How to Allow Public Access to a Server Behind ZyWALL/USG?

Zyxel_Cooldia Posts: 1,511  Zyxel Employee
edited August 2022 in Networking

SCENARIO DESCRIPTION:

This example shows how to use the ZyWALL/USG to configure secure access to an internal server behind the ZyWALL/USG with network address translation (NAT). Internet users can reach this server directly by its public IP address, and a NAT mapping rule forwards the traffic from the Internet to the Intranet. NAT provides security and decreases the number of IP addresses an organization needs.
Figure.   ZyWALL/USG enables Public Access to a Server with NAT

SETUP/STEP BY STEP PROCEDURE:

 
Set Up the NAT on the ZyWALL/USG 
1. In the ZyWALL/USG, go to CONFIGURATION > Network > NAT > add NAT, select Enable Rule. Select 1:1 NAT. Set Incoming Interface to be the wan1 interface. Type User-Defined Original IP (172.251.31.90 in this example) and type User-Defined Mapped IP (192.168.1.34 in this example). Set Port Mapping Type to Service, set Original Service and Mapped Service to HTTP in this example. Click OK.
CONFIGURATION > Network > NAT > add NAT
 
Set Up the Security Policy on the ZyWALL/USG 
1. In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control > add corresponding, select Enable. Configure a Name to identify the security policy (http_server_access in this example). Set From: WAN and To: LAN1. Set Destination to the LAN subnet where your server is (LAN_SUBNET_GE3 in this example). Set Service to HTTP, set Action to allow. Click OK.
CONFIGURATION > Security Policy > Policy Control > add corresponding

VERIFICATION:

 
 
Type http://172.251.31.90/ into the browser; it displays the HTTP service page.
 
What Can Go Wrong? 
1. If you cannot access your server via the public IP address, please make sure all your public IP addresses are routing properly. To do this, assign them one by one to the ZyWALL's WAN port. Test to make sure you have internet access with each public IP address.
2. If you cannot access the ZyWALL from the internet with any of your public IP addresses, this is a routing issue on the service end. Please contact the ISP to fix the routing for the public IPs.
3. If you see a [notice] log message like the one below, the HTTPS traffic is blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policies in order and applies the first security policy the traffic matches. If the HTTPS traffic matches a policy that comes earlier in the list, it may be unexpectedly blocked. Please change your policy setting or move the policy to a higher priority.
Monitor > Log

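The first-match ordering described in item 3 can be checked offline before changing the policy list. The following is an added example, not Zyxel code or part of the original post: it models ordered policy evaluation and reports rules that an earlier rule with a different action makes unreachable. The rule `block_wan_to_lan`, the value 192.168.1.0/24 for LAN_SUBNET_GE3, and matching on the mapped (post-NAT) destination are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    priority: int
    name: str
    src_zone: str         # "any" matches every zone
    dst_zone: str
    dst_net: str          # CIDR of the mapped (post-NAT) destination
    port: Optional[int]   # None means any service
    action: str           # "allow" or "deny"

def matches(p, src_zone, dst_zone, dst_ip, port):
    return (p.src_zone in ("any", src_zone) and p.dst_zone in ("any", dst_zone)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p.dst_net)
            and p.port in (None, port))

def first_match(policies, src_zone, dst_zone, dst_ip, port):
    """Walk the list in priority order and return the first matching policy."""
    for p in sorted(policies, key=lambda p: p.priority):
        if matches(p, src_zone, dst_zone, dst_ip, port):
            return p
    return None  # nothing matched; the device's default policy would apply

def covers(a, b):
    """True when every packet that matches b also matches a."""
    return (a.src_zone in ("any", b.src_zone) and a.dst_zone in ("any", b.dst_zone)
            and ipaddress.ip_network(b.dst_net).subnet_of(ipaddress.ip_network(a.dst_net))
            and a.port in (None, b.port))

def shadowed(policies):
    """Pairs (earlier, later) where the later rule is never reached and the actions differ."""
    ordered = sorted(policies, key=lambda p: p.priority)
    return [(a.name, b.name) for i, b in enumerate(ordered) for a in ordered[:i]
            if covers(a, b) and a.action != b.action]

# Constructed rule sets. block_wan_to_lan is hypothetical; 192.168.1.0/24 is an
# assumed value for the LAN_SUBNET_GE3 address object.
deny = ("block_wan_to_lan", "WAN", "LAN1", "0.0.0.0/0", None, "deny")
allow = ("http_server_access", "WAN", "LAN1", "192.168.1.0/24", 80, "allow")
RULES_BAD = [Policy(1, *deny), Policy(2, *allow)]
RULES_FIXED = [Policy(1, *allow), Policy(2, *deny)]

if __name__ == "__main__":
    for label, rules in (("before", RULES_BAD), ("after", RULES_FIXED)):
        hit = first_match(rules, "WAN", "LAN1", "192.168.1.34", 80)
        print(label, hit.priority, hit.name, hit.action, shadowed(rules))
```

With the allow rule moved above the broad deny, only HTTP to the LAN subnet is permitted and every other WAN-to-LAN1 service still hits the deny rule.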