Home » ZyXEL Manuals » Networking » ZyXEL P-202U » Manual Viewer

ZyXEL P-202U User Guide - Page 126

E-mail, Local ID Type, Content, My IP Address, 0.0.0, Secure Gateway IP Address, IPSec Keying Mode,

Get ZyXEL P-202U PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 126 highlights

P-202H Plus v2 User's Guide Table 37 VPN Rule Setup (continued) LABEL DESCRIPTION Local ID Type Select IP to identify this ZyXEL Device by its IP address. Select DNS to identify this ZyXEL Device by a domain name. Select E-mail to identify this ZyXEL Device by an e-mail address. Content When you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The ZyXEL Device automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the local Content field to 0.0.0.0 or leave it blank. It is recommended that you type an IP address other than 0.0.0.0 in the local Content field or use the DNS or E-mail ID type in the following situations. • When there is a NAT router between the two IPSec routers. • When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses. When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this ZyXEL Device in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. My IP Address Enter the WAN IP address of your ZyXEL Device. The ZyXEL Device uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes. Peer ID Type Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. Content The configuration of the peer content depends on the peer ID type. • For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyXEL Device will use the address in the Secure Gateway IP Address field (refer to the Secure Gateway IP Address field description). • For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations: • When there is a NAT router between the two IPSec routers. • When you want the ZyXEL Device to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses. Secure Gateway IP Address Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE). In this case only the remote IPSec router can initiate the VPN. In order to have more than one active rule with the Secure Gateway IP Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Secure Gateway IP Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway IP Address field set to 0.0.0.0. 125 Chapter 11 VPN Screens

