zywall usg60w behind a cisco isr1100/k9

jannisb
jannisb Posts: 11
First Anniversary First Comment
edited April 2021 in Security
Hello i m looking for suggestions for the following issue
right now i have a customer with a zyxel usg60w which does the following jobs.
1/it connects via PPPoE to the Internet and gets a static puclic v4 ip.
2/it holds 2 different subnets 1 with the business LAN and one DMZ for the mail server which is not 
working live with the internet but relays to the service providers mailboxes.
3.it connects to a zywall usg20 via ipsec vpn.
so far so good.
due to a internet line upgrade we have the following problem.
the service provider terminates all services , data & voice , to a cisco isr1100/k9 and provides a block of ips
how can i migrate this service to the existing solution so that the cisco isr1100/kr will only be a gateway as
far as it concerns the data part.the voice part is i think better to leave with the cisco .i mention it just because i think i have to consider it , in the bigger picture of the solution.
what i would like to achieve is to get one public ip for the wan1 interface of the zuwall usg60w and one for the DMZ interface of the Zywall in order to get the mail server running with a public ip.
Any suggestions?

Giannis 

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @jannisb

    What kind IP address that isr1100/k9 will offer? public IP or private IP?
    Can you also share the topology of this environment?

  • jannisb
    jannisb Posts: 11
    First Anniversary First Comment
    Hello Stanley ,
    thanks for your answer.
    the isr1100/kr will offer a block of public ip's.
    it will keep one for itself and i want to use the rest via the wan port of the USG60W.
    is it possible for the wan port to handle more than one public ip?
    the exact configuration of the isr1100/k9 is unknown but i think the telecom company will be willing to make some effort to meed our needs.
    i will upload later a schematic of the topology.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @jannisb  

    USG60W with 2 WAN ports.

    You can configure 2 IP addressed to each ports.

    For the rest IP addresses, you can add in virtual interface or port forwarding rules for different incoming service or VPN tunnel.

    Due to ISP offers public IP address, so the services should working the same as before.


  • jannisb
    jannisb Posts: 11
    First Anniversary First Comment

    hello Stanley did not see your last reply earlier.sorry for that.

    it did work quite well.

    i was able to configure 2 ip adresses for the same interface.

    i did this via the virtual interface feature.

    there is some odd thing going on

    i can forward ports from the wan1 interface and get access to services behind the firewall.

    when i try to forward ports from the wan1:1 interface which i created with the virtual interface function i cannot do so.

    i m trying to forward ports from both interfaces to the LAN1 interface.

    my goal is to forward ports from the wan1:1 interface to the dmz zone.

    when i write https://"wan1:1" is get the zywall login perfectly and i can connect to the web interface.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @jannisb

    By default, there is no security policy rule to allow traffic from WAN to DMZ. You can create a rule from WAN to DMZ to allow traffic from external to internal.

    Also, you can disable the firewall rule temporarily to troubleshoot this issue. If it works after firewall rule disable, the port forwarding settings is correct, you can go straightly to check the firewall rule.

    CLI disable firewall rule:

    Router(config)# no firewall activate

Security Highlight