How it Works
ZyXEL Communications
Loading...
VGN-CR
User Manual
96 pgs2.51 Mb0

ZyXEL Communications VGN-CR User Manual

ZyWALL 10~100 Series
Internet Security Gateway
Reference Guide
Versions 3.52, 3.60 and 3.61
March 2003
Copyright
Copyright © 2003 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice.
This publication is subject to change without notice.
Trademarks
Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
ii Copyright
Federal Communications Commission (FCC)
Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations. This equipment has been tested and found to comply with the limits for a CLASS B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and the receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
Certifications
Refer to the product page at www.zyxel.com.
FCC iii
Information for Canadian Users
The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection. In some cases, the company's inside wiring associated with a single line individual service may be extended by means of a certified connector assembly. The customer should be aware that the compliance with the above conditions may not prevent degradation of service in some situations. Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may give the telecommunications company cause to request the user to disconnect the equipment. For their own protection, users should ensure that the electrical ground connections of the power utility, telephone lines, and internal metallic water pipe system, if present, are connected together. This precaution may be particularly important in rural areas.
Caution
Users should not attempt to make such connections themselves, but should contact the appropriate electrical inspection authority, or electrician, as appropriate.
Note
This digital apparatus does not exceed the class A limits for radio noise emissions from digital apparatus set out in the radio interference regulations of Industry Canada.
iv Information for Canadian Users
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
NOTE
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser. To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Online Registration
Register online registration at www.zyxel.com for free future product updates and information.
Warranty v
Customer Support
When you contact your customer support representative please have the following information ready: Please have the following information ready when you contact customer support.
Product model and serial number.
Information in Menu 24.2.1 – System Information.
Warranty Information.
Date that you received your device.
Brief description of the problem and the steps you took to solve it.
LOCATION WORLDWIDE
AMERICA
METHOD
support@zyxel.com.tw
sales@zyxel.com.tw
support@zyxel.com +1-714-632-0882
sales@zyxel.com
support@zyxel.dk +45-3955-0700 www.zyxel.dk SCANDINAVIA
sales@zyxel.dk
support@zyxel.de +49-2405-6909-0 www.zyxel.de GERMANY
sales@zyxel.de
E-MAIL
SUPPORT/SALES
+886-3-578-2439 ftp.europe.zyxel.com
+1-714-632-0858 ftp.zyxel.com
+45-3955-0707 ftp.zyxel.dk
+49-2405-6909-99
TELEPHONE/FAX WEB SITE/ FTP SITE REGULAR MAIL
+886-3-578-3942 www.zyxel.com
www.europe.zyxel.com
www.zyxel.com NORTH
800-255-4101
ZyXEL Communications Corp., 6 Innovation Road II, Science­Based Industrial Park, Hsinchu 300, Taiwan
ZyXEL Communications Inc., 1650 Miraloma Avenue, Placentia, CA 92870, U.S.A.
ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark
ZyXEL Deutschland GmbH. Adenauerstr. 20/A2 D-52146 Wuerselen, Germany
vi Customer Support
Table of Contents
Copyright......................................................................................................................................................ii
Federal Communications Commission (FCC) Interference Statement................................................. iii
Information for Canadian Users ...............................................................................................................iv
ZyXEL Limited Warranty ..........................................................................................................................v
Customer Support ......................................................................................................................................vi
List of Diagrams..........................................................................................................................................ix
List of Charts ...............................................................................................................................................x
Preface ........................................................................................................................................................xii
General Information........................................................................................................................................ I
Chapter 1 Setting up Your Computer’s IP Address.............................................................................. 1-1
Chapter 2 Triangle Route........................................................................................................................ 2-1
Chapter 3 The Big Picture ...................................................................................................................... 3-1
Chapter 4 Wireless LAN and IEEE 802.11............................................................................................ 4-1
Chapter 5 Wireless LAN With IEEE 802.1x .........................................................................................5-1
Chapter 6 PPPoE..................................................................................................................................... 6-1
Chapter 7 PPTP....................................................................................................................................... 7-1
Chapter 8 IP Subnetting.......................................................................................................................... 8-1
Command and Log Information....................................................................................................................II
Chapter 9 Command Interpreter ........................................................................................................... 9-1
Chapter 10 Firewall Commands........................................................................................................... 10-1
Chapter 11 NetBIOS Filter Commands ................................................................................................11-1
Chapter 12 Boot Commands................................................................................................................. 12-1
Chapter 13 Log Descriptions ................................................................................................................ 13-1
Chapter 14 Brute-Force Password Guessing Protection .................................................................... 14-1
Index............................................................................................................................................................... III
Table of Contents vii
Index ............................................................................................................................................................ A
viii Table of Contents
List of Diagrams
Diagram 2-1 Ideal Setup ................................................................................................................................ 2-1
Diagram 2-2 “Triangle Route” Problem ........................................................................................................ 2-2
Diagram 2-3 IP Alias...................................................................................................................................... 2-2
Diagram 2-4 Gateways on the WAN Side...................................................................................................... 2-3
Diagram 3-1 Big Picture— Filtering, Firewall, VPN and NAT ..................................................................... 3-1
Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network................................................................ 4-3
Diagram 4-2 ESS Provides Campus-Wide Coverage..................................................................................... 4-4
Diagram 5-1 Sequences for EAP MD5–Challenge Authentication................................................................ 5-2
Diagram 6-1 Single-PC per Modem Hardware Configuration....................................................................... 6-1
Diagram 6-2 ZyWALL as a PPPoE Client ..................................................................................................... 6-2
Diagram 7-1 Transport PPP frames over Ethernet ......................................................................................... 7-1
Diagram 7-2 PPTP Protocol Overview .......................................................................................................... 7-2
Diagram 7-3 Example Message Exchange between PC and an ANT ............................................................ 7-3
Diagram 11-1 NetBIOS Display Filter Settings Command Without DMZ Example....................................11-2
Diagram 11-2 NetBIOS Display Filter Settings Command With DMZ Example.........................................11-2
Diagram 12-1 Option to Enter Debug Mode................................................................................................ 12-1
Diagram 12-2 Boot Module Commands...................................................................................................... 12-2
Diagram 13-1 Example VPN Initiator IPSec Log ...................................................................................... 13-12
Diagram 13-2 Example VPN Responder IPSec Log.................................................................................. 13-12
List of Diagrams ix
List of Charts
Chart 8-1 Classes of IP Addresses ..................................................................................................................8-1
Chart 8-2 Allowed IP Address Range By Class ..............................................................................................8-2
Chart 8-3 “Natural” Masks .............................................................................................................................8-2
Chart 8-4 Alternative Subnet Mask Notation..................................................................................................8-3
Chart 8-5 Subnet 1 ..........................................................................................................................................8-4
Chart 8-6 Subnet 2 ..........................................................................................................................................8-4
Chart 8-7 Subnet 1 ..........................................................................................................................................8-5
Chart 8-8 Subnet 2 ..........................................................................................................................................8-5
Chart 8-9 Subnet 3 ..........................................................................................................................................8-5
Chart 8-10 Subnet 4 ........................................................................................................................................8-6
Chart 8-11 Eight Subnets................................................................................................................................8-6
Chart 8-12 Class C Subnet Planning...............................................................................................................8-7
Chart 8-13 Class B Subnet Planning...............................................................................................................8-7
Chart 10-1 Firewall Commands....................................................................................................................10-1
Chart 11-1 NetBIOS Filter Default Settings ................................................................................................. 11-2
Chart 13-1 System Error Logs......................................................................................................................13-1
Chart 13-2 System Maintenance Logs..........................................................................................................13-1
Chart 13-3 UPnP Logs.................................................................................................................................. 13-2
Chart 13-4 Content Filtering Logs................................................................................................................13-2
Chart 13-5 Attack Logs.................................................................................................................................13-2
Chart 13-6 Access Logs ................................................................................................................................13-5
Chart 13-7 ACL Setting Notes ......................................................................................................................13-9
Chart 13-8 ICMP Notes ..............................................................................................................................13-10
Chart 13-9 Sys log ......................................................................................................................................13-11
Chart 13-10 Sample IKE Key Exchange Logs ...........................................................................................13-13
x List of Charts
Chart 13-11 Sample IPSec Logs During Packet Transmission .................................................................. 13-15
Chart 13-12 RFC-2408 ISAKMP Payload Types.......................................................................................13-16
Chart 13-13 Log Categories and Available Settings................................................................................... 13-17
Chart 14-1 Brute-Force Password Guessing Protection Commands............................................................ 14-1
List of Charts xi
Preface
About Your ZyWALL
Congratulations on your purchase of the ZyWALL Security Gateway.
