Help with NAT rules setup - USG40

Josias_MaiaTI
Josias_MaiaTI Posts: 8  Freshman Member
edited April 2021 in Security
Hello!

I'm trying to set up a few NAT rules on my USG40 but I can't seem to get it to work.

I need to create a rule that allows RDP from WAN to one of my VLANs Servers. The external connection should be in a different port, so for example, I need to redirect RDP traffic from WAN1 on port 42000 to my internal Server's IP address on port 3389.

Do I need to create just a NAT rule? I've also created a security Policy, but nothing seems to get my RDP to work.

Comments

  • Josias_MaiaTI
    Josias_MaiaTI Posts: 8  Freshman Member
    I've just noticed that I also cannot access Zyxel appliance from WAN.


  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited February 2018

    Is the USG40 getting the WAN IP?


  • Josias_MaiaTI
    Josias_MaiaTI Posts: 8  Freshman Member
    I'm sorry, I'm new to Zyxel, how can I check it? If you mean the Ethernet port IP, my WAN1 IP is 192.168.2.100.
    My ISP router has a DMZ to the WAN1 IP.
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hi Josias_MaiaTI,
    you are talking about an ISP router? So this one is acting as S-NAT and D-NAT?
    And the ZYWALL is behind an ISP router?
    Take care not to configure double NAT ;)
    And does the ISP router also have a NAT from the internet to the dedicated destination (USG) port 443?
    Or is port 443 (HTTPS) already in use, e.g. to publish a web interface at the provider IP?

    regards
    Christian
  • PeterUK
    PeterUK Posts: 2,655  Guru Member

    Are you able to put your ISP router into bridge mode for the WAN IP to be on the USG?

  • Josias_MaiaTI
    Josias_MaiaTI Posts: 8  Freshman Member
    ChrisGer said:

    Hi Josias_MaiaTI,
    you are talking about an ISP router? So this one is acting as S-NAT and D-NAT?
    And the ZYWALL is behind an ISP router?
    Take care not to configure double NAT ;)
    And does the ISP router also have a NAT from the internet to the dedicated destination (USG) port 443?
    Or is port 443 (HTTPS) already in use, e.g. to publish a web interface at the provider IP?

    regards
    Christian

    Hi Christian, thanks for the reply. It's a D-NAT; the ZYWALL is behind the ISP router.
    The ISP router has a DMZ, redirecting all traffic to the ZYWALL's WAN1 address (see print below for my WAN1 port configuration).

    Since it has a DMZ, all traffic should be redirected to the USG, which should take care of what to do with the packets. In the above setup, my ISP router has a DMZ to the 192.168.2.100 IP. The 192.168.2.1 gateway IP is the router's LAN address.
    I had a Cyberoam appliance before the USG, and I also used to access it on port 4433 (HTTPS) - I changed the port in the configuration from 443 to 4433.

    I just changed the appliance and it stopped working, along with some NAT rules. It has all the same IP addresses as the Cyberoam did, so I think it's something I'm missing in the Zywall setup, not really something with the ISP router, as it was working just fine before with a different appliance.

    PeterUK said:

    Are you able to put your ISP router into bridge mode for the WAN IP to be on the USG?


    Hi Peter, thanks for the reply. No, unfortunately I cannot. The router is very limited, so I don't have a bridge mode setup in the configuration.
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    @Josias_MaiaTI,
    in summary, so that everyone has the same view:
    1. The ISP UTM has an internal DMZ interface with the IP 192.168.2.1 (the gateway for traffic that is not in the DMZ and should be routed to the extranet (WAN))?
    2. The USG has the IP 192.168.2.100 configured and should forward traffic to a destination behind the USG.
    3. Port 4433/TCP is on the ISP UTM and port 443/TCP is configured on the USG.
    4. The rule WAN to device is already configured as shown in your screenshot.

    Have you checked the traffic by monitoring the WAN interface (the DMZ interface at the ISP router) and the WAN interface at the ZYWALL to see the packet flow? (At the ZYWALL you can monitor the interface and look at the packet flow with Wireshark.)

    Your challenge:
    Extranet ---> WAN interface (Cyberoam) port 443/TCP ---> NAT, e.g. 1:1 ----> DMZ interface from the Cyberoam to the ZYWALL (443/TCP)

    Does my summary match your requirement?
    And what part have you checked/monitored already with Wireshark?

    Regards
    Christian

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello Josias_MaiaTI,
    Since the USG is behind the ISP router, if you cannot configure the ISP router in bridge mode, you need to create the NAT rule on the ISP router.
    Here is a similar case for your reference.
    https://businessforum.zyxel.com/discussion/comment/1317#Comment_1317
    Charlie
  • Josias_MaiaTI
    Josias_MaiaTI Posts: 8  Freshman Member
    Hello all!

    I'll try to explain my current topology:

    My ISP "router" is an Ubiquiti antenna. The antenna is connected to the ZYWALL's WAN1 port via Ethernet cable. In the antenna configuration, I have a DMZ redirecting all traffic towards the ZYWALL's WAN1 IP (192.168.2.100). The antenna's IP is 192.168.2.1.

    I have 3 VLANs; I don't know if that makes any difference in the ZYWALL configuration when it comes to NAT. Here's what I'm trying to do and am not able to:

    > Access ZYWALL console from WAN (HTTPS port 4433).

    > RDP to a server in one of the 3 VLANs (also, I want to RDP on a port different from 3389, so for example, I'll try to RDP to the address publicIP:21000 - ZYWALL needs to redirect this to IP 192.168.254.5 (VLAN 1) on port 3389).

    I can ping my public IP normally, so I'm pretty sure I'm missing something in Zywall's configuration. As mentioned, I had Cyberoam before Zyxel, and all of those NAT rules worked normally. I just tried to replicate the same configuration from Cyberoam to Zywall, same IPs and ports, but it doesn't seem to work.

    Is there a step-by-step manual to set up a NAT rule in ZYWALL, so I can check it and see if my current configuration is the same?

    Thanks for the help so far!
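As an added illustration (not code from the thread, from Zyxel, or from anyone posting here), the Python model below walks one inbound RDP connection through the two hops described in this topology: the ISP antenna's DMZ-host forwarding, then the ZYWALL's NAT (Virtual Server) rule followed by its security policy. It ties together the original question (is a NAT rule alone enough, or is a security policy needed too?) and Zyxel_Charlie's point that the ISP router must also hand the traffic to the USG. Assumptions: the public IP 203.0.113.10 and the client address 198.51.100.7 are constructed placeholders; the rule and policy shapes are simplified dictionaries rather than the ZLD GUI objects; and the security policy is assumed to be evaluated after NAT, so it must allow traffic to the internal server 192.168.254.5 rather than to WAN1.

```python
"""Two-hop port-forward model for the USG40-behind-ISP-router topology (added example)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

# Addresses from the thread; the public IP is a constructed placeholder (TEST-NET-3).
PUBLIC_IP = "203.0.113.10"       # assumed: the thread never states the real public IP
USG_WAN1 = "192.168.2.100"       # ZYWALL WAN1, the ISP router's DMZ host
RDP_SERVER = "192.168.254.5"     # server in VLAN1
EXTERNAL_PORT = 21000            # port the remote user connects to on the public IP
RDP_PORT = 3389


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    iface: str = "wan1"          # ZYWALL interface the packet arrives on after the ISP hop


def isp_router(pkt: Packet, dmz_host: Optional[str]) -> Optional[Packet]:
    """ISP router in 'DMZ host' mode: everything addressed to the public IP is
    destination-NATed to dmz_host. Returns None when no rule sends it anywhere."""
    if pkt.dst != PUBLIC_IP or dmz_host is None:
        return None
    return replace(pkt, dst=dmz_host)


def usg_nat(pkt: Packet, virtual_servers: list[dict]) -> Packet:
    """ZYWALL NAT lookup (simplified Virtual Server rule): the first rule whose
    incoming interface, original IP, protocol and original port match rewrites
    the destination IP and port. No match leaves the packet untouched."""
    for rule in virtual_servers:
        if (pkt.iface == rule["incoming"] and pkt.dst == rule["original_ip"]
                and pkt.proto == rule["proto"] and pkt.dport == rule["original_port"]):
            return replace(pkt, dst=rule["mapped_ip"], dport=rule["mapped_port"])
    return pkt


def usg_policy(pkt: Packet, policies: list[dict]) -> bool:
    """Security policy check. Assumed to run after NAT (ZLD order), so the
    destination it sees is the internal server, not WAN1. Default deny."""
    for pol in policies:
        if (pol["from"] == pkt.iface and pkt.dst in pol["to_hosts"]
                and pkt.dport in pol["ports"]):
            return pol["action"] == "allow"
    return False


def trace(pkt: Packet, dmz_host: Optional[str],
          virtual_servers: list[dict], policies: list[dict]) -> tuple[str, str]:
    """Walk one inbound packet through both hops and report where it ends up."""
    hop1 = isp_router(pkt, dmz_host)
    if hop1 is None:
        return ("dropped", "isp_router: no DMZ/DNAT rule forwards the public IP to the USG")
    hop2 = usg_nat(hop1, virtual_servers)
    if hop2.dst == USG_WAN1:
        return ("dropped", "usg_nat: no Virtual Server matched; packet is for the USG itself")
    if not usg_policy(hop2, policies):
        return ("dropped", "usg_policy: no WAN-to-VLAN allow rule for the post-NAT destination")
    return ("delivered", f"{hop2.dst}:{hop2.dport}")


# The configuration the thread is aiming for: publicIP:21000 -> 192.168.254.5:3389.
VIRTUAL_SERVERS = [{
    "incoming": "wan1", "proto": "tcp",
    "original_ip": USG_WAN1, "original_port": EXTERNAL_PORT,
    "mapped_ip": RDP_SERVER, "mapped_port": RDP_PORT,
}]
POLICIES = [{"from": "wan1", "to_hosts": {RDP_SERVER}, "ports": {RDP_PORT}, "action": "allow"}]

# Constructed inbound connection: a remote user hitting publicIP:21000.
INBOUND = Packet(src="198.51.100.7", dst=PUBLIC_IP, dport=EXTERNAL_PORT)


def diagnose() -> dict[str, tuple[str, str]]:
    """Run the working configuration and the three ways it commonly breaks."""
    return {
        "complete":           trace(INBOUND, USG_WAN1, VIRTUAL_SERVERS, POLICIES),
        "no_isp_forwarding":  trace(INBOUND, None, VIRTUAL_SERVERS, POLICIES),
        "no_nat_rule":        trace(INBOUND, USG_WAN1, [], POLICIES),
        "no_security_policy": trace(INBOUND, USG_WAN1, VIRTUAL_SERVERS, []),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in diagnose().items():
        print(f"{name:20s} {verdict:9s} {detail}")
```

The three failure rows are the checkpoints to confirm in order: the ISP side must forward to 192.168.2.100 at all, the USG needs a matching NAT rule on WAN1 for the external port, and the security policy must permit WAN to the VLAN1 server address on 3389, since a policy written against WAN1's own address never matches the translated packet. The model does not cover reaching the USG's own web console on 4433; that is traffic to the appliance itself rather than forwarded traffic, and is governed by its service-control and WAN-to-ZyWALL settings rather than by a NAT rule.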
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Josias_MaiaTI said:

    Hello all!

    I'll try to explain my current topology:

    Thanks for the help so far!

    Hello Josias_MaiaTI,
    are you able to post a simple topology picture, so that everyone has a better view of where the devices are placed and which ports should be reached from the internet directly?
    For NAT there is a ZYXEL CNP video about the NAT possibilities and, above all, which one you use.

    Are you able to see the request on your ISP router if you try to connect from the internet to the destination?

    Regards
    Christian
