Zywall 1100 NAT to a an ip address on the other side of an IPSEC VPN
I have a Zywall 1100 with an IPSEC VPN connection to another site.
The unit is connected to the internet on ge1 and on a local subnet 192.168.0.0/16 for the other interfaces
The remote site on the other side of the VPN has subnet 10.168.0.0/16. The VPN is configured with 192.168.0.0/16 as the local policy and 10.168.0.0/16 for the remote policy.
I want to set a NAT rule to forward traffic arriving from the internet on port 4433 to 10.168.20.161 (remote site) on port 443.
From a device in the local network, I can successfully hit https://<internet.facing.ip.address>:4433/ and access the service on 10.168.20.161:443. From the internet, https://<internet.facing.ip.address>:4433/ times out. It was difficult to set a policy control but I was eventually able to find one that doesn't log dropped packets (although it's more permissive than i was expecting it would need to be). However, even with the permissive policy control I cannot access the exposed service from the internet.
NAT rules that forward traffic to the local site (192.168.0.0/16) are working fine. Is there anything I'm missing to allow port forwarding to a service on a remote site?
Accepted Solution
-
Hi @emisaacson ,
Add policy routes on both sites.
Internet ←→ ZyWALL 1100 ←→ VPN ←→ Remote Site ←→ 10.168.20.161:443
On ZyWALL 1100,
1. Add a policy route for Internet to 10.168.20.161:443 over VPN tunnel to remote site.
Internet→(ge1)ZyWALL 1100→VPN→Remote Site→10.168.20.161
source: any, destination: 10.168.20.161, next-hop: VPN tunnel
2. And a policy route, for 10.168.20.161:433 to Internet be source NAT to ge1 IP of ZyWALL 1100.
Internet (ge1)←ZyWALL 1100←10.168.20.161
source: 10.168.20.161, destination: any, next-hop: ge1, SNAT: outgoing interface
On remote site,
1.Add a policy route, for 10.168.20.161:443 to Internet over VPN tunnel.
ZyWALL 1100 ← VPN ← Remote Site ←10.168.20.161:443
source: 10.168.20.161, source port: 443, destination: any, next-hop: VPN tunnel.
0
Master Member
All Replies
-
Hi @emisaacson ,
Add policy routes on both sites.
Internet ←→ ZyWALL 1100 ←→ VPN ←→ Remote Site ←→ 10.168.20.161:443
On ZyWALL 1100,
1. Add a policy route for Internet to 10.168.20.161:443 over VPN tunnel to remote site.
Internet→(ge1)ZyWALL 1100→VPN→Remote Site→10.168.20.161
source: any, destination: 10.168.20.161, next-hop: VPN tunnel
2. And a policy route, for 10.168.20.161:433 to Internet be source NAT to ge1 IP of ZyWALL 1100.
Internet (ge1)←ZyWALL 1100←10.168.20.161
source: 10.168.20.161, destination: any, next-hop: ge1, SNAT: outgoing interface
On remote site,
1.Add a policy route, for 10.168.20.161:443 to Internet over VPN tunnel.
ZyWALL 1100 ← VPN ← Remote Site ←10.168.20.161:443
source: 10.168.20.161, source port: 443, destination: any, next-hop: VPN tunnel.
0 -
0
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 169 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 371 USG FLEX H Series
- 294 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.7K Consumer Product
- 265 Service & License
- 409 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight
