 Reports Specifications Page Part X: Maintenance Page 20.1 Maintenance Overview 20.2 Status Screen 20.2.1 System Statistics Figure 20-2System Status: Show Statistics Table 20-2System Status: Show Statistics 20.3 DHCP Table Screen 20.4 F/W Upload Screen Figure 20-5Firmware Upload Do not turn off the ZyWALL while firmware upload is in progress Firmware Upload in Process Figure 20-6Firmware Upload In Process 20.5 Configuration Screen 20.5.1 Backup Configuration 20.5.2 Restore Configuration 20.5.3 Back to Factory Defaults 20.6 Restart Screen Page Part XI: SMT General Configuration Page 21.1 Introduction to the SMT 21.2 Accessing the SMT via the Console Port 21.2.1 Initial Screen 21.2.2 Entering the Password 21.3 Navigating the SMT Interface 21.3.1 Main Menu 21.3.2 SMT Menus at a Glance Figure 21-4ZyWALL 2 SMT Menu Overview Example 21.4 Changing the System Password 21.5 Resetting the ZyWALL 22.1 Introduction to General Setup 22.2 Configuring General Setup 22.2.1 Configuring Dynamic DNS Figure 22-2Configure Dynamic DNS Table 22-2Configure Dynamic DNS Page 23.1 Introduction to WAN 23.2 Dial Backup 23.3 Configuring Dial Backup in Menu 23.4 Advanced WAN Setup Figure 23-3Menu 2.1 Advanced WAN Setup Table 23-3Advanced WAN Port Setup: AT Commands Fields 23.5 Remote Node Profile (Backup ISP) Figure 23-4Menu 11.1 Remote Node Profile (Backup ISP) Table 23-5Menu 11.1 Remote Node Profile (Backup ISP) Page 23.6 Editing PPP Options 23.7 Editing TCP/IP Options Page 23.8 Editing Login Script 23.9 Remote Node Filter Figure 23-9Menu 11.5: Dial Backup Remote Node Filter Page 24.1 Introduction to LAN Setup 24.2 Accessing the LAN Menus 24.3 LAN Port Filter Setup 24.4 TCP/IP and DHCP Ethernet Setup Menu Figure 24-4Menu 3.2: TCP/IP and DHCP Ethernet Setup Table 24-1DHCP Ethernet Setup Menu Fields 24.4.1 IP Alias Setup Figure 24-5Physical Network Figure 24-6Partitioned Logical Network Edit IP Alias Menu 3.2.1 - IP Alias Setup Figure 24-7Menu 3.2.1: IP Alias Setup 24.5 Wireless LAN Setup Figure 24-8Menu 3.5: Wireless LAN Setup The settings of all client stations on the wireless LAN must match those of the ZyWALL Table 24-4Menu 3.5: Wireless LAN Setup 24.5.1 MAC Address Filter Setup Edit MAC Address Filter Menu 3.5.1 – WLAN MAC Address Filter Figure 24-9Menu 3.5.1: WLAN MAC Address Filter Table 24-5Menu 3.5.1: WLAN MAC Address Filter Page 25.1 Introduction to Internet Access Setup 25.2 Ethernet Encapsulation Page 25.3 PPTP Encapsulation 25.3.1 Configuring the PPTP Client 25.4 PPPoE Encapsulation 25.4.1 Configuring the PPPoE Client 25.5 Basic Setup Complete Page Part XII: SMT Advanced Applications Page 26.1 Introduction to Remote Node Setup 26.2 Remote Node Setup 26.2.1 Ethernet Encapsulation Figure 26-1Menu11.1: Remote Node Profile for Ethernet Encapsulation Table 26-1Menu 11.1: Remote Node Profile for Ethernet Encapsulation 26.2.2 PPPoE Encapsulation Outgoing Authentication Protocol Nailed-UpConnection Metric 26.2.3 PPTP Encapsulation 26.3 Edit IP Page 26.4 Remote Node Filter 26.5 Traffic Redirect 26.5.1 Traffic Redirect Setup Table 26-6Menu 11.6: Traffic Redirect Setup Page Page 27.1 IP Static Route Setup Figure 27-2Menu 12. 1: Edit IP Static Route Table 27-1Menu 12. 1: Edit IP Static Route 28.1 Using NAT 28.1.1 SUA (Single User Account) Versus NAT 28.1.2 Applying NAT Figure 28-1Menu 4: Applying NAT for Internet Access Menu 11.3 - Remote Node Network Layer Options 28.2 NAT Setup 28.2.1 Address Mapping Sets SUA Address Mapping Set User-DefinedAddress Mapping Sets Ordering Your Rules Table 28-3Fields in Menu No changes to the set take place until this action is taken Menu 15.1.1.1 - Address Mapping Rule Local Global 28.3 Configuring a Server behind NAT 28.4 General NAT Examples 28.4.1 Internet Access Only 28.4.2 Example 2: Internet Access with an Inside Server 28.4.3 Example 3: Multiple Public IP Addresses With Inside Servers 1 : Many : Figure 28-14NAT Example Menu 15.1 - Address Mapping Sets Edit Action Start IP Figure 28-15Example 3: Menu Figure 28-16Example 3: Menu Figure 28-17Example 3: Final Menu Figure 28-18Example 3: Menu 28.4.4 Example 4: NAT Unfriendly