ZyWALL 1100 NAT to an IP address on the other side of an IPsec VPN
I have a ZyWALL 1100 with an IPsec VPN connection to another site.
The unit is connected to the internet on ge1, and the other interfaces are on the local subnet 192.168.0.0/16.
The remote site on the other side of the VPN has subnet 10.168.0.0/16. The VPN is configured with 192.168.0.0/16 as the local policy and 10.168.0.0/16 for the remote policy.
I want to set a NAT rule to forward traffic arriving from the internet on port 4433 to 10.168.20.161 (remote site) on port 443.
From a device in the local network, I can successfully hit https://<internet.facing.ip.address>:4433/ and access the service on 10.168.20.161:443. From the internet, https://<internet.facing.ip.address>:4433/ times out. It was difficult to set a policy control, but I was eventually able to find one that doesn't log dropped packets (although it's more permissive than I was expecting it would need to be). However, even with the permissive policy control I cannot access the exposed service from the internet.
NAT rules that forward traffic to the local site (192.168.0.0/16) are working fine. Is there anything I'm missing to allow port forwarding to a service on a remote site?
Accepted Solution
Hi @emisaacson,
Add policy routes on both sites.
Internet ←→ ZyWALL 1100 ←→ VPN ←→ Remote Site ←→ 10.168.20.161:443
On ZyWALL 1100,
1. Add a policy route for Internet traffic to 10.168.20.161:443 over the VPN tunnel to the remote site.
Internet→(ge1)ZyWALL 1100→VPN→Remote Site→10.168.20.161
source: any, destination: 10.168.20.161, next-hop: VPN tunnel
2. And a policy route for 10.168.20.161:443 to the Internet, with source NAT to the ge1 IP of the ZyWALL 1100.
Internet (ge1)←ZyWALL 1100←10.168.20.161
source: 10.168.20.161, destination: any, next-hop: ge1, SNAT: outgoing interface
On remote site,
1. Add a policy route for 10.168.20.161:443 to the Internet over the VPN tunnel.
ZyWALL 1100 ← VPN ← Remote Site ←10.168.20.161:443
source: 10.168.20.161, source port: 443, destination: any, next-hop: VPN tunnel.
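To see why the local client works but the Internet client times out, and what each of the three policy routes in the accepted answer changes, here is an added model of the two hops. This is example code written for this page, not Zyxel code and not the ZyWALL's real forwarding pipeline: each hop is reduced to a NAT step plus an ordered policy-route lookup that falls back to the tunnel selectors and then to the default route. The ge1 address 203.0.113.10, the Internet client 198.51.100.7, the LAN client 192.168.5.20 and the client port are assumed values (documentation ranges); the server, subnets, ports and routes are the ones from the thread.

```python
"""Toy model of a port forward whose target sits behind a policy-based VPN.

Added example, not Zyxel code.  Assumptions: a policy-based tunnel only carries
traffic matching both selectors unless a policy route forces it in; the ZyWALL
reverses its virtual-server NAT statefully before routing the reply."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

GE1_IP = ip_address("203.0.113.10")          # assumed ZyWALL WAN (ge1) address
LOCAL_NET = ip_network("192.168.0.0/16")     # ZyWALL LAN = VPN local policy
REMOTE_NET = ip_network("10.168.0.0/16")     # remote LAN = VPN remote policy
SERVER = ip_address("10.168.20.161")         # forwarded-to host, from the thread
FORWARD_PORT, SERVER_PORT = 4433, 443        # NAT rule: ge1:4433 -> SERVER:443


@dataclass
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


@dataclass
class PolicyRoute:
    """One policy route: match fields (None = any) and the chosen egress."""
    next_hop: str                      # "tunnel", "ge1", "wan" or "lan"
    src: Optional[IPv4Address] = None
    dst: Optional[IPv4Address] = None
    sport: Optional[int] = None
    snat: bool = False                 # "SNAT: outgoing interface"

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src == self.src)
                and (self.dst is None or p.dst == self.dst)
                and (self.sport is None or p.sport == self.sport))


# The three policy routes from the accepted answer, in model form.
ZYWALL_ROUTES = [
    PolicyRoute("tunnel", dst=SERVER),            # 1: Internet -> server over the VPN
    PolicyRoute("ge1", src=SERVER, snat=True),    # 2: server -> Internet out ge1, SNAT
]
REMOTE_ROUTES = [PolicyRoute("tunnel", src=SERVER, sport=SERVER_PORT)]  # reply into VPN


def lookup(p: Packet, routes: List[PolicyRoute], local, remote, default: str) -> PolicyRoute:
    """Policy routes first; then the tunnel if both selectors match; then the
    directly connected LAN; then the default route."""
    for r in routes:
        if r.matches(p):
            return r
    if p.src in local and p.dst in remote:
        return PolicyRoute("tunnel")
    if p.dst in local:
        return PolicyRoute("lan")
    return PolicyRoute(default)


def round_trip(client_ip: str, zywall_routes: List[PolicyRoute],
               remote_routes: List[PolicyRoute]) -> str:
    """Trace one SYN from the client and the SYN-ACK back: 'ok' or 'fail: why'."""
    client = ip_address(client_ip)
    conntrack = {}                     # ZyWALL NAT state: (src, sport) -> original dst
    syn = Packet(client, 51234, GE1_IP, FORWARD_PORT)   # client port is assumed

    # ZyWALL, inbound: the virtual-server rule rewrites the destination.
    if syn.dst == GE1_IP and syn.dport == FORWARD_PORT:
        conntrack[(syn.src, syn.sport)] = (syn.dst, syn.dport)
        syn = Packet(syn.src, syn.sport, SERVER, SERVER_PORT)
    hop = lookup(syn, zywall_routes, LOCAL_NET, REMOTE_NET, "ge1")
    if hop.next_hop != "tunnel":
        return ("fail: ZyWALL forwarded the translated SYN via %s; source %s is outside "
                "the VPN local policy, so it never entered the tunnel" % (hop.next_hop, syn.src))

    # Remote site: tunnel traffic reaches the server; its reply is routed normally.
    synack = Packet(SERVER, SERVER_PORT, syn.src, syn.sport)
    hop = lookup(synack, remote_routes, REMOTE_NET, LOCAL_NET, "wan")
    if hop.next_hop != "tunnel":
        return ("fail: remote site sent the reply via %s, not the tunnel; the client sees "
                "an unrelated SYN-ACK from %s and times out" % (hop.next_hop, synack.src))

    # ZyWALL, reply from the tunnel: reverse the translation, then route to the client.
    # After reversal the source is already ge1's address, so route 2 does not match
    # here; it is kept as the answer specifies it.
    orig = conntrack.get((synack.dst, synack.dport))
    if orig is None:
        return "fail: no NAT state for the reply"
    synack = Packet(orig[0], orig[1], synack.dst, synack.dport)
    hop = lookup(synack, zywall_routes, LOCAL_NET, REMOTE_NET, "ge1")
    if hop.snat:
        synack.src = GE1_IP
    expected = "lan" if client in LOCAL_NET else "ge1"
    if hop.next_hop != expected or synack.src != GE1_IP:
        return "fail: reply left via %s from %s" % (hop.next_hop, synack.src)
    return "ok"


if __name__ == "__main__":
    for label, client, zr, rr in [
        ("LAN client, no policy routes", "192.168.5.20", [], []),
        ("Internet client, no policy routes", "198.51.100.7", [], []),
        ("Internet client, ZyWALL routes only", "198.51.100.7", ZYWALL_ROUTES, []),
        ("Internet client, routes on both sites", "198.51.100.7", ZYWALL_ROUTES, REMOTE_ROUTES),
    ]:
        print("%-40s %s" % (label, round_trip(client, zr, rr)))
```

The second and third scenarios are the two distinct failure modes: without route 1 the DNATed SYN never enters the tunnel, and without the remote-site route the SYN-ACK leaves the remote site's own default gateway, so the client never sees a reply from the address and port it connected to (the "times out" symptom in the question). A practical check that matches the model: capture on the server's default gateway at the remote site while connecting from the Internet; a SYN-ACK from 10.168.20.161:443 heading out that gateway instead of into the tunnel means the remote policy route is missing or not matching.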