ZyXEL Communications ZyWALL 70 User Manual

ZyWALL 70

Internet Security Gateway
Quick Start Guide
Version 3.64
3/2005
Table of Contents
ENGLISH, DEUTSCH, ESPAÑOL, FRANÇAIS, ITALIANO, 中文

ENGLISH


Overview

The ZyWALL 70 is a load-balancing, dual WAN firewall with VPN, bandwidth management, content filtering and many other features. You can use it as a transparent firewall without reconfiguring your network or configuring the ZyWALL’s routing features. The ZyWALL increases network security by providing DMZ ports for use with publicly accessible servers. This guide covers the initial connections and configuration needed to start using the ZyWALL in your network.
See the User’s Guide for more information on all features.
You may need your Internet access information.
This guide is divided into the following sections.
1 Hardware Connections
2 Accessing the Web Configurator
3 Bridge Mode
4 Internet Access Setup
5 DNS
6 NAT
7 Firewall
8 VPN Rule Setup
9 myZyXEL.com Product Registration
10 External Database Content Filtering
11 Troubleshooting

1 Hardware Connections

You need the following.
ZyWALL, computer, Ethernet cables and power cord.
Do the following to make hardware connections for initial setup.
1 Use an Ethernet cable to connect the LAN port to a computer. You can also use Ethernet cables to connect public servers (web, e-mail, FTP, etc.) to the DMZ ports.
2 Use another Ethernet cable(s) to connect the WAN 1 and/or WAN 2 port to an Ethernet jack with Internet access.
3 Use the included power cord to connect the power socket (on the rear panel) to a power outlet.
4 Push the power switch to the on position and look at the front panel. The PWR LED turns on. The SYS LED blinks while performing system testing and then stays on if the testing is successful. The ACT, CARD, LAN, DMZ, and WAN LEDs turn on and stay on if the corresponding connections are properly made.

2 Accessing the Web Configurator

Use this section to configure the WAN 1 interface for Internet access.
1 Launch your web browser. Enter 192.168.1.1 (the ZyWALL’s default IP address) as the address. If the login screen does not display, see Section 11.1 to set your computer’s IP address.
2 Click Login (the default password 1234 is already entered).
3 Change the login password by entering a new password and clicking Apply.
4 Click Apply to replace the ZyWALL’s default digital certificate.
5 The HOME screen opens.
The ZyWALL is in router mode by default. Continue to the next step if you want to use routing features such as NAT, DHCP and VPN.
Go to Section 3 if you prefer to use the ZyWALL as a transparent firewall.
6 Check the Network Status table. If the WAN 1 status is not Down and there is an IP address, go to Section 5.
If the WAN 1 status is Down (or there is not an IP address), click Internet Access and use Section 4 to configure WAN 1.
Use the NETWORK WAN screens if you need to configure WAN 2. You can also configure load balancing between the WAN ports.

3 Bridge Mode

When you set the ZyWALL to bridge mode, it functions as a transparent firewall. Do the following to set the ZyWALL to bridge mode.
1 Click MAINTENANCE in the navigation panel and then Device Mode.
2 Select Bridge and configure a (static) IP address, subnet mask and gateway IP address for the ZyWALL’s LAN, WAN, DMZ and WLAN interfaces.
3 Click Apply. The ZyWALL restarts.
Skip to Section 5 if you have servers that need to be accessible from the WAN.

4 Internet Access Setup

Enter the Internet access information exactly as given to you.
If you were given an IP address to use, select Static in the IP Address Assignment drop-down list box and enter the information provided.
Note: The fields vary depending on what you select in the Encapsulation field. Fill them in with the information provided by the ISP or network administrator.
Click Finish when you are done.
Ethernet Encapsulation
Configure a Roadrunner service in the NETWORK WAN screens (use the WAN 1 tab).
PPP over Ethernet or PPTP Encapsulation
Select Nailed-Up when you want your connection up all the time (this could be expensive if your ISP bills you for Internet usage time instead of a flat monthly fee).
If you do not want the connection up all the time, specify an idle time-out period (in seconds) in Idle Timeout.

5 DMZ

The DeMilitarized Zone (DMZ) allows public servers (web, e-mail, FTP, etc.) to be visible to the outside world and still have firewall protection from DoS (Denial of Service) attacks.
Unlike the LAN, the ZyWALL does not assign TCP/IP configuration via DHCP to computers connected to the DMZ ports. Configure the computers with static IP addresses (in the same subnet as the DMZ port's IP address) and DNS server addresses. Use the ZyWALL's DMZ IP address as the default gateway.
Do the following to configure the DMZ if the ZyWALL is in routing mode.
Note: You do not need to configure the DMZ in bridge mode; skip to Section 7.
1 Click DMZ in the navigation panel.
2 Specify an IP address and subnet mask for the DMZ interface.
If you use private IP addresses on the DMZ, use NAT to make the servers publicly accessible (see Section 6).
A public IP address must be on a separate subnet from the WAN port’s public IP address. If you do not configure NAT for the public IP addresses on the DMZ, the ZyWALL routes traffic to the public IP addresses on the DMZ without performing NAT. This may be useful for hosting servers for NAT unfriendly applications.
3 Click Apply.
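A scripted check of the addressing rules in this section, as an added example that is not part of the ZyXEL guide: DMZ servers need static addresses in the DMZ port's subnet with the ZyWALL's DMZ IP as gateway, private addresses need NAT to be reachable from the WAN, and a public DMZ subnet must not overlap the WAN port's. The function names, finding codes and all addresses are constructed for illustration (10.0.0.20 is the server address used in the guide's NAT example).

```python
import ipaddress

# RFC 1918 ranges, listed explicitly because ipaddress.is_private also
# covers documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def check_dmz_plan(dmz_if, wan_if, hosts, forwarded=()):
    """Check a DMZ addressing plan; return a list of (subject, code) findings.

    dmz_if, wan_if: interface address with prefix length, e.g. "10.0.0.1/24".
    hosts: {name: {"ip": str, "gateway": str}} for servers on the DMZ ports.
    forwarded: server IPs that already have a NAT port-forwarding rule.
    """
    dmz = ipaddress.ip_interface(dmz_if)
    wan = ipaddress.ip_interface(wan_if)
    forwarded = {ipaddress.ip_address(a) for a in forwarded}
    findings = []

    # Public DMZ addresses must sit on a subnet separate from the WAN port's.
    if not is_rfc1918(dmz.ip) and dmz.network.overlaps(wan.network):
        findings.append(("dmz", "overlaps-wan-subnet"))

    for name, cfg in sorted(hosts.items()):
        ip = ipaddress.ip_address(cfg["ip"])
        gw = ipaddress.ip_address(cfg["gateway"])
        # No DHCP is offered on the DMZ, so every server carries a static
        # address that must fall inside the DMZ port's subnet.
        if ip not in dmz.network:
            findings.append((name, "outside-dmz-subnet"))
            continue
        if ip == dmz.ip:
            findings.append((name, "duplicates-dmz-port-ip"))
        # The default gateway has to be the ZyWALL's DMZ IP address.
        if gw != dmz.ip:
            findings.append((name, "gateway-not-dmz-ip"))
        # Private addresses are reachable from the WAN only through NAT.
        if is_rfc1918(ip) and ip not in forwarded:
            findings.append((name, "private-ip-without-nat"))
    return findings


# Constructed sample plan for illustration.
SAMPLE_HOSTS = {
    "web":  {"ip": "10.0.0.20", "gateway": "10.0.0.1"},
    "mail": {"ip": "10.0.0.21", "gateway": "10.0.0.1"},
    "ftp":  {"ip": "10.0.1.5",  "gateway": "10.0.0.1"},
    "dns":  {"ip": "10.0.0.22", "gateway": "192.168.1.1"},
}

if __name__ == "__main__":
    for subject, code in check_dmz_plan("10.0.0.1/24", "203.0.113.10/29",
                                        SAMPLE_HOSTS, forwarded=["10.0.0.20"]):
        print(f"{subject}: {code}")
```

A "private-ip-without-nat" finding is only a problem for servers that are meant to be reachable from the WAN.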

6 NAT

NAT (Network Address Translation - NAT, RFC 1631) means the translation of an IP address in one network to a different IP address in another. You can use the NAT Address Mapping screens to have the ZyWALL translate multiple public IP addresses to multiple private IP addresses on your LAN (or DMZ).
The following example allows access from the WAN to an HTTP (web) server on the DMZ. The server has a private IP address of 10.0.0.20.
1 Click NAT in the navigation panel and then Port Forwarding.
2 Select the Active check box.
3 Type a name for the rule.
4 Type the port number that the service uses.
5 Type the HTTP server’s IP address.
6 Click Apply.

7 Firewall

You can use the ZyWALL without configuring the firewall.
The ZyWALL’s firewall is pre-configured to protect your LAN from attacks from the Internet. By default, no traffic can enter your LAN unless a request was generated on the LAN first. The ZyWALL allows access to the DMZ from the WAN or LAN, but blocks traffic from the DMZ to the LAN.
If you are using the ZyWALL in router mode, continue with the next section. For bridge mode, skip to Section 9.

8 VPN Rule Setup

A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network.
A gateway policy identifies the IPSec routers at either end of a VPN tunnel.
A network policy specifies which devices (behind the IPSec routers) can use the VPN tunnel.
This figure helps explain the main fields in the wizard screens.
1 Click VPN in the HOME screen (you may need to scroll up to see the link) to open the VPN wizard.
Note: Your settings are not saved when you click Back.
2 Use this screen to configure the gateway policy.
Name: Enter a name to identify the gateway policy.
Remote Gateway Address: Enter the IP address or domain name of the remote IPSec router.
3 Use this screen to configure the network policy.
Leave the Active check box selected.
Name: Enter a name to identify the network policy.
Select Single and enter an IP address for a single IP address.
Select Range IP and enter starting and ending IP addresses for a specific range of IP addresses.
Select Subnet and enter an IP address and subnet mask to specify IP addresses on a network by their subnet mask.
Note: Make sure that the remote IPSec router uses the same security settings that you configure in the next two screens.
4 Use this screen to configure IKE (Internet Key Exchange) tunnel settings.
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: Select 3DES or AES for stronger (and slower) encryption.
Authentication Algorithm: Select MD5 for minimal security or SHA-1 for higher security.
Key Group: Select DH2 for higher security.
SA Life Time: Set how often the ZyWALL renegotiates the IKE SA (minimum 180 seconds). A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
Pre-Shared Key: Use 8 to 31 case-sensitive ASCII characters or 16 to 62 hexadecimal ("0-9", "A-F") characters. Precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key.
5 Use this screen to configure IPSec settings.
Encapsulation Mode: Tunnel is compatible with NAT, Transport is not.
IPSec Protocol: ESP is compatible with NAT, AH is not.
Perfect Forward Secrecy (PFS): None allows faster IPSec setup, but DH1 and DH2 are more secure.
6 Check your VPN settings. Click Finish to save the settings.
7 Click Close in the final screen to complete the VPN wizard setup. Continue with the next section to activate the VPN rule and establish a VPN connection.
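The wizard rules above expressed as a check to run over both routers' planned settings before entering them, as an added example that is not part of the ZyXEL guide. The dictionary keys, finding codes and sample values are this example's own; rejecting lowercase hex digits and limiting ASCII keys to printable characters are assumptions, since the guide only lists "0-9" and "A-F".

```python
GUIDE_HEX = set("0123456789ABCDEF")   # the guide lists "0-9" and "A-F" only

# Settings the guide asks to be identical on both IPSec routers
# (key names are hypothetical, chosen for this example).
SHARED_FIELDS = ("negotiation_mode", "encryption", "authentication",
                 "key_group", "sa_life_time", "pre_shared_key",
                 "encapsulation", "ipsec_protocol", "pfs")


def check_psk(psk):
    """Classify a pre-shared key as 'hex' or 'ascii' and list rule violations."""
    problems = []
    if psk.startswith("0x"):              # a leading "0x" is read as a hex key
        body = psk[2:]                    # "0x" is not counted in the length
        if not 16 <= len(body) <= 62:
            problems.append("psk-hex-length")
        if set(body) - GUIDE_HEX:
            problems.append("psk-non-hex-character")
        return "hex", problems
    if not 8 <= len(psk) <= 31:
        problems.append("psk-ascii-length")
    if not all(32 <= ord(c) < 127 for c in psk):   # printable ASCII (assumption)
        problems.append("psk-non-ascii-character")
    return "ascii", problems


def check_vpn_settings(s, nat_in_path=False):
    """Return findings for one router's wizard settings (dict keyed as above)."""
    findings = check_psk(s["pre_shared_key"])[1]
    if s["sa_life_time"] < 180:           # seconds; the guide's stated minimum
        findings.append("sa-life-time-below-minimum")
    if s["negotiation_mode"] != "Main":   # only Main Mode protects identities
        findings.append("no-identity-protection")
    if s["encryption"] not in ("3DES", "AES"):
        findings.append("weaker-encryption")
    if s["authentication"] == "MD5":      # "minimal security" per the guide
        findings.append("md5-minimal-security")
    if s["key_group"] != "DH2":
        findings.append("weaker-key-group")
    if s["pfs"] == "None":
        findings.append("pfs-disabled")
    if nat_in_path and s["encapsulation"] == "Transport":
        findings.append("transport-mode-behind-nat")
    if nat_in_path and s["ipsec_protocol"] == "AH":
        findings.append("ah-behind-nat")
    return findings


def peer_mismatches(local, remote):
    """Fields where the two routers' settings differ."""
    return [f for f in SHARED_FIELDS if local[f] != remote[f]]


# Constructed sample settings; the key is a placeholder, not a real secret.
LOCAL = dict(negotiation_mode="Main", encryption="AES", authentication="SHA-1",
             key_group="DH2", sa_life_time=28800,
             pre_shared_key="0x" + "A1B2C3D4E5F60718",
             encapsulation="Tunnel", ipsec_protocol="ESP", pfs="DH2")
REMOTE = dict(LOCAL, authentication="MD5", pfs="None", pre_shared_key="short")

if __name__ == "__main__":
    print(check_vpn_settings(REMOTE))
    print(peer_mismatches(LOCAL, REMOTE))
```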

8.1 Using the VPN Connection

Use VPN tunnels to securely send and retrieve files, and allow remote access to corporate networks, web servers and e-mail. Services work as if you were at the office instead of connected through the Internet.
For example, the “test” VPN rule allows secure access to a web server on a remote corporate LAN. Enter the server’s IP address (10.0.0.23 in this example) as your browser’s URL. The ZyWALL automatically builds the VPN tunnel when you attempt to use it.
Click VPN in the navigation panel and then the SA Monitor tab to display a list of connected VPN tunnels (the “test” VPN tunnel is up here).

9 myZyXEL.com Product Registration

myZyXEL.com is ZyXEL’s online services center where you can register your ZyXEL device.
1 Go to myZyXEL.com using your web browser.
2 Create a new account (if you don’t have one already).
Note: You are automatically logged out of your myZyXEL.com account after five minutes of inactivity. Simply log back into your myZyXEL.com account if this happens to you.
3 After you create an account, you will receive a confirmation e-mail. Click the URL in the e-mail to activate your account.
4 Click Continue to go to the myZyXEL.com login screen.
5 Log in.
6 Click the link and register your ZyXEL device.
7 Click Add.
8 Enter the product serial number in the Serial Number field.
9 Your device category and model number automatically display in the Category and Model fields respectively. Otherwise, select the correct ones from the drop-down list boxes.
10 Enter the device’s MAC address in the Authentication Code field (it may already be displayed).
11 Enter a descriptive name in the Friendly Name field for identification purposes.
12 Click Register.
13 Specify the purchase information and click Continue.
14 Click Continue again to complete the process.
15 After you have registered your ZyXEL device, you can view its registration details in the Service Management screen. The ZyXEL device is now registered, but content filtering is not activated. To activate content filtering, you need to access myZyXEL.com via your device. Continue with the next section.

10 External Database Content Filtering

When you register for and enable external database content filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories. Register your ZyWALL at myZyXEL.com (see Section 9) and then do the following to register for external database content filtering.
1 In your ZyXEL device’s web configurator, click CONTENT FILTER, Categories and then the Register button.
Note: You must also use the ZyWALL’s web configurator CONTENT FILTER screens to configure and enable content filtering.
2 The myZyXEL.com login screen opens.
3 Enter the user name and password from your myZyXEL.com account.
4 Click My Product in the navigation panel.
5 Click the product name link for your device to view its registration details in the Service Management screen.
6 Click Activate for the content filter service to display the next screen.
7 If you want to use the trial, click Submit under Content Filtering Trial. The trial period begins the date you apply.
You cannot apply for a trial if you’ve already used a trial or registered an iCard’s PIN number.
If you purchased an iCard, enter the PIN code exactly as shown on your iCard in the License Key (PIN code) field. Select the date when you want your content filtering to start and click Submit under Registration Information.
8 A screen displays showing you the service is registered. Click Continue to proceed to the Service Management screen.
9 If you are currently using a trial, you can still register the PIN code from an iCard by clicking Upgrade in the Service Activation field of the Service Management screen.

11 Troubleshooting

Problem: None of the LEDs turn on.
Corrective Action: Make sure that you have the power cord connected to the ZyWALL and plugged in to an appropriate power source. Make sure you have the ZyWALL turned on. Check all cable connections.
If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact your local vendor.

Problem: Cannot access the ZyWALL from the LAN.
Corrective Action: Check the cable connection between the ZyWALL and your computer or hub. Refer to Section 1 for details.
Ping the ZyWALL from a LAN computer. Make sure your computer’s Ethernet card is installed and functioning properly.
In the computer, click Start, (All) Programs, Accessories and then Command Prompt. In the Command Prompt window, type "ping" followed by the ZyWALL’s LAN IP address (192.168.1.1 is the default) and then press [ENTER]. The ZyWALL should reply. Otherwise, refer to Section 11.1.
If you’ve forgotten the ZyWALL’s password, use the RESET button. Press the button in for about 10 seconds (or until the PWR LED starts to blink), then release it. It returns the ZyWALL to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.; see your User’s Guide for details).
If you’ve forgotten the ZyWALL’s LAN or WAN IP address, you can check the IP address in the SMT via the console port. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 9600 bps port speed.

Problem: Cannot access the Internet.
Corrective Action: Check the ZyWALL’s connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly.
Click WAN in the navigation panel to verify your settings.

Problem: Cannot establish a VPN connection.
Corrective Action: Make sure the ZyWALL and the remote IPSec router use the same VPN settings. Click VPN in the navigation panel to configure advanced settings. Access a web site to check that you have a successful Internet connection.

11.1 Set Up Your Computer’s IP Address

This section shows you how to set up your computer to receive an IP address in Windows 2000, Windows NT and Windows XP. This ensures that your computer can communicate with your ZyWALL.
1 In Windows XP, click Start, Control Panel.
In Windows 2000/NT, click Start, Settings, Control Panel.
2 In Windows XP, click Network Connections.
In Windows 2000/NT, click Network and Dial-up Connections.
3 Right-click Local Area Connection and then click Properties.
4 Select Internet Protocol (TCP/IP) (under the General tab in Windows XP) and click Properties.
5 The Internet Protocol TCP/IP Properties screen opens (the General tab in Windows XP). Select the Obtain an IP address automatically and Obtain DNS server address automatically options.
6 Click OK to close the Internet Protocol (TCP/IP) Properties window.
7 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
8 Close the Network Connections screen.

11.2 Procedure to View a Product’s Certification(s)

1 Go to www.zyxel.com.
2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

DEUTSCH

Overview

The ZyWALL 70 is a load-balancing, dual WAN firewall with VPN, bandwidth management, content filtering and many other features. You can use it as a transparent firewall without reconfiguring the network or configuring the device’s routing features. The ZyWALL increases network security by providing DMZ ports for use with publicly accessible servers. This guide describes the connections and the configuration needed to use the ZyWALL in your network.
See the User’s Guide for a detailed description of all features.
Please have your Internet access information ready.
This guide is divided into the following sections.
1 Hardware Connections
2 Accessing the Web Configurator
3 Bridge Mode
4 Internet Access Setup
5 DNS
6 NAT
7 Firewall
8 VPN Rule Setup
9 myZyXEL.com Product Registration
10 External Database Content Filtering
11 Troubleshooting

1 Hardware Connections

You need the following:
ZyWALL, computer, Ethernet cables and power cord.
When you install the device, connect the hardware as follows.
1 Use an Ethernet cable to connect the LAN port to the computer. You can also use Ethernet cables to connect public servers (web, e-mail, FTP, etc.) to the DMZ ports.
2 Use another Ethernet cable to connect the WAN 1 and/or WAN 2 port to the Ethernet jack with Internet access.
3 Use the included power cord to connect the device’s power socket (on the rear panel) to a power outlet.
4 Push the power switch to the On position and look at the front panel. The PWR LED turns on. The SYS LED blinks during the system test. If the test completes successfully, this LED stays on. The ACT, CARD, LAN, DMZ and WAN LEDs turn on and stay on if the corresponding connections are properly made.

2 Accessing the Web Configurator

This section describes how to configure the WAN 1 interface for Internet access.
1 Launch your web browser. Enter 192.168.1.1 (the ZyWALL’s default IP address) as the address. If the login screen does not display, see Section 11.1 to set your computer’s IP address.
2 Click Login (the default password 1234 is already entered).
3 Change the password by entering a new password and clicking Apply.
4 Click Apply to replace the ZyWALL’s default digital certificate.
5 The HOME screen opens.
The ZyWALL is in router mode by default. If you want to use routing features such as NAT, DHCP or VPN, continue to the next step.
Go to Section 3 if you want to use the ZyWALL as a transparent firewall.
6 Check the Network Status table. If the WAN 1 status is not Down and an IP address is shown, go to Section 5.
If the WAN 1 status is Down (or no IP address is shown), click Internet Access and use Section 4 to configure WAN 1.
Use the NETWORK WAN screens if you want to configure WAN 2. You can also configure load balancing between the WAN ports.

3 Bridge Mode

When you set the ZyWALL to bridge mode, it functions as a transparent firewall. Set the ZyWALL to bridge mode as follows:
1 Click MAINTENANCE in the navigation panel and then Device Mode.
2 Select Bridge and configure a (static) IP address, subnet mask and gateway IP address for the ZyWALL’s LAN, WAN, DMZ and WLAN interfaces.
3 Click Apply. The ZyWALL restarts.
Continue to Section 5 if you have servers that you need to access from the WAN.

4 Internet Access Setup

Enter the Internet access information exactly as it was given to you.
If you were given an IP address, select Static in the IP Address Assignment list box and enter the information there.
Note: The fields vary depending on what you select in the Encapsulation field. Enter the information provided by your Internet service provider or network administrator.
Click Finish when you are done.
Ethernet Encapsulation
Configure a Roadrunner service in the NETWORK WAN screens (on the WAN 1 tab).
PPP over Ethernet or PPTP Encapsulation
Select Nailed-Up when you want the connection up all the time (this can be very expensive if your Internet service provider bills you for usage time instead of a flat monthly fee).
If the connection should not be up all the time, specify an idle time-out period (in seconds) in Idle Timeout.

5 DMZ

The DeMilitarized Zone (DMZ) allows public servers (web, e-mail, FTP, etc.) to be visible to the outside world while still having firewall protection from DoS (Denial of Service) attacks.
Unlike the LAN, the ZyWALL does not assign TCP/IP configuration via DHCP to computers connected to the DMZ ports. Configure the computers with static IP addresses (in the same subnet as the DMZ port’s IP address) and DNS server addresses. Use the ZyWALL’s DMZ IP address as the default gateway.
Do the following to configure the DMZ if the ZyWALL is in routing mode.
Note: The DMZ does not need to be configured in bridge mode. Continue to Section 7.
1 Click DMZ in the navigation panel.