ZyWALL 2

16

5 Advanced Configuration

This section shows you how to configure some of the advanced features of the ZyWALL.

5.1 Network Address Translation Overview

NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host

in a packet. For example, the source address of an outgoing packet, used within one network is

changed to a different IP address known within another network.

If you have a single public IP address then choose

SUA Only

in the

Network Address

Translation

field of the

WAN ISP

screen (see

section 4.4

). If you have multiple public IP

addresses then you may use full feature mapping types (see the

User’s Guide

for more details).

NAT supports five types of IP/port mapping.

They are:

1.

One-to-One

: One-to-one mode maps one local IP address to one global IP address. Note

that port numbers do not change for One-to-One NAT mapping type.

2.

Many-to-One

: Many-to-One mode maps multiple local IP addresses to one global IP

address. This is equivalent to SUA (that is, PAT, port address translation), ZyXEL's Single

User Account feature.

3.

Many-to-Many Overload

: Many-to-Many Overload mode maps multiple local IP

addresses to shared global IP addresses.

4.

Many One-to-One

: Many One-to-One mode maps each local IP address to unique global

IP addresses.

5.

Server

: This type allows you to specify inside servers of different services behind the NAT

to be accessible to the outside world.

5.2 Configuring SUA Server

A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP,

that you can make visible to the outside world even though SUA makes your whole inside network

appear as a single computer to the outside world.

Click

SUA/NAT

to open the

SUA Server

screen.

ZyWALL 2

17

The following table describes the fields in this screen.

LABEL

DESCRIPTION

Default Server

In addition to the servers for specified services, NAT supports a default server. A default

server receives packets from ports that are not specified in this screen. If you do not

assign a default server IP address, then all packets received for ports not specified in this

screen will be discarded.

#

This is the number of an individual SUA server entry.

Active

Select this check box to enable the SUA server entry. Clear this checkbox to disallow

forwarding of these ports to an inside server without having to delete the entry.

Name

Enter a name to identify this port-forwarding rule.

Start Port

Type a port number in this field. To forward only one port, type the port number again in

the

End Port

field. To forward a series of ports, type the start port number here and the

end port number in the

End Port

field.

End Port

Type a port number in this field. To forward only one port, type the port number in the

Start

Port

field above and then type it again in this field. To forward a series of ports, type

the last port number in a series that begins with the port number in the

Start

Port

field

above.

ZyWALL 2

18

LABEL

DESCRIPTION

Server IP

Address

Enter the inside IP address of the server here.

5.3 Firewall Overview

The ZyWALL firewall is a stateful inspection firewall and is designed to protect against Denial of

Service attacks when activated. The ZyWALL’s purpose is to allow a private Local Area Network

(LAN) to be securely connected to the Internet. The ZyWALL can be used to prevent theft,

destruction and modification of data, as well as log events, which may be important to the security

of your network. The ZyWALL also has packet-filtering capabilities.

When activated, the firewall allows all traffic to the Internet that originates from the LAN, and

blocks all traffic to the LAN that originates from the Internet. In other words the ZyWALL will:

Allow all sessions originating from the LAN to the WAN

Deny all sessions originating from the WAN to the LAN

LAN-to-WAN

rules are local network to Internet firewall rules. The default is to forward all traffic

from your local network to the Internet.

The following figure illustrates a ZyWALL firewall application.

ZyWALL 2

19

5.4 Configuring Firewall

Click

FIREWALL

to open the

Summary

screen. Enable (or activate) the firewall by selecting the

Enable Firewall

check box as seen in the following screen.

The following table describes the fields in this screen.

LABEL

Enable Firewall

Select this check box to activate the firewall. The ZyWALL performs access control and

protects against Denial of Service (DoS) attacks when the firewall is activated.

Bypass Triangle

Route

Select this check box to have the ZyWALL firewall ignore the use of triangle route

topology on the network. See your

User’s Guide-

Appendices

for more on triangle route

topology.

ZyWALL 2

20

LABEL

Firewall Rules

Storage Space in

Use

This read-only bar shows how much of the ZyWALL's memory for recording firewall rules

it is currently using. When you are using 80% or less of the storage space, the bar is

green. When the amount of space used is over 80%, the bar is red.

Packet Direction

Use the drop-down list box to select a direction of travel of packets (

LAN to

LAN/ZyWALL

,

LAN to WAN

,

WAN to LAN

,

WAN to WAN/ZyWALL

) for which you want

to configure firewall rules.

Block/

Forward

Use the option buttons to select whether to

Block

(silently discard) or

Forward

(allow the

passage of) packets that are traveling in the selected direction.

Log

Select the check box to create a log (when the above action is taken) for packets that are

traveling in the selected direction and do not match any of the rules below.

The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected

packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall

action settings above.

#

This is your firewall rule number. The ordering of your rules is important as rules are

applied in turn. The

Move

field below allows you to reorder your rules.

Status

This field displays whether a firewall is turned on (

Active

) or not (

Inactive

). Rules that

have not been configured display

Empty

.

Source Address

This drop-down list box displays the source addresses or ranges of addresses to which

this firewall rule applies. Please note that a blank source or destination address is

equivalent to

Any

.

Destination

Address

This drop-down list box displays the destination addresses or ranges of addresses to

which this firewall rule applies. Please note that a blank source or destination address is

equivalent to

Any

.

Service Type

This drop-down list box displays the services to which this firewall rule applies. Please

note that a blank service type is equivalent to

Any

.

Action

This is the specified action for that rule, either

Block

or

Forward

. Note that

Block

means

the firewall silently discards the packet.

Schedule

This field tells you whether a schedule is specified (

Yes

) or not (

No

).

Log

This field shows you if a log is created for packets that match the rule (

Match

), don't

match the rule (

Not Match

), both (

Both

) or no log is created (

None

).

Alert

This field tells you whether this rule generates an alert (

Yes

) or not (

No

) when the rule is

matched.

Insert

Type the index number for where you want to put a rule. For example, if you type “6”, your

new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.

Click

Insert

to display this screen and refer to the following table for information on the

fields.