ZYWALL 2WG - VPN Router ZYXEL - Free user manual and instructions

USER MANUAL ZYWALL 2WG ZYXEL

ENGLISH Overview The ZyWALL 2WG is a firewall with VPN, bandwidth management, content filtering and many other features. You can use it as a transparent firewall and not reconfigure your network nor configure the ZyWALL's routing features. When the ZyWALL is in router mode, you can also insert a 3G wireless card to add a second WAN. The ZyWALL increases network security by adding the option to change port roles from LAN to DMZ for use with publicly accessible servers. This guide covers the initial connections and configuration needed to start using the ZyWALL in your network. See the User's Guide for more information on all features. You may need your Internet access information. DMZ This guide is divided into the following sections. 1 Hardware Connections 2 Accessing the Web Configurator 3 Bridge Mode 4 Internet Access Setup and Product Registration 5 DMZ 1 Hardware Connections You need the following. ZyWALL Computer

ENGLISH Do the following to make hardware connections for initial setup.

1 Use an Ethernet cable to connect the LAN/DMZ port to a computer. If you configure these ports as DMZ ports in the LAN or DMZ screen through the web configurator, you can also use Ethernet cables to connect public servers (web, e-mail, FTP, etc.) to the LAN/DMZ ports. 2 Use another Ethernet cable to connect the WAN port to an Ethernet jack with Internet access. Æ Use the blue console cable if you want to connect the CONSOLE port to your computer. Use the black dial backup cable if you want to connect the AUX port to an analog modem. 3 Insert a 3G wireless card into the card slot on the side panel to access the Internet wirelessly via a 3G network. At the time of writing, you can only use the Sierra AC850/860 3G wireless card in the ZyWALL. 4 Use the included power adaptor to connect the power socket (on the rear panel) to a power outlet. 5 Look at the front panel. The PWR LED turns on. The CARD, LAN/DMZ and WAN LEDs turn on and stay on if the corresponding connections are properly made.

ENGLISH ? If none of the LEDs are on, check your connections, and inspect your cables for damage. Make sure that you have the power adaptor connected to the ZyWALL and plugged in to an appropriate power source. Make sure the power source is turned on. If the LEDs are still off, contact your local vendor. 2 Accessing the Web Configurator Use this section to configure the WAN 1 interface for Internet access. 1 Launch your web browser. Enter 192.168.1.1 (the 2 Click Login (the default password 1234 is already ZyWALL's default IP address) as the address. entered). | File Edt View Favorites Tocs Help | eat : + - Q A À] QSearh Favorites repas Lagdress | http:yn192.168.1.1

? If the login screen does not display, check your browser’s security settings and make sure your computer's Ethernet card is installed and functioning properly. Your computer should be also set to get an IP address automatically from a DHCP server. See Set Up Your Computer's IP Address for more information.

ENGLISH 3 Change the login password by entering a new 4 Click Apply to replace the ZyWALL's default password and clicking Apply. digital certificate. Use this screen to change the password. New Password: D | Replace Factory Default Certificate ‘The factory default certificate is common to all ZYWALL models. Click Apply to create a certificate using your ZyWALL's MAC address that will be Retypeto Conf: SSI

. If you changed the password and have forgotten it, you need to return the ZyWALL to the defaults (password is 1234, LAN IP address is 192.168.1.1, etc.). Press the RESET button (on the rear panel) until the PWR LED starts to blink, then release it. 5 The HOME screen opens. The ZyWALL is in router mode by default. Continue to the next step if you want to use routing features such as NAT, DHCP and VPN. Go to section 3 if you prefer to use the ZyWALL as a transparent firewall. 6 Check the network status table. If the WAN 1 status is not Down and there is an IP address, go to section

Ifthe WAN 1 status is Down (or there is not an IP address), click the Wizard icon and use section 4 to configure WAN 1.

ENGLISH Use the NETWORK WAN screens if you need to configure WAN 2. You can also configure load balancing between the WAN connections. Va | ssjes/z00e vauaaeL os | 11/0u/200€ Port states | _ouepratle | ve [mani

2/seue sus sara a7anes CERTEE Dislesdup om Deca/000c HUM sou sai nu HU aol Gon@ 000 se EE Sa sse ace au 20 222 oc san 3 Bridge Mode When you set the ZyWALL to bridge mode, it functions as a transparent firewall. Do the following to set the ZyWALL to bridge mode. 1 Click MAINTENANCE in the navigation panel and then Device Mode. 2 Select Bridge and configure a (static) IP address subnet mask and gateway IP address for the ZyWALL's LAN, WAN, DMZ and WLAN interfaces. 3 Click Apply. The ZyWALL restarts. Skip to section 5 if you have servers that you need to be accessible from the WAN. SRE cruumtons MERDE ntm once made ho 2yMALL rasta: automates after ou ohange ta deveo mod and "apr" AP nddrses sc Lu mn, puz and ua) CREER ERERERRE Lo 5. 4 Internet Access Setup and Product Registration 1 Click the Wizard icon (ee) in the HOME screen and then the Internet Access Setup link to open the Internet access wizard.

