IP Public - ERP Setup - NAT -

Hi there, just a beginner trying to learn something.

I have a public IP (2.40.XX.xx) through my ISP and I want to reach an internal server (Internal IP is 10.0.220) in my small business. This server is running an HTTPS IIS instance using port 443.

Hardware connection is like this:

MODEM ISP IP 10.0.0.233

FIREWALL VPN 50 ZYXEL 10.0.0.222

MODEM IS CONNECTED TO ZYXEL VIA WAN PORT

ZYXEL IS CONNECTED TO SWITCH VIA LAN PORT

Tried NAT and Control policy, but I'm missing something.

All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments

    Hi @ZetaKappa ,

    Greeting Forum,

    So your WAN/LAN are on the same subnet? (WAN: 10.0.0.233, LAN: 10.0.0.222?)

    I would recommend separating them. For example:

    WAN: 10.0.1.1/24, LAN: 10.0.0.222/24, internal server: 10.0.0.220/24

    First of all, please change the default firewall WebGUI port from 443, since that conflicts with your internal server.

    And you will have:

    NAT: 10.0.1.1 Port 443 Mapped to 10.0.0.222

    Policy: From WAN to LAN, Source: Any; Destination: 10.0.0.222, Service: 443

    Lastly, please check that traffic can reach the firewall without being blocked, since your WAN is a private IP.

    Please kindly attach your config if you still have problems. Thank you

    Kevin
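To make the path in Kevin's reply concrete, here is an added example (not Zyxel code and not the OP's configuration) that models the two hops a connection crosses: the ISP modem forwarding public port 443 to the firewall's WAN address 10.0.1.1, and the VPN50 applying its NAT rule and its WAN-to-LAN security policy. Assumptions not in the thread: the public IP is a constructed stand-in, the NAT target is the ERP host 10.0.0.220 (the address the question asks to reach), the test client address is constructed, and the firewall is modelled as letting a service bound on its own WAN interface (the WebGUI) claim a port before any virtual-server rule, which is the simplest reading of the "port 443 conflict" warning.

```python
# Added example: a tiny model of the double-NAT path in this thread.
# Addresses follow Kevin's suggested layout; PUBLIC_IP and the client IP are
# constructed. The hop processing order (own service, then DNAT, then policy)
# is an assumption used to illustrate the WebGUI-on-443 conflict.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

PUBLIC_IP = "2.40.0.1"       # constructed stand-in for the OP's 2.40.XX.xx
FW_WAN = "10.0.1.1"          # firewall WAN after separating the subnets
FW_LAN = "10.0.0.222"
ERP_SERVER = "10.0.0.220"    # internal IIS host listening on 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Hop:
    name: str
    own_ips: Set[str]
    local_ports: Set[int]                          # ports the box answers itself (WebGUI)
    dnat: Dict[Tuple[str, int], Tuple[str, int]]   # (dst, dport) -> (new dst, new dport)
    policies: Optional[List[Tuple[str, int]]]      # allowed (dst, dport) after NAT; None = no filtering


def step(hop: Hop, pkt: Packet) -> Tuple[str, Packet]:
    # Assumption: a service bound on the box itself wins over a virtual-server
    # rule for the same port, which is why Kevin asks to move the WebGUI off 443.
    if pkt.dst in hop.own_ips and pkt.dport in hop.local_ports:
        return "local-service", pkt
    key = (pkt.dst, pkt.dport)
    if key in hop.dnat:
        new_dst, new_port = hop.dnat[key]
        pkt = replace(pkt, dst=new_dst, dport=new_port)
    elif pkt.dst in hop.own_ips:
        return "drop:no-listener", pkt             # addressed to the box, nothing answers
    if hop.policies is not None and (pkt.dst, pkt.dport) not in hop.policies:
        return "drop:policy", pkt                  # WAN-to-LAN is denied unless a policy allows it
    return "forward", pkt


def trace(pkt: Packet, hops: List[Hop]) -> Tuple[str, List[Tuple[str, str, str, int]]]:
    """Push one packet through the hops; return the final outcome and a per-hop log."""
    path = []
    for hop in hops:
        outcome, pkt = step(hop, pkt)
        path.append((hop.name, outcome, pkt.dst, pkt.dport))
        if outcome != "forward":
            return outcome, path
    return f"delivered:{pkt.dst}:{pkt.dport}", path


def isp_router() -> Hop:
    # The ISP modem forwards public 443 to the firewall's WAN address, as the OP set up.
    return Hop("isp-router", {PUBLIC_IP}, set(), {(PUBLIC_IP, 443): (FW_WAN, 443)}, None)


def zyxel(gui_port: int, nat: bool, policy: bool) -> Hop:
    dnat = {(FW_WAN, 443): (ERP_SERVER, 443)} if nat else {}
    policies = [(ERP_SERVER, 443)] if policy else []
    return Hop("zyxel-vpn50", {FW_WAN, FW_LAN}, {gui_port}, dnat, policies)


def outcome_for(gui_port: int, nat: bool, policy: bool) -> str:
    pkt = Packet(src="203.0.113.10", dst=PUBLIC_IP, dport=443)   # constructed client
    return trace(pkt, [isp_router(), zyxel(gui_port, nat, policy)])[0]


if __name__ == "__main__":
    scenarios = {
        "ISP forward only, GUI still on 443": (443, False, False),
        "NAT added, GUI still on 443":        (443, True, False),
        "NAT added, GUI moved, no policy":    (8443, True, False),
        "NAT, GUI moved, WAN-to-LAN policy":  (8443, True, True),
    }
    for label, args in scenarios.items():
        print(f"{label:38s} -> {outcome_for(*args)}")
```

Running it prints one line per scenario: the first two end at the firewall's own WebGUI, the third is dropped by the default WAN-to-LAN deny, and only the combination of moved GUI port, NAT rule and matching policy reaches 10.0.0.220:443. Each scenario corresponds to one thing a reader can verify on the real devices.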

  • Maybe I'm missing something.

    ISP traffic is open from the modem router to 10.0.1.1

    Still not reaching 10.0.0.220 from the public IP

  • PeterUK
    PeterUK Posts: 3,390  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Can you not get your WAN IP on VPN 50 directly?

    Change your LAN to 192.168.0.1 or the like, as we don't know the subnet used for the 10. WAN

    Check your ISP is forwarding ports with grc.com and a packet capture.

  • smb_corp_user
    smb_corp_user Posts: 168  Master Member
    5 Answers First Comment Friend Collector Second Anniversary

    Do you have active port forwarding from 10.0.1.1 to 10.0.0.222 and also a firewall rule to allow wanted traffic between the 2 subnets?

  • Only port forwarding is on the ISP Router (10.0.0.253), opening ports 443 etc. to 10.0.1.1

  • smb_corp_user
    smb_corp_user Posts: 168  Master Member

    In this situation, I would like to recommend looking at what @PeterUK suggested, to check with your ISP if it is possible to set up the modem router as a bridge, moving the ISP login to your ZyWALL VPN50 if possible, because that would make it much easier to follow standard manual config pages to set up external access and port management.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee

    Hi @ZetaKappa ,

    Please kindly try to capture packets on the firewall's WAN. We need to check if packets reach it.

    Please feel free to provide your Remote WebGUI by private message if you need any further assistance.

    Thank you
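Both PeterUK (check that the ISP is actually forwarding, with a packet capture) and Kevin (capture on the firewall's WAN) point at the same diagnostic. As an added example that is not part of the thread, the script below reads a tcpdump-style text capture taken on the firewall's WAN side and says, per client, whether the SYN for port 443 arrived, whether something answered, or whether the firewall itself rejected it. The capture lines, client addresses and the line format are constructed; the WAN address 10.0.1.1 and port 443 are from the thread.

```python
# Added example: classify what a WAN-side capture shows for inbound port 443.
# CAPTURE is a constructed tcpdump-style text dump, not a real capture.
import re
from collections import defaultdict
from typing import Dict

# Matches lines such as "IP 203.0.113.10.51234 > 10.0.1.1.443: Flags [S], ..."
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 10.0.1.1.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 10.0.1.1.443 > 203.0.113.10.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:02.000001 IP 198.51.100.7.40001 > 10.0.1.1.443: Flags [S], seq 5, win 64240, length 0
12:00:03.000001 IP 198.51.100.7.40001 > 10.0.1.1.443: Flags [S], seq 5, win 64240, length 0
12:00:05.000001 IP 198.51.100.7.40001 > 10.0.1.1.443: Flags [S], seq 5, win 64240, length 0
12:00:06.000001 IP 192.0.2.9.55000 > 10.0.1.1.443: Flags [S], seq 7, win 64240, length 0
12:00:06.000200 IP 10.0.1.1.443 > 192.0.2.9.55000: Flags [R.], seq 0, ack 8, win 0, length 0
"""


def classify_flows(capture: str, wan_ip: str, port: int) -> Dict[str, str]:
    """Map each client ip:port to what the WAN capture shows for its connection attempt."""
    seen = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = (m[k] for k in ("src", "sport", "dst", "dport", "flags"))
        if dst == wan_ip and int(dport) == port and flags == "S":
            seen[f"{src}:{sport}"]["syn"] += 1            # inbound SYN reached the WAN
        elif src == wan_ip and int(sport) == port:
            key = f"{dst}:{dport}"
            if "S" in flags and "." in flags:
                seen[key]["synack"] += 1                  # something behind NAT answered
            elif "R" in flags:
                seen[key]["rst"] += 1                     # the firewall itself refused it
    result = {}
    for client, c in seen.items():
        if c["synack"]:
            result[client] = "handshake answered: ISP forwarding and the NAT rule reach a listener"
        elif c["rst"]:
            result[client] = "firewall replied RST: no NAT rule matched and nothing listens on that port"
        elif c["syn"] > 1:
            result[client] = f"{c['syn']} SYNs, no reply: packets arrive but NAT or policy drops them"
        else:
            result[client] = "single SYN, no reply yet"
    return result


def verdict(capture: str, wan_ip: str, port: int) -> str:
    flows = classify_flows(capture, wan_ip, port)
    if not flows:
        return "no SYN for that port on the WAN: the ISP modem is not forwarding it (or the capture filter is wrong)"
    return f"{len(flows)} client flow(s) reached the WAN: ISP forwarding works, check NAT and policy next"


if __name__ == "__main__":
    print(verdict(CAPTURE, "10.0.1.1", 443))
    for client, what in classify_flows(CAPTURE, "10.0.1.1", 443).items():
        print(f"  {client:22s} {what}")
```

The useful distinction is between an empty result (the ISP modem is not forwarding, so the firewall config is not yet the problem), repeated unanswered SYNs (the packet arrives at 10.0.1.1 and is dropped by NAT or policy), and an RST from 10.0.1.1 (the firewall received it and had nowhere to send it). Each points at a different device in the OP's chain.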

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee

    Hi @ZetaKappa ,

    Please kindly provide your GUI access by PM if you need further help.

    Thank you
