![Zyxel USG100-PLUS [7/185] Routing and nat](/img/pdf.png)
Zyxel USG100-PLUS [7/185] Routing and nat
![Zyxel ZyWALL USG 20W [7/185] Routing and nat](/views2/1008951/page7/bg7.png)
ZyWALL USG Support Notes
7
All contents copyright (c) 2010 ZyXEL Communications Corporation.
1. Routing and NAT
USG ZyWALL is usually placed at the company network boarder, acting as company
network gateway. Routing and NAT are the indispensable functions of USG ZyWALL,
responsible for the routing among intranet networks, as well as comprehensive routing
between intranet and internet traffic. Thus, correctly set up routing and NAT are very
important for the USG ZyWALL to work properly as your requirements.
In the scenario above, there‟re various intranet subnets interconnected. The client
zone and WLAN zone are connected directly to the USG ZyWALL, server zone and
VoIP client subnets are connected to a switch, and the switch is connected to the USG.
All the intranet clients and servers need to be able to access internet, with proper
settings of routing and SNAT. The intranet servers should be able to be accessed by
internet clients, and also should be able to be accessed by the intranet clients. To
enable the branch office intranet clients communicate safely with the HQ internet
resources and clients, IPSec VPN are built between the HQ USG and branch office
security gateway, so correct VPN routing is also necessary. Telecommunicates not
only wants to access the HQ resources via SSL VPN, but also wants to access branch
office resources via SSL VPN first to the HQ, then is directed to the branch office via
IPSec VPN. To achieve this goal, we also need correct routings set on the USG
ZyWALL.
Содержание
- Zywall usg support notes 1
- Zywall usg support notes 2
- Zywall usg support notes 3
- Zywall usg support notes 4
- Zywall usg support notes 5
- Zywall usg support notes 6
- Routing and nat 7
- Zywall usg support notes 7
- General packet flow 8
- Understand packet flow 8
- Zywall usg support notes 8
- Routing priority 9
- Zywall usg support notes 9
- Zywall usg support notes 10
- Zywall usg support notes 11
- Snat priority 12
- Zywall usg support notes 12
- Zywall usg support notes 13
- Zywall usg support notes 14
- Zywall usg support notes 15
- Zywall usg support notes 16
- Default wan trunk and default snat 17
- Interface type 17
- Zywall usg support notes 17
- Zywall usg support notes 18
- Zywall usg support notes 19
- Zywall usg support notes 20
- Default wan trunk and default snat 21
- Zywall usg support notes 21
- Zywall usg support notes 22
- Zywall usg support notes 23
- Zywall usg support notes 24
- Network scenario 25
- Setting up virtual server 25
- Zywall usg support notes 25
- Configuration steps 26
- Zywall usg support notes 26
- Zywall usg support notes 27
- Configuration steps 28
- Network scenario 28
- Setting up one to one nat 28
- Zywall usg support notes 28
- Zywall usg support notes 29
- Application scenario 30
- Setting up many one to one nat 30
- Zywall usg support notes 30
- Configuration steps 31
- Zywall usg support notes 31
- Nat loopback 32
- Network scenario 32
- Zywall usg support notes 32
- Configuration steps 33
- Zywall usg support notes 33
- Nat with proxy arp 34
- Zywall usg support notes 34
- Application scenario 35
- Configuration steps 35
- Zywall usg support notes 35
- Zywall usg support notes 36
- Policy route vs direct route 37
- Zywall usg support notes 37
- Routing for ipsec vpn 38
- Zywall usg support notes 38
- Application scenario 39
- Configuration steps 39
- Zywall usg support notes 39
- Zywall usg support notes 40
- Network scenario 41
- One to one nat link fail over 41
- Zywall usg support notes 41
- Configuration steps 42
- Zywall usg support notes 42
- Zywall usg support notes 43
- Accessing ipsec vpn peer subnet from ssl 44
- Application scenario 44
- Vpn clients 44
- Zywall usg support notes 44
- Configuration steps 45
- Zywall usg support notes 45
- Zywall usg support notes 46
- Zywall usg support notes 47
- Zywall usg support notes 48
- Zywall usg support notes 49
- Zywall usg support notes 50
- Zywall usg support notes 51
- Zywall usg support notes 52
- Zywall usg support notes 53
- Zywall usg support notes 54
- Deploying eps 55
- Eps introduction 55
- Eps webgui 55
- Zywall usg support notes 55
- Zywall usg support notes 56
- Zywall usg support notes 57
- Eps cli 58
- Zywall usg support notes 58
- Zywall usg support notes 59
- Application scenario 60
- Configuration steps 60
- Deploy eps in user aware 60
- Eps application note 60
- Zywall usg support notes 60
- Add eps object that complies with dmz checking requirements 61
