Remote access over VPN

dejmal69 Posts: 16
edited April 2021 in Security

I am solving access to a NAS server behind a non-public IP (SBG3500) without Dynamic DNS services. We have a public IP on the other site (USG110) and an IPSec VPN connection to the SBG site.
How can I configure access to the NAS over Port forwarding and VPN? Topology is here.

Thank You

Accepted Solution

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,197
     Zyxel Employee
    Answer ✓

    Hi @dejmal69,

    On SBG, select “Any” as Remote IP Type in IPSec policy.

    On USG, set local policy of VPN tunnel as

    Add a policy route for traffic from SBG.

    Incoming: tunnel

    Source Address: SBG LAN subnet (ex:

    Next-Hop: USG’s wan interface

    Add a NAT rule.

    In this example, the PC in SBG’s LAN has IP address

    Add a security policy rule.

    Click this link to start:

All Replies

  • Alfonso
    Alfonso Posts: 257
    Hi @dejmal69

    I am going to give you a theoretical answer.

    - Port Forwarding to NAS IP address. (Static destination NAT)
    - Source NAT. Masquerade the Internet (public) IP address, using an authorized VPN IP address (usually an internal IP address)
    - VPN configuration to SBG3500. (be sure the Source NAT address is allowed to use the VPN)

    I hope it helps.
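
The three steps in the reply above, modeled as an added example (not part of the original post and not Zyxel configuration). It shows why a port-forwarded packet is rejected by a policy-based IPsec tunnel until its source is rewritten to an address the VPN policy permits. All addresses, the forwarded port 443, and the function names are constructed assumptions, and the two sites are assumed to use different subnets.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addresses (RFC 5737 / RFC 1918), not taken from the thread.
WAN_IP = ipaddress.ip_address("203.0.113.10")        # public IP on the USG site
CLIENT_IP = ipaddress.ip_address("198.51.100.7")     # client on the Internet
NAS_IP = ipaddress.ip_address("192.168.2.50")        # NAS behind the SBG
SNAT_IP = ipaddress.ip_address("192.168.1.1")        # USG address inside the VPN policy
VPN_LOCAL = ipaddress.ip_network("192.168.1.0/24")   # tunnel policy, USG side
VPN_REMOTE = ipaddress.ip_network("192.168.2.0/24")  # tunnel policy, SBG side


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def dnat(pkt, wan_ip=WAN_IP, port=443, target=NAS_IP):
    """Port forwarding: rewrite the destination only for the forwarded WAN port."""
    if pkt.dst == wan_ip and pkt.dport == port:
        return replace(pkt, dst=target)
    return pkt


def snat(pkt, to=SNAT_IP):
    """Masquerade the public source behind an address the VPN policy allows."""
    return replace(pkt, src=to)


def tunnel_accepts(pkt, local=VPN_LOCAL, remote=VPN_REMOTE):
    """Policy-based IPsec: source must match the local policy, destination the remote one."""
    return pkt.src in local and pkt.dst in remote


def forward(pkt, use_snat):
    """Apply DNAT, optionally SNAT, then report whether the tunnel carries the packet."""
    pkt = dnat(pkt)
    if use_snat:
        pkt = snat(pkt)
    return pkt, tunnel_accepts(pkt)


if __name__ == "__main__":
    inbound = Packet(CLIENT_IP, WAN_IP, 443)
    for use_snat in (False, True):
        out, ok = forward(inbound, use_snat)
        print(f"snat={use_snat}: {out.src} -> {out.dst}:{out.dport} tunnel_accepts={ok}")
```

With source NAT in place the NAS sees every forwarded connection as coming from the SNAT address, so the original client IP has to be logged on the device that performs the NAT.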


  • dejmal69
    dejmal69 Posts: 16
    Thank You very much.

    I tested this config:
    - NAT to NAS internal IP
    - The same subnet is on both sites.
    - VPN SNAT over fake subnet and DNAT fake subnet mapped to original
      local subnet.
    - Policy route source lan1 interface, dest remote subnet, nexthop vpn to SBG.

      The Zyxel KB states that VPN SNAT allows you to use the same subnets without conflict. Unfortunately, it doesn't work. It's obvious that they can be on both sites, but not local / remote VPN subnets.
    I haven't tried to configure it like this yet:
    - VPN USG110 local sub the same as NAS sub -> Fake sub -> remote sub
       (other on SBG)
    - SBG route, source SNAT IP , destination NAS IP
       (Depends on SBG possibilities) If a route back to the VPN is needed, then it
        will not work. SBG does not allow next hop to VPN. For the same reason,
        L2TP access from USG110 cannot be used.

    If you know of other configuration variants, please share.

    Thank You

  • dejmal69
    dejmal69 Posts: 16
    Hello Zyxel_Emily

    That's great. So easy. Thank You very much.