ENGLISH Enter the Internet access information exactly as given to you. If you were given an IP address to use, select Static in the IP Address Assignment drop-down list box and enter the information provided. Æ The fields vary depending on what you select in the Encapsulation field. Fill them in with the information provided by the ISP or network administrator. Click Apply when you are done. + Ethernet Encapsulation Configure a Roadrunner service in the NETWORK WAN screens (use the WAN tab). You an select ethernet, PPPGE or PPTP according to in which he netwerk you are, 1f you dont know, please ask your network administrator, The most popular type of network is ethernet, Encapsulstion Eremt | WAN IP Address Assignment 1P address Aesignment [Site || MY AN 1 Address] © . 0 . © 0 My WAN 1P Subnet mé D. 0.0.0 Gateway 1P Address | o . 0 . © . 0 First DNS Server 5.0.0. Semndons semer [0 . 0 . © . 0 + PPP over Ethernet or PPTP Encapsulation Select Nailed-Up when you want your connection up all the time (this could be expensive if your ISP bills you for Internet usage time instead of a flat monthly fee).

Formes = Wan IP Address Acsignment 2 Click Next to display the screen where you can INTERNET ACCESS register your ZyWALL with myZyXEL.com (ZyXEL's online services center) and activate the (Product rogistratian and service 2euvation for free free content filtering trial application. Otherwise, click Skip and then Close to complete Internet access setup. 3 If you already have an account at myZyXEL.com, select Existing myZyXEL.com account and enter account information. rene Otherwise, select New myZyXEL.com account 3 and fill in the fields below to create a new , account and register your ZyWALL. Click Next. INTERNET ACCESS

ENGLISH 4 Wait for the registration progress to finish. 5 The following screen displays if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Register on myZyKEL.com server-in Progress “This may take up to 40 seconds, Please wait Register Message eu musttype à malin the email field _Raun | 6 Click Close to leave the wizard screen when the registration and activation are done. Italien is comalete Device Regisrasont Registered Cantet rierina Erabed Æ If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION Service screen. See the User's Guide for details. ? If you cannot access the Internet via WAN 1, check the ZyWALL's connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly. Click WAN in the navigation panel to verify your settings.

ENGLISH 5 DMZ The DebMilitarized Zone (DMZ) allows public servers (web, e-mail, FTP, etc.) to be visible to the outside world and still have firewall protection from DoS (Denial of Service) attacks. You can assign TCP/IP configuration via DHCP to computers connected to the DMZ ports. Otherwise, configure the computers with static IP addresses (in the same subnet as the DMZ port's IP address) and DNS server addresses. Use the ZyWALL's DMZ IP address as the default gateway. Do the following to configure the DMZ if the ZyWALL is in routing mode. Note: You do not need to configure DMZ with bridge mode, skip to section 7. 1 Click NETWORK > DMZ in the navigation panel. 2 Specify an IP address and subnet mask for the DMZ interface. Dem suuconer rats Par rotes If you use private IP addresses on the DMZ, use ns ps er NAT to make the servers publicly accessible (see ul 2

2 ol a re p ee Fr A public IP address must be on a separate subnet ces from the WAN ports public IP address. If you do Den = __— not configure NAT for the public IP addresses on RE the DMZ, the ZyWALL routes traffic to the public FRE IP addresses on the DMZ without performing NAT. reins Ps Fo on re nat re This may be useful for hosting servers for NAT unfriendly applications. Fo | 3 Click Apply. 4 By default, LAN/DMZ ports 1 to 4 are all LAN ports. To configure a port as a DMZ port, click the ve suc oner 1 Port Roles tab, select its radio button next to DMZ and click Apply. = nl 6 NAT NAT (Network Address Translation - NAT, RFC 1631) means the translation of an IP address in one network to a different IP address in another. You can use the NAT Address Mapping screens to have the ZyWALL translate multiple public IP addresses to multiple private IP addresses on your LAN (or DMZ). The following example allows access from the WAN1 to an HTTP (web) server on the DMZ. The server has a private IP address of 10.0.0.20.