- Add eps object that complies with internet checking requirements add eps object that complies with internet checking requirements 61
- All contents copyright c 2010 zyxel communications corporation 61
- Zywall usg support notes 61
- All contents copyright c 2010 zyxel communications corporation 62
- Eps object summary 62
- Zywall usg support notes 62
- Zywall usg support notes 63
- Scenario verification 64
- Zywall usg support notes 64
- Zywall usg support notes 65
- Application scenario 66
- Deploy eps in ssl vpn 66
- Zywall usg support notes 66
- Configuration steps 67
- Zywall usg support notes 67
- Zywall usg support notes 68
- Scenario verification 69
- Zywall usg support notes 69
- Zywall usg support notes 70
- Zywall usg support notes 71
- Application scenario 72
- Configuration steps 72
- Deploy aaa and eps in ssl vpn 72
- Zywall usg support notes 72
- Zywall usg support notes 73
- Zywall usg support notes 74
- Zywall usg support notes 75
- Zywall usg support notes 76
- Zywall usg support notes 77
- Zywall usg support notes 78
- All contents copyright c 2010 zyxel communications corporation 79
- If you have entered the attribute alternative login name attribute as shown in the 79
- Picture below you can also verify by user mail address 79
- Zywall usg support notes 79
- All contents copyright c 2010 zyxel communications corporation 80
- Zywall usg support notes 80
- Zywall usg support notes 81
- Zywall usg support notes 82
- Zywall usg support notes 83
- Zywall usg support notes 84
- Zywall usg support notes 85
- Access privilege add two ssl vpn rules for cso_support and sales 86
- All contents copyright c 2010 zyxel communications corporation 86
- Zywall usg support notes 86
- All contents copyright c 2010 zyxel communications corporation 87
- Zywall usg support notes 87
- All contents copyright c 2010 zyxel communications corporation 88
- Zywall usg support notes 88
- Scenario verification 89
- Zywall usg support notes 89
- Zywall usg support notes 90
- Zywall usg support notes 91
- Zywall usg support notes 92
- Voip application with usg 93
- Voip support device list 93
- Zywall usg support notes 93
- Sip server on the internet 94
- Voip in nat scenario 94
- Zywall usg support notes 94
- Sip server on the local network 95
- Zywall usg support notes 95
- Zywall usg support notes 96
- Application scenario 97
- Voip in vpn scenario 97
- Zywall usg support notes 97
- Configuration steps 98
- Zywall usg support notes 98
- Zywall usg support notes 99
- Zywall usg support notes 100
- Zywall usg support notes 101
- Zywall usg support notes 102
- Zywall usg support notes 103
- Zywall usg support notes 104
- Zywall usg support notes 105
- Zywall usg support notes 106
- Zywall usg support notes 107
- Zywall usg support notes 108
- Application scenario 109
- Ipsec vpn high availability 109
- Site to site ipsec vpn ha fall back 109
- Zywall usg support notes 109
- Configuration steps 110
- Zywall usg support notes 110
- Zywall usg support notes 111
- Zywall usg support notes 112
- Zywall usg support notes 113
- Zywall usg support notes 114
- Scenario verification 115
- Zywall usg support notes 115
- Zywall usg support notes 116
- Zywall usg support notes 117
- Zywall usg support notes 118
- Application scenario 119
- Ipsec vpn fail over and fall back 119
- Zywall usg support notes 119
- Configuration steps 120
- Zywall usg support notes 120
- Zywall usg support notes 121
- Zywall usg support notes 122
- Zywall usg support notes 123
- Zywall usg support notes 124
- Zywall usg support notes 125
- Zywall usg support notes 126
- Zywall usg support notes 127
- Zywall usg support notes 128
- Zywall usg support notes 129
- Scenario verification 130
- Zywall usg support notes 130
- Zywall usg support notes 131
- Zywall usg support notes 132
- Zywall usg support notes 133
- Zywall usg support notes 134
- A device management faq 135
- A01 how can i connect to zywall usg to perform 135
- A02 why can t i login into zywall usg 135
- Administrator s tasks 135
- Zywall usg support notes 135
- A04 why zywall usg redirects me to the login page when i 137
- A05 why do i lose my configuration setting after zywall usg 137
- A06 how can i do if the system is keeping at booting up stage 137
- Am performing the management tasks in gui 137
- For a long time 137
- Restarts 137
- Zywall usg support notes 137
- Zywall usg support notes 138
- B registration faq 139
- B01 why do i need to do the device registration 139
- B02 why do i need to activate services 139
- B03 why can t i active trial service 139
- B04 will the utm service registration information be reset 139
