Zywall 1100 NAT to an IP address on the other side of an IPsec VPN

I have a Zywall 1100 with an IPSEC VPN connection to another site.

The unit is connected to the internet on ge1 and on a local subnet 192.168.0.0/16 for the other interfaces

The remote site on the other side of the VPN has subnet 10.168.0.0/16. The VPN is configured with 192.168.0.0/16 as the local policy and 10.168.0.0/16 for the remote policy.

I want to set a NAT rule to forward traffic arriving from the internet on port 4433 to 10.168.20.161 (remote site) on port 443.

From a device in the local network, I can successfully hit https://<internet.facing.ip.address>:4433/ and access the service on 10.168.20.161:443. From the internet, https://<internet.facing.ip.address>:4433/ times out. It was difficult to set a policy control, but I was eventually able to find one that doesn't log dropped packets (although it's more permissive than I was expecting it would need to be). However, even with the permissive policy control I cannot access the exposed service from the internet.

NAT rules that forward traffic to the local site (192.168.0.0/16) are working fine. Is there anything I'm missing to allow port forwarding to a service on a remote site?

Accepted Solution

  • Posts: 227  Master Member
    Answer ✓

    Hi @emisaacson ,

    Add policy routes on both sites.

    Internet ←→ ZyWALL 1100 ←→ VPN ←→ Remote Site ←→ 10.168.20.161:443

    On ZyWALL 1100,

    1. Add a policy route for Internet to 10.168.20.161:443 over VPN tunnel to remote site.

    Internet→(ge1)ZyWALL 1100→VPN→Remote Site→10.168.20.161

    source: any, destination: 10.168.20.161, next-hop: VPN tunnel

    2. And a policy route, for 10.168.20.161:443 to Internet be source NAT to ge1 IP of ZyWALL 1100.

    Internet (ge1)←ZyWALL 1100←10.168.20.161

    source: 10.168.20.161, destination: any, next-hop: ge1, SNAT: outgoing interface

    On remote site,

    1. Add a policy route, for 10.168.20.161:443 to Internet over VPN tunnel.

    ZyWALL 1100 ← VPN ← Remote Site ←10.168.20.161:443

    source: 10.168.20.161, source port: 443, destination: any, next-hop: VPN tunnel.
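The reason the forward works from the LAN but not from the Internet is the IPsec policy itself: a policy-based tunnel with 192.168.0.0/16 as the local policy and 10.168.0.0/16 as the remote policy only carries packets whose source and destination fall inside those selectors. A LAN client's address matches; an Internet client's address does not, so after the DNAT the packet (and later the server's reply) falls through to the default route instead of the tunnel. The policy routes in the answer override that selection on both ends. The following is an added model of that packet path, written for this page and not code from the original post or from Zyxel; the ge1 address 203.0.113.10, the Internet client 198.51.100.7, the LAN client 192.168.5.20 and the client port are constructed for the example, while the prefixes, ports and VPN policy are the thread's. Step 2 of the answer (the reply leaving ge1 with the public address) is modelled as the ZyWALL reversing its NAT session entry.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network

# Prefixes, ports and VPN policy as stated in the thread.
LOCAL_POLICY = ip_network("192.168.0.0/16")   # ZyWALL 1100 side
REMOTE_POLICY = ip_network("10.168.0.0/16")   # remote site
SERVER, SERVER_PORT = "10.168.20.161", 443
PUBLIC_PORT = 4433
# Assumed ge1 address (constructed for this example).
GE1_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def selector_match(pkt: Packet, local: IPv4Network, remote: IPv4Network) -> bool:
    """Policy-based IPsec only carries packets whose src/dst fall inside the
    negotiated traffic selectors; anything else is routed normally."""
    return ip_address(pkt.src) in local and ip_address(pkt.dst) in remote


def simulate(client_ip: str, zywall_routes: bool, remote_route: bool) -> list:
    """Walk one TCP SYN from client_ip to ge1:4433 and the server's reply.
    zywall_routes: the two policy routes on the ZyWALL 1100 are present.
    remote_route: the policy route on the remote site is present.
    Returns the hop trace; the last element is 'ok' or 'timeout'."""
    trace = []
    sessions = {}  # ZyWALL NAT session table: (client, port) -> public (addr, port)

    # --- request: client -> ge1:4433 --------------------------------------
    pkt = Packet(client_ip, 51000, GE1_IP, PUBLIC_PORT)
    trace.append(f"client {pkt.src} -> {pkt.dst}:{pkt.dport}")
    # NAT rule: DNAT 4433 -> 10.168.20.161:443 and remember the session.
    sessions[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
    pkt = replace(pkt, dst=SERVER, dport=SERVER_PORT)
    if zywall_routes and ip_address(pkt.dst) in REMOTE_POLICY:
        egress = "tunnel"   # policy route 1: dst 10.168.20.161 -> next-hop VPN tunnel
    elif selector_match(pkt, LOCAL_POLICY, REMOTE_POLICY):
        egress = "tunnel"   # LAN client: src is inside the local policy
    else:
        egress = "ge1"      # Internet client: selector mismatch, default route wins
    trace.append(f"zywall DNAT -> {pkt.dst}:{pkt.dport} via {egress}")
    if egress != "tunnel":
        trace.append("timeout")   # a private destination sent out ge1 never arrives
        return trace

    # --- reply: server:443 -> client ---------------------------------------
    rpl = Packet(SERVER, SERVER_PORT, pkt.src, pkt.sport)
    if remote_route and rpl.src == SERVER and rpl.sport == SERVER_PORT:
        egress = "tunnel"   # remote policy route: src 10.168.20.161:443 -> VPN tunnel
    elif selector_match(rpl, REMOTE_POLICY, LOCAL_POLICY):
        egress = "tunnel"   # LAN client: dst is inside the remote site's remote policy
    else:
        egress = "wan"      # reply leaves the remote site's own WAN: asymmetric path
    trace.append(f"remote site reply -> {rpl.dst} via {egress}")
    if egress != "tunnel":
        trace.append("timeout")
        return trace

    # ZyWALL reverses the DNAT from its session entry and sends the reply out ge1
    # with the public address (what policy route 2 / SNAT to ge1 provides).
    pub_addr, pub_port = sessions[(rpl.dst, rpl.dport)]
    rpl = replace(rpl, src=pub_addr, sport=pub_port)
    trace.append(f"zywall un-NAT {rpl.src}:{rpl.sport} -> client via ge1")
    trace.append("ok")
    return trace


if __name__ == "__main__":
    for client, zr, rr in [("192.168.5.20", False, False),
                           ("198.51.100.7", False, False),
                           ("198.51.100.7", True, False),
                           ("198.51.100.7", True, True)]:
        print(client, zr, rr, "->", " | ".join(simulate(client, zr, rr)))
```

Running it shows the four cases from the thread: the LAN client succeeds with no policy routes, the Internet client times out with none, still times out with only the ZyWALL-side routes (the server's reply leaves the remote site's WAN), and succeeds once the remote-site route is added too. The practical check on real hardware is the same: watch whether the reply from 10.168.20.161 shows up in the tunnel's counters or on the remote site's WAN interface.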

All Replies

  • Posts: 2
    First Comment
    edited October 2023
