zywall usg60w behind a cisco isr1100/k9
Right now I have a customer with a zyxel usg60w which does the following jobs.
1. It connects via PPPoE to the Internet and gets a static public v4 IP.
2. It holds 2 different subnets, one with the business LAN and one DMZ for the mail server, which is not working live with the internet but relays to the service provider's mailboxes.
3. It connects to a zywall usg20 via IPsec VPN.
So far so good.
Due to an internet line upgrade we have the following problem.
The service provider terminates all services, data & voice, to a cisco isr1100/k9 and provides a block of IPs.
How can I migrate this service to the existing solution so that the cisco isr1100/kr will only be a gateway as far as it concerns the data part? The voice part is, I think, better to leave with the cisco. I mention it just because I think I have to consider it in the bigger picture of the solution.
What I would like to achieve is to get one public IP for the wan1 interface of the zywall usg60w and one for the DMZ interface of the Zywall in order to get the mail server running with a public IP.
Any suggestions?
Giannis
All Replies
-
Hi @jannisb
What kind of IP address will that isr1100/k9 offer? Public IP or private IP?
Can you also share the topology of this environment?
0 -
Hello Stanley,
thanks for your answer.
The isr1100/kr will offer a block of public IPs.
It will keep one for itself and I want to use the rest via the wan port of the USG60W.
Is it possible for the wan port to handle more than one public IP?
The exact configuration of the isr1100/k9 is unknown but I think the telecom company will be willing to make some effort to meet our needs.
I will upload a schematic of the topology later.
0 -
Hi @jannisb
The USG60W has 2 WAN ports.
You can configure 2 IP addresses to each port.
For the rest of the IP addresses, you can add them in a virtual interface or in port forwarding rules for different incoming services or VPN tunnels.
Since the ISP offers public IP addresses, the services should work the same as before.
0 -
Hello Stanley, I did not see your last reply earlier. Sorry for that.
It did work quite well.
I was able to configure 2 IP addresses for the same interface.
I did this via the virtual interface feature.
There is some odd thing going on.
I can forward ports from the wan1 interface and get access to services behind the firewall.
When I try to forward ports from the wan1:1 interface, which I created with the virtual interface function, I cannot do so.
I'm trying to forward ports from both interfaces to the LAN1 interface.
My goal is to forward ports from the wan1:1 interface to the dmz zone.
When I write https://"wan1:1" I get the zywall login perfectly and I can connect to the web interface.
0 -
Hi @jannisb
By default, there is no security policy rule to allow traffic from WAN to DMZ. You can create a rule from WAN to DMZ to allow traffic from external to internal.
Also, you can disable the firewall rule temporarily to troubleshoot this issue. If it works after the firewall rule is disabled, the port forwarding settings are correct and you can go straight to checking the firewall rule.
CLI to disable the firewall rule:
Router(config)# no firewall activate
0
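The troubleshooting logic from the last reply, as an added example that is not part of the thread and not Zyxel code: a simplified Python model in which a port-forwarding entry only translates the destination and a separate WAN-to-DMZ security policy decides whether the traffic passes. The addresses, ports, rule names and the assumption that the policy is matched on the translated internal address are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (documentation ranges), not taken from the thread.
ZONES = {"LAN1": ip_network("192.168.1.0/24"), "DMZ": ip_network("192.168.3.0/24")}

@dataclass(frozen=True)
class Forward:          # port-forwarding entry on a WAN (or virtual) interface
    iface: str
    public_ip: str
    port: int
    internal_ip: str

@dataclass(frozen=True)
class Policy:           # security policy rule (assumed: matched after translation)
    src_zone: str
    dst_zone: str
    dst_ip: str
    port: int

FORWARDS = [
    Forward("wan1", "203.0.113.10", 443, "192.168.1.20"),   # service on LAN1
    Forward("wan1:1", "203.0.113.11", 25, "192.168.3.10"),  # mail server in DMZ
]

def zone_of(ip):
    """Map an address to its zone; anything not internal counts as WAN."""
    return next((z for z, net in ZONES.items() if ip_address(ip) in net), "WAN")

def verdict(dst_ip, port, policies, firewall_active=True):
    """Return (decision, reason) for a connection arriving from the WAN."""
    fwd = next((f for f in FORWARDS if f.public_ip == dst_ip and f.port == port), None)
    if fwd is None:
        return ("drop", "no port-forwarding entry")
    if not firewall_active:               # the temporary troubleshooting state
        return ("forward", "firewall disabled, policy not evaluated")
    dst_zone = zone_of(fwd.internal_ip)
    for p in policies:
        if (p.src_zone, p.dst_zone, p.dst_ip, p.port) == ("WAN", dst_zone, fwd.internal_ip, port):
            return ("forward", f"allowed by WAN-to-{dst_zone} rule")
    return ("drop", f"no WAN-to-{dst_zone} rule (default deny)")

# Assumed starting point: a WAN-to-LAN1 rule exists, nothing allows WAN to DMZ.
EXISTING = [Policy("WAN", "LAN1", "192.168.1.20", 443)]
# Narrow fix: allow only the mail port to the one DMZ host.
NARROW = EXISTING + [Policy("WAN", "DMZ", "192.168.3.10", 25)]
```

If the wan1:1 forward succeeds only with `firewall_active=False`, the forwarding entry is fine and the missing piece is the single WAN-to-DMZ rule in `NARROW`; the firewall goes back on once that rule is in place.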