SSL VPN with multiple address pools on Zyxel USG Flex 100H

seby (Posts: 4, Freshman Member)

I have a Zyxel USG Flex 100H with an SSL VPN configured on the default pool.

My LAN uses two separate subnets, each with a dedicated server.

Is it possible to configure the SSL VPN to handle multiple address pools so that both subnets can be accessed?

All Replies

  • PeterUK (Posts: 4,119, Guru Member)

    You can use Local Networks Only (Split Tunnel) to add the two subnets if you don't use Internet and Local Networks (Full Tunnel).

    If you mean you want one user group to access one subnet and not the other, you can set that up by policy control with the "by user" option.

  • Zyxel_Tina (Posts: 270, Master Member)

    Hi @seby,

    Could you please confirm if your VPN clients should use their own local network for Internet access?

    • If yes, then you can use Split Tunnel, and add the required local subnets so that the clients can access both.
    • If not, you can configure Full Tunnel, which will also allow the clients to reach the different subnets through the VPN.

    Zyxel Tina

  • seby (Posts: 4, Freshman Member)

    Thanks for your replies. Maybe I didn’t explain myself well the first time. What I actually need is for external users connecting through VPN to receive an IP address from one of the internal IP ranges of my network. In my setup I have two different IP classes: depending on the user, one should get an address from the 192.168.x.x range, while another should get one from the 192.168.y.y range.

    On another device I own, a ZyWALL USG20, I noticed that this model allows me to configure multiple SSL_VPN connections, which seems to cover this requirement.

  • PeterUK (Posts: 4,119, Guru Member)

    The SSL client can only get an IP from the SSL IP pool, not from a LAN interface.

    Currently the FLEX H cannot do multiple SSL_VPN, only one IP pool.

  • seby (Posts: 4, Freshman Member)

    Thanks for your reply. I basically made the wrong purchase; it would have been better to buy an older-generation firewall like the ZyWALL ATP200. That way I could set up multiple SSL VPNs with different address classes.

  • PeterUK (Posts: 4,119, Guru Member)
    edited September 18

    But why is one address pool bad?

    If you have SSL VPN pool 192.168.51.0/24

    LAN1 192.168.2.0/24

    LAN2 192.168.7.0/24

    If you want some users from SSL VPN to go to LAN1 and some to LAN2, yes: you can make two user groups, add both to the SSL VPN, then by policy control rule have "from SSL VPN, user group1, to LAN1" and "from SSL VPN, user group2, to LAN2".
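    The design PeterUK describes (one SSL VPN pool, two user groups, a policy-control rule per group and subnet) and the split versus full tunnel choice Zyxel_Tina raises can be checked as a small model before touching the firewall. The script below is an added example written for this thread, not Zyxel firmware code or the forum poster's configuration: it models first-match policy control with an implicit deny, using the pool and LAN prefixes quoted above, and constructed user names, group names and rule names that are assumptions. Addresses in 203.0.113.0/24 are documentation addresses used as a stand-in for "the Internet".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Prefixes from the thread; everything else is constructed for the model.
SSLVPN_POOL = ip_network("192.168.51.0/24")
LAN1 = ip_network("192.168.2.0/24")
LAN2 = ip_network("192.168.7.0/24")
ZONES = {"SSLVPN": SSLVPN_POOL, "LAN1": LAN1, "LAN2": LAN2}

# Constructed users: both groups are members of the single SSL VPN policy.
USER_GROUPS = {"alice": "group1", "carol": "group1", "bob": "group2"}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    user_group: Optional[str]          # None = any authenticated user
    destination: Optional[IPv4Network]  # None = whole destination zone
    action: str                         # "allow" or "deny"


# Ordered policy-control rules; first match wins, nothing matches -> implicit deny.
POLICY = [
    Rule("sslvpn-group1-to-lan1", "SSLVPN", "LAN1", "group1", LAN1, "allow"),
    Rule("sslvpn-group2-to-lan2", "SSLVPN", "LAN2", "group2", LAN2, "allow"),
]


def zone_of(addr: IPv4Address) -> Optional[str]:
    """Map an address to the zone whose prefix contains it."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def tunnel_carries(dst: IPv4Address, mode: str,
                   local_networks: Tuple[IPv4Network, ...]) -> bool:
    """Client side: a full tunnel sends everything through the VPN, a split
    tunnel only the local networks listed in the SSL VPN policy."""
    if mode == "full":
        return True
    return any(dst in net for net in local_networks)


def evaluate(user: str, src: str, dst: str, mode: str = "split",
             local_networks: Tuple[IPv4Network, ...] = (LAN1, LAN2)) -> str:
    """Return 'not-via-vpn', 'allow:<rule>' or 'deny:implicit' for one flow."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if not tunnel_carries(dst_ip, mode, local_networks):
        return "not-via-vpn"          # leaves via the client's own uplink
    group = USER_GROUPS.get(user)
    from_zone, to_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.from_zone != from_zone or rule.to_zone != to_zone:
            continue
        if rule.user_group is not None and rule.user_group != group:
            continue
        if rule.destination is not None and dst_ip not in rule.destination:
            continue
        return f"{rule.action}:{rule.name}"
    return "deny:implicit"


if __name__ == "__main__":
    for user, src, dst in [("alice", "192.168.51.10", "192.168.2.5"),
                           ("alice", "192.168.51.10", "192.168.7.5"),
                           ("bob", "192.168.51.11", "192.168.7.5"),
                           ("bob", "192.168.51.11", "192.168.2.5")]:
        print(user, src, "->", dst, evaluate(user, src, dst))
```

    The point the model makes explicit is that the two groups share one pool, so separation comes entirely from the user-group match in the rule and from the implicit deny; the destination prefix in each rule is what keeps a group1 client out of LAN2 even though both LANs are reachable through the tunnel. Changing the mode to "full" only affects which flows enter the tunnel, not which rules they then hit.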

  • Zyxel_Tina (Posts: 270, Master Member)

    Hi @seby,

    Could you please confirm if you are referring to configuring multiple SSL VPN access policies (with different IP pools) as supported on ZLD firewalls, as shown in the screenshot below?

    [screenshot: SSL VPN access policy list with multiple policies on a ZLD firewall]

    If so, please note that currently only one SSL VPN can be configured on the USG FLEX H series firewalls.

    Since this feature has already been requested by other users, we encourage you to refer to this idea post and show your support by voting or leaving a comment. Thank you!

    Zyxel Tina