ZyWALL 35 Internet Security Appliance Quick Start Guide Version 4.0 8/2005 Table of Contents ENGLISH DEUTSCH ESPAÑOL FRANÇAIS ITALIANO 1 17 33 49 65 81 97 ENGLISH Overview The ZyWALL 35 is a load-balancing, dual WAN firewall with VPN, bandwidth management, content filtering, anti-spam, anti-virus, IDP (Intrusion Detection and Protection) and many other features. You can use it as a transparent firewall and not reconfigure your network nor configure the ZyWALL's routing features. The ZyWALL increases network security by adding the option to change port roles from LAN to DMZ for use with publicly accessible servers. This guide covers the initial connections and configuration needed to start using the ZyWALL in your network. See the User's Guide for more information on all features. You may need your Internet access information. This guide is divided into the following sections. 1 Hardware Connections 2 Accessing the Web Configurator 3 Bridge Mode 4 Internet Access Setup and Product Registration 5 DNS 6 NAT 7 Firewall 8 VPN Rule Setup 9 Troubleshooting 1 Hardware Connections You need the following. ZyWALL Computer Ethernet Cables Power Adaptor 1 ENGLISH Do the following to make hardware connections for initial setup. 1 Use an Ethernet cable to connect the LAN/DMZ port to a computer. If you configure these ports as DMZ ports in the LAN or DMZ screen through the web configurator, you can also use Ethernet cables to connect public servers (web, e-mail, FTP, etc.) to the LAN/DMZ ports. 2 Use another Ethernet cable(s) to connect the WAN 1 port and/or WAN2 port to an Ethernet jack with Internet access. 3 Insert the ZyWALL Turbo extension card to use the anti-virus and IDP features or insert a wireless LAN card to use the wireless LAN feature. See the ZyWALL Turbo Card guide for more information about the extension card. See the user's guide about installing a wireless LAN card. 4 Use the included power adaptor to connect the power socket (on the rear panel) to a power outlet. 2 ENGLISH 5 Look at the front panel. The PWR LED turns on. The SYS LED blinks while performing system testing and then stays on if the testing is successful. The ACT, CARD, LAN/DMZ and WAN LEDs turn on and stay on if the corresponding connections are properly made. 2 Accessing the Web Configurator Use this section to configure the WAN 1 interface for Internet access. 1 Launch your web browser. Enter 192.168.1.1 (the ZyWALL's default IP address) as the address. If the login screen does not display, see Section 9.1 to set your computer's IP address. 2 Click Login (the default password 1234 is already entered). 3 Change the login password by entering a new password and clicking Apply. 4 Click Apply to replace the ZyWALL's default digital certificate. 5 The HOME screen opens. The ZyWALL is in router mode by default. Continue to the next step if you want to use routing features such as NAT, DHCP and VPN. Go to Section 3 if you prefer to use the ZyWALL as a transparent firewall. 3 ENGLISH 6 Check the Network Status table. If the WAN 1 status is not Down and there is an IP address, go to Section 5. If the WAN 1 status is Down (or there is not an IP address), click Internet Access and use Section 4 to configure WAN 1. Use the NETWORK WAN screens if you need to configure WAN 2. You can also configure load balancing between the WAN ports. 3 Bridge Mode When you set the ZyWALL to bridge mode, it functions as a transparent firewall. Do the following to set the ZyWALL to bridge mode. 4 ENGLISH 1 Click MAINTENANCE in the navigation panel and then Device Mode. 2 Select Bridge and configure a (static) IP address subnet mask and gateway IP address for the ZyWALL's LAN, WAN, DMZ and WLAN interfaces. 3 Click Apply. The ZyWALL restarts. Skip to Section 5 if you have servers that you need to be accessible from the WAN. 4 Internet Access Setup and Product Registration 1 Click Internet Access in the HOME screen to open the Internet access wizard. Enter the Internet access information exactly as given to you. If you were given an IP address to use, select Static in the IP Address Assignment drop-down list box and enter the information provided. Note: The fields vary depending on what you select in the Encapsulation field. Fill them in with the information provided by the ISP or network administrator. Click Apply when you are done. 5 ENGLISH · Ethernet Encapsulation Configure a Roadrunner service in the NETWORK WAN screens (use the WAN 1 tab). · PPP over Ethernet or PPTP Encapsulation Select Nailed-Up when you want your connection up all the time (this could be expensive if your ISP bills you for Internet usage time instead of a flat monthly fee). To not have the connection up all the time, specify an idle time-out period (in seconds) in Idle Timeout. 6 ENGLISH 2 Click Next to display the screen where you can register your ZyWALL with myZyXEL.com (ZyXEL's online services center) and activate the free content filtering, anti-spam, anti-virus and IDP trial applications. Otherwise, click Skip and then Close to complete Internet access setup. Note: Make sure you have installed the ZyWALL Turbo Card before you activate the IDP and anti-virus subscription services. Turn the ZyWALL off before you install or remove the ZyWALL Turbo Card. 3 If you already have an account at myZyXEL.com, select Existing myZyXEL.com account and enter account information. Otherwise, select New myZyXEL.com account and fill in the fields below to create a new account and register your ZyWALL. Click Next. 4 Wait for the registration progress to finish. 7 ENGLISH 5 The following screen displays if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. 6 Click Close to leave the wizard screen when the registration and activation are done. Note: If you want to activate a standard service with your iCard's PIN number (license key), use the REGISTRATION Service screen. See the user's guide for details. 