Using DMZ
DMZ stands for De-Militarized Zone, which provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death.
It is highly recommended that you connect all of your public servers to the DMZ port.
It is also highly recommended that you keep all sensitive information off the public servers on the DMZ port. Store sensitive information on LAN computers instead.
ZyWALL70 supports three types of interfaces: 2*WAN, 1*LAN and 4*DMZ. This document explains how to set up servers on the DMZ port so that users on the Internet or LAN can access them, and how to give users on the LAN Internet access.
In this document, we assume you have obtained a segment of public IP addresses for the WAN interface from your ISP, say 202.132.154.0/29. ZyWALL70 treats DMZ and LAN as two different segments, and both of them are behind NAT, so we assign two private IP segments, one for the DMZ port and one for the LAN port.
WAN | IP: 202.132.154.1 | Subnet: 255.255.255.248
LAN | IP: 192.168.1.1 | Subnet: 255.255.255.0
DMZ | IP: 192.168.2.1 | Subnet: 255.255.255.0 | Web Server: 192.168.2.3, FTP Server: 192.168.2.4
1. WAN IP Address Configuration
Configure ZyWALL70's WAN IP address as 202.132.154.1, IP Subnet Mask as 255.255.255.248, and Gateway IP address as 202.132.154.7. If you are not sure about these parameters, we suggest you consult your ISP.

2. LAN IP Address Configuration
Configure ZyWALL70's LAN IP address as 192.168.1.1 and IP Subnet Mask as 255.255.255.0. We turn on the DHCP Server option in this example; you can turn it off if you wish.

3. DMZ IP Address Configuration
Configure ZyWALL70's DMZ IP address as 192.168.2.1 and IP Subnet Mask as 255.255.255.0.

For Internet access from the LAN, and for DMZ servers to be accessible from the Internet, we have to configure NAT mapping between the private IP addresses (i.e. 192.168.1.x and 192.168.2.x) and the public IP addresses (202.132.154.1/29).
1. NAT mapping for Internet Access from LAN
In this section, we configure NAT mapping from the whole LAN subnet to a public IP address, 202.132.154.2. Go to ADVANCED->SUA/NAT->Address Mapping, select index 1, and press Edit. Set Mapping Type to Many-to-One, enter 192.168.1.1 as Local Start IP, 192.168.1.254 as Local End IP and 202.132.154.2 as Global Start IP. Then press Apply to save the configuration.

2. NAT mapping for Web server on DMZ port
In this section, we configure NAT mapping for the Web server on the DMZ port so that users on the Internet can access the server. Go to ADVANCED->SUA/NAT->Address Mapping, select index 2, and press Edit. Set Mapping Type to One-to-One, enter 192.168.2.3 as Local Start IP, and 202.132.154.2 as Global Start IP. Then press Apply to save the configuration.

3. NAT mapping for FTP server on DMZ port
In this section, we configure NAT mapping for the FTP server on the DMZ port so that users on the Internet can access the server. Go to ADVANCED->SUA/NAT->Address Mapping, select index 2, and press Edit. Set Mapping Type to One-to-One, enter 192.168.2.4 as Local Start IP, and 202.132.154.4 as Global Start IP. Then press Apply to save the configuration.

After finishing the above three NAT configurations, you can check the summary of each rule, as follows.
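Independently of the device's summary screen, the address-mapping table can be cross-checked offline before any server is exposed. The following is an added example, not ZyXEL code: it uses the addresses given in this document, while the rule names and the `audit` and `exposed_hosts` helpers are assumptions made for illustration.

```python
import ipaddress as ipa
from collections import defaultdict

# Values transcribed from this document; rule names are labels chosen for this example.
WAN_NET = ipa.ip_network("202.132.154.0/29")
SEGMENTS = {"LAN": ipa.ip_network("192.168.1.0/24"),
            "DMZ": ipa.ip_network("192.168.2.0/24")}
RULES = [  # (name, mapping type, segment, local start, local end, global IP)
    ("LAN outbound", "Many-to-One", "LAN", "192.168.1.1", "192.168.1.254", "202.132.154.2"),
    ("Web server", "One-to-One", "DMZ", "192.168.2.3", "192.168.2.3", "202.132.154.2"),
    ("FTP server", "One-to-One", "DMZ", "192.168.2.4", "192.168.2.4", "202.132.154.4"),
]

def audit(rules, wan_net=WAN_NET, segments=SEGMENTS):
    """Return (rule name, finding) pairs that deserve a second look."""
    findings, by_global = [], defaultdict(list)
    for name, mtype, seg, start, end, glob in rules:
        lo, hi, g = ipa.ip_address(start), ipa.ip_address(end), ipa.ip_address(glob)
        # Local addresses must belong to the segment the rule is meant for,
        # so a DMZ rule can never publish a LAN host by mistake.
        if lo not in segments[seg] or hi not in segments[seg] or lo > hi:
            findings.append((name, f"local range {start}-{end} not inside {seg} {segments[seg]}"))
        if mtype == "One-to-One" and lo != hi:
            findings.append((name, "One-to-One rule covers more than one local address"))
        # The global IP must be a usable host address in the ISP-assigned segment.
        if g not in wan_net or g in (wan_net.network_address, wan_net.broadcast_address):
            findings.append((name, f"global IP {glob} is not a usable host address in {wan_net}"))
        by_global[g].append(name)
    # A public address referenced by several rules is worth confirming by hand.
    for g, names in by_global.items():
        if len(names) > 1:
            findings.append((", ".join(names), f"global IP {g} is used by more than one rule"))
    return findings

def exposed_hosts(rules):
    """Map each public address to the internal host a One-to-One rule publishes."""
    return {glob: start for _, mtype, _, start, _, glob in rules if mtype == "One-to-One"}

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"[review] {name}: {finding}")
    for public, private in exposed_hosts(RULES).items():
        print(f"{public} -> {private} (published to the Internet)")
```

On the table as written in this document, the only finding is that 202.132.154.2 appears in both the LAN and Web server rules; confirm that against the rule summary before relying on it.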

If you enable ZyWALL's Firewall function, you need to set up ACL rules to forward the traffic; otherwise the firewall may block it. In the following screen we can see that ZyWALL70 forwards traffic from LAN to WAN by default, so users on the LAN can access the Internet without further ACL rule settings. Similarly, traffic from LAN or WAN to DMZ is also forwarded by default, so servers on the DMZ can be accessed by both internal and Internet users. You can also customize your ACL rules on this page if necessary.

All contents copyright (c) 2004 ZyXEL Communications Corporation.