- Manufactory default 139
- Once restore configuration in zywall usg back to 139
- Zywall usg support notes 139
- C file manager faq 140
- C01 how can zywall usg manage multiple configuration 140
- C02 what are the configuration files like startup config conf 140
- C03 why can t i update firmware 140
- System default conf and lastgood conf 140
- Zywall usg support notes 140
- C05 how to write a shell script 141
- C06 why can t i run shell script successfully 141
- Shell scripts 141
- Zywall usg support notes 141
- D object faq 142
- D01 why does zywall usg use object 142
- Zywall usg support notes 142
- D02 what s the difference between trunk and the zone 143
- D03 what is the difference between the default ldap and the 143
- Default ldap radius server is a built in aaa object if you only have one ldap radius server installed all you need to do is to setup the default ldap radius and then select group ldap radius into authentication method if you have several redundant ldap radius servers you may need to create your own ldap radius server groups but don t forget selecting the ldap radius server groups in the authentication method chosen for authenticating 143
- Group ldap what is the difference between the default 143
- Object 143
- Radius and the group radius 143
- The trunk concept is used as an interface group for a policy routing you can add interfaces and define load balance mechanisms in one trunk the zone concept is used to group multiple of interfaces which have the same security policy for example you can define two zones lan and wan and add a firewall rule to control the traffic between lan and wan 143
- Zywall usg support notes 143
- Base interface goes down 144
- E interface faq 144
- E01 how to setup the wan interface with pppoe or pptp 144
- E02 how to add a virtual interface ip alias 144
- E03 why can t i get ip address via dhcp relay 144
- E04 why can t i get dns options from zywall s dhcp 144
- E05 why does the ppp interface dials successfully even its 144
- Server 144
- Zywall usg support notes 144
- The base interface is just a reference which zywall uses to connect to ppp server if you have another active interface routes zywall will try to maintain connectivity 145
- Zywall usg support notes 145
- F01 how to add a policy route 146
- F02 how to configure local loopback in zywall usg 146
- Routing and nat faq 146
- Zywall usg support notes 146
- Zywall usg support notes 147
- Zywall usg support notes 148
- F03 how to configure a nat 149
- Zywall usg support notes 149
- Bandwidth usage 150
- F04 after i installed a http proxy server and set a http 150
- F05 how to limit some application for example ftp 150
- Redirect rule i still can t access web why 150
- Zywall usg support notes 150
- And static route and direct connect subnet table 151
- F06 what s the routing order of policy route dynamic route 151
- F07 why zywall usg cannot ping the internet host but pc 151
- F08 why can t i ping to the internet after i shutdown the 151
- F09 why the virtual server or port trigger does not work 151
- From lan side can browse internet www 151
- Primary wan interface 151
- Zywall usg support notes 151
- F10 why port trigger does not work 152
- F11 how do i use the traffic redirect feature in zywall usg 152
- F12 why can t zywall learn the route from rip and or ospf 152
- Zywall usg support notes 152
- Correctly and the vpn connection status is connected but the 153
- G vpn and certificate 153
- G01 why can t the vpn connections dial to a remote gateway 153
- G02 vpn connections are dialed successfully but the traffic 153
- G03 why zywall usg vpn tunnel had been configured 153
- Still cannot go through the ipsec tunnel 153
- Traffic still can not reach the remote vpn subnet 153
- Zywall usg support notes 153
- G04 vpn connections are dialed successfully and the policy 154
- G05 why don t the inbound outbound traffic nat in vpn 154
- Remote site 154
- Route is set but the traffic is lost or there is no response from 154
- Zywall usg support notes 154
- Disable the firewall 155
- H firewall faq 155
- H01 why doesn t my lan to wan or wan to lan rule work 155
- H02 why does the intra zone blocking malfunction after i 155
- H03 can i have access control rules to the device in firewall 155
- Zywall usg support notes 155
- Application patrol is to inspect and determine the application type accurately by looking at the application payload osi layer 7 regardless of the port numbers 156
