Port forwarding over VPN with Double-NAT
I have two sites, one with a USG110 and another with a USG200, with an IPSec VPN connection between them. The USG110 is behind a NAT router (a.k.a. Double-NAT), just like in the example "VPN - Configure IPSec Site-to-Site VPN behind a NAT router".
I need access to a server in the second site using only the public IP of the first site.
How can I configure access to the server using Port forwarding over the VPN?
Thx.
Accepted Solution
-
OK, update: it is possible. I was entering the wrong port in testing before.
So on site A, if the USG has the WAN IP, you need a NAT Virtual Server rule like:
- incoming interface: WAN 1
- external IP: WAN1 interface object
- internal IP: the IP of the server on site B
- and the port 80
Routing rule:
- incoming interface: WAN 1
- service: port 80
- next hop: VPN Tunnel
- your site B tunnel
Policy control:
- from WAN to VPN zone, service port 80
On site B
Routing rule:
- incoming interface: LAN of server
- advanced
- service port: any
- source port: port 80
- next hop: VPN Tunnel
- your site A tunnel
Policy control:
- from VPN zone to LAN, service port 80
1
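Added example, not part of the thread and not Zyxel code: a small Python model of the packet path the accepted solution sets up, showing why site B needs its own routing rule for the return traffic. All addresses are constructed, the upstream NAT router is folded into site A, and site B is assumed to source-NAT traffic leaving its WAN.

```python
from ipaddress import ip_address

# Constructed addresses (assumptions, not from the thread).
PUBLIC_A = ip_address("198.51.100.10")   # site A public IP (upstream NAT folded in)
PUBLIC_B = ip_address("203.0.113.20")    # site B public IP
SERVER_B = ip_address("10.2.0.10")       # server on the site B LAN
CLIENT = ip_address("192.0.2.77")        # arbitrary Internet user

def site_a_inbound(pkt, virtual_server=True, route_to_tunnel=True,
                   wan_to_vpn_allowed=True):
    """Site A: virtual server (DNAT), routing rule into the tunnel, WAN->VPN policy."""
    if not (virtual_server and pkt["dport"] == 80):
        return None, "no virtual server match"
    pkt = dict(pkt, dst=SERVER_B)            # DNAT to the site B server
    if not route_to_tunnel:
        return None, "DNATed packet has no route into the tunnel"
    if not wan_to_vpn_allowed:
        return None, "policy control drops WAN->VPN"
    return pkt, "tunnel to site B"

def site_b_reply(request, return_route=True):
    """Site B: server reply; the routing rule matches LAN-in traffic with source port 80."""
    reply = {"src": request["dst"], "dst": request["src"],
             "sport": request["dport"], "dport": request["sport"]}
    if return_route and reply["sport"] == 80:
        # Back through the tunnel; site A reverses the DNAT, so the client
        # sees the address it originally connected to.
        return dict(reply, src=PUBLIC_A), "tunnel to site A"
    # Default route: out site B's own WAN, source-NATed to site B's public IP.
    return dict(reply, src=PUBLIC_B), "site B WAN"

def trace(return_route=True, **site_a):
    """Return (client_accepts, path) for one connection to PUBLIC_A port 80."""
    request = {"src": CLIENT, "dst": PUBLIC_A, "sport": 50000, "dport": 80}
    fwd, hop1 = site_a_inbound(request, **site_a)
    if fwd is None:
        return False, [hop1]
    reply, hop2 = site_b_reply(fwd, return_route)
    # A TCP client only accepts replies from the address it connected to.
    return reply["src"] == request["dst"], [hop1, hop2]

if __name__ == "__main__":
    print(trace())                       # full rule set from the accepted solution
    print(trace(return_route=False))     # site B routing rule missing
```

With the site B routing rule removed, the request still reaches the server, but the reply leaves through site B's own WAN and the client discards it.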
All Replies
-
If you have a VPN tunnel, a client on site one can use the tunnel to access the server.
0 -
Sorry, I wasn't clear….
I need to permit generic Internet users (I don't know these users' public IPs) to access a specific port on a server in site two, behind the USG200 connected via IPSec VPN to the USG110 in site one. The generic Internet user doesn't have any VPN client and can access only the site one public IP.
Thanks in advance for the help !
0 -
So the VPN tunnel does not play a part in this.
If the USG has the WAN IP on a WAN interface, you just need a NAT Virtual Server rule like:
- incoming interface: WAN 1
- external IP: WAN1 interface object
- internal IP: server IP
- and the port(s)
plus a policy control rule from WAN to the LAN of the server
0 -
Hi PeterUK, what you suggest is not clear to me. I'll try to explain my problem better.
I have two sites:
Site A (USG110), connected to the internet with a double NAT, with a public IP used by external users to access an internal server using NAT, and all is working fine.
Site B (USG200), connected to the internet and to Site A with an IPSec VPN.
I have a new server on the Site B LAN that must be reached by the same external users using the Site A public IP.
In other words: I want to NAT some ports of the new server in the Site B LAN for users who access the Site A public IP.
Thanks a lot for your time !
0 -
I see, testing here, you cannot on site A port forward (NAT Virtual Server) from the internet down a VPN tunnel to site B. Edit: rechecking.
You would need to do port forwarding (NAT Virtual Server) on site B and have users connect to site B.
0 -