
B. firewall faq – ZyXEL Communications 2WG User Manual

Page 227


ZyWALL 2WG Support Notes

All contents copyright (c) 2006 ZyXEL Communications Corporation.


understand the ESP packet with protocol number 50 and replace the source IP address of the IPSec gateway with the router's WAN IP address. However, NAT must not change the source port of the UDP packets used for key management: the remote gateway checks this source port during connection setup, so the port is not allowed to change.

A28. How do I set up my ZyWALL for routing IPSec packets over NAT?

For outgoing IPSec tunnels, no extra setting is required. For forwarding an inbound IPSec ESP tunnel, a 'Default' server must be set in Menu 15. This is because NAT makes your LAN appear as a single machine to the outside world; LAN users are invisible to outside users. To make an internal server reachable from outside, you must specify the service port and the LAN IP of that server in Menu 15. NAT can then forward incoming packets to the requested service behind NAT, and outside users access the server using the ZyWALL's WAN IP address. Since ESP has no service port, the internal IPSec gateway must be configured as the default server (unspecified service port) in Menu 15 when it acts as a server gateway.

A29. What is STP (Spanning Tree Protocol) / RSTP (Rapid STP)?

When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. This configuration is intended for advanced users who know the protocol well.

A30. In what order does the ZyWALL handle inbound and outgoing traffic?

(1) For a ZyWALL in router mode, the inspection flow for inbound and outgoing traffic is as follows.

Traffic from WAN: -> NAT -> Firewall -> Policy Route -> Load Balance -> Static Route -> IDP -> AV -> AS -> CF -> BWM

Traffic to WAN: -> Firewall -> Policy Route -> Load Balance -> Static Route -> IDP -> AV -> AS -> CF -> BWM -> NAT
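The practical consequence of A28 and A30 together is that inbound traffic is translated by NAT before the firewall sees it, so firewall rules for inbound ESP must match the LAN address of the IPSec gateway (the 'Default' server), while outbound traffic is NAT'ed last, after the firewall, with the UDP source port of the key-management packets preserved. The following Python model is an added illustration, not ZyXEL code: the stage order is taken from A30, while the addresses, the Menu 15 style server table, the firewall rules and the IKE port value are constructed for the example, and the stages other than NAT and firewall are modelled as no-ops.

```python
"""Toy model of the ZyWALL router-mode inspection order from A28 and A30.

Added illustration, not ZyXEL code.  Stage order follows the FAQ; the
addresses, the Menu 15 style server table and the firewall rules are
constructed for the example.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional, Tuple

ESP = 50   # IP protocol number of IPSec ESP (named in the FAQ)
UDP = 17

Stage = Callable[["Packet"], Optional["Packet"]]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP carries no transport ports
    dport: Optional[int] = None


@dataclass
class ZyWallModel:
    wan_ip: str
    # Menu 15 style table: service port -> LAN IP; key None is the 'Default' server
    nat_servers: Dict[Optional[int], str] = field(default_factory=dict)
    # Firewall: a packet passes if any allow rule matches
    fw_rules: List[Callable[[Packet], bool]] = field(default_factory=list)

    # --- individual stages -------------------------------------------------
    def nat_inbound(self, p: Packet) -> Optional[Packet]:
        """Forward WAN-destined traffic to the server for its port, else to 'Default'."""
        if p.dst != self.wan_ip:
            return p
        target = self.nat_servers.get(p.dport, self.nat_servers.get(None))
        return replace(p, dst=target) if target else None   # no mapping: dropped

    def nat_outbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite the source IP to the WAN IP but keep the source port untouched."""
        return replace(p, src=self.wan_ip)

    def firewall(self, p: Packet) -> Optional[Packet]:
        return p if any(rule(p) for rule in self.fw_rules) else None

    @staticmethod
    def passthrough(p: Packet) -> Optional[Packet]:
        """Policy Route, Load Balance, Static Route, IDP, AV, AS, CF, BWM: no-ops here."""
        return p

    # --- pipelines in the order given by A30 -------------------------------
    OTHERS = ("Policy Route", "Load Balance", "Static Route", "IDP", "AV", "AS", "CF", "BWM")

    def _run(self, p: Packet, stages: List[Tuple[str, Stage]]) -> Tuple[Optional[Packet], str]:
        for name, stage in stages:
            p = stage(p)
            if p is None:
                return None, f"dropped at {name}"
        return p, "forwarded"

    def from_wan(self, p: Packet) -> Tuple[Optional[Packet], str]:
        others = [(n, self.passthrough) for n in self.OTHERS]
        return self._run(p, [("NAT", self.nat_inbound), ("Firewall", self.firewall)] + others)

    def to_wan(self, p: Packet) -> Tuple[Optional[Packet], str]:
        others = [(n, self.passthrough) for n in self.OTHERS]
        return self._run(p, [("Firewall", self.firewall)] + others + [("NAT", self.nat_outbound)])


def demo() -> dict:
    """Constructed scenario: LAN IPSec gateway 192.168.1.2 behind WAN IP 203.0.113.10."""
    lan_gw, wan, peer = "192.168.1.2", "203.0.113.10", "198.51.100.7"
    zw = ZyWallModel(wan_ip=wan)
    # Firewall allows ESP only to the LAN gateway (post-NAT address), and LAN-sourced outbound.
    zw.fw_rules = [lambda p: p.proto == ESP and p.dst == lan_gw,
                   lambda p: p.src.startswith("192.168.1.")]
    esp_in = Packet(src=peer, dst=wan, proto=ESP)
    ike_out = Packet(src=lan_gw, dst=peer, proto=UDP, sport=500, dport=500)  # 500 = IKE's UDP port

    without_default = zw.from_wan(esp_in)        # no Menu 15 entry yet
    zw.nat_servers[None] = lan_gw                # 'Default' server, as A28 prescribes
    with_default = zw.from_wan(esp_in)
    out = zw.to_wan(ike_out)
    return {"esp_no_default": without_default[1],
            "esp_default_dst": with_default[0].dst,
            "esp_default_status": with_default[1],
            "ike_out_src": out[0].src,
            "ike_out_sport": out[0].sport}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the ESP packet dropped at the NAT stage until the 'Default' server exists, forwarded to 192.168.1.2 once it does (the firewall rule written against the LAN address matches because NAT ran first), and the outbound IKE packet leaving with the WAN source address but its source port 500 unchanged.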

B. Firewall FAQ