ENGLISH 1 Click ADVANCED, NAT in the navigation panel and then Port Forwarding. 2 Select the WAN connection (WAN1) for which you want to configure port forwarding rules. 3 Select the Active check box. 4 Type a name for the rule. 5 Type the port number that the service uses. 6 Type the HTTP server's IP address. 7 Click Apply. 7 Firewall NAT overvien Address Mapping Por FRERE en am Fa Deux server Jo... crane [ilactive) nome [ rncoming Port(s) | port Translation _| server 1P adüress 1 Dre De fe F No. E [: En F Fr F F Pos so. (En FE F2 Pos ss [Mai F F F F Do .o.o.o [Em F F F F Pos so On F F F F Fo... Or F—#fF FT “ROEREREN Enr REF F2 Fos s Êr F—%F un © RERRREE Dur PF ÉF © (RC ee ere A 2 Pen Panne or

You can use the ZyWALL without configuring the firewall. The ZyWALL's firewall is pre-configured to protect your LAN from attacks from the Internet. By default, no traffic can enter your LAN unless a request was generated on the LAN first. The ZyWALL allows access to the DMZ from the WAN or LAN, but blocks traffic from the DMZ to the LAN. If you are using the ZyWALL in router mode, continue with the next section. For bridge mode, you are done With initial configuration. 8 VPN Rule Setup A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Remote Netwrork A gateway policy identifies the [ (Fée roue ateimerendora ven LS fou roucr À tunnel. A network policy specifies which devices (behind the IPSec routers) can use the VPN tunnel. NETWORK POLICY

ENGLISH This figure helps explain the main fields in the wizard screens.

M Local Network | free Hokwnrk Remote | =

1 Local Network I Remote Network L Pages _ Remote L___ PAddress _ _| My,ZyWALL Gateway Address 1 Click the Wizard icon (ee) in the HOME screen and then the VPN Setup link to open the VPN wizard. Æ Your settings are not saved when you click Back. 2 Use this screen to configure the gateway policy. Name: Enter a name to identify the gateway policy. Remote Gateway Address: Enter the IP address or A e Fes domain name of the remote IPSec router. # 5 ie zswau. Fr _ Renaems ad From

ENGLISH 3 Use this screen to configure the network policy. Leave the Active check box selected. Name: Enter a name to identify the network policy. F aoive Select Single and enter an IP address for a single IP name fre address. Select Range IP and enter starting and ending IP Local mervork © Single © Range 1P F Subnet Startng IP Address CCE: addresses for a specific range of IP addresses. Gén aédnus/ Sant [nee

Select Subnet and enter an IP address and subnet ” amet Net L° Sngle L Range 1 Subn mask to specify IP addresses on a network by their ame PIRE tenee Eur subnet mask. DE RE Dex Æ Make sure that the remote IPSec router uses the same security settings that you configure in the next two screens. Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords. Æ Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode. Encryption Algorithm: Select 3DES or AËS for stronger (and slower) encryption. Authentication Algorithm: Select MDS5 for minimal security or SHA-1 for higher security. Key Group: Select DH2 for higher security. SA Life Time: Set how often the ZyWALL renegotiates the IKE SA (minimum 180 seconds). A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. Pre-Shared Key: Use 8 to 31 case-sensitive ASCII characters or 16 to 62 hexadecimal ("0-9", "A-F") characters. Precede a hexadecimal key with a "Ox" (zero x), which is not counted as part of the 16 to 62 character range for the key. Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. IPSec Protocol: ESP is compatible with NAT, AH is not. Perfect Forward Secrecy (PFS): None allows faster IPSec setup, but DH1 and DH2 are more secure.

ENGLISH 4 Use this screen to configure IKE (Internet Key 5 Use this screen to configure IPSec settings. Exchange) tunnel settings.

Check your VPN settings. Click Finish to savethe 7 Click Close in the final screen to complete the settings. VPN wizard setup. Continue with the next section WIZARD - VPN to activate the VPN rule and establish a VPN ET connection.

8.1 Using the VPN Connection

Use VPN tunnels to securely send and retrieve files, and allow remote access to corporate networks, web servers and e-mail. Services work as if you were at the office instead of connected through the Internet.

ENGLISH For example, the “test” VPN rule allows secure access to an web server on a remote corporate LAN. Enter the server's VPN Rules (IKE) VPN Rules (Manual) DSK Global Setting IP address (10.0.0.23 in this example) as your browser's URL. The ZyWALL BE automatically builds the VPN tunnel when [ol:| me 2168207) 100007 | runmel ESPOES-sHa you attempt to use it. Click SECURITY > VPN in the navigation Fetresh, Disconrect panel and then the SA Monitor tab to display a list of connected VPN tunnels (the “test” VPN tunnel is up here). ? If you cannot establish a VPN connection, make sure the ZyWALL and the remote IPSec router use the same VPN settings. Click VPN in the navigation panel to configure advanced settings. Access a web site to check that you have a successful Internet connection. Set Up Your Computer’s IP Address This section shows you how to set up your computer to receive an IP address in Windows 2000, Windows NT and Windows XP. This is ensures that your computer can communicate with your ZyWALL. 1 In Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. 2 In Windows XP, click Network Connections. In Windows 2000/NT, click Network and Dial-up Connections. 3 Right-click Local Area Connection and then click Properties. 4 Select Internet Protocol (TCP/IP) (under the General tab in Windows XP) and click Properties.