About This User's Manual
This manual is designed to provide background information on some of the ZyWALL’s features. It also includes commands for use with the command interpreter. This manual may refer to the ZyWALL Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 10 to 100 models. Supported features and the details of the features, vary from model to model. Not every feature applies to every model; refer to the Model Comparison Chart in chapter 1 of the Web Configurator User’s Guide to see what features are specific to your ZyWALL model.
You may use the System Management Terminal (SMT), web configurator or
command interpreter interface to configure your ZyWALL. Not all features can be
configured through all interfaces.
Related Documentation
Support Disk
Refer to the included CD for support documents.
Read Me First or Quick Start Guide
The Read Me First or Quick Start Guide is designed to help you get up and running right away. It contains a detailed easy-to-follow connection diagram, default settings, handy checklists and information on setting up your network and configuring for Internet access.
SMT User’s Guide
This manual is designed to guide you through the configuration of your ZyWALL using the System Management Terminal.
Web Configurator User’s Guide
This manual is designed to guide you through the configuration of your ZyWALL using the embedded web configurator.
Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
Packing List Card
The Packing List Card lists all items that should have come in the package.
Certifications
Refer to the product page at www.zyxel.com
ZyXEL Glossary and Web Site Please refer to www.zyxel.com for an online glossary of networking terms and additional support
documentation.
for information on product certifications.
xii Preface
Syntax Conventions
“Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose” means for you to use one of the predefined choices.
The SMT menu titles and labels are in Bold Times New Roman font.
The choices of a menu item are in Bold Arial font.
A single keystroke is in Arial font and enclosed in square brackets, for instance, [ENTER] means the
Enter, or carriage return, key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys.
Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
For brevity’s sake, we will use “e.g.” as a shorthand for “for instance” and “i.e.” for “that is” or “in other words” throughout this manual.
Preface xiii
General Information
Part I:
General Information
This part provides background information about setting up your computer’s IP address, triangle
route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting.
I
Chapter 1
Setting up Your Computer’s IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.
Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.
After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network.
If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyWALL's LAN port.
Windows 95/98/Me
Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
Setting Up Your Computer’s IP Address 1-1
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
In the Network window, click Add.
a.
Select Adapter and then click Add.
b.
Select the manufacturer and model of your network adapter and then click OK.
c.
If you need TCP/IP:
In the Network window, click Add.
a.
Select Protocol and then click Add.
b.
Select Microsoft from the list of manufacturers.
c.
Select TCP/IP from the list of network protocols and then click OK.
d.
If you need Client for Microsoft Networks:
Click Add.
a.
Select Client and then click Add.
b.
Select Microsoft from the list of manufacturers.
c.
Select Client for Microsoft Networks from the list of network clients and then click OK.
d.
e. Restart your computer so the changes you made take effect.
In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
1-2
Setting Up Your Computer’s IP Address
Click the IP Address tab.
1.
-If your IP address is dynamic, select Obtain an IP address automatically.
-If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Click the DNS Configuration tab.
2.
-If you do not know your DNS information, select Disable DNS.
-If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
Setting Up Your Computer’s IP Address 1-3
Click the Gateway tab.
3.
-If you do not know your gateway’s IP address, remove previously installed gateways.
-If you have a gateway IP address, type it in the New gateway field and click Add.
Click OK to save and close the TCP/IP Properties window.
4.
Click OK to close the Network window. Insert the Windows CD if prompted.
5.
6. Turn on your ZyWALL and restart your computer when prompted.
Verifying Your Computer’s IP Address
Click Start and then Run.
1.
In the Run window, type "winipcfg" and then click OK to open the IP Configuration window.