- Apppatrol on zywall usg supports four categories of application protocols at the time of writing 1 general protocols http ftp smtp pop3 and irc 2 im category msn yahoo messenger aol icq qq 3 p2p category bt edonkey fasttrack gnutella napster h 23 sip soulseek 4 streaming protocols rtsp real time streaming protocol note the applications support is not configurable add or remove 156
- I application patrol faq 156
- I01 what is application patrol 156
- I02 what applications can the application patrol function 156
- Inspect 156
- Zywall usg support notes 156
- Access for some applications 157
- All contents copyright c 2010 zyxel communications corporation 157
- I03 why does the application patrol fail to drop reject invalid 157
- I04 what is the difference between auto and service ports 157
- List the other is that the application patrol needs several session packets for the application identification after the session is identified successfully or it can t be identified specified action is taken if the session is terminated before being identified application patrol won t take any action but it seldom happens 157
- There are two possible reasons for this problem one is that this application version is not supported by the application patrol please refer to application patrol support 157
- Zywall usg support notes 157
- Settings in the application patrol configuration page 158
- Zywall usg support notes 158
- Apppatrol feature 159
- For different users 159
- I05 what is the difference between bwm bandwidth 159
- I06 do i have to purchase icards specifically for using 159
- I07 can i configure different access level based on application 159
- Management in policy route and app patrol 159
- Zywall usg support notes 159
- All contents copyright c 2010 zyxel communications corporation 160
- I08 can i migrate apppatrol policy and bandwidth 160
- Management control from zld1 x to zld2 x 160
- No as the new zld platform 2 x enhances zone to zone mechanism which is not capable to migrate into new apppatrol therefore the user will be required to reconfigure the related setting after complete firmware upgrade 160
- Zywall usg support notes 160
- Complete the registration and turn on idp 161
- J idp faq 161
- J01 why doesn t the idp work why has the signature 161
- J02 when i use a web browser to configure the idp 161
- J03 when i want to configure the packet inspection 161
- J04 after i select auto update for idp when will it update the 161
- J05 if i want to use idp service will it is enough if i just 161
- Signatures 161
- Signatures the gui becomes very slow 161
- Sometimes it will popup wait data timeout 161
- Updating failed 161
- Zywall usg support notes 161
- And latest idp adp in zld2 x 162
- J06 what are the major design differences in idp in zld1 x 162
- Zywall usg support notes 162
- Apppatrol 163
- Apppatrol can be free for usage if the user registers the idp trial license firstly due to apppatrol requires the idp signatures to identify the application type by registration to the trial program the user can use apppatrol as well to update signatures during the 163
- J07 does idp subscription have anything to do with 163
- J08 how to get a detailed description of an idp signature 163
- J09 after an idp signature updated does it require zywall to 163
- Lan will be treated differently 163
- Reboot to make new signatures take effect 163
- The detailed idp signature description can be retrieved either by visiting mysecurityzone or by clicking the hyper link in the log 163
- Trial period once the trial license expires the user can still use the apppatrol feature but is no longer able to update signatures apppatrol is independent from idp both features can be turned on or off independently 163
- Zywall usg support notes 163
- All contents copyright c 2010 zyxel communications corporation 164
- No it is not necessary to reboot the device to make new signatures take effect 164
- Zywall usg support notes 164
- Allowed trusted websites only 165
- Content filter faq 165
- Does the external web filtering service seem not to be 165
- K01 why can t i enable external web filtering service why 165
- K02 why can t i use msn after i enabled content filter and 165
- Working 165
- Zywall usg support notes 165
- Interfaces 166
- L device ha faq 166
- L01 what does the preempt mean 166
- L02 what is the password in synchronization 166
- L03 what is link monitor and how to enable it 166
- L04 can link monitor of device ha be used in backup vrrp 166
- Zywall usg support notes 166
- Backup zw usg are activated at the same time 167
- L05 why do both the vrrp interfaces of master zw usg and 167
- Zywall usg support notes 167
- Click a button link 168
- Disconnected why is the gui redirected to login page after i 168
