Assigned IP vs Public IP connecting L2TP over IPSec VPN

MartinVIE Posts: 3
edited April 2021 in Security
Hi Guys,
I'm a newbie running a ZyWALL USG Flex 200 (192.168.1.1) and need some help. I've managed to connect to my company's LAN via L2TP over IPSec from outside.
ZyWALL's VPN Monitor tells me that my Assigned IP is 192.168.50.1 and my Public IP is 77.119.xx.xx (some dynamic IP of my mobile internet provider).

We've got production web servers outside the company which allow SSH access only from the company's static IP Address (that part works fine).

And there's a development web server running inside the company's LAN (at 192.168.1.xx), which has some access restrictions configured: access is allowed for 192.168.1.1/24 and 192.168.50.1/24 addresses only.

And here's the problem: Trying to access the development web server (using HTTPS) via VPN is impossible because it receives my Public IP (77.119.xx.xx) instead of my Assigned IP (192.168.50.1).

Inside the LAN it's possible to ping 192.168.50.1

Connecting to any other device (like a printer, NAS, etc.) is no problem.

Is there anything I need to configure to be able to access the development web server using my Assigned IP instead of Public IP?

Any help appreciated!

Thanks, Martin

Accepted Solution

  • MartinVIE Posts: 3
    Answer ✓
    I was able to solve my problem in a very simple way:

    I noticed that VPN traffic to the development web server was routed via "outside", which is why the web server received the "Public IP" instead of an internal one.

    All I had to do was add a DNS PTR Record *.mysubdomain.xyz pointing to the development web server's IP address (all development sites are named "[something].mysubdomain.xyz").

    Now the VPN traffic to that machine stays "inside". The client's IP address provided to the development web server is still not 192.168.50.1, but that of the gateway, 192.168.1.1, which is also fine for me, as we just want to distinguish "internal" requests from "external" requests.

    All good now!  :)
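As an added illustration (not code from the thread or from Zyxel), here is a source-IP allow-list check in Python of the kind the development server applies, run against the three source addresses that appear in this thread. The prefixes are taken from the question, which writes them with host bits set (192.168.1.1/24), and 77.119.0.1 is a constructed stand-in for the masked carrier address 77.119.xx.xx.

```python
from ipaddress import ip_address, ip_network

# Allow-list exactly as written in the question. Both entries carry host
# bits, which a strict CIDR parser rejects and a lenient one silently
# zeroes; an ACL engine may do either, so normalise explicitly.
ALLOWED_RAW = ["192.168.1.1/24", "192.168.50.1/24"]


def strict_parse_ok(text: str) -> bool:
    """True if the prefix is already a clean network (no host bits set)."""
    try:
        ip_network(text)  # strict=True is the default
        return True
    except ValueError:
        return False


def normalise_prefix(text: str):
    """Zero the host bits: 192.168.1.1/24 -> 192.168.1.0/24."""
    return ip_network(text, strict=False)


ALLOWED = [normalise_prefix(p) for p in ALLOWED_RAW]


def is_allowed(source_ip: str, allowed=ALLOWED) -> bool:
    """True if the address the web server sees falls inside an allowed prefix."""
    addr = ip_address(source_ip)
    return any(addr in net for net in allowed)


# Constructed scenarios matching the thread's description.
SCENARIOS = {
    # Before the fix: the dev hostname resolved to the public address, the
    # request left via the WAN and arrived from the carrier's dynamic IP.
    "hairpin via WAN": "77.119.0.1",
    # The L2TP assigned address, had the server seen it directly.
    "assigned VPN address": "192.168.50.1",
    # After the internal DNS record: the post reports the server now sees
    # the USG's LAN address instead.
    "via internal route": "192.168.1.1",
}


def evaluate_scenarios(allowed=ALLOWED) -> dict:
    """Map each scenario name to whether the server would accept it."""
    return {name: is_allowed(ip, allowed) for name, ip in SCENARIOS.items()}
```

The first scenario is the failure the question describes; the other two pass, which is why the split-DNS change was enough even though the server never sees 192.168.50.1.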

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee

    Hi @MartinVIE

    You can add a WAN-to-LAN NAT rule on your USG Flex 200.

    e.g. WAN IP 77.119.xx.xx:8080 to LAN IP 192.168.50.1:80.

    You can refer to the following KB tutorial about NAT port forwarding.

    https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=017894&lang=EN


  • Thanks, @Zyxel_Jeff,

    I'm not sure if this is the perfect solution. As mentioned, 77.119.xx.xx is a dynamic IP address, meaning I would have to add that rule every time somebody connects to the VPN and delete it on disconnect (or leave a mess behind).

    Anyway, what's the purpose of that "Assigned IP", if my VPN client is still running under the Public IP?

    Thanks, Martin