Section	Page
P-202H Plus v2	1
Copyright	3
Certifications	4
Safety Warnings	5
ZyXEL Limited Warranty	6
Customer Support	7
Table of Contents	9
List of Figures	21
List of Tables	27
Preface	31
1. Getting To Know Your ZyXEL Device	33
1.1 Introducing the ZyXEL Device	33
1.2 Features	33
1.3 Applications for the ZyXEL Device	37
1.3.1 Internet Access	37
1.3.2 LAN-to-LAN Connection	37
1.3.3 Remote Access Server	38
1.3.4 Secure Broadband Internet Access and VPN	38
1.4 Front Panel LEDs	39
1.5 Hardware Connection	40
2. Introducing the Web Configurator	41
2.1 Web Configurator Overview	41
2.2 Accessing the Web Configurator	41
2.3 Resetting the ZyXEL Device	42
2.3.1 Using the Reset Button	42
2.4 Navigating the Web Configurator	43
2.4.1 Changing Login Password	44
3. Wizard Setup	47
3.1 Introduction	47
3.1.1 MSN (Multiple Subscriber Number) and Subaddress	47
3.1.2 PABX Outside Line Prefix	47
3.2 Wizard Setup	47
3.2.1 Test Your Internet Connection	54
4. LAN Setup	55
4.1 LAN Overview	55
4.1.1 LANs, WANs and the ZyXEL Device	55
4.1.2 DHCP Setup	55
4.1.2.1 IP Pool Setup	56
4.1.3 DNS Server Address Assignment	56
4.2 LAN TCP/IP	56
4.2.1 IP Address and Subnet Mask	56
4.2.1.1 Private IP Addresses	57
4.3 Configuring LAN Setup	57
5. WAN Setup	61
5.1 WAN Overview	61
5.1.1 PPP Multilink	61
5.1.2 Bandwidth on Demand	61
5.1.3 IP Address Assignment	61
5.2 Internet Access Setup	61
6. Network Address Translation (NAT) Screens	65
6.1 NAT Overview	65
6.1.1 NAT Definitions	65
6.1.2 What NAT Does	66
6.1.3 How NAT Works	66
6.1.4 NAT Application	67
6.1.5 NAT Mapping Types	67
6.2 SUA (Single User Account) Versus NAT	68
6.3 Selecting the NAT Mode	68
6.4 SUA Server	69
6.4.1 Default Server IP Address	70
6.4.2 Port Forwarding: Services and Port Numbers	70
6.4.3 Configuring Servers Behind NAT (Example)	70
6.5 Configuring SUA Server	71
6.6 Configuring Address Mapping	72
6.6.1 Address Mapping Rule Edit	73
7. Dynamic DNS	75
7.1 Dynamic DNS Overview	75
7.1.1 DYNDNS Wildcard	75
7.2 Configuring Dynamic DNS	75
8. Firewalls	77
8.1 Firewall Overview	77
8.2 Types of Firewalls	77
8.2.1 Packet Filtering Firewalls	77
8.2.2 Application-level Firewalls	77
8.2.3 Stateful Inspection Firewalls	78
8.3 Introduction to ZyXEL’s Firewall	78
8.3.1 Denial of Service Attacks	79
8.4 Denial of Service	79
8.4.1 Basics	79
8.4.2 Types of DoS Attacks	80
8.4.2.1 ICMP Vulnerability	82
8.4.2.2 Illegal Commands (NetBIOS and SMTP)	82
8.4.2.3 Traceroute	83
8.5 Stateful Inspection	83
8.5.1 Stateful Inspection Process	84
8.5.2 Stateful Inspection and the ZyXEL Device	84
8.5.3 TCP Security	85
8.5.4 UDP/ICMP Security	85
8.5.5 Upper Layer Protocols	86
8.6 Guidelines for Enhancing Security with Your Firewall	86
8.6.1 Security In General	86
8.7 Packet Filtering Vs Firewall	87
8.7.1 Packet Filtering:	87
8.7.1.1 When To Use Filtering	88
8.7.2 Firewall	88
8.7.2.1 When To Use The Firewall	88
9. Firewall Configuration	89
9.1 Enabling the Firewall	89
9.2 E-Mail	89
9.3 Attack Alert	91
9.3.1 Alerts	91
9.3.2 Threshold Values	91
9.3.3 Half-Open Sessions	92
9.3.3.1 TCP Maximum Incomplete and Blocking Time	92
9.3.4 Configuring Firewall Alert	92
9.4 Rules Overview	94
9.5 Rule Logic Overview	94
9.5.1 Rule Checklist	95
9.5.2 Security Ramifications	95
9.5.3 Key Fields For Configuring Rules	95
9.5.3.1 Action	95
9.5.3.2 Service	95
9.5.3.3 Source Address	96
9.5.3.4 Destination Address	96
9.6 Connection Direction	96
9.6.1 LAN to WAN Rules	96
9.6.2 WAN to LAN Rules	96
9.7 Firewall Rules Summary	96
9.7.1 Configuring Firewall Rules	98
9.7.2 Source and Destination Addresses	100
9.7.3 Customized Services	101
9.7.4 Configuring A Customized Service	102
9.8 Timeout	102
9.8.1 Factors Influencing Choices for Timeout Values	103
9.9 Logs Screen	104
9.10 Example Firewall Rule	105
9.11 Predefined Services	108
10. Introduction to IPSec	111
10.1 VPN Overview	111
10.1.1 IPSec	111
10.1.2 Security	111
10.1.3 Other Terminology	111
10.1.3.1 Encryption	111
10.1.3.2 Data Confidentiality	112
10.1.3.3 Data Integrity	112
10.1.3.4 Data Origin Authentication	112
10.1.4 VPN Applications	112
10.2 IPSec Architecture	112
10.2.1 IPSec Algorithms	113
10.2.2 Key Management	113
10.3 Encapsulation	113
10.3.1 Transport Mode	114
10.3.2 Tunnel Mode	114
10.4 IPSec and NAT	114
11. VPN Screens	117
11.1 VPN/IPSec Overview	117
11.2 IPSec Algorithms	117
11.2.1 AH (Authentication Header) Protocol	117
11.2.2 ESP (Encapsulating Security Payload) Protocol	117
