SNAT Nebula
Hallo,
ich werde in diversen Standorten die USG60W durch ne USGFLEX 200 ersetzen und habe zu Hause einen Testaufbau mit den Gegebenheiten einer Filiale.
In dem Zuge möchte ich auch alles auf Nebula umstellen und scheitere nun erneut an einer Sache.
Vom Warenwirtschaftanbieter erhalten wir eine Fortigate die einen VPN Tunnel zum Server aufbaut.
Zyxel Netzwerk (VLAN) - 192.168.99.0
Fortigate IP: 192.168.99.200
Ping, Tracert - klappt alles. Nach längerem analysieren mit einem Supporter vom Serveranbieter sieht dieser meine Anfrage eingehen, aber erhält die Meldung das der Client (also ich) die Daten ablehnt. Der Supporter meint, das es am Source Natting liegt.
In der Tat habe ich in einer Filiale ne Policy Router eingerichtet und nun die Frage - wie bekomme ich das in Nebula hin?
Vielen Dank im vorraus
Gruß
Matthias Lagenstein
Accepted Solution
-
Hello,
i had now installed the Zyxel Router with Nebula in our network and the problem is fixed.
That's was the solution:
Asymetrical Route:
SSH > Login
configure terminal
secure-policy asymmetrical-route activate
exit
write
exitThanks to the mail support!
Best regards
Ray007310
All Replies
-
Hi @Ray00731,
Please configure the SNAT from from outgoing-interface to None in policy route.
0 -
Hello,
thank you for your answer.
the configuration on the screen works, so i mustn't change it.
I search the function in Nebula, because there don't work the connection with the extern Fortigate.
0 -
Hi @Ray00731,
You can add static route in Nebula for routing traffic to Fortigate.
0 -
in the “old” Configuration Interface i must set the policy & static route. Without policy route it don't work.
So i must apply the same configuration in Nebula with the SNAT option and i don't know how.
When i set on the windows machine via cmd a route “route /add….” it works.
0 -
Hi @Ray00731 ,
Can you provide a brief network topology with interface IP marked for troubleshooting
0 -
Hi @Zyxel_Cooldia ,
0 -
Here what I think the root cuase of issue.
Triangle route issue (without SNAT to 192.168.99.1)
No triangle route (with SNAT)
So either Zyxel Firewall to allow asymmetric route or doing SNAT can solve the issue.
0 -
IMVHO fortigate should have Fritxbox as WAN and a simple PPTP VPN might be the route among 10.97.0.0/16 and 192.168.99.0/24
0 -
Hello,
yes the offerer from Server & Fortigate mean the same - that SNAT is missing. Without nebula worked the connection. With nebula not. So i think the feature is missing.
In 4 locations the configuration without nebula work fine with policy & static route. The offerer from Server & Fortigate will not change his standard config. They use the internal network as primary Gateway for VPN and WAN only as backup.
Greeting
Matthias0 -
I can see some advantages in Nebula, but not enough for consider that the option for manage Zyxel Firewalls.
0
Zyxel Employee
Master Member
Guru Member
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 164 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 364 USG FLEX H Series
- 292 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 262 Service & License
- 407 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight
