Chapter 7 Tutorials
ZyWALL USG 50 User’s Guide
1. Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN1 IP address (called LAN_H323 here).
Figure 97: Create Address Objects
2. Click Configuration > Network > NAT > Add.
• Configure a name for the rule (WAN-LAN_H323 here).
• You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN so you set the Classification to NAT 1:1.
• Set the Incoming Interface to wan1.
• Set the Original IP to the WAN address object (WAN_IP-for-H323).
• Set the Mapped IP to the H.323 device’s LAN1 IP address object (LAN_H323).
• Set the Port Mapping Type to Port, the Protocol Type to TCP and the original and mapped ports to 1720.
• Click OK.
Figure 98: Configuration > Network > NAT > Add
7.9.3 Set Up a Firewall Rule For H.323
The default firewall rule for WAN-to-LAN traffic drops all traffic. Here is how to
configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the
WAN_IP-for-H323 IP address to go to LAN1 IP address 192.168.1.56.
1. Click Configuration > Firewall > Add.
• In the From field select WAN.
• In the To field select LAN1.
• Configure a name for the rule (WAN-to-LAN_H323 here).
• Set the Destination to the H.323 device’s LAN1 IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule.
• Set the Service to H.323.
• Click OK.
Figure 99: Configuration > Firewall > Add
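The following Python model is an added example, not ZyXEL code or configuration. It walks a packet through the NAT rule and then the firewall rule in the order described above, to show why the firewall rule's destination must be LAN_H323 rather than the public address object. The public address 203.0.113.10, the zone lookup and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrived on
    dst_ip: str
    proto: str
    dst_port: int

# 192.168.1.56 is from the tutorial; 203.0.113.10 is a constructed placeholder
# because the page does not give the value of WAN_IP-for-H323.
ADDR = {"WAN_IP-for-H323": "203.0.113.10", "LAN_H323": "192.168.1.56"}
ZONE_OF_IF = {"wan1": "WAN"}            # assumed interface-to-zone mapping
ZONE_OF_NET = {"192.168.1.": "LAN1"}    # assumed LAN1 subnet prefix

# WAN-LAN_H323: incoming interface, original IP, mapped IP, protocol, ports
NAT_RULES = [("wan1", "WAN_IP-for-H323", "LAN_H323", "TCP", 1720, 1720)]

def dnat(pkt):
    """Step 1: rewrite the destination if an inbound NAT rule matches."""
    for in_if, orig, mapped, proto, oport, mport in NAT_RULES:
        if (pkt.in_if, pkt.dst_ip, pkt.proto, pkt.dst_port) == \
                (in_if, ADDR[orig], proto, oport):
            return replace(pkt, dst_ip=ADDR[mapped], dst_port=mport)
    return pkt

def firewall(pkt, rules):
    """Step 2: first matching rule wins; anything unmatched is dropped."""
    src_zone = ZONE_OF_IF.get(pkt.in_if)
    dst_zone = next((z for net, z in ZONE_OF_NET.items()
                     if pkt.dst_ip.startswith(net)), None)
    for frm, to, dest, proto, port, action in rules:
        if (src_zone, dst_zone, pkt.dst_ip, pkt.proto, pkt.dst_port) == \
                (frm, to, ADDR[dest], proto, port):
            return action
    return "drop"

def verdict(pkt, rules):
    return firewall(dnat(pkt), rules)   # NAT first, then the firewall

# Rule as the tutorial configures it: destination is the mapped LAN object.
RULE_OK = [("WAN", "LAN1", "LAN_H323", "TCP", 1720, "allow")]
# Misconfiguration: destination set to the public (pre-NAT) object.
RULE_WRONG = [("WAN", "LAN1", "WAN_IP-for-H323", "TCP", 1720, "allow")]

CALL = Packet("wan1", ADDR["WAN_IP-for-H323"], "TCP", 1720)  # H.323 call setup
SSH = Packet("wan1", ADDR["WAN_IP-for-H323"], "TCP", 22)     # no NAT rule for it

if __name__ == "__main__":
    for name, rules in (("LAN_H323", RULE_OK), ("WAN_IP-for-H323", RULE_WRONG)):
        print(name, "call:", verdict(CALL, rules), "ssh:", verdict(SSH, rules))
```

With the destination set to the public address object the call is dropped, because the firewall only ever sees the translated address. Traffic to any other port on the public address stays dropped in both cases, which is the property to check after adding the rule.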
7.10 How to Allow Public Access to a Web Server
This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the wan1 interface and map to the HTTP server’s private IP address of 192.168.3.7.
Figure 100: Public Server Example Network Topology
7.10.1 Create the Address Objects
Use Configuration > Object > Address > Add to create the address objects.
1. Create a host address object named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7.
Figure 101: Creating the Address Object for the HTTP Server’s Private IP Address
2. Create a host address object named Public_HTTP_Server_IP for the public WAN IP address 1.1.1.1.
Figure 102: Creating the Address Object for the Public IP Address
7.10.2 Configure NAT
You need a NAT rule to send HTTP traffic coming to IP address 1.1.1.1 on wan1 to the HTTP server’s private IP address of 192.168.3.7. In the Configuration > Network > NAT screen, click the Add icon and create a new NAT entry as follows.
• Set the Incoming Interface to wan1.
• Set the Original IP to the Public_HTTP_Server_IP object and the Mapped IP to the DMZ_HTTP object.
• HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 80.
• Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server (see NAT Loopback on page 327 for details).
Figure 103: Creating the NAT Entry
7.10.3 Set Up a Firewall Rule
The firewall blocks traffic from the WAN zone to the DMZ zone by default so you
need to create a firewall rule to allow the public to send HTTP traffic to IP address
1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP
address 1.1.1.1, users can just go to the domain name to access the web server.
