LAN 1 - LAN2 : USG Flex 200

dupstech
dupstech Posts: 3
edited April 14 in Security
Hi

This is my first time using a Zyxel FW appliance and I need a little assistance.

I have two physical LANs in the office, LAN1 - 192.168.0.0/24 (P4) and LAN2 - 10.85.221.160/28 (P5), and I need them to talk to each other.
No DHCP on either port (LAN1 is managed by the in-house domain controller, LAN2 has no DHCP).
LAN1 (P4) => office network switch
LAN2 (P5) => 3rd-party Cisco router w/4 active switch ports (gateway for LAN2)

I am able to ping from the USG appliance to all (ping-able) devices on either LAN, but I am unable to ping/access anything from one LAN to the other.

I have set up FW rules to allow traffic flow both ways but I have had no luck. Policies below:
LAN1 - LAN2 - any - any - any - any - allow
LAN2 - LAN1 - any - any - any - any - allow

Is there something I am missing? I have used SonicWALL and Sophos appliances before and this is how I would normally have achieved my desired goal. I am not using VLANs.

Any help would be appreciated and I am happy to provide additional info if needed.

Leon

Best Answers

  • dupstech
    dupstech Posts: 3
    Accepted Answer
    zyman2008 said:
    It could be related to routing settings.
    What's the gateway address of the clients on LAN1 and LAN2?

    Thanks for this, I set up a policy route on the USG from LAN1 to LAN2 with SNAT of the outgoing interface P5 (10.85.221.162) and it's working great.

Answers

  • zyman2008, thanks for your quick input.

    LAN1 gw is the USG - 192.168.0.1
    LAN2 gw is the Cisco router - 10.85.221.161

    USG is connected to the Cisco with IP 10.85.221.162. Both networks can ping this interface but traffic is not going any further.

    Should the Cisco be configured with a route to the 192.168.0.0/24 network? Could I set up NAT/Masquerading on this LAN2 port? Getting any assistance from the 3rd party who manages the Cisco router is tricky at the best of times...
  • zyman2008
    zyman2008 Posts: 120  Ally Member
    Well,
    The best practice is routing between the USG FLEX and the Cisco router without any NAT/Masquerading.
    If you can add a static route entry for 192.168.0.0/24, next-hop: 10.85.221.162,
    and enable "Allow Asymmetric Route" in the Security Policy > Policy Control page,
    then you don't need to add the policy route on the USG FLEX for NAT/Masquerading the LAN1 clients.


    But in case it's not easy to set up the Cisco router in time:
    your current setup is a work-around for LAN1 to LAN2.
    But what you lose is LAN2 access to all LAN1 services.
    You can only set NAT port forwarding for LAN2 to access a specific service in LAN1 via IP address 10.85.221.162.

    For example,
    10.85.221.162:8080 map to 192.168.0.10:80
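For the routing option zyman2008 describes (static route on the Cisco, no NAT on the USG), the Cisco side would look like the following. This is an added example, not configuration from the thread, from Zyxel or from the 3rd party that runs the router; it assumes the Cisco uses an IOS-style CLI and takes every address from the thread (Cisco LAN2 gateway 10.85.221.161, USG FLEX P5 address 10.85.221.162, and the 192.168.0.10 host from the port-forwarding example as a test target).

```cisco
! Added example: static route on the 3rd-party Cisco router so that traffic
! for LAN1 (replies to LAN1 clients and LAN2-initiated connections) is handed
! to the USG FLEX P5 address instead of the Cisco's default route.
! Addresses are the ones stated in the thread; the IOS CLI is an assumption.
configure terminal
 ! LAN1 prefix, next hop = USG FLEX P5 interface on the LAN2 segment
 ip route 192.168.0.0 255.255.255.0 10.85.221.162
end
write memory

! Verification: the lookup should resolve 192.168.0.10 via 10.85.221.162, and a
! ping sourced from the Cisco's own LAN2 address should be answered by the LAN1
! host (the USG's LAN2 -> LAN1 security policy must permit it; the any/any allow
! rule from the question does).
show ip route 192.168.0.10
ping 192.168.0.10 source 10.85.221.161
```

Because the next hop 10.85.221.162 sits on the same segment as the LAN2 hosts, the Cisco will by default send those hosts an ICMP redirect and they will then forward 192.168.0.0/24 traffic straight to the USG; that is expected, not a misconfiguration. With this route installed, the LAN1 to LAN2 policy route with SNAT from the accepted answer is no longer needed, and LAN2 hosts reach LAN1 services by their real 192.168.0.x addresses rather than through per-service port forwards on 10.85.221.162.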
