Remote access over VPN

dejmal69
dejmal69 Posts: 16  Freshman Member
First Comment Fourth Anniversary
edited April 2021 in Security
Hello,

I solve access to NAS server behind non public IP (SBG3500) without Dynamic DNS services. We have a puplic IP on other site (USG110)  and IPSec VPN connection to SBG site.
How can I configure access to the NAS over Port forwarding and VPN? Topology is here.

Thank You

Accepted Solution

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Answer ✓

    Hi @dejmal69,

    On SBG, select “Any” as Remote IP Type in IPSec policy.

    On USG, set local policy of VPN tunnel as 0.0.0.0/0.



    Add a policy route for traffic from SBG.

    Incoming: tunnel

    Source Address: SBG LAN subnet (ex: 192.168.1.0/24)

    Next-Hop: USG’s wan interface



    Add a NAT rule.

    In this example, the PC in SBG’s LAN has IP address 192.168.1.3.


    Add a security policy rule.


    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    5 Answers First Comment Friend Collector Second Anniversary
    Hi @dejmal69

    I am going to give to you a theoretical answer.

    USG110:
    - Port Forwarding to NAS IP address. (Static destination NAT)
    - Source NAT. Masquerade the Internet (public) IP Address, using an authorized VPN IP address (usually an internal ip address)
    - VPN configuration to SBG3500. (be sure the Source NAT address is allowed to use the VPN)

    I hope it helps.

    Regards

     
  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Comment Fourth Anniversary
    Thank You very much.

    I test this config.
    - NAT to NAS internal IP
    - On both sites is the same subnet.
    - VPN SNAT over fake subnet and DNAT fake subnet mapped to original
      local subnet.
    - Policy route source lan1 interface, dest remote subnet, nexthop vpn to SBG.

      KB Zyxel states that VPN SNAT allows you to use the same subnets without conflict. Unfortunately, it doesn't work. It's obvious that they can be on both sites, but not local / remote VPN subnets.
    I haven't tried to configure it like this yet:
    - VPN USG110 local sub the same as NAS sub -> Fake sub -> remote sub
       (other on SBG)
    - SBG route, source SNAT IP , destination NAS IP
       (Depend on SBG possiblities) If a route back to the VPN is needed, then it
        will not work. SBG does not allow next hop to VPN. For the same reason,
        L2TP access from USG110 cannot be used.

    If you know of other configuration variants, please share.

    Thank You









  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Answer ✓

    Hi @dejmal69,

    On SBG, select “Any” as Remote IP Type in IPSec policy.

    On USG, set local policy of VPN tunnel as 0.0.0.0/0.



    Add a policy route for traffic from SBG.

    Incoming: tunnel

    Source Address: SBG LAN subnet (ex: 192.168.1.0/24)

    Next-Hop: USG’s wan interface



    Add a NAT rule.

    In this example, the PC in SBG’s LAN has IP address 192.168.1.3.


    Add a security policy rule.


    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Comment Fourth Anniversary
    Hello Zyxel_Emily

    That's great. So easy. Thank You very much.

    Dejmal69

  • massimo_r
    massimo_r Posts: 5
    First Comment

    what changes if i have a usg200 instead of the SBG ?

Security Highlight