WAN to other side of tunnel connection
Hi,
I have a MS-Exchange Server running in local company network (172.16.0.0/16).
This one is connected via USG310 using NAT on port 443 to WAN/internet, where WAN is static IP.
Everything is fine and working.
Now I need to use a second Exchange Server in same local network.
Each Exchange Server is running on a separate machine, so inside my local network I can address both correctly.
But I also need to access the second one from internet and it also should be available on the internet on port 443.
Unfortunately our ISP cannot give us a second IP for the WAN on this site.
So my suggested solution is:
Leave everything on the company site as is.
In the home office I use a USG200; this one is connected to the internet as well, and also connects via IPsec VPN to the company site.
Local network in home-office is 172.31.0.0/16 and WAN is static IP.
The tunnel is working and I exchange data in both directions.
Now I want to use home-office port 443 from WAN and do a NAT to target IP 172.16.1.101 on port 443 (second Exchange Server).
But I cannot reach the second Exchange server from home WAN.
What is wrong?
Thanks for your help.
Joerg
All Replies
-
Are you doing a site-to-site setup?
Are the logs showing any blocked traffic that you need to make a rule to allow?
-
Yes, it is a site-to-site setup.
All traffic is allowed inside vpn tunnel (on both sides of firewall rules).
-
Hi @JoeSch
In your scenario, you may adopt another port (e.g. 11111) to replace the WAN external port 443.
And add a NAT rule on your USG310 for the second Exchange Server (e.g. WAN IP:11111 NAT to 172.16.1.101:443).
You can refer to the following KB tutorial about NAT port forwarding.
https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=017894&lang=EN
Configuration > Network > NAT > Add a NAT rule, and you can create an IP object named LAN_Web with IP address 172.16.1.101.
Configuration > Security Policy > Policy > Add a “from WAN to LAN” policy
-
Hi Zyxel_Jeff, thanks for your answer.
But this is not working and therefore I need to use a second WAN-IP (home-office) and bring the SSL-port 443 through the tunnel.
One reason is:
When using a web-browser to access OWA (Outlook Web Access) on a port like you said 11111 then the second Exchange server redirects the port to 443 and this is the port of the first Exchange server.
Also -I believe- it is not possible to configure an Outlook to access an Exchange server on another port than 443.
So, do you have any idea how to use the second WAN IP (home office) and to redirect port 443 on this WAN through the tunnel as explained above?
Thank you
Joerg
-
To give a better understanding - any ideas?
-
Maybe you can try with a policy route to redirect all packets "to Static Public IP 2" to the VPN tunnel so that those packets will be forwarded to the Exchange Server located in the company network (172.16.x.x).