FLEX 500H NAT - VPN problem

ZdenekB · May 16

I create NAT rule ( and rule works OK ):

but now when i use VPN conection ( windows vpn client ) and try connect to web in my LAN ( for example on IP 192.168.0.7 ) all my web traffic end on ip 192.168.100.210. When I turn NAT rule off all works fine.

Zyxel_Jeff · May 17

Hi @ZdenekB

What is the firmware version you are using? What is the VPN client's IP range? Do you have any Policy Route or static route settings? Thanks.

ZdenekB · May 17

Hi
firmware: V1.20(ABZH.0)

client IP :

no policy or static route

Thanks

PeterUK · May 17

Slightly different setting like WAN3 and LAN subnets but not able to create your problem other then wrong zone for VPN in logs and able to do WAN3 to LAN for VPN traffic

SI_Solutions · May 30

I ran into this exact Problem yesterday.

If i set up a NAT-Rule from WAN to LAN, for Example for Port 443, all 443 Traffic trough an IPSec Tunnel lands there as well

Interface: ge1
Source-IP: any
External IP: any
Internal IP: [IP-of-Webserver]
Port Mapping Type: Service
External/Internal Service: https

If we have multiple internal Servers that run a service on 443, All traffic trough the IPSec-VPN Tunnel will be redirected to the one set by the NAT Rule

The IPSec Tunnel is assigned to the default IPSec_VPN Zone

Traffic trough the IPSEC VPN Tunnel might be treated as traffic from ge1, but assigned a different Zone, and since NAT Rules work on interfaces, not Zones this might be where the issue stems from.

I just made a workaround by changing the access from the internet to 4433 → forward to 443 since it's not used by the public, only for external access by workers from anywhere

If this was something that should be publicly available from anywhere, that would be a bigger issue for us.

FLEX 500H NAT - VPN problem

All Replies

Categories

Security Help Center