Network/NAT

noc_aba

I have a working IPSEC VPN between site1 and site2, so that lan1 and lan2 can communicate.

I would like to map a public IP of site1 to a host of lan2.

Setting up a virtual server from publicIPsite1 to site2hostIP and adding a route to site2hostIP via the VPN tunnel doesn't work.

I suppose because the VPN tunnel allow traffic just between the lan1 and lan2 IP network.

So I've searched a way to snat the external IP accessing the publicIPsite1, but didnt' find anything.

Is there a solution ?

many thanks

Paolo

noc_aba

forgot to say I'm on a ATP500 vith fw 5.39 patch1

PeterUK

Was able to do that here

Connecting client for port 5126 > WANIP Zywall 110 > site to site > USG40 > host for port 5126

Zywall 110
LAN2 192.168.138.0/28
site to site
local policy 192.168.138.0/28
remote policy 192.168.255.64/28

NAT
incoming WAN
external IP WAN
internal IP 192.168.255.66
port 5126

Routing
incoming tunnel
next hop WAN
SNAT outgoing-interface

incoming any
destination 192.168.255.64/28
next hop VPN tunnel

USG40
VLAN48 192.168.255.64/28
site to site
local policy 192.168.255.64/28
remote policy 192.168.138.0/28

Routing
incoming VLAN48
next hop VPN tunnel

noc_aba

Hi, thanks, I tried your configuration but it didn't work.

The only difference, respect to what I did before you answer, is your policy route:

incoming tunnel

next hop WAN

SNAT outgoing-interface

I suppose that by tunnel you mean the tunnel between USG110 and USG40, but what I think I need is to SNAT the IP accessing the WAN IP of the USG110, so that the internal IP masquerading it can reach the host behind the USG40, going through the tunnel.

In your configuration you snat what's coming from the tunnel while the problem is before, to go into the tunnel, IMHO.

In any case thanks for your kinf contribution

Paolo

PeterUK

that why you do routing

incoming any

destination 192.168.255.64/28

next hop VPN tunnel

so that the NAT rule for 192.168.255.66 routes down the tunnel