- M user management faq 168
- M01 what is the difference between user and guest account 168
- M02 what is the re authentication time and lease time 168
- M03 why can t i sign in to the device 168
- M04 why is the telnet ssh ftp session to the device 168
- M05 what is aaa 168
- Zywall usg support notes 168
- M06 what are ldap users and radius users used for 169
- M07 what privileges will be given for ldap users and 169
- Radius users 169
- Zywall usg support notes 169
- See the flow as shown below 170
- Zywall usg support notes 170
- N centralized log faq 171
- N01 why can t i enable e mail server in system log settings 171
- N02 after i have the entire required field filled why can t i 171
- Receive the log mail 171
- Zywall usg support notes 171
- Data are cleared 172
- O traffic statistics faq 172
- O01 when i use flush data in report not all the statistic 172
- O02 why isn t the statistic data of report exact 172
- O03 does report collect the traffic from to zywall itself 172
- O04 why cannot i see the connections from to zywall itself 172
- P anti virus faq 172
- P01 is there any file size or amount of concurrent files 172
- Zywall usg support notes 172
- Limitation with zywall usg anti virus engine 173
- P02 does zywall usg anti virus support compressed file 173
- P03 what is the maximum concurrent session of zywall 173
- P04 how many type of viruses can be recognized by the 173
- P05 how frequent the av signature will be updated 173
- P06 how to retrieve the virus information in detail 173
- Scanning 173
- Usg anti virus engine 173
- Zywall usg 173
- Zywall usg support notes 173
- Been infected by the virus however i am very sure this file is 174
- How do i resolve this problem 174
- Not infected because the file is nothing but a plain text file 174
- P07 i cannot download a file from internet through zywall 174
- P08 does zywall usg anti virus engine support passive 174
- P09 what kinds of protocol are currently supported on 174
- P10 if the anti virus engine detects a virus what action it may 174
- Take can it cure the file 174
- Usg because the anti virus engine considers this file has 174
- Zywall usg anti virus engine 174
- Zywall usg support notes 174
- Does usg do this 175
- Q zld v2 0 new feature related faq 175
- Q01 in zld v2 0 by default i don t need to create any policy 175
- Route to make traffic from intranet to go out to internet how 175
- Zywall usg support notes 175
- 1 mapping 176
- Nat 1 1 mapping then how does the usg achieve the nat 176
- Q02 in zld v2 0 when i configure a nat 1 1 mapping rule 176
- There s not the option of add corresponding policy route for 176
- Zywall usg support notes 176
- Ipsec vpn traffic 177
- Q03 in zld v2 0 do i still need to create policy routes for 177
- Q04 what is eps 177
- Q05 where can i deploy the eps function 177
- Zywall usg support notes 177
- Q06 is ipsec vpn ha fall back function in zld v2 0 178
- Q07 i want to add a bridge interface to device ha what are 178
- The correct setup steps to prevent broadcast storm 178
- Zywall usg support notes 178
- Q08 i upgraded my usg firmware from v2 2 to v2 0 there 179
- Seem to be some routing issues after the upgrade i know 179
- Solve the routing issues related with firmware upgrade 179
- There re some changes in routing design in v2 0 how can i 179
- Zywall usg support notes 179
- Zywall usg support notes 180
- Zywall usg support notes 181
- Zywall usg support notes 182
- Zywall usg support notes 183
- Zywall usg support notes 184
- Zywall usg support notes 185
Похожие устройства
- HP pavilion x360 11-n056nr, k6z45ea Инструкция по эксплуатации
- HP 250, l8a49es Инструкция по эксплуатации
- Zyxel ZyWALL USG 300 Инструкция по эксплуатации
- HP spectre pro x360, l8t80es Инструкция по эксплуатации
- Zyxel ZyWALL USG 300 Инструкция по установке
- Zyxel ZyWALL USG 300 Справочник командного интерфейса
- Zyxel ZyWALL USG 300 Рекомендации по настройке
- HP 14-r250ur, l1s50ea Инструкция по эксплуатации
- HP proone 400, d5u22ea Инструкция по эксплуатации
- HP 15-g202ur, l1s12ea Инструкция по эксплуатации
- Zyxel ZyWALL USG 1000 Инструкция по эксплуатации
- Zyxel ZyWALL USG 1000 Справочник командного интерфейса
- Zyxel ZyWALL USG 1000 Рекомендации по настройке
- Zyxel ZyWALL USG 1000 Инструкция по установке
- Zyxel ZyWALL USG 2000 Инструкция по эксплуатации
- Zyxel ZyWALL USG 2000 Справочник командного интерфейса
- Zyxel ZyWALL USG 2000 Инструкция по установке
- Zyxel ZyWALL USG 2000 Рекомендации по настройке
- HP 15-r254ur, l1s18ea Инструкция по эксплуатации
- HP 15-r256ur, l1t30ea Инструкция по эксплуатации