ENGLISH 5 The Internet Protocol TCP/IP Properties screen opens (the General tab in Windows XP). Select the Obtain an IP address automatically and Obtain DNS server address automatically options. 6 Click OK to close the Internet Protocol (TCP/IP) Properties window. 7 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 8 Close the Network Connections screen. Gens | You can get IP setings assigned automatical à your nelwoik supports this capablty. therwise, you need to ask pour nelwotk adinisalor for the appropriate IP setings. 7° Uge the following IP address: Pere Ep Defoh gt [ Obtain DNS server address automatically T° Use the following DNS server addresses: PrtetedbN ms Advanced. me |) cs Procedure to View a Product’s Certification(s) 1 Go to www.zyxel.com. 2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page.

Remote Network Remote | =

1. Werify your setings in his wicerd

21 your nisard enèrise ara correct, bur st cannot Hat your SP Higs you entered in to mirard are correct: 3: 1 yeu cl have probloms, plozce contact susomer support ose |

LL lon baeen and Lt leon and at lement lobe D and AN nv ae nd rte à mairie

1. Werify your setings in his wicerd

1 Address me tt Gas across CNE

Local Network IP Address = ) VPNTunnel }) _J My re ae _

| Ele Edt Vew Favorites Tocs He J'ersx - + - Q À 4] @seech Gyravontes! ZYWALL 2WG [address | http:7/192.168.11 Enter Password and click Li

LL lon baeen and Lt leon and at lement lobe D and AN nv ae nd rte à mairie

1. Werify your setings in his wicerd

21 your nisard enèrise ara correct, bur st cannot acres he Internet, en check Hat our 1SP Sun ace and darts setange You entered in to mirard are correct: 1 jou sai have preblms, please oortact susomer support ose |

Enter Password and click Login ? ARETÉRRE, IFÉBNERNRÉRE, MARUXNMEFERMÉARMRENZITIER. SN, BARRE M DHCP ARS RARE IP bit. DÉS [iRERAGÉI IP NE] —%5, 3% ANR R SAME. AFS Apply COR). ER 4 M Apply COR). RAR ZALL RAM Er. MES Use this screen to change the password. Replace Factory Default Certificate New Password: ‘The factory default certificate is common to all ZYWALL models. Click Apply to create a certificate Rabat Cat Using your ZyWALL's MA that will be

5 5 © | | Dast [Laver |

Remote | = IPSec Router VPN Tunnel

Use this screen to change the password. Replace Factory Default Certificate The factory defauit certificate is common to all ZYWALL models. Click Apply to create a certificate Using your ZyWALL's MA that will be specific to this d New Password: Retype to Confirm: Co: | ? ROSE THAT EEE > AK ZyWALL RÉSERRE (BIÉE 1234 » ESF IP RtS 192.168.1.1 )- ft RESET (HR) SE (RE) EI] PWR LED SRE APTE TARES

Roadrunner AK#$ ( (£F1 WAN FE ) - ‘au can select ethamet, PPP6E or PPTP according te in which the network you are, 1 you don't know, please ask your network administator, The most popular typ3 cf network is ethernet Encapsulation Eremt | MAN IP Address Assignment ip address astignment[sate | My AN tp address | o 0 . 0 0 My WAN IP Subnet qu 0. 0.0.0 Gateway 1P Address | 0 . 0 . 0 . 0 First DNS Server 0. 0.0.0 Sétondons server | o . 0 . 0 © + PPP over Ethernet 5 PPTP Èf# RIRE HE » SET Naïled-Up (EEE) (AIRE ISP AÉTÉRÉERRANURE : MX REEARS : SSSR NÉÉNERNE)

ER HT Next (F—#) Wan IP Address Acsignment INTERNET ACCESS (Product registration and servics activation for free INTERNET ACCESS

=== ———— 7 Local Network | | Remote Network Remote | = IPSec Router | VPN Tunnel (l | (l | Ca =.

Negotiation Mode (HE ): ÆHt Main Mode (EE) IDÉES (RAI RSEDIÉE ET Aggressive Mode (ES) UE SRE SE IP RE VERRE RENTE