Zywall 1100 NAT to an IP address on the other side of an IPSEC VPN

I have a Zywall 1100 with an IPSEC VPN connection to another site.

The unit is connected to the internet on ge1 and to a local subnet 192.168.0.0/16 on the other interfaces.

The remote site on the other side of the VPN has subnet 10.168.0.0/16. The VPN is configured with 192.168.0.0/16 as the local policy and 10.168.0.0/16 for the remote policy.

I want to set a NAT rule to forward traffic arriving from the internet on port 4433 to 10.168.20.161 (remote site) on port 443.

From a device in the local network, I can successfully hit https://<internet.facing.ip.address>:4433/ and access the service on 10.168.20.161:443. From the internet, https://<internet.facing.ip.address>:4433/ times out. It was difficult to set a policy control, but I was eventually able to find one that doesn't log dropped packets (although it's more permissive than I was expecting it would need to be). However, even with the permissive policy control I cannot access the exposed service from the internet.

NAT rules that forward traffic to the local site (192.168.0.0/16) are working fine. Is there anything I'm missing to allow port forwarding to a service on a remote site?

Accepted Solution

  • zyman2008

    Hi @emisaacson ,

    Add policy routes on both sites.

    Internet ←→ ZyWALL 1100 ←→ VPN ←→ Remote Site ←→ 10.168.20.161:443

    On ZyWALL 1100,

    1. Add a policy route for Internet to 10.168.20.161:443 over VPN tunnel to remote site.

    Internet→(ge1)ZyWALL 1100→VPN→Remote Site→10.168.20.161

    source: any, destination: 10.168.20.161, next-hop: VPN tunnel

    2. And a policy route for 10.168.20.161:433 to Internet, source NATed to the ge1 IP of ZyWALL 1100.

    Internet (ge1)←ZyWALL 1100←10.168.20.161

    source: 10.168.20.161, destination: any, next-hop: ge1, SNAT: outgoing interface

    On remote site,

    1. Add a policy route, for 10.168.20.161:443 to Internet over VPN tunnel.

    ZyWALL 1100 ← VPN ← Remote Site ←10.168.20.161:443

    source: 10.168.20.161, source port: 443, destination: any, next-hop: VPN tunnel.
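A small model of the two-site policy routing in the accepted answer, as an added example that is not from the thread or from Zyxel: it traces the DNATed request and its reply through first-match policy routes to show why the remote-site route is needed. The ge1 address 198.51.100.10, the Internet client 203.0.113.7 (both RFC 5737 documentation addresses) and the remote site's default-route behaviour are assumptions.

```python
# Model of the policy routes from the accepted answer (added example, not Zyxel code).
# Constructed addresses: 198.51.100.10 = ZyWALL ge1, 203.0.113.7 = Internet client.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

GE1_IP = "198.51.100.10"
SERVER = "10.168.20.161"                 # service on the remote site (from the thread)
LOCAL_LAN = ip_network("192.168.0.0/16")  # VPN local policy on the ZyWALL 1100

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def in_net(addr, net):
    """'any' matches everything; otherwise test membership in the prefix."""
    return net == "any" or ip_address(addr) in ip_network(net)

def policy_route(pkt, rules):
    """First-match policy routing. Each rule is (src_net, sport, dst_net, next_hop);
    sport=None means any source port. Returns the next hop or 'default'."""
    for src, sport, dst, hop in rules:
        if in_net(pkt.src, src) and in_net(pkt.dst, dst) and sport in (None, pkt.sport):
            return hop
    return "default"

# ZyWALL 1100: rule 1 (Internet -> server over the tunnel), rule 2 (server -> Internet via ge1 + SNAT).
ZYWALL_ROUTES = [("any", None, SERVER + "/32", "vpn-tunnel"),
                 (SERVER + "/32", None, "any", "ge1+snat")]
# Remote site: the answer's route for server:443 -> any into the tunnel.
REMOTE_ROUTE = [(SERVER + "/32", 443, "any", "vpn-tunnel")]

def remote_next_hop(pkt, with_policy_route):
    """Assumption: without a policy route the remote site only tunnels traffic whose
    destination matches the VPN policy (192.168.0.0/16); everything else goes to its ISP."""
    hop = policy_route(pkt, REMOTE_ROUTE) if with_policy_route else "default"
    if hop == "default":
        hop = "vpn-tunnel" if in_net(pkt.dst, LOCAL_LAN) else "remote-isp"
    return hop

def trace(client_ip, with_remote_route):
    """Trace one request to ge1:4433 and its reply; return the hops taken."""
    req = Pkt(client_ip, 51000, GE1_IP, 4433)
    req = replace(req, dst=SERVER, dport=443)             # virtual-server (DNAT) rule
    path = [("request", policy_route(req, ZYWALL_ROUTES))]
    reply = Pkt(req.dst, req.dport, req.src, req.sport)   # server answers the original client IP
    hop = remote_next_hop(reply, with_remote_route)
    path.append(("reply@remote", hop))
    if hop == "vpn-tunnel":                               # only then can the ZyWALL un-NAT it
        path.append(("reply@zywall", policy_route(reply, ZYWALL_ROUTES)))
    return path
```

`trace("203.0.113.7", False)` reproduces the timeout in the question (the reply leaves the remote site towards its ISP), while a 192.168.x.x client's reply is tunnelled by the VPN policy alone, matching the observation that the service works from the local LAN.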