11.3 My IP Address	118
11.4 Secure Gateway IP Address	118
11.4.1 Dynamic Secure Gateway Address	119
11.5 VPN Summary Screen	119
11.6 Keep Alive	121
11.7 ID Type and Content	121
11.7.1 ID Type and Content Examples	122
11.8 Pre-Shared Key	123
11.9 VPN Rules	123
11.10 IKE Phases	127
11.10.1 Negotiation Mode	128
11.10.2 Diffie-Hellman (DH) Key Groups	129
11.10.3 Perfect Forward Secrecy (PFS)	129
11.11 Advanced IKE Settings	129
11.12 Manual Key	132
11.12.1 Security Parameter Index (SPI)	132
11.13 Manual Key Screen	133
11.14 SA Monitor Screen	135
11.15 Global Setting Screen	136
11.16 Telecommuter VPN/IPSec Examples	137
11.16.1 Telecommuters Sharing One VPN Rule Example	137
11.16.2 Telecommuters Using Unique VPN Rules Example	138
11.17 Logs	139
12. NetCAPI	141
12.1 NetCAPI Overview	141
12.2 CAPI	141
12.2.1 ISDN-DCP	141
12.3 Configuring NetCAPI	142
12.3.1 Configuring the ZyXEL Device as a NetCAPI Server	143
12.3.2 RVS-COM	143
12.3.3 Example of Installing a CAPI driver and Communication Software	144
13. Supplementary Phone Services	145
13.1 Overview	145
13.2 Setting Up Supplemental Phone Service	146
13.3 The Flash Key	146
13.4 Call Waiting	146
13.4.1 How to Use Call Waiting	146
13.4.1.1 Placing the Current Call on Hold	146
13.4.1.2 Dropping the Current Call to Switch to an Incoming/Holding Call	146
13.5 Three Way Calling	147
13.5.1 How to Use Three-Way Calling	147
13.5.1.1 To drop the last call added to the three-way call:	147
13.5.1.2 To drop yourself from the conference call:	147
13.6 Call Transfer	147
13.6.1 How to Use Call Transfer	147
13.6.2 To Do a Blind Transfer:	148
13.7 Call Forwarding	148
13.8 Reminder Ring	148
13.9 Multiple Subscriber Number (MSN)	149
13.10 Using MSN	149
13.11 Terminal Portability (Suspend/Resume)	149
13.11.1 How to Suspend/Resume a Phone Call:	149
13.11.1.1 To suspend an active phone call	149
13.11.1.2 To resume your phone call	149
14. Maintenance	151
14.1 Maintenance Overview	151
14.2 System Status	151
14.2.1 System Statistics	153
14.3 DHCP Table Screen	154
14.4 Firmware Screen	155
14.5 Budget Control	158
15. Introducing the SMT	159
15.1 SMT Introduction	159
15.2 Accessing the ZyXEL Device via Console Port	159
15.2.1 Initial Screen	159
15.2.2 Entering Password	159
15.3 Procedure for SMT Configuration via Telnet	160
15.4 SMT Menu Overview	160
15.5 Navigating the SMT Interface	162
15.5.1 System Management Terminal Interface Summary	163
15.6 Changing the System Password	164
16. Menu 1 General Setup	167
16.1 General Setup	167
16.2 Procedure To Configure Menu 1	167
16.2.1 Procedure to Configure Dynamic DNS	168
17. Menu 2 ISDN Setup	171
17.1 ISDN Setup Overview	171
17.1.1 Supplementary Voice Services	171
17.1.2 ISDN Call Waiting	171
17.1.3 PABX Outside Line Prefix	171
17.1.4 Outgoing Calling Party Number	172
17.2 ISDN Setup	172
17.2.1 ISDN Advanced Setup	174
17.2.2 Configuring Advanced Setup	175
17.3 NetCAPI	176
17.3.1 Configuring NetCAPI	176
18. Menu 3 Ethernet Setup	179
18.1 Ethernet Setup	179
18.1.1 General Ethernet Setup	179
18.2 Ethernet TCP/IP and DHCP Server	180
18.3 Configuring TCP/IP Ethernet Setup and DHCP	180
18.3.1 IP Alias Setup	181
19. Internet Access Setup	185
19.1 Introduction to Internet Access Setup	185
19.2 Internet Access Setup	185
20. Remote Node Configuration	187
20.1 Introduction to Remote Node Setup	187
20.1.1 Minimum Toll Period	187
20.2 Remote Node Profile Setup	187
20.3 Outgoing Authentication Protocol	190
20.4 PPP Multilink	191
20.5 Bandwidth on Demand	191
20.6 Editing PPP Options	192
20.7 LAN-to-LAN Application	193
20.8 Configuring Network Layer Options	194
20.9 Remote Node Filter	196
21. Static Route Setup	199
21.1 Static Route	199
21.2 IP Static Route Setup	199
22. Dial-in Setup	203
22.1 Dial-in Users Overview	203
22.2 Default Dial-in User Setup	203
22.2.1 CLID Callback Support For Dial-In Users	203
22.3 Setting Up Default Dial-in	204
22.3.1 Default Dial-in Filter	206
22.4 Callback Overview	206
22.5 Dial-In User Setup	207
22.6 Telecommuting Application With Windows Example	208
22.7 LAN-to-LAN Server Application Example	210
22.7.1 Configuring Callback in LAN-to-LAN Application	210
22.7.2 Configuring With CLID in LAN-to-LAN Application	212
23. Network Address Translation (NAT)	215
23.1 Using NAT	215
23.1.1 SUA (Single User Account) Versus NAT	215
23.2 Applying NAT	215
23.3 NAT Setup	217
23.3.1 Address Mapping Sets	217
23.3.1.1 User-Defined Address Mapping Sets	219
