When creating 1:1 NAT rules for local hosts, these local hosts become unreachable through VPN IPSec.

Zyxel_Charlie
Zyxel_Charlie Posts: 1,006  Zyxel Employee
in FAQ
The virtual server function is a "port forwarding" function. 
The 1:1 NAT function is "forwarding all traffic" to the local server. 
When using "1:1NAT", the traffic can't pass through to the tunnel because all traffic passes through the WAN interface.
In "packet flow explore", the priority of 1-1 SNAT is higher than site to sitesite-to-site VPN when 1:1 NAT is enabled.
 
To solve this problem, please reorganize the order of the routing priority.
For legacy models with ZLD 3.30 platform, use the following CLI command.
ip route control-virtual-server-rules activate
 
For new USG/ZyWALL series with ZLD 4.13, enable "Use Static-Dynamic Route to Control 1-1 NAT Route" on GUI.


Then the priority of Site To Site VPN becomes higher than 1-1 NAT route.
Sign In to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click on this button!

Sign In Register

Categories

Zyxel Help Center

  • FAQ
  • Education Center
  • Video Tutorials
    • EnglishРусский中文(台灣)