5 DMZ The DeMilitarized Zone (DMZ) allows public servers (web, e-mail, FTP, etc.) to be visible to the outside world and still have firewall protection from DoS (Denial of Service) attacks. Unlike the LAN, the ZyWALL does not assign TCP/IP configuration via DHCP to computers connected to the DMZ ports. Configure the computers with static IP addresses (in the same subnet as the DMZ port's IP address) and DNS server addresses. Use the ZyWALL's DMZ IP address as the default gateway. Do the following to configure the DMZ if the ZyWALL is in routing mode. Note: You do not need to configure DMZ with bridge mode, skip to Section 7. 8 ENGLISH 1 Click NETWORK, DMZ in the navigation panel. 2 Specify an IP address and subnet mask for the DMZ interface. If you use private IP addresses on the DMZ, use NAT to make the servers publicly accessible (see Section 6). A public IP address must be on a separate subnet from the WAN port's public IP address. If you do not configure NAT for the public IP addresses on the DMZ, the ZyWALL routes traffic to the public IP addresses on the DMZ without performing NAT. This may be useful for hosting servers for NAT unfriendly applications. 3 Click Apply. 4 By default, LAN/DMZ ports 1 to 4 are all LAN ports. To configure a port as a DMZ port, click the Port Roles tab, select its radio button next to DMZ and click Apply. 6 NAT NAT (Network Address Translation - NAT, RFC 1631) means the translation of an IP address in one network to a different IP address in another. You can use the NAT Address Mapping screens to have the ZyWALL translate multiple public IP addresses to multiple private IP addresses on your LAN (or DMZ). 9 ENGLISH The following example allows access from the WAN to an HTTP (web) server on the DMZ. The server has a private IP address of 10.0.0.20. 1 Click ADVANCED, NAT in the navigation panel and then Port Forwarding. 2 Select the Active check box. 3 Type a name for the rule. 4 Type the port number that the service uses. 5 Type the HTTP server's IP address. 6 Click Apply. 7 Firewall You can use the ZyWALL without configuring the firewall. The ZyWALL's firewall is pre-configured to protect your LAN from attacks from the Internet. By default, no traffic can enter your LAN unless a request was generated on the LAN first. The ZyWALL allows access to the DMZ from the WAN or LAN, but blocks traffic from the DMZ to the LAN. If you are using the ZyWALL in router mode, continue with the next section. For bridge mode, skip to Section 9. 10 ENGLISH 8 VPN Rule Setup A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy identifies the IPSec routers at either end of a VPN tunnel. A network policy specifies which devices (behind the IPSec routers) can use the VPN tunnel. This figure helps explain the main fields in the wizard screens. 1 Click VPN in the HOME screen (you may need to scroll up to see the link) to open the VPN wizard. 11 ENGLISH Note: Your settings are not saved when you click Back. 2 Use this screen to configure the gateway policy. Name: Enter a name to identify the gateway policy. Remote Gateway Address: Enter the IP address or domain name of the remote IPSec router. 3 Use this screen to configure the network policy. Leave the Active check box selected. Name: Enter a name to identify the network policy. Select Single and enter an IP address for a single IP address. Select Range IP and enter starting and ending IP addresses for a specific range of IP addresses. Select Subnet and enter an IP address and subnet mask to specify IP addresses on a network by their subnet mask. 12 ENGLISH Note: Make sure that the remote IPSec router uses the same security settings that you configure in the next two screens. Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords. Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode. Encryption Algorithm: Select 3DES or AES for stronger (and slower) encryption. Authentication Algorithm: Select MD5 for minimal security or SHA-1 for higher security. Key Group: Select DH2 for higher security. SA Life Time: Set how often the ZyWALL renegotiates the IKE SA (minimum 180 seconds). A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. Pre-Shared Key: Use 8 to 31 case-sensitive ASCII characters or 16 to 62 hexadecimal ("0-9", "A-F") characters. Precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. IPSec Protocol: ESP is compatible with NAT, AH is not. Perfect Forward Secrecy (PFS): None allows faster IPSec setup, but DH1 and DH2 are more secure. 4 Use this screen to configure IKE (Internet Key Exchange) tunnel settings. 5 Use this screen to configure IPSec settings. 13 ENGLISH 6 Check your VPN settings. Click Finish to save the settings. 7 Click Close in the final screen to complete the VPN wizard setup. Continue with the next section to activate the VPN rule and establish a VPN connection. 8.1 Using the VPN Connection Use VPN tunnels to securely send and retrieve files, and allow remote access to corporate networks, web servers and e-mail. Services work as if you were at the office instead of connected through the Internet. For example, the "test" VPN rule allows secure access to an web server on a remote corporate LAN. Enter the server's IP address (10.0.0.23 in this example) as your browser's URL. The ZyWALL automatically builds the VPN tunnel when you attempt to use it. Click SECURITY, VPN in the navigation panel and then the SA Monitor tab to display a list of connected VPN tunnels (the "test" VPN tunnel is up here). 14 ENGLISH 9 Troubleshooting Problem Corrective Action None of the LEDs Make sure that you have the power adaptor connected to the ZyWALL and plugged in to an turn on. appropriate power source. Check all cable connections. If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact your local vendor. Cannot access the ZyWALL from the LAN. Check the cable connection between the ZyWALL and your computer or hub. Refer to Section 1 for details. Ping the ZyWALL from a LAN computer. Make sure your computer's Ethernet card is installed and functioning properly. In the computer, click Start, (All) Programs, Accessories and then Command Prompt. In the Command Prompt window, type "ping" followed by the ZyWALL's LAN IP address (192.168.1.1 is the default) and then press [ENTER]. The ZyWALL should reply. Otherwise, refer to Section 9.1. If you've forgotten the ZyWALL's password, use the RESET button. Press the button in for about 10 seconds (or until the PWR LED starts to blink), then release it. It returns the ...