SNAT Nebula

Ray00731
Ray00731 Posts: 13
edited March 2023 in Nebula

Hello,

I am going to replace the USG60W with a USGFLEX 200 at various sites, and I have a test setup at home that mirrors the conditions of a branch office.

In the course of this I would also like to move everything over to Nebula, and I am once again stuck on one thing.

From our merchandise management vendor we receive a Fortigate that establishes a VPN tunnel to the server.

Zyxel network (VLAN) - 192.168.99.0
Fortigate IP: 192.168.99.200

Ping, tracert - everything works. After a lengthy analysis with a support technician from the server provider, he sees my request coming in, but gets the message that the client (i.e. me) rejects the data. The support technician says that this is due to source NATting.

Indeed, I have set up a policy route in one branch, and now the question: how do I get this done in Nebula?

Many thanks in advance

Regards

Matthias Lagenstein

Accepted Solution

  • Ray00731
    Ray00731 Posts: 13
    Answer ✓

    Hello,

    I have now installed the Zyxel router with Nebula in our network and the problem is fixed.

    That was the solution:

    Asymmetrical route:
    SSH > Login
    configure terminal
    secure-policy asymmetrical-route activate
    exit
    write
    exit

    Thanks to the mail support!

    Best regards
    Ray00731


All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee

    Hi @Ray00731,

    Please configure the SNAT from outgoing-interface to None in the policy route.

  • Hello,

    Thank you for your answer.

    The configuration on the screen works, so I mustn't change it.

    I am looking for the function in Nebula, because there the connection with the external Fortigate doesn't work.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee

    Hi @Ray00731,

    You can add a static route in Nebula for routing traffic to the Fortigate.

  • Ray00731
    Ray00731 Posts: 13

    Hi @Zyxel_Cooldia

    In the “old” configuration interface I must set the policy & static route. Without the policy route it doesn't work.

    So I must apply the same configuration in Nebula with the SNAT option and I don't know how.

    When I set a route on the Windows machine via cmd, “route /add….”, it works.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee

    Hi @Ray00731 ,

    Can you provide a brief network topology with the interface IPs marked for troubleshooting?

  • zyman2008
    zyman2008 Posts: 219  Master Member
    edited March 2023

    Here is what I think is the root cause of the issue.

    Triangle route issue (without SNAT to 192.168.99.1)

    No triangle route (with SNAT)

    So either setting the Zyxel firewall to allow asymmetric routes or doing SNAT can solve the issue.
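
The triangle route described in the post above, as an added Python model that is not part of the original thread and not Zyxel's code. The client address 192.168.99.50, the server address 10.97.0.10 and the simplified session table are assumptions; it shows why the TCP handshake stalls without SNAT and completes either with SNAT to 192.168.99.1 or with asymmetric routes allowed.

```python
FW_LAN = "192.168.99.1"       # Zyxel LAN address, the SNAT target named in the thread
CLIENT = "192.168.99.50"      # assumed client on the Zyxel VLAN
SERVER = "10.97.0.10"         # assumed host behind the Fortigate's VPN tunnel


class StatefulFirewall:
    """Toy session table: a flow is ESTABLISHED only after the SYN-ACK is seen."""

    def __init__(self, snat, allow_asymmetric):
        self.snat = snat
        self.allow_asymmetric = allow_asymmetric
        self.state = {}                      # (client, server) -> handshake state

    def from_client(self, client, server, flag):
        """Forward a client packet to the Fortigate.
        Returns the source IP the Fortigate sees, or None if the packet is dropped."""
        flow = (client, server)
        if flag == "SYN":
            self.state[flow] = "SYN_SEEN"
        elif self.state.get(flow) != "ESTABLISHED" and not self.allow_asymmetric:
            return None                      # ACK without a SYN-ACK on record: dropped
        return FW_LAN if self.snat else client

    def from_fortigate(self, client, server, flag):
        """Reply addressed to FW_LAN: record it before handing it to the real client."""
        if flag == "SYN-ACK" and self.state.get((client, server)) == "SYN_SEEN":
            self.state[(client, server)] = "ESTABLISHED"


def handshake(snat, allow_asymmetric):
    """Return (completed, reply_went_through_firewall) for one TCP handshake."""
    fw = StatefulFirewall(snat, allow_asymmetric)
    seen_src = fw.from_client(CLIENT, SERVER, "SYN")
    # The Fortigate answers the source address it saw. If that is the client itself
    # (same subnet as the Fortigate), the reply is delivered directly and the
    # firewall never sees it. Only a reply addressed to FW_LAN comes back through it.
    reply_via_fw = seen_src == FW_LAN
    if reply_via_fw:
        fw.from_fortigate(CLIENT, SERVER, "SYN-ACK")
    completed = fw.from_client(CLIENT, SERVER, "ACK") is not None
    return completed, reply_via_fw


if __name__ == "__main__":
    for snat, asym in [(False, False), (True, False), (False, True)]:
        print(f"snat={snat} allow_asymmetric={asym} ->", handshake(snat, asym))
```

In the third case the modelled firewall forwards the client's packets without ever seeing the reply direction, so it is passing a session it cannot fully track.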

  • mMontana
    mMontana Posts: 1,380  Guru Member

    IMVHO the Fortigate should have the Fritzbox as WAN, and a simple PPTP VPN might be the route between 10.97.0.0/16 and 192.168.99.0/24.

  • Ray00731
    Ray00731 Posts: 13

    Hello,

    Yes, the provider of the server & Fortigate says the same: that SNAT is missing. Without Nebula the connection worked. With Nebula it does not. So I think the feature is missing.

    In 4 locations the configuration without Nebula works fine with policy & static route. The provider of the server & Fortigate will not change their standard config. They use the internal network as primary gateway for VPN and WAN only as backup.

    Regards
    Matthias

  • mMontana
    mMontana Posts: 1,380  Guru Member

    I can see some advantages in Nebula, but not enough to consider it the option for managing Zyxel firewalls.
