User Guide
Page 13
... trunks (groups of concurrent client NAT/firewall sessions. NAT Set up and manage HTTP redirection rules. RIP Configure device-level RIP settings. OSPF Configure device-level OSPF settings, including areas and virtual links. DDNS Profile Define and manage the ZyWALL's DDNS domain names. VPN ZyWALL USG100-PLUS User's Guide 13 Tunnel Configure tunneling between IPv4 and IPv6...
User Guide
Page 45
...application patrol to LAN traffic and how stateful inspection works. This example shows the ZyWALL's default firewall behavior for NAT (DNAT) and policy routes (SNAT). Figure 26 Default Firewall Action LAN WAN ZyWALL USG100-PLUS User's Guide 45 The firewall can use schedule, user, user ...; Device and Service Registration on page 47 • Anti-Virus Policy Configuration on page 48 • IDP Profile Configuration on page 50 • ADP Profile Configuration on page 51 • Content Filter Profile Configuration on page 54 • Viewing Content Filter Reports on page 56 ...
User Guide
Page 64
It may help to the ZyWALL. Check the configuration for NAT traversal. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for the following ZyWALL features. • The ZyWALL does not put IPSec SAs in each ... UDP port 4500 too. • Make sure regular firewall rules allow IPSec VPN traffic to identify a configuration problem. • If you are using a packet analyzer such as Wireshark). If the ZyWALL's certificate is self-signed, import it is signed by RIP and would take priority over the new VPN...
User Guide
Page 105
... the Configuration > Firewall and Configuration > Network > NAT screens to configure the corresponding firewall rules and NAT virtual server for the inbound service access. 5.4.1 What Can Go Wrong? • Using a greater TTL value makes DNS inbound load balancing become ineffective, although it can reduce the ZyWALL's loading...for 5 minutes. Select Enable, enter *.example.com as the member interfaces. ZyWALL USG100-PLUS User's Guide 105 Select any in the IP Address field and WAN in the Configuration table. The following screen appears. Total as the DNS request senders does not...
User Guide
Page 106
...to the HTTP server's private IP address of 192.168.3.7. Figure 41 Public Server Example Network Topology 192.168.3.7 DMZ 1.1.1.1 5.5.1 Configure NAT Create a NAT rule to send HTTP traffic coming to WAN IP address 1.1.1.1 to create a host address object named Public_HTTP_Server_IP for the HTTP server's... Set the Original IP to the Public_HTTP_Server_IP object and the Mapped IP to access the HTTP server. 106 ZyWALL USG100-PLUS User's Guide Keep Enable NAT Loopback selected to allow users connected to other interfaces to the DMZ_HTTP object. Chapter 5 Managing Traffic 5.5 How...
User Guide
Page 107
... 1.1.1.1 in order to access the HTTP server. If a domain name is the destination because the ZyWALL applies NAT to HTTP, and click OK. Set the Destination to access the web server. ZyWALL USG100-PLUS User's Guide 107 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Chapter...
User Guide
Page 108
... peer-to-peer Calls Example 192.168.1.56 10.0.0.8 5.6.1.1 Turn On the ALG Click Configuration > Network > ALG. The ZyWALL only applies a zone's rules to the zone. Figure 42 WAN to LAN H.323 Peer... from the WAN. Select Enable H.323 ALG and Enable H.323 transformations and click Apply. 108 ZyWALL USG100-PLUS User's Guide If traffic matches a rule that belong to the interfaces that comes earlier...is assigned to WAN zone. 5.6 How to Manage Voice Traffic Here are examples of how to configure NAT and the firewall to have an H.323 device on the LAN for WAN IP address 10.0.0.8 to...
User Guide
Page 109
...323 device's LAN IP address object (LAN_H323). ZyWALL USG100-PLUS User's Guide 109 Configure a name for -H323). Figure 43 Configuration > Network > ALG Chapter 5 Managing Traffic 5.6.1.2 Set Up a NAT Policy For H.323 In this example, you set the Classification to NAT 1:1. Set the Mapped IP to 1720. ...OK. 5.6.1.3 Set Up a Firewall Rule For H.323 Configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56. 1 Click Configuration > Network > NAT > Add > Create New Object > Address and create...
User Guide
Page 110
...This is the destination because the ZyWALL applies NAT to the IPPBX's private IP address of 192.168.3.9. Figure 44 IPPBX Example Network Topology 5.6.2.1 Turn On the ALG Click Configuration > Network > ALG. Chapter 5 Managing Traffic 1 Click Configuration > Firewall > Add. In ...the From field select WAN. Figure 45 Configuration > Network > ALG 5.6.2.2 Set Up a NAT Policy for the IPPBX Click Configuration > Network > NAT > Add > Create New Object > ...
User Guide
Page 111
Chapter 5 Managing Traffic • Set the Original IP to the IPPBX's DMZ IP address object (DMZ_SIP). Click Configuration > Firewall > Add. ZyWALL USG100-PLUS User's Guide 111 IPPBX_DMZ is registered for IP address 1.1.1.2, users can use the IPPBX. • Click OK. Set the Destination ...(IPPBX-Public). If a domain name is registered for IP address 1.1.1.2, users can use it to connect to allow and click OK. Figure 46 Configuration > Network > NAT > Add 5.6.2.3 Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by ...
User Guide
Page 135
...criteria by following the order of an SNAT rule, the ZyWALL takes the corresponding action on your ZyWALL. In the Monitor > System Status > USB Storage screen, make sure the USB device's file system doesn't display "unknown". 2 Go to Configuration > System > USB Storage, select Activate USB storage service...from left to right. The Maintenance > Packet Flow Explore > SNAT Status screen displays the ZyWALL's current source NAT (SNAT) flow. The ZyWALL routes packets in the order of a route, the ZyWALL routes the packet and does not perform any further SNAT flow checking. Click Apply. 6....