23.3.1.2 Ordering Your Rules	220
23.4 Configuring a Server behind NAT	221
23.5 General NAT Examples	223
23.5.1 Example 1: Internet Access Only	223
23.5.2 Example 2: Internet Access with an Inside Server	224
23.5.3 Example 3: Multiple Public IP Addresses With Inside Servers	224
23.5.4 Example 4: NAT Unfriendly Application Programs	228
24. Enabling the Firewall	231
24.1 Remote Management and the Firewall	231
24.2 Access Methods	231
24.3 Enabling the Firewall	231
24.3.1 Viewing the Firewall Log	232
24.3.2 Example E-mail Log	234
25. Filter Configuration	235
25.1 Introduction to Filters	235
25.1.1 The Filter Structure of the ZyXEL Device	236
25.2 Configuring a Filter Set	237
25.2.1 Filter Rules Summary Menus	240
25.2.2 Configuring a Filter Rule	241
25.2.3 Configuring a TCP/IP Filter Rule	241
25.2.4 Configuring a Generic Filter Rule	244
25.3 Example Filter	246
25.4 Filter Types and NAT	248
25.5 Firewall Versus Filters	249
25.6 Applying a Filter	249
25.6.1 Applying LAN Filters	249
25.6.2 Applying Remote Node Filters	250
26. SNMP Configuration	251
26.1 About SNMP	251
26.2 Supported MIBs	252
26.3 SNMP Configuration	252
26.4 SNMP Traps	253
27. System Security	255
27.1 System Security	255
27.2 System Password	255
27.3 RADIUS	255
27.4 Configuring External Server	256
28. System Information and Diagnosis	259
28.1 System Status	259
28.2 System Information and Console Port Speed	261
28.2.1 System Information	261
28.2.2 Console Port Speed	262
28.3 Log and Trace	263
28.3.1 Viewing Error Log	263
28.3.2 Unix Syslog	264
28.3.2.1 CDR	265
28.3.2.2 Packet triggered	266
28.3.2.3 Filter log	266
28.3.2.4 PPP log	267
28.3.2.5 POTS log	267
28.3.3 Accounting Server	267
28.3.4 Call-Triggering Packet	268
28.4 Diagnostic	269
29. Firmware and Configuration File Maintenance	271
29.1 Filename Conventions	271
29.2 Backup Configuration	272
29.2.1 Backup Configuration	272
29.2.2 Using the FTP Command from the Command Line	273
29.2.3 Example of FTP Commands from the Command Line	273
29.2.4 GUI-based FTP Clients	274
29.2.5 Remote Management Limitations	274
29.2.6 Backup Configuration Using TFTP	274
29.2.7 TFTP Command Example	275
29.2.8 GUI-based TFTP Clients	275
29.2.9 Backup Via Console Port	276
29.3 Restore Configuration	277
29.3.1 Restore Using FTP	277
29.3.2 Restore Using FTP Session Example	278
29.3.3 Restore Via Console Port	278
29.4 Uploading Firmware and Configuration Files	279
29.4.1 Firmware File Upload	279
29.4.2 Configuration File Upload	280
29.4.3 FTP File Upload Command from the DOS Prompt Example	281
29.4.4 FTP Session Example of Firmware File Upload	281
29.4.5 TFTP File Upload	281
29.4.6 TFTP Upload Command Example	282
29.4.7 Uploading Via Console Port	282
29.4.8 Uploading Firmware File Via Console Port	282
29.4.9 Example Xmodem Firmware Upload Using HyperTerminal	283
29.4.10 Uploading Configuration File Via Console Port	283
29.4.11 Example Xmodem Configuration Upload Using HyperTerminal	284
30. System Maintenance	285
30.1 Command Interpreter Mode	285
30.1.1 Command Syntax	285
30.1.2 Command Usage	286
30.2 Call Control Support	286
30.2.1 Call Control Parameters	287
30.2.2 Black List	287
30.2.3 Budget Management	288
30.2.4 Call History	289
30.3 Time and Date Setting	290
30.3.1 Resetting the Time	291
31. Remote Management	293
31.1 Remote Management	293
31.1.1 Remote Management Limitations	294
31.2 Remote Management and NAT	294
31.3 System Timeout	295
32. Call Scheduling	297
32.1 Introduction to Call Scheduling	297
33. VPN/IPSec Setup	301
33.1 VPN/IPSec Overview	301
33.2 IPSec Summary Screen	302
33.3 IPSec Setup	304
33.4 IKE Setup	307
33.5 Manual Setup	309
33.5.1 Active Protocol	309
34. SA Monitor	313
34.1 SA Monitor Overview	313
34.2 Using SA Monitor	313
35. IPSec Log	315
35.1 IPSec Logs	315
36. Troubleshooting	319
36.1 Problems Starting Up the ZyXEL Device	319
36.2 Problems with the LAN	319
36.3 Problems with the ISDN Line	320
36.4 Problems with Remote User Dial-in	320
36.5 Problems Accessing the ZyXEL Device	321
A. Product Specifications	323
B. Wall-mounting Instructions	325
C. Log Descriptions	327
D. Setting up Your Computer’s IP Address	339
36.5.1 Verifying Settings	354
E. IP Addresses and Subnetting	355
F. Pop-up Windows, JavaScripts and Java Permissions	363
Index	371
A	371
B	371
C	371
D	371
E	372
F	372
G	372
H	372
I	372
K	373
L	373
M	373
N	373
O	373
P	373
Q	374
R	374
S	374
T	375
U	375
V	375
W	375
X	375

