Zyxel USG 60 map IPSec VPN connection


All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    Is it Site to site or Remote Access (Server Role)?

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    It might help if you draw out the network layout. My test was done with Remote Access (Server Role) going to a client down the VPN for the NAT rule.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited July 2023

    Got some bad news: testing here with Remote Access (Server Role) on the other end and you being the Remote Access (Client Role), forwarding a port, by way of design, cannot be done. I can get a TCP SYN by ShieldsUP! to the IP down the VPN, but getting a SYN, ACK back is not possible that way round. If you were the Server Role, then it should be possible to forward a port to a client.

  • Thank you for your help. So I assume there is no other way to get access to that resource from outside LAN?

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    You would need to set up a Remote Access (Server Role) on your end with local IP 0.0.0.0, and set up a Remote Access (Client Role) on the other end with local IP your subnet and remote policy 0.0.0.0. Then you can NAT a port with a routing rule on your end:

    incoming: WAN

    service: your port

    next hop: VPN Tunnel, your VPN server

    On the other end:

    incoming: LAN

    click advanced, source port: your port

    next hop: VPN Tunnel, your VPN client

    And some firewall rules: IPSec_VPN to LAN, and on your end WAN to IPSec_VPN.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,266  Zyxel Employee

    Hello @andrew8891821

    Welcome to the Zyxel community and thanks for your inquiry. Regarding your requirement "What I need to do is give access to that resource to one PC from outside. E.g. PC X with public IP X.X.X.X can connect VPN host 192.168.200.80 by accessing my Zyxel WAN_IP:VPN-HOST_PORT.".

    Currently, we don't support this scenario. We suggest the outside PC get a VPN IP address (such as 192.168.200.XX) and connect to the VPN host 192.168.200.80. Please ensure the security policy allows VPN IPs to connect to each other. Thanks.

