USG20-VPN WITH NAT AND VIRTUAL IP

Max_Tor
edited April 2021 in Security
Hello!
I have a USG20-VPN factory restored, and ready to be configured!
I need to install it in an already built network (192.168.1.0/24) because I have some devices that I want to reach with SSL VPN.
I'll try to explain what I plan to do:
  • assign virtual IP to the USG
  • NAT that IP to the real IP (internal network of the USG, for example LAN1)
  • create rule to let user connect from the primary network to that IP
  • configure VPN SSL to reach internal IP of the USG (with NAT rule from the primary modem)
I'm trying to do all of these things but without success... could you help me?
I attach an image to explain the situation:

Accepted Solution

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Answer ✓

    Hi @Max_Tor,

    Can you please configure as follows:

    1 - Change WAN and LAN IPs;

    2 - Configure NAT;

    3 - Allow from WAN to Clients (Configuration > Security Policy > Policy Control)

    4 - Configure SSL VPN Settings;


    Best regards.

All Replies

  • PeterUK
    PeterUK Posts: 2,654  Guru Member

    If your modem router at 192.168.1.1 can do a static route, there is another way without double NAT.


  • Max_Tor
    Max_Tor Posts: 8
    Thank you @Zyxel_Can!

    Everything is clear!

    @PeterUK: yes, there is a modem router and I have access to it. What do you mean by another way?

    Thanks

  • PeterUK
    PeterUK Posts: 2,654  Guru Member

    Instead of SNAT 192.168.0.31 from 192.168.1.30, or with virtual IPs, you add a static route on the modem router at 192.168.1.1 for 192.168.0.0/24 to 192.168.1.30. You then make a routing rule, with "Use IPv4 Policy Route to Overwrite Direct Route" checked, to go from incoming LAN1 to next hop gateway 192.168.1.1.


  • Max_Tor
    Max_Tor Posts: 8
    Ok, @PeterUK! Thanks for your advice!
    Everything to learn is useful for me!
