vpn client and nat server

Options
antonellobellisario
antonellobellisario Posts: 17  Freshman Member
First Anniversary First Comment
edited April 2021 in Security
hello, i have a problem that i can't configure usg40 for smart home working.

I have a usg40 with public ip which is connected to a DNS server (2 internal network cards) wan side 192.168.250.xx, and the clients nested in lan 192.168.200.xx.
I would like to join domain with home pc then open vpn and get the same ip address released

I state that I tried to do a similar configuration with a DNS server that was not nattava and joined domain quietly.
am I wrong something on nat server ??


Best Answers

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,070  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @antonellobellisario

    Welcome to Zyxel community

    Is this your topology below?

    IPSec VPN client need to join the AD domain and get the IP address the same as subnet 192.168.200.X?


  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,070  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @antonellobellisario ,

    If in the AD server, each USER is divided into groups,

    Then on USG settings, it just need to add one ext-group users into the rule.

    For example:

    There are three Sites group: HQ,Branch1 and Branch2, these sites belongs to the "Company" group,

    There are five users under each sites (HQ-Jack,Tom; Branch1- John, Marry; Branch2- Jessica)

    In this scenario, we only have to add one ext-group user on USG, that is the group "Company"

    If there is no "Company"group, then it need to add three ext-group user in this scenario,

    it need to add HQ group, Branch1 group and Branch2 group.

    If there is no "Company" and the "Sites" group, then it need to add five ext-group user.

    To make more easy setting on USG, it need to have a nice organize user into group on AD server.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,070  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @antonellobellisario

    Those question/problems users shared here are valuable to us. And the experience sharing also can help other people when deploying their devices. Even sometimes you can get experienced feedback from different field experts. So we can just leave our discussions in the forum thread.

    If you have any personal information to share with us, feel free to share the information in private message directly.

«1

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,070  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @antonellobellisario

    Welcome to Zyxel community

    Is this your topology below?

    IPSec VPN client need to join the AD domain and get the IP address the same as subnet 192.168.200.X?


  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    First Anniversary First Comment
    Options

    yes this is the typology ...

    but how can I configure it ??


    thanks

  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    First Anniversary First Comment
    Options

    I managed to create the Ipsec vpn tunnel but I only reach the server on the wan side and I don't see the clients on the network and therefore I can't log in domain

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,070  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @antonellobellisario

    You can try with L2TP over IPSec tunnel for certain purpose.

    Here is user guide how to setup L2TP VPN

    https://businessforum.zyxel.com/discussion/618/how-to-use-the-vpn-setup-wizard-to-create-a-l2tp-vpn-on-the-zywall-usg

    Here is FAQ of how to configure AD User do the authentication on L2TP scenario

    https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=013417&lang=EN

  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    First Anniversary First Comment
    Options
    is there another way to join the domain without configuring the AD user?
    to make things easier
    maybe even changing the server configuration behind the zyxel
    


  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,070  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @antonellobellisario ,

    If in the AD server, each USER is divided into groups,

    Then on USG settings, it just need to add one ext-group users into the rule.

    For example:

    There are three Sites group: HQ,Branch1 and Branch2, these sites belongs to the "Company" group,

    There are five users under each sites (HQ-Jack,Tom; Branch1- John, Marry; Branch2- Jessica)

    In this scenario, we only have to add one ext-group user on USG, that is the group "Company"

    If there is no "Company"group, then it need to add three ext-group user in this scenario,

    it need to add HQ group, Branch1 group and Branch2 group.

    If there is no "Company" and the "Sites" group, then it need to add five ext-group user.

    To make more easy setting on USG, it need to have a nice organize user into group on AD server.

  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    First Anniversary First Comment
    Options
    OK! I got it
    I have it in Ad Server "bellisario" domain
    with an "utenti di segreteria" group and all users in that group.
    
    In this scenario, i must to add one ext-group user on USG, that is the group "utenti di segreteria" 
    
    is  it correct?
    
    
    


  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    First Anniversary First Comment
    edited May 2020
    Options

    i can't make vpn connection with server :(

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,070  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @antonellobellisario

    Those question/problems users shared here are valuable to us. And the experience sharing also can help other people when deploying their devices. Even sometimes you can get experienced feedback from different field experts. So we can just leave our discussions in the forum thread.

    If you have any personal information to share with us, feel free to share the information in private message directly.

Security Highlight