Double NAT with two USG FLEX devices

baba
baba Posts: 280  Master Member
edited September 2023 in Security

Hi all,

I've two USG FLEX devices connected to each other via Point-to-Point WiFi, with an IPSec VPN as backup. Both USG FLEX have their own DSL connection. All incoming WAN traffic from the USG on the right should be forwarded to the USG on the left and from there to the servers in the DMZ zone.

How do I configure the USGs for this scenario (especially the USG on the right)?

Is this the right way or should I forward only specific ports from right to left USG?

Thanks!

Best,
baba


All Replies

  • baba

    I've gotten to the point where I only want to forward certain ports, but I can't get it configured

    Thanks!

  • PeterUK

    What is the PC IP that needs the ports from FLEX200 to FLEX200H?

  • baba
    edited September 2023

    @PeterUK 10.50.10.50

  • PeterUK

    So on the FLEX200 you do a NAT rule (Virtual Server):

    incoming: WAN

    external IP: your WAN IP

    internal IP: 10.50.10.10

    ports

    This alone will not work; you need to do a static route on FLEX200:

    destination IP: 10.50.10.0

    subnet: 255.255.0.0

    gateway: 10.70.70.1

    With a firewall rule in place, that should forward the ports.

  • baba

    I've a policy route on FLEX200 with 10.50.0.0/16 and GW 10.70.70.1, but it does not work. Must it be a static route?

  • PeterUK
    edited September 2023

    I don't think a routing rule would work; tested here by static route, which the NAT rule will follow.

    You might need a routing rule on FLEX200H:

    incoming: LAN 10.50.10.0

    source: 10.50.10.0

    next hop: 10.70.70.2

    SNAT: none

    and maybe on FLEX200:

    incoming: LAN 10.70.70.2

    source: 10.50.10.0

    next hop: WAN

    SNAT: outgoing

  • baba

    Hi @PeterUK, the static route does not help :/

    "You might need a routing rule on FLEX200H:

    incoming: LAN 10.50.10.0

    source: 10.50.10.0

    next hop: 10.70.70.2

    SNAT: none"

    This route would forward all traffic from the DMZ (10.50.10.0/24) to 10.70.70.2, but that's not correct. Only when requests come through 10.70.70.2 should the response go back through 10.70.70.2.

    Best,
    baba

  • baba

    Any other ideas?

    Thanks!

    Best,
    baba

  • PeterUK

    Do it for 10.50.10.50 then?

  • baba

    Also, 10.50.10.50 should have 10.70.70.1 as its default gateway. Only when requests come through 10.70.70.2 should the response go back through 10.70.70.2.
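The disagreement in this thread is really about the return path. The example below is added here and is not from the thread, from either poster or from Zyxel: it is a small Python model of the two routers' forwarding decisions that reproduces the three situations discussed. It uses the addresses from the thread (DMZ host 10.50.10.50, FLEX200H at 10.70.70.1, FLEX200 at 10.70.70.2, the 10.50.0.0/16 static route); the Internet client address 203.0.113.10, the interface names `wan`/`dmz`, and the variant in which FLEX200 source-NATs forwarded requests to its own P2P address are constructed assumptions, not settings taken from the posts.

```python
"""Model of the return-path problem discussed in the thread.

Addresses from the thread: DMZ host 10.50.10.50 behind FLEX200H (10.70.70.1),
FLEX200 on the other end of the P2P link (10.70.70.2).
The Internet client 203.0.113.10, the interface names and the "SNAT on FLEX200"
variant are constructed assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLIENT = "203.0.113.10"        # constructed Internet client (RFC 5737 documentation range)
DMZ_HOST = "10.50.10.50"
FLEX200_P2P = "10.70.70.2"
FLEX200H_P2P = "10.70.70.1"
FLEX200H_WAN = "FLEX200H-WAN"  # label for FLEX200H's own DSL uplink


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str  # interface the packet arrived on


@dataclass
class PolicyRoute:
    in_iface: str  # "incoming" in the thread's rule
    src_net: str   # "source" in the thread's rule
    next_hop: str


@dataclass
class StaticRoute:
    dst_net: str
    next_hop: str


@dataclass
class Router:
    name: str
    default_gw: str
    static_routes: List[StaticRoute] = field(default_factory=list)
    policy_routes: List[PolicyRoute] = field(default_factory=list)

    def next_hop(self, pkt: Packet) -> str:
        """Policy routes (incoming interface + source) are checked first,
        then the longest matching static route, then the default gateway."""
        src = ipaddress.ip_address(pkt.src)
        for pr in self.policy_routes:
            if pr.in_iface == pkt.in_iface and src in ipaddress.ip_network(pr.src_net):
                return pr.next_hop
        dst = ipaddress.ip_address(pkt.dst)
        best: Optional[StaticRoute] = None
        for sr in self.static_routes:
            net = ipaddress.ip_network(sr.dst_net)
            if dst in net and (best is None or net.prefixlen > ipaddress.ip_network(best.dst_net).prefixlen):
                best = sr
        return best.next_hop if best else self.default_gw


def build_flex200() -> Router:
    # The static route from the thread: 10.50.x.x via 10.70.70.1 over the P2P link.
    return Router("FLEX200", default_gw="FLEX200-WAN",
                  static_routes=[StaticRoute("10.50.0.0/16", FLEX200H_P2P)])


def build_flex200h(reply_policy_route: bool) -> Router:
    r = Router("FLEX200H", default_gw=FLEX200H_WAN,
               # The P2P link is directly connected, so the hop for 10.70.70.x is the peer itself.
               static_routes=[StaticRoute("10.70.70.0/24", FLEX200_P2P)])
    if reply_policy_route:
        # The rule proposed in the thread: incoming DMZ, source 10.50.10.0/24, next hop 10.70.70.2, no SNAT.
        r.policy_routes.append(PolicyRoute("dmz", "10.50.10.0/24", FLEX200_P2P))
    return r


def evaluate(reply_policy_route: bool, snat_on_flex200: bool) -> Dict[str, str]:
    """Where does FLEX200H send (a) the DMZ host's reply to a client that came in
    via FLEX200 and (b) an ordinary outbound connection from the DMZ host?"""
    flex200h = build_flex200h(reply_policy_route)
    # If FLEX200 rewrote the request's source to its own P2P address (assumed variant),
    # the DMZ host replies to 10.70.70.2; otherwise it replies to the real client address.
    reply_to = FLEX200_P2P if snat_on_flex200 else CLIENT
    reply = Packet(src=DMZ_HOST, dst=reply_to, in_iface="dmz")
    outbound = Packet(src=DMZ_HOST, dst="198.51.100.7", in_iface="dmz")  # constructed destination
    return {"reply_hop": flex200h.next_hop(reply),
            "dmz_outbound_hop": flex200h.next_hop(outbound)}


if __name__ == "__main__":
    request = Packet(src=CLIENT, dst=DMZ_HOST, in_iface="wan")  # after the virtual-server DNAT
    print("FLEX200 forwards the request to:", build_flex200().next_hop(request))
    for pr, snat in [(False, False), (True, False), (False, True)]:
        print(f"policy route={pr} SNAT on FLEX200={snat}:", evaluate(pr, snat))
```

Running it shows why the static route alone fails: the reply to the client leaves via FLEX200H's own WAN, so the client receives it from a different public address than the one it sent to and the connection never completes. The policy route fixes the reply but, as the second result shows, also drags every outbound connection from 10.50.10.50 over the P2P link, which is the objection raised above. Source-NATing the forwarded request on FLEX200 (the assumed third variant) makes the DMZ host address its replies to 10.70.70.2, so they return over the P2P link by plain destination routing while unrelated outbound traffic keeps the normal gateway; whether and where that option exists in the USG FLEX configuration is not something this thread establishes.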
