Port forwarding over VPN with Double-NAT

massimo_r
massimo_r Posts: 5
First Comment

I have two site, one with a USG110 and another with a USG200 with a IPSec VPN connection between them. The USG110 is behind a NAT router (a.k.a. Double-NAT). Just like in the example "VPN - Configure IPSec Site-to-Site VPN behind a NAT router"

I need access to a server in the second site using only the public IP of the first site.

How can I configure access to the server using Port forwarding over the VPN?

Thx.

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓

    Ok update it is possible I was entering the wrong port is testing before.

    So on site A if USG has the WAN IP you need a NAT Virtual Server rule like

    incoming interface WAN 1

    external IP WAN1 interface object

    Internal IP the IP of server on site B

    and the port 80

    routing rule

    incoming interface WAN 1

    service port 80

    next hop VPN Tunnel

    your site B Tunnel

    policy control

    from WAN to VPN zone service port 80

    On site B

    routing rule

    incoming interface LAN of server

    advanced

    service port any

    Source port port 80

    next hop VPN Tunnel

    your site A Tunnel

    policy control

    from VPN zone to LAN service port 80

All Replies

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    If you have a VPN tunnel and client on site one can use the tunnel to access the server

  • massimo_r
    massimo_r Posts: 5
    First Comment

    Sorry, I wasn't clear….

    I need to permit to a generic Internet users (I don't know this users Public IP) to access a specific port on a server in the site two behind the USG200 connected via IPSec VPN to the USG110 in the site one . The generic Internet user haven't any VPN client and can access only the site one Public IP.

    Thanks in advance for the help !

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 24

    So the VPN tunnel does not play apart in this.

    If USG has the WAN IP on a WAN interface you just need a NAT Virtual Server rule like

    incoming interface WAN 1

    external IP WAN1 interface object

    Internal IP server IP

    and the port(s)

    plus a policy control rule from WAN to LAN of the server server

  • massimo_r
    massimo_r Posts: 5
    First Comment

    Hi PeterUK, what you suggest is not clear to me. try xplain better my problem.

    I have two site:

    Site A (USG110) connected to internet with a double NAT, with a public IP used by external user to access a internal sever using NAT and all is working fine.

    SIte B (USG200) connected to internet and to Site A with a IPSec VPN

    I have a new server on LAN Site B that must be reached from the same external user using the Site A public IP

    In another word: I want NAT some ports of the new server in the Site B LAN for user who acceess the SIte A public IP.

    Thanks a lot for your time !

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 27

    I see testing here you can not on site A Port forward NAT Virtual Server from the internet down a VPN tunnel to site B

    edit rechecking

    You would need to do Port forward NAT Virtual Server on site B and have user connect to site B.

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓

    Ok update it is possible I was entering the wrong port is testing before.

    So on site A if USG has the WAN IP you need a NAT Virtual Server rule like

    incoming interface WAN 1

    external IP WAN1 interface object

    Internal IP the IP of server on site B

    and the port 80

    routing rule

    incoming interface WAN 1

    service port 80

    next hop VPN Tunnel

    your site B Tunnel

    policy control

    from WAN to VPN zone service port 80

    On site B

    routing rule

    incoming interface LAN of server

    advanced

    service port any

    Source port port 80

    next hop VPN Tunnel

    your site A Tunnel

    policy control

    from VPN zone to LAN service port 80

  • massimo_r
    massimo_r Posts: 5
    First Comment

    PeterUK, I have just one word for you: GREAT !!

    Your solution is perfect for me.

    Thanks a lot for the support.

    Best Regards. Ciao !

Security Highlight