Configure NAT and Policy

I would like to connect from the Client_HoOf to the RDS-Server. The USG40 gets its Internet from the FritzBox. The USG40 is connected via IPsec to the company.

I created a NAT rule and a policy. When I try to connect to the RDS-Server with the IP 192.168.199.2, I get the ACCESS BLOCK shown in the picture. What's wrong in my config? Do you need more information?



Thanks, Christian

All Replies

  • PeterUK (Guru Member), edited May 2021

    You should not need the NAT rule, as you will be going down the IPSec tunnel, so if the tunnel is set up correctly you go to 10.0.0.20 from 192.168.199.30.

    The gateway for 192.168.199.30 should be 192.168.199.2; really, your PC should be connected to the USG40W, and then it to the FritzBox for internet.

    So is the USG connected to the FritzBox LAN? Are you using the WAN port on the USG for this?

    Edit: with the NAT rule, try it with the firewall disabled on the USG.


  • Hey, the gateway for 192.168.199.30 is 192.168.199.1, the IP of the FritzBox. Yes, the USG is connected to the FritzBox LAN via the WAN port on the USG.

    I think the security policy is wrong. We have the same setup with a firewall from a German manufacturer and there it works fine.
  • tonygibbs16 (Guru Member)

    If you do a traceroute or tracert from your PC to the RDS Server, then how far does it get?

    Perhaps you could run it and post it here, to show whether the traceroute gets to the far end of the IPsec tunnel or not.
        - I think that it would help in finding out whether your issue is at the USG40 or the ZyWALL 310 end.

    Similarly, If you ping the RDS-Server, then which item responds?
         - do you get a destination unreachable reply from somewhere?

    I hope that this is helpful.

    Kind regards,
         Tony
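
The following is an added example, not code from the thread or from Zyxel, that does what Tony suggests in a repeatable way: it parses the output of tracert (Windows) or traceroute (Linux) toward the RDS-Server and reports which box the packets reached. The addresses are the ones the posters gave (PC 192.168.199.30 with FritzBox 192.168.199.1 as gateway, USG40W at 192.168.199.2 on the FritzBox LAN, RDS-Server 10.0.0.20); that the remote site is a 10.0.0.0/24 and that the ZyWALL 310 answers from 10.0.0.1 are assumptions. The three trace outputs at the bottom are constructed, not captured from the poster's network.

```python
"""Classify where a traceroute/tracert toward the RDS-Server stops.

Addresses from the thread: FritzBox 192.168.199.1 (the PC's current gateway),
USG40W 192.168.199.2 on the FritzBox LAN, RDS-Server 10.0.0.20 behind the
ZyWALL 310. The /24 for the remote site and the 10.0.0.1 hop are assumptions.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

FRITZBOX = "192.168.199.1"                          # from the thread
USG_WAN = "192.168.199.2"                           # from the thread
REMOTE_NET = ipaddress.ip_network("10.0.0.0/24")    # assumption: remote site is a /24

_HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")        # lines starting with a hop number
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_trace(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop number, responding IPv4 or None) for every hop line.

    Works for Windows tracert ("  1  <1 ms ... fritz.box [192.168.199.1]")
    and Linux traceroute (" 1  192.168.199.1 (192.168.199.1)  0.4 ms").
    Header lines do not start with a hop number and are skipped; a hop that
    only shows '*' or 'Request timed out.' yields None.
    """
    hops: List[Tuple[int, Optional[str]]] = []
    for line in text.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue
        ip: Optional[str] = None
        ip_m = _IPV4.search(m.group(2))
        if ip_m:
            try:
                ip = str(ipaddress.IPv4Address(ip_m.group(1)))  # rejects e.g. 999.1.1.1
            except ipaddress.AddressValueError:
                ip = None
        hops.append((int(m.group(1)), ip))
    return hops


def diagnose(text: str) -> str:
    """Map a trace to one of the situations discussed in the thread.

    reached-remote     a hop inside 10.0.0.0/24 answered: the tunnel carried the
                       packet, so look at the ZyWALL 310 / RDS host side.
    left-via-fritzbox  first hop is the FritzBox: the PC used its default
                       gateway and the USG never saw the packet (PeterUK's point).
    stuck-at-usg       first hop is the USG, nothing beyond it: the USG received
                       the packet but did not forward it into the tunnel, so
                       check its policy route and security policy.
    no-reply           not even the first hop answered: local PC/LAN problem.
    """
    hops = parse_trace(text)
    answered = [ip for _, ip in hops if ip is not None]
    if not answered:
        return "no-reply"
    if any(ipaddress.ip_address(ip) in REMOTE_NET for ip in answered):
        return "reached-remote"
    first = answered[0]
    if first == FRITZBOX:
        return "left-via-fritzbox"
    if first == USG_WAN:
        return "stuck-at-usg"
    return "unexpected-first-hop"


# Constructed sample outputs (not captured from the poster's network).
TRACE_VIA_FRITZBOX = """\
Tracing route to 10.0.0.20 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  fritz.box [192.168.199.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
"""

TRACE_STUCK_AT_USG = """\
traceroute to 10.0.0.20 (10.0.0.20), 30 hops max, 60 byte packets
 1  192.168.199.2 (192.168.199.2)  0.512 ms  0.480 ms  0.465 ms
 2  * * *
 3  * * *
"""

TRACE_THROUGH_TUNNEL = """\
traceroute to 10.0.0.20 (10.0.0.20), 30 hops max, 60 byte packets
 1  192.168.199.2 (192.168.199.2)  0.412 ms  0.380 ms  0.365 ms
 2  10.0.0.1 (10.0.0.1)  18.902 ms  18.870 ms  18.850 ms
 3  10.0.0.20 (10.0.0.20)  19.210 ms  19.180 ms  19.150 ms
"""

if __name__ == "__main__":
    for name, trace in [("via FritzBox", TRACE_VIA_FRITZBOX),
                        ("stuck at USG", TRACE_STUCK_AT_USG),
                        ("through tunnel", TRACE_THROUGH_TUNNEL)]:
        print(f"{name:15s} -> {diagnose(trace)}  hops={parse_trace(trace)}")
```

Paste a real tracert/traceroute into `diagnose()`; with the PC's gateway set to the FritzBox, as the poster describes, a trace to 10.0.0.20 is expected to come back as left-via-fritzbox, while a trace to the NAT address 192.168.199.2 that stops at the USG points at the policy route and security policy discussed further down.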



  • Zyxel_Jerry (Zyxel Employee), edited May 2021

    Hi @baumgaertnerc

    Please check whether the USG40W has a policy route for 192.168.199.30 to 10.0.0.20, via the VPN tunnel to the ZyWALL 310.

    You may also need to set a policy route on the ZyWALL 310 for 10.0.0.20 to 192.168.199.30, via the VPN tunnel to the USG40W.

    Policy route rules need to be set up on both devices.