2.
3. Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.
Windows 2000/NT/XP
1-4
Setting Up Your Computer’s IP Address
For Windows XP, click start, Control Panel. In
1. Windows 2000/NT, click Start, Settings, Control Panel.
For Windows XP, click Network
2.
Connections. For Windows 2000/NT, click Network and Dial-up Connections.
Right-click Local Area Connection and
3. then click Properties.
Setting Up Your Computer’s IP Address 1-5
Select Internet Protocol (TCP/IP) (under the
4. General tab in Win XP) and click Properties.
The Internet Protocol TCP/IP Properties
5. window opens (the General tab in Windows XP).
-If you have a dynamic IP address click Obtain an IP address automatically.
-If you have a static IP address click Use the
following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
Click Advanced.
1-6
Setting Up Your Computer’s IP Address
6. -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
-In the IP Settings tab, in IP addresses, click Add.
-In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
-Repeat the above two steps for each IP address you want to add.
-Configure additional default gateways in the IP
Settings tab by clicking Add in Default gateways.
-In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
-Click Add.
-Repeat the previous three steps for each default gateway you want to add.
-Click OK when finished.
Setting Up Your Computer’s IP Address 1-7
In the Internet Protocol TCP/IP Properties
7. window (the General tab in Windows XP):
-Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
-If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
Click OK to close the Internet Protocol (TCP/IP) Properties window.
8.
Click OK to close the Local Area Connection Properties window.
9.
10. Turn on your ZyWALL and restart your computer (if prompted).
Verifying Your Computer’s IP Address
Click Start, All Programs, Accessories and then Command Prompt.
1.
In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open
2.
Network Connections, right-click a network connection, click Status and then click the Support tab.
Macintosh OS 8/9
1-8
Setting Up Your Computer’s IP Address
Click the Apple menu, Control Panel and double-click
1. TCP/IP to open the TCP/IP Control Panel.
Select Ethernet built-in
2. from the Connect via list.
For dynamically assigned settings, select Using DHCP Server from the Configure: list.
3.
Setting Up Your Computer’s IP Address 1-9
4. For statically assigned settings, do the following:
-From the Configure box, select Manually.
-Type your IP address in the IP Address box.
-Type your subnet mask in the Subnet mask box.
-Type the IP address of your ZyWALL in the Router address box.
Close the TCP/IP Control Panel.
5.
Click Save if prompted, to save changes to your configuration.
6.
7. Turn on your ZyWALL and restart your computer (if prompted).
Verifying Your Computer’s IP Address
Check your TCP/IP properties in the TCP/IP Control Panel window.
Macintosh OS X
Click the Apple menu, and click System Preferences
1.
to open the System Preferences window.
1-10
Setting Up Your Computer’s IP Address
2.
Click Network in the icon bar.
- Select Automatic from the Location list.
- Select Built-in Ethernet from the Show list.
- Click the TCP/IP tab.
3.
For dynamically assigned settings, select Using DHCP from the Configure list.
4. For statically assigned settings, do the following:
-From the Configure box, select Manually.
-Type your IP address in the IP Address box.
-Type your subnet mask in the Subnet mask box.
-Type the IP address of your ZyWALL in the Router address box.
Click Apply Now and close the window.
5.
6. Turn on your ZyWALL and restart your computer (if prompted).
Verifying Your Computer’s IP Address
Check your TCP/IP properties in the Network window.
Setting Up Your Computer’s IP Address 1-11
Chapter 2
Triangle Route
The Ideal Setup
When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
Diagram 2-1 Ideal Setup
The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. Some companies have more than one alternate route to one or more ISPs. If the LAN and ISP(s) are in the same subnet, the “triangle route” problem may occur. The steps below describe the “triangle route” problem.
Step 1. A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server
on the WAN.
Step 2. The ZyWALL reroutes the SYN packet through Gateway B on the LAN to the WAN.
Step 3. The reply from the WAN goes directly to the computer on the LAN without going through the
ZyWALL.
As a result, the ZyWALL resets the connection, as the connection has not been acknowledged.
Triangle Route 2-1
Loading...
+ 67 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use