Application Programs 28.5 Trigger Port Forwarding 28.5.1 Trigger Port Forwarding Process 28.5.2 Two Points To Remember About Trigger Ports Table 28-5Menu 15.3: Trigger Port Setup Page 29.1 Using SMT Menus 29.1.1 Activating the Firewall Figure 29-2Menu 21.2: Firewall Setup Configure the firewall rules using the web configurator or CLI commands 30.1 Introduction to Filters 30.1.1Filter Structure Figure 30-2Filter Rule Process 30.2 Configuring a Filter Set Edit Comments Table 30-1Abbreviations Used in the Filter Rules Summary Menu 30.2.1 Configuring a Filter Rule 30.2.2 Configuring a TCP/IP Filter Rule TCP/IP Filter Rule Filter Type open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next Figure 30-5Menu 21.1.1.1: TCP/IP Filter Rule Table 30-3TCP/IP Filter Rule Menu Fields Page Page Figure 30-6Executing an IP Filter 30.2.3 Configuring a Generic Filter Rule Page 30.3 Example Filter Figure 30-9Example Filter: Menu Figure 30-10Example Filter Rules Summary: Menu 30.4 Filter Types and NAT 30.5 Firewall Versus Filters 30.6 Applying a Filter 30.6.1 Applying LAN Filters 30.6.2 Applying Remote Node Filters Figure 30-13Filtering Remote Node Traffic 31.1 SNMP Configuration 31.2 SNMP Traps Part XIII: SMT System Maintenance Page 32.1 Introduction to System Status 32.2 System Status Step 1. Enter number 24 to go to Menu 24 - System Maintenance Menu 24.1 - System Maintenance - Status Figure 32-2Menu 24.1: System Maintenance: Status Table 32-1System Maintenance: Status Menu Fields 32.3 System Information and Console Port Speed 32.3.1 System Information 32.3.2 Console Port Speed 32.4 Log and Trace 32.4.1 UNIX Syslog Page Page 32.4.2 Call-TriggeringPacket 32.4.3 Diagnostic 32.4.4 WAN DHCP Figure 32-10WAN & LAN DHCP Table 32-4System Maintenance Menu Diagnostic Page 33.1 Introduction 33.2 Filename Conventions 33.3 Backup Configuration 33.3.1 Backup Configuration 33.3.2 Using the FTP Command from the Command Line 33.3.3 Example of FTP Commands from the Command Line 33.3.4 GUI-basedFTP Clients 33.3.5 File Maintenance Over WAN 33.3.6 Backup Configuration Using TFTP 33.3.7 TFTP Command Example 33.3.8 GUI-basedTFTP Clients 33.3.9 Backup Via Console Port Figure 33-3System Maintenance: Backup Configuration Figure 33-4System Maintenance: Starting Xmodem Download Screen Receive File Figure 33-5Backup Configuration Example Figure 33-6Successful Backup Confirmation Screen 33.4 Restore Configuration 33.4.1 Restore Using FTP 33.4.2 Restore Using FTP Session Example 33.4.3 Restore Via Console Port Figure 33-9System Maintenance: Restore Configuration Figure 33-10System Maintenance: Starting Xmodem Download Screen Figure 33-11Restore Configuration Example Figure 33-12Successful Restoration Confirmation Screen 33.5 Uploading Firmware and Configuration Files 33.5.1 Firmware File Upload 33.5.2 Configuration File Upload 33.5.3 FTP File Upload Command from the DOS Prompt Example 33.5.4 FTP Session Example of Firmware File Upload 33.5.5 TFTP File Upload 33.5.6 TFTP Upload Command Example 33.5.7 Uploading Via Console Port 33.5.8 Uploading Firmware File Via Console Port 33.5.9 Example Xmodem Firmware Upload Using HyperTerminal 33.5.10Uploading Configuration File Via Console Port 33.5.11Example Xmodem Configuration Upload Using HyperTerminal Figure 33-19Example Xmodem Upload 34.1 Command Interpreter Mode 34.1.1 Command Syntax 34.1.2 Command Usage 34.2 Call Control Support 34.2.1 Budget Management 34.2.2 Call History 34.3 Time and Date Setting Figure 34-6Menu 24: System Maintenance Figure 34-7Menu 24.10 System Maintenance: Time and Date Setting 34.3.1 Resetting the Time Page 35.1 Remote Management Figure 35-1Menu 24.11 – Remote Management Control Table 35-1Menu 24.11 – Remote Management Control 35.1.1 Remote Management Limitations Page Part XIV: SMT Advanced Management Page 36.1 Introduction to Call Scheduling Menu 26.1 - Schedule Set Setup Figure 36-2Schedule Set Setup Duration Table 36-1Schedule Set Setup Page Figure 36-3Applying Schedule Set(s) to a Remote Node (PPPoE) Figure 36-4Applying Schedule Set(s) to a Remote Node (PPTP) 37.1 Introduction 37.2 IPSec Summary Screen Page