Match case Limit results 1 per page

P-202H Plus v2 User’s Guide

125

Chapter 11 VPN Screens

Local ID Type

Select

to identify this ZyXEL Device by its IP address.

Select

DNS

to identify this ZyXEL Device by a domain name.

Select

E-mail

to identify this ZyXEL Device by an e-mail address.

Content

When you select

in the

Local ID Type

field, type the IP address of your

computer in the local

Content

field. The ZyXEL Device automatically uses the IP

address in the

My IP Address

field (refer to the

My IP Address

field description)

if you configure the local

Content

field to

0.0.0.0

or leave it blank.

It is recommended that you type an IP address other than

0.0.0.0

in the local

Content

field or use the

DNS

E-mail

ID type in the following situations.

•

When there is a NAT router between the two IPSec routers.

•

When you want the remote IPSec router to be able to distinguish between

VPN connection requests that come in from IPSec routers with dynamic WAN

IP addresses.

When you select

DNS

E-mail

in the

Local ID Type

field, type a domain name

or e-mail address by which to identify this ZyXEL Device in the local

Content

field. Use up to 31 ASCII characters including spaces, although trailing spaces

are truncated. The domain name or e-mail address is for identification purposes

only and can be any string.

My IP Address

Enter the WAN IP address of your ZyXEL Device. The ZyXEL Device uses its

current WAN IP address (static or dynamic) in setting up the VPN tunnel if you

leave this field as

0.0.0.0

The VPN tunnel has to be rebuilt if this IP address changes.

Peer ID Type

Select

to identify the remote IPSec router by its IP address.

Select

DNS

to identify the remote IPSec router by a domain name.

Select

E-mail

to identify the remote IPSec router by an e-mail address.

Content

The configuration of the peer content depends on the peer ID type.

•

For

, type the IP address of the computer with which you will make the VPN

connection. If you configure this field to

0.0.0.0

or leave it blank, the ZyXEL

Device will use the address in the

Secure Gateway IP Address

field (refer to

the

Secure Gateway IP Address

field description).

•

For

DNS

E-mail

, type a domain name or e-mail address by which to

identify the remote IPSec router. Use up to 31 ASCII characters including

spaces, although trailing spaces are truncated. The domain name or e-mail

address is for identification purposes only and can be any string.

It is recommended that you type an IP address other than

0.0.0.0

or use the

DNS

E-mail

ID type in the following situations:

•

When there is a NAT router between the two IPSec routers.

•

When you want the ZyXEL Device to distinguish between VPN connection

requests that come in from remote IPSec routers with dynamic WAN IP

addresses.

Secure Gateway IP

Address

Type the WAN IP address or the URL (up to 31 characters) of the IPSec router

with which you're making the VPN connection. Set this field to

0.0.0.0

if the

remote IPSec router has a dynamic WAN IP address (the

IPSec Keying Mode

field must be set to

IKE

). In this case only the remote IPSec router can initiate the

VPN.

In order to have more than one active rule with the

Secure Gateway IP Address

field set to

0.0.0.0

, the ranges of the local IP addresses cannot overlap between

rules.

If you configure an active rule with

0.0.0.0

in the

Secure Gateway IP Address

field and the LAN's full IP address range as the local IP address, then you cannot

configure any other active rules with the

Secure Gateway IP Address

field set to

0.0.0.0

Table 37

VPN Rule Setup (continued)

LABEL

DESCRIPTION