Help with NAT rules setup - USG40
Josias_MaiaTI
Hello!
I'm trying to set up a few NAT rules on my USG40, but I can't seem to get them to work.
I need to create a rule that allows RDP from the WAN to one of my VLAN servers. The external connection should be on a different port, so for example, I need to redirect RDP traffic from WAN1 on port 42000 to my internal server's IP address on port 3389.
Do I need to create just a NAT rule? I've also created a Security Policy, but nothing seems to get my RDP to work.
Comments
-
I've just noticed that I also cannot access the Zyxel appliance from the WAN.
-
Is the USG40 getting the WAN IP?
-
I'm sorry, I'm new to Zyxel, how can I check it? If you mean the Ethernet port IP, my WAN1 IP is 192.168.2.100.
My ISP router has a DMZ to the WAN1 IP.
-
Hi Josias_MaiaTI.
You are talking about an ISP router? So this one is acting for S-NAT and D-NAT?
And the ZYWALL is behind an ISP router?
Take care to configure no double-NAT.
And does the ISP router also have a NAT from the internet to the dedicated destination (USG) port 443?
Or is port 443 (HTTPS) already in use, e.g. to publish a web interface at the provider IP?
Regards,
Christian
-
Are you able to put your ISP router into bridge mode for the WAN IP to be on the USG?
-
ChristianG said: Hi Josias_MaiaTI.
You are talking about an ISP router? So this one is acting for S-NAT and D-NAT?
And the ZYWALL is behind an ISP router?
Take care to configure no double-NAT.
And does the ISP router also have a NAT from the internet to the dedicated destination (USG) port 443?
Or is port 443 (HTTPS) already in use, e.g. to publish a web interface at the provider IP?
Regards,
Christian
The ISP router has a DMZ redirecting all traffic to the ZYWALL's WAN1 address (see the print below for my WAN1 port configuration).
Since it has a DMZ, all traffic should be redirected to the USG, which should take care of what to do with the packets. In the above setup, my ISP router has a DMZ to the 192.168.2.100 IP. The 192.168.2.1 gateway IP is the router's LAN address.
I had a Cyberoam appliance before the USG, and I also used to access it on port 4433 (HTTPS); I changed the port from 443 to 4433 in the configuration.
I just changed the appliance and it stopped working, along with some NAT rules. It has all the same IP addresses as the Cyberoam did, so I think it's something I'm missing in the Zywall setup, not really something with the ISP router, as it was working just fine before with a different appliance.
PeterUK said: Are you able to put your ISP router into bridge mode for the WAN IP to be on the USG?
Hi Peter, thanks for the reply. No, unfortunately I cannot. The router is very limited, so I don't have a bridge mode option in the configuration.
-
@Josias_MaiaTI,
In summary, so that everyone has the same view:
1. The ISP UTM has an internal DMZ interface with the IP 192.168.2.1 (the gateway for traffic that is not in the DMZ and should be routed to the extranet (WAN))?
2. The USG has the IP 192.168.2.100 configured and should forward traffic to a destination behind the USG.
3. Port 4433/TCP is on the ISP UTM and port 443/TCP is configured on the USG.
4. The rule WAN to device is already configured as shown in your screenshot.
Have you checked the traffic by monitoring the WAN interface (the DMZ interface at the ISP router) and the WAN interface at the ZYWALL to see the packet flow? (At the ZYWALL you can monitor the interface and look at the packet flow with Wireshark.)
Your challenge:
Extranet ---> WAN Interface (Cyberoam) Port 443/TCP ---> NAT e.g. 1:1 ----> DMZ Interface from the Cyberoam to the ZYWALL (443/TCP)
Does my summary match your requirement?
And which part have you already checked/monitored with Wireshark?
Regards,
Christian
-
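The packet-flow check Christian describes (capture at the ISP router's DMZ side, at the USG's WAN1 and on the VLAN interface), as an added example that is not from this thread or from Zyxel: a small Python script that reads tcpdump-style capture lines and reports the first hop of the forward chain that the inbound RDP connection fails to cross. The addresses and ports are the ones given in the thread; the capture lines are constructed, and the tcpdump "IP a.b.c.d.port > w.x.y.z.port: Flags [S]" line layout is an assumption.

```python
# Added example, not from the forum thread: trace an inbound port-forward across the
# chain described above (ISP router DMZ -> USG WAN1 -> VLAN server) from tcpdump-style
# capture lines. Addresses/ports are the thread's; capture lines are constructed.
import re
from collections import namedtuple

USG_WAN_IP, EXTERNAL_PORT = "192.168.2.100", 21000   # public side of the USG NAT rule
SERVER_IP, SERVER_PORT = "192.168.254.5", 3389       # RDP host in VLAN 1

LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]+)\]")
Packet = namedtuple("Packet", "src sport dst dport flags")

def parse_capture(lines):
    """Turn tcpdump text lines into Packet records; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            out.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return out

HINTS = {
    "NO_SYN_AT_WAN1": "nothing for port %d reached WAN1: check the ISP router DMZ/forward" % EXTERNAL_PORT,
    "NOT_TRANSLATED": "SYN reached WAN1 but was not sent on to %s:%d: check the USG NAT rule "
                      "and the WAN-to-VLAN security policy" % (SERVER_IP, SERVER_PORT),
    "NO_SERVER_REPLY": "translated SYN reached the VLAN but no SYN-ACK came back: check the "
                       "RDP listener, host firewall and the server's default gateway",
    "OK": "forward works end to end",
}

def diagnose(wan1_lines, vlan_lines):
    """Return a HINTS code naming the first hop of the forward chain that broke."""
    wan1, vlan = parse_capture(wan1_lines), parse_capture(vlan_lines)
    if not any(p.dst == USG_WAN_IP and p.dport == EXTERNAL_PORT and p.flags == "S" for p in wan1):
        return "NO_SYN_AT_WAN1"
    if not any(p.dst == SERVER_IP and p.dport == SERVER_PORT and p.flags == "S" for p in vlan):
        return "NOT_TRANSLATED"
    if not any(p.src == SERVER_IP and p.sport == SERVER_PORT and p.flags == "S." for p in vlan):
        return "NO_SERVER_REPLY"
    return "OK"

# Constructed captures: a working forward as seen on WAN1 and on the VLAN interface.
WAN1_CAPTURE = ["10:00:00.000001 IP 203.0.113.10.51000 > 192.168.2.100.21000: Flags [S], seq 1, win 64240, length 0"]
VLAN_CAPTURE = ["10:00:00.000002 IP 203.0.113.10.51000 > 192.168.254.5.3389: Flags [S], seq 1, win 64240, length 0",
                "10:00:00.000003 IP 192.168.254.5.3389 > 203.0.113.10.51000: Flags [S.], seq 100, ack 2, win 65535, length 0"]

if __name__ == "__main__":
    code = diagnose(WAN1_CAPTURE, VLAN_CAPTURE)
    print(code, "-", HINTS[code])
```

Feed it the text output of `tcpdump -n` taken on each interface while attempting the connection from outside; a capture on the ISP router's DMZ side that shows the SYN while WAN1 does not points at the router's DMZ/forward rather than at the USG.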
Hello Josias_MaiaTI,
Since the USG is behind the ISP router, if you cannot configure the ISP router in bridge mode, you need to create the NAT rule on the ISP router.
Here is a similar case for your reference.
https://businessforum.zyxel.com/discussion/comment/1317#Comment_1317
Charlie
-
Hello all!
I'll try to explain my current topology:
My ISP "router" is an Ubiquiti antenna. The antenna is connected to the ZYWALL's WAN1 port via an Ethernet cable. In the antenna configuration, I have a DMZ redirecting all traffic towards the ZYWALL's WAN1 IP (192.168.2.100). The antenna's IP is 192.168.2.1.
I have 3 VLANs; I don't know if that makes any difference in the ZYWALL configuration when it comes to NAT. Here's what I'm trying to do and am not able to:
> Access the ZYWALL console from the WAN (HTTPS port 4433).
> RDP to a server in one of the 3 VLANs (also, I want to RDP on a port different from 3389, so for example, I'll try to RDP to the address publicIP:21000; the ZYWALL needs to redirect this to IP 192.168.254.5 (VLAN 1) on port 3389).
I can ping my public IP normally, so I'm pretty sure I'm missing something in the Zywall's configuration. As mentioned, I had Cyberoam before Zyxel, and all of those NAT rules worked normally. I just tried to replicate the same configuration from Cyberoam to Zywall, same IPs and ports, but it doesn't seem to work.
Is there a step-by-step manual to set up a NAT rule in ZYWALL, so I can check it and see if my current configuration is the same?
Thanks for the help so far!
-
Josias_MaiaTI said: Hello all!
I'll try to explain my current topology:
Thanks for the help so far!
Hello Josias_MaiaTI,
Are you able to post a simple topology picture, so that everyone has a better view of what the devices are, where they are placed, and which ports should be reached directly from the internet?
For NAT there is a ZYXEL CNP video about the NAT possibilities; above all, which one do you use?
Are you able to see the request on your ISP router if you try to connect from the internet to the destination?
Regards,
Christian