Page 37.3 IPSec Setup Figure 37-4Menu 27.1.1: IPSec Setup a VPN Table 37-2Menu 27.1.1: IPSec Setup Page Page Page Page 37.4 IKE Setup Figure Page 37.5 Manual Setup 37.5.1 Active Protocol 37.5.2 Security Parameter Index (SPI) Edit Manual Setup Figure 37-6Menu 27.1.1.2: Manual Setup Table 37-5Menu 27.1.1.2: Manual Setup Page 38.1 Introduction 38.2Using SA Monitor Table 38-1Menu 27.2: SA Monitor Part XV: General Appendices Page Appendix A Troubleshooting Problems Starting Up the ZyWALL Chart 1 Troubleshooting the Start-Upof Your ZyWALL Problems with the Password Problems with the LAN Interface Chart 3 Troubleshooting the LAN Interface Problems with the WAN Interface Chart 4 Troubleshooting the WAN Interface Problems with Internet Access Chart 5 Troubleshooting Internet Access Problems with Remote Management Chart 6 Troubleshooting Telnet Page Windows 95/98/Me Page Page Windows 2000/NT/XP Page Page Page Macintosh OS 8/9 Page TCP/IP Control Panel Macintosh OS Check your TCP/IP properties in the Network window Page Appendix C Triangle Route The Ideal Setup Diagram 1 Ideal Setup The “Triangle Route” Problem Diagram 2 “Triangle Route” Problem The “Triangle Route” Solutions IP Aliasing Diagram 3 IP Alias Gateways on the WAN Side Diagram 4 Gateways on the WAN Side How To Configure Triangle Route: Page Appendix D Wireless LAN and IEEE Benefits of a Wireless LAN IEEE Ad-hocWireless LAN Configuration Diagram D-1 Peer-to-PeerCommunication in an Ad-hocNetwork Infrastructure Wireless LAN Configuration Diagram D-2ESS Provides Campus-WideCoverage Page Appendix E Wireless LAN With IEEE Security Flaws with IEEE Deployment Issues with IEEE Advantages of the IEEE RADIUS Server Authentication Sequence Appendix F Types of EAP Authentication EAP-MD5 EAP-TLS EAP-TTLS Page Appendix G PPPoE PPPoE in Action Benefits of PPPoE Traditional Dial-upScenario ZyWALL as a PPPoE Client Diagram G-2ZyWALL as a PPPoE Client Appendix H PPTP What is PPTP How can we transport PPP frames from a PC to a broadband modem over Ethernet Diagram H-1Transport PPP frames over Ethernet Diagram H-2PPTP Protocol Overview Control & PPP connections Diagram H-3Example Message Exchange between PC and an ANT Page Appendix IP Subnetting IP Addressing IP Classes Chart I-1Classes of IP Addresses Chart I-2Allowed IP Address Range By Class Subnet Masks Chart I-3“Natural” Masks Subnetting Chart I-4Alternative Subnet Mask Notation Example: Two Subnets Chart I-5Subnet Chart I-6Subnet Example: Four Subnets Chart I-7Subnet Chart I-8Subnet Chart I-9Subnet Chart I-10Subnet Example Eight Subnets Chart I-11Eight Subnets Chart I-12Class C Subnet Planning Subnetting With Class A and Class B Networks Chart I-13Class B Subnet Planning Page Page Page Part XVI: Command, Log Appendices and Index Page Appendix K Command Interpreter Menu 24.8 - Command Interpreter Mode Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable Page Appendix L Firewall Commands Chart L-1 Page Page Page Page Page Appendix M NetBIOS Filter Commands Introduction Display NetBIOS Filter Settings Diagram Chart M-1NetBIOS Filter Default Settings NetBIOS Filter Configuration Page Page Appendix N Boot Commands Diagram N-1Option to Enter Debug Mode Diagram N-2Boot Module Commands Appendix O Log Descriptions Chart O-1System Error Logs Chart O-2System Maintenance Logs Chart O-3UPnP Logs Chart O-4Content Filtering Logs Chart O-5Attack Logs Page Page Chart O-6Access Logs Page Page Page Chart O-7ACL Setting Notes Chart O-8ICMP Notes Page Chart O-9Sys log VPN/IPSec logs Diagram O-1Example VPN Initiator IPSec Log VPN Responder IPSec Log Diagram O-2Example VPN Responder IPSec Log Double exclamation marks (!!) denote an error or warning message A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-sharedkey Chart O-10Sample IKE Key Exchange Logs Page Chart O-11Sample IPSec Logs During Packet Transmission Chart O-12 RFC-2408ISAKMP Payload Types Log Commands Chart O-13Log Categories and Available Settings Log Command Example Page Appendix P Brute-ForcePassword Guessing Protection Chart P-1 Brute-ForcePassword Guessing Protection Commands Page Appendix Q Index