WAN to LAN routing without NAT

ChrisGer
ChrisGer Posts: 205  Ally Member
edited April 2021 in Security

Hi Community,

I currently have many question marks about routing from the ISP firewall through a ZyWALL behind it.

Here is a basic overview of the infrastructure.

My situation

The USG60W has no NAT on WAN1, and the networks that are connected to the ISP FW (DMZ) are configured by static routing config on the firewalls as required. This works well if the user is behind the ZyWALL in the Office-LAN (left side of the infrastructure picture).


My Problem

If the user is connected through SSL-VPN (ISP firewall), the outgoing packet to the ZyWALL is visible at the ISP firewall (correct outgoing interface), but it "disappears" at the ZyWALL and does not reach the destination behind the ZyWALL.


Any idea what happened? I am very grateful for tips and suggestions for solutions.


Regards

Christian

All Replies

  • Ian31
    Ian31 Posts: 174  Master Member

    Did you configure the firewall rule to allow the VPN client's IP address to access the LAN of the USG60W?

  • ChrisGer
    ChrisGer Posts: 205  Ally Member

    Hi Ian31,

    The VPN tunnel access has all required destinations included (any), but the traffic stopped at the USG WAN port.

    A possible source of error occurred to me yesterday: if I send HTTP/S requests, the firewall can stop this traffic, because HTTP/S is by default for external access to a USG.

    In Wireshark:

    WAN1 to ZyWALL shows the requests from the ISP firewall

    LAN1 shows me no packets

    The FW rule WAN to LAN any/any/LOG is also empty.


    Regards

    Christian

  • Ian31
    Ian31 Posts: 174  Master Member

    Any web authentication rules there?

    How about a simple ping to the LAN server?