 Chapter 7 Tutorials
ZyWALL USG 1000 User’s Guide
133
• To have all Internet access from the spoke routers go through the VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
• Your firewall rules can still block VPN packets.
• If the USG ZyWALLs' VPN tunnels are members of a single zone, make sure it is not set to block intra-zone traffic.
• The ZyNOS-based ZyWALLs don't have user-configured policy routes, so the only way to get traffic destined for another spoke router to go through the ZyNOS ZyWALL's VPN tunnel is to make the remote policy cover both tunnels.
• Since the USG ZyWALLs automatically handle the routing for VPN tunnels, if a USG ZyWALL is a hub router and the local policy covers both tunnels, the automatic routing takes care of it without needing a VPN concentrator.
• If a ZyNOS-based ZyWALL's remote network setting overlaps with its local network settings, set `ipsec swSkipOverlapIp` to `on` to send traffic destined to A's local network to A's local network instead of through the VPN tunnel.
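The two routing conditions in the notes above (the hub policy must cover every spoke for spoke-to-spoke traffic, and a supernet remote policy necessarily overlaps the spoke's own LAN) can be checked before committing a configuration. The following is an added example written for this page, not code from ZyXEL or the ZyWALL firmware; the topology, the function names and the modelling of the `ipsec swSkipOverlapIp` decision are assumptions made for illustration.

```python
import ipaddress

# Constructed sample hub-and-spoke topology (not from the manual): the hub's
# local VPN policy is a supernet covering both spoke LANs, so spoke-to-spoke
# traffic can transit the hub. Each spoke's remote policy is that same supernet.
HUB_LOCAL_POLICY = "192.168.0.0/16"
SPOKES = {
    "spoke_A": {"local": "192.168.10.0/24", "remote": HUB_LOCAL_POLICY},
    "spoke_B": {"local": "192.168.20.0/24", "remote": HUB_LOCAL_POLICY},
}


def spokes_not_covered(hub_policy, spokes):
    """Names of spokes whose LAN is not inside the hub's policy.
    Spoke-to-spoke traffic can only transit the hub when the policy covers
    both tunnels, so every name returned here is a routing gap."""
    hub = ipaddress.ip_network(hub_policy)
    return sorted(name for name, s in spokes.items()
                  if not ipaddress.ip_network(s["local"]).subnet_of(hub))


def spokes_with_overlap(spokes):
    """Names of spokes whose remote policy overlaps their own local network.
    This is exactly the situation the swSkipOverlapIp note addresses: a
    supernet remote policy contains the spoke's own LAN."""
    return sorted(name for name, s in spokes.items()
                  if ipaddress.ip_network(s["remote"]).overlaps(
                      ipaddress.ip_network(s["local"])))


def next_hop(dest, local, remote, skip_overlap_ip):
    """Model where a spoke sends a packet: 'local' (directly on its LAN),
    'tunnel' (into the VPN) or 'default' (neither policy matches).
    skip_overlap_ip models 'ipsec swSkipOverlapIp on'; this model is an
    assumption for illustration, not the firmware's own routing code."""
    ip = ipaddress.ip_address(dest)
    in_local = ip in ipaddress.ip_network(local)
    in_remote = ip in ipaddress.ip_network(remote)
    if in_local and in_remote:
        # Overlap: only the skip flag keeps LAN traffic off the tunnel.
        return "local" if skip_overlap_ip else "tunnel"
    if in_remote:
        return "tunnel"
    return "local" if in_local else "default"


if __name__ == "__main__":
    print("spokes not covered by hub policy:", spokes_not_covered(HUB_LOCAL_POLICY, SPOKES))
    print("spokes with local/remote overlap:", spokes_with_overlap(SPOKES))
    a = SPOKES["spoke_A"]
    for flag in (False, True):
        print("swSkipOverlapIp", "on" if flag else "off",
              "-> 192.168.10.5 via", next_hop("192.168.10.5", a["local"], a["remote"], flag))
```

Running it shows both spokes flagged for overlap (the price of a remote policy wide enough to reach the other spoke), and that a host on spoke A's own LAN is sent into the tunnel unless the skip flag is on, which is the failure the note warns about.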
7.6  How to Configure User-aware Access Control
You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include priorities for different types of traffic. See  for more on bandwidth management.

Table 20   User-aware Access Control Example

GROUP (USER)        WEB SURFING   WEB BANDWIDTH   MSN                      LAN-TO-DMZ ACCESS
------------------  ------------  --------------  -----------------------  -----------------
Finance (Leo)       Yes           200K            No                       Yes
Engineer (Steven)   Yes           100K            No                       No
Sales (Debbie)      Yes           100K            Yes (M-F, 08:30~18:00)   Yes
Boss (Andy)         Yes           100K            Yes                      Yes
Guest (guest)       Yes           50K             No                       No
Others              No            ---             No                       No

The users are authenticated by an external RADIUS server at 192.168.1.200.

First, set up the user accounts and user groups in the ZyWALL. Then, set up user authentication using the RADIUS server. Finally, set up the policies in the table above.

The ZyWALL has its default settings.
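The policy table above is applied in two stages: the authenticated user name is resolved to a group, and the group's row decides each service, with the Others row as the default for anyone not in a listed group. The scheduled MSN entry for Sales is the one row that depends on the time of the request. The following added example models that evaluation in Python; it is not ZyWALL code, and the user-to-group mapping, the interpretation of "K" as kbit/s and the function names are assumptions made here for illustration.

```python
from datetime import datetime, time

# Constructed policy rows mirroring Table 20. "bandwidth" is the web
# bandwidth limit in kbit/s (assumed meaning of the table's "K"); "msn" is
# "yes", "no" or "scheduled" (Monday-Friday 08:30-18:00).
POLICIES = {
    "Finance":  {"web": True, "bandwidth": 200, "msn": "no",        "lan_to_dmz": True},
    "Engineer": {"web": True, "bandwidth": 100, "msn": "no",        "lan_to_dmz": False},
    "Sales":    {"web": True, "bandwidth": 100, "msn": "scheduled", "lan_to_dmz": True},
    "Boss":     {"web": True, "bandwidth": 100, "msn": "yes",       "lan_to_dmz": True},
    "Guest":    {"web": True, "bandwidth": 50,  "msn": "no",        "lan_to_dmz": False},
}
# The "Others" row: anyone who is not a member of a listed group.
OTHERS = {"web": False, "bandwidth": None, "msn": "no", "lan_to_dmz": False}

# Constructed user->group membership. On the device this is the local user
# database; the RADIUS server only confirms the credentials.
USER_GROUPS = {"Leo": "Finance", "Steven": "Engineer", "Debbie": "Sales",
               "Andy": "Boss", "guest": "Guest"}

WORKDAYS = range(0, 5)                 # Monday=0 .. Friday=4
OFFICE_HOURS = (time(8, 30), time(18, 0))


def in_schedule(when):
    """True when 'when' falls inside the M-F 08:30~18:00 window (inclusive)."""
    start, end = OFFICE_HOURS
    return when.weekday() in WORKDAYS and start <= when.time() <= end


def group_for(user):
    """Group of an authenticated user, or None if not in any listed group."""
    return USER_GROUPS.get(user)


def decide(user, service, when=None):
    """Return (allowed, bandwidth_kbps_or_None) for one user and service.
    Unknown users and unknown services fall through to deny."""
    policy = POLICIES.get(group_for(user), OTHERS)
    if service == "web":
        return (policy["web"], policy["bandwidth"] if policy["web"] else None)
    if service == "msn":
        rule = policy["msn"]
        if rule == "scheduled":
            return (in_schedule(when or datetime.now()), None)
        return (rule == "yes", None)
    if service == "lan_to_dmz":
        return (policy["lan_to_dmz"], None)
    return (False, None)


if __name__ == "__main__":
    wed_morning = datetime(2024, 1, 10, 9, 0)   # a Wednesday
    saturday = datetime(2024, 1, 13, 9, 0)
    for user, service, when in [("Leo", "web", None), ("Debbie", "msn", wed_morning),
                                ("Debbie", "msn", saturday), ("mallory", "web", None)]:
        print(user, service, when, "->", decide(user, service, when))
```

The point worth noticing is the default: a user who authenticates but belongs to no listed group, or a name that is not in the user database at all, lands on the Others row and is denied web surfing, which is the behaviour the table specifies rather than an implicit allow.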