USG 50 - NAT Configuration Issue - Layer 3 Switch behind Zywall.
I have a USG 50 Firewall with the DMZ port configured with subnet 172.16.0.1/28.
Connected to the DMZ port, I have a Cisco 3560 Layer3 Switch connected.
Zywall DMZ (172.16.0.1) --> Cisco 3560 (172.16.0.10).
Cisco 3560 has IP routing enabled, and a VLAN 100 setup (192.168.100.0/24). (VLAN100 SVI 192.168.100.5)
GW (ip route) of last resort on the Cisco 3560 is 0.0.0.0 0.0.0.0 172.16.0.1
A PC host (192.168.100.1) is connected to the Cisco. The PC host can ping its SVI 192.168.100.5 without issue. It cannot ping anything else, not LAN1, LAN2 or external sites. Zywall packet capture shows the DMZ interface receiving a packet from PC host 192.168.100.1 --> 8.8.8.8, but with no response found.
On the Cisco Switch, I can ping everything, DMZ interface, LAN1, and LAN2 hosts and interfaces and any external site.
On the Zywall I have a static route to the 192.168.100.0 subnet via the DMZ interface. I can ping into the LAN attached to the Cisco (192.168.100.0) from hosts in LAN1 and LAN2.
I'm fairly certain the issue is related to NAT. I'm having issues translating a subnet behind the DMZ interface and I am not sure of the configuration on the Zywall USG 50.
To test this, I set up another router with a layer 2 switch and a Cisco 1841 in a router-on-a-stick configuration and set up NAT on the 1841 to translate from the 192.168.100.0 subnet to the outgoing interface that's connected to the Zywall DMZ port. Traffic flows fine in this scenario.
If you need additional info, I am happy to provide it.
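The following is an added illustration, not part of the original post or any Zyxel configuration syntax: a small model of outbound source-NAT rule matching using the post's addresses. It assumes the USG's existing outbound NAT rule covers only the directly attached DMZ subnet (172.16.0.0/28), and uses a placeholder WAN address (203.0.113.10) and a constructed DMZ-side address for the 1841 test (172.16.0.11), to show why a routed subnet behind the DMZ needs its own rule while the 1841 test works.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the post's topology; not Zyxel configuration syntax.
DMZ_NET = ipaddress.ip_network("172.16.0.0/28")         # Zywall DMZ, 172.16.0.1/28
VLAN100_NET = ipaddress.ip_network("192.168.100.0/24")  # VLAN 100 behind the Cisco 3560
WAN_IP = ipaddress.ip_address("203.0.113.10")           # placeholder public WAN address
ROUTER_1841_DMZ_IP = ipaddress.ip_address("172.16.0.11")  # constructed address for the 1841 test

@dataclass(frozen=True)
class SnatRule:
    """Outbound source-NAT rule: packets whose source lies in `source` leave as `translated`."""
    source: ipaddress.IPv4Network
    translated: ipaddress.IPv4Address

def apply_snat(src, rules):
    """Return the post-NAT source address, or None when no rule matches.

    A None result models the symptom in the post: the packet is seen arriving
    on the DMZ interface, but no reply ever comes back because the private
    source address was never translated on the way out.
    """
    src = ipaddress.ip_address(src)
    for rule in rules:
        if src in rule.source:
            return rule.translated
    return None

# Assumption: the USG's outbound NAT only covers the directly attached DMZ subnet.
dmz_only_rules = [SnatRule(DMZ_NET, WAN_IP)]
# Candidate fix on the Zywall side: add a rule for the subnet routed via the DMZ.
with_vlan_rule = dmz_only_rules + [SnatRule(VLAN100_NET, WAN_IP)]

def direct_from_vlan100(rules):
    """PC 192.168.100.1 routed straight through the 3560 to the Zywall DMZ."""
    return apply_snat("192.168.100.1", rules)

def via_1841(rules):
    """The post's working test: the 1841 translates the PC to its DMZ-side address first."""
    hop = apply_snat("192.168.100.1", [SnatRule(VLAN100_NET, ROUTER_1841_DMZ_IP)])
    return apply_snat(str(hop), rules)

if __name__ == "__main__":
    print("direct, DMZ-only rules:", direct_from_vlan100(dmz_only_rules))      # None
    print("direct, VLAN100 rule added:", direct_from_vlan100(with_vlan_rule))  # 203.0.113.10
    print("via 1841, DMZ-only rules:", via_1841(dmz_only_rules))               # 203.0.113.10
```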