How do I set up remote AP on Nebula when the firewall is behind NAT?

Zyxel_JoyLee, Zyxel Employee
edited March 11 in Other Topics

Scenario:

Users may want to use the remote AP service when the destination firewall is behind NAT. For example, in the topology below, the remote AP establishes a VPN connection to the destination firewall, a USG Flex 100.

The USG Flex 100 and the AP must be in the same Nebula Site.

raptopo.jpg

Users may wonder how to set up NAT port forwarding on the USG Flex 200. This article walks through the configuration.

Answer:

The remote AP service is based on VPN-related protocols, so users should configure a VPN-related service group that includes the AH, ESP, IKE, and NATT services. The USG Flex 200 should apply NAT port forwarding for these services toward the internal host, the USG Flex 100.

STEP 1:

Navigate to Object > Service > Service Group and add a service group that includes the AH, ESP, IKE, and NATT services.

1_object service group.png

STEP 2:

Navigate to Network > NAT and add a NAT port forwarding rule for the internal host USG Flex 100 (192.168.11.34).

2_NAT_rule.png image.png

STEP 3:

Navigate to Security Policy > Policy Control and add a security policy that allows the Remote AP service to be forwarded to the internal host USG Flex 100.

3_security policy_edit.png 3_security policy.png

STEP 4: Remote access VPN configuration on USG Flex 100

Navigate to Configure > Firewall > Remote access VPN

WAN Interface: Auto

NAT Traversal: the public IP of the USG Flex 200

remote access vpn.png
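
A way to cross-check Steps 1 to 3 before testing the tunnel, added here as an example and not taken from Zyxel: it reports which of the four services are not both forwarded (Step 2) and allowed (Step 3) toward the USG Flex 100, and which forwarded services go beyond the group. The rule fields, function names and sample rules are constructed assumptions, not a USG Flex export format; the port and protocol numbers are the standard ones for IKE, NAT-T, ESP and AH.

```python
# Added example. Rule fields ("proto", "port", "dest") and the sample rules are
# constructed for illustration; this is not a USG Flex export format.

# Standard definitions of the four services in the service group (Step 1).
REQUIRED = {
    ("udp", 500): "IKE",
    ("udp", 4500): "NATT",
    ("esp", None): "ESP",  # IP protocol 50, no port number
    ("ah", None): "AH",    # IP protocol 51, no port number
}

def _services(rules, host):
    """Collect the (protocol, port) pairs of the rules that target `host`."""
    return {(r["proto"].lower(), r.get("port")) for r in rules if r["dest"] == host}

def audit(nat_rules, policy_rules, host):
    """Return (missing, extra) for traffic forwarded to `host`.

    missing: required services not present in BOTH the NAT rules and the policy.
    extra:   services forwarded or allowed to `host` beyond the required four.
    """
    nat = _services(nat_rules, host)
    allowed = _services(policy_rules, host)
    effective = nat & allowed  # a service works only if forwarded AND allowed
    missing = sorted(name for key, name in REQUIRED.items() if key not in effective)
    extra = sorted(
        f"{proto}/{port}" if port else proto
        for proto, port in (nat | allowed) - set(REQUIRED)
    )
    return missing, extra

HOST = "192.168.11.34"  # internal USG Flex 100 from Step 2
SAMPLE_NAT = [  # constructed: the four services plus one stray HTTPS forward
    {"proto": "UDP", "port": 500, "dest": HOST},
    {"proto": "UDP", "port": 4500, "dest": HOST},
    {"proto": "ESP", "dest": HOST},
    {"proto": "AH", "dest": HOST},
    {"proto": "TCP", "port": 443, "dest": HOST},
]
SAMPLE_POLICY = [  # constructed: AH was left out of the allowed services
    {"proto": "UDP", "port": 500, "dest": HOST},
    {"proto": "UDP", "port": 4500, "dest": HOST},
    {"proto": "ESP", "dest": HOST},
]

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_NAT, SAMPLE_POLICY, HOST)
    print("missing:", missing, "| beyond the service group:", extra)
```
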