How to Allow Public Access to a Server Behind ZyWALL/USG?
Zyxel_Cooldia
Posts: 1,511 Zyxel Employee
SCENARIO DESCRIPTION:
This is an example of using ZyWALL/USG to configure a securely access
to internal server behind ZyWALL/USG with network address translation
(NAT). The Internet users can reach this server directly by its public
IP address and a NAT mapping rule will forward the traffic from the
Internet to the Intranet. It provides security and decrease the number
of IP addresses an organization needs.
Figure. ZyWALL/USG enables Public Access to a Server with NAT
SETUP/STEP BY STEP PROCEDURE:
Set Up the NAT on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > Network > NAT >
add NAT, select Enable Rule. Select 1:1 NAT. Set Incoming Interface to
be the wan1 interface. Type User-Defined Original IP (172.251.31.90 in
this example) and type User-Defined Mapped IP (192.168.1.34 in this
example). Set Port Mapping Type to Service, set Original Service and
Mapped Service to HTTP in this example. Click OK.
CONFIGURATION > Network > NAT > add NAT
Set Up the Security Policy on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > Security Policy >
Policy Control > add corresponding, select Enable. Configure a Name
for your to identify the security policy (http_server_access in this
example). Set From: WAN and To: LAN1. Set Destination to the lan subnet
where your server is (LAN_SUBNET_GE3 in this example). Set Service to
HTTP, set Action to allow. Click OK.
CONFIGURATION > Security Policy > Policy Control > add corresponding
VERIFICATION:
Type http://172.251.31.90/ into the browser, it displays the HTTP service page.
What Can Go Wrong?
1. If you cannot access your server via public IP address, please make
sure all your public IP addresses are routing properly. To do one by one
assign them to the ZyWALL’s WAN port. Test to make sure you have
internet access with the public IP address.
2. If you cannot access the ZyWALL from the internet with any IP
address on your public IP, this is a routing issue on the service end.
Please contact the ISP to fix the routing for the public IPs.
3. If you see [notice] log message as below, the HTTPS traffic is
blocked by the priority 1 Security Policy. The ZyWALL/USG checks the
security policy in order and applies the first security policy the
traffic matches. If the HTTPS traffic matches a policy that comes
earlier in the list, it may be unexpectedly blocked. Please change your
policy setting or move the policy to the higher priority.
Monitor > Log
Tagged:
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight