ATP500 IPSec, SSL and NAT

Cesar_SysAD Posts: 4
edited April 2021 in Security
Hello everyone.

Hope that everyone's doing great in these times that we're going through.

I need help with an ATP 500. I just configured one for a client; I was able to configure the IPSec tunnels and the SSL VPN, and I also did a NAT for a port that needs to be forwarded to a server inside the client's network.

This client has 3 sites and the ATP connects to them via IPSec tunnels. None of these sites has a static WAN IP, so they all dial out to the Zyxel.

For some reason Zyxel doesn't let us permit more than one subnet in either the remote policy or the local policy, but I need the SSL VPN subnet to also be able to reach the other sites. This is my first issue.

Next one: in one of these sites we have a server that needs to be reached, but the WAN IP used to reach it is the one that the Zyxel gets, because that one is the fixed IP. I tried to NAT, but it didn't work, probably because the Zyxel can't forward this traffic via the IPSec tunnel? I don't know. If anyone could help me with both questions, I would appreciate it.


Stay safe.

All Replies

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    edited May 2020
    As you mentioned, you can only configure one subnet in either the remote policy or the local policy.
    However, you can widen the subnet so that it includes the servers' IP addresses.

    Is the server behind the ATP?
    If so, you can access it via the VPN tunnel without NAT.
    You may want to draw the topology to understand it more easily.
  • Cesar_SysAD
    Cesar_SysAD Posts: 4
    edited May 2020

    The sites all dial out to the main site; they have IPs in the ranges 192.168.4.0/24, 192.168.5.0/24 and 192.168.8.0/24.
    The main site IPs are 192.168.0.0/24
    The SSL VPN IPs are 192.168.200.0/24

    I want the people who are logged in to the VPN to be able to reach the other networks. Are you saying that if I do something like changing the local policy and remote policy netmask so that all the subnets fit in the same subnet, it will work?

    For example, I could change the mask to 255.255.0.0; this way I would be sure that all the subnets fit in.

    The other issue is that we have a piece of software in site 3 that people access from outside, but since site 3's IP is a dynamic one, we're using the main site to forward the software to site 3. For some reason the NAT that I created isn't working.

    EDIT: I was able to get past one of the issues by configuring additional IPSec tunnels for the SSL VPN IPs.
    Now the only issue I have is port forwarding over IPSec. I need people from outside the network to be able to connect to our main site's WAN IP and get forwarded to a server in one of the sites.
  • zyman2008
    zyman2008 Posts: 197  Master Member
    Since the fixed office sites use 192.168.0.0/24, 192.168.4.0/24, 192.168.5.0/24 and 192.168.8.0/24,
    that is not easy to change.
    But the SSL VPN IP range is easy to change without changing end users' current behavior.
    I suggest using 192.168.0.0/20 (192.168.0.0/255.255.240.0), i.e. 192.168.0.0/24 - 192.168.15.0/24, as the company IP address space, and changing the SSL VPN IP pool to 192.168.15.0/24.
    1. On Main site
    (1) Main Site to Site 1 IPSec network policy:
    local policy: 192.168.0.0/20, remote policy: 192.168.4.0/24
    (2) Main Site to Site 2 IPSec network policy:
    local policy: 192.168.0.0/20, remote policy: 192.168.5.0/24
    (3) Main Site to Site 3 IPSec network policy:
    local policy: 192.168.0.0/20, remote policy: 192.168.8.0/24
    2. On Site 1
    Site 1 to Others IPSec network policy: 
    local policy: 192.168.4.0/20, remote policy: 192.168.0.0/20
    3. On Site 2
    Site 2 to Others IPSec network policy: 
    local policy: 192.168.5.0/20, remote policy: 192.168.0.0/20
    4. On Site 3
    Site 3 to Others IPSec network policy: 
    local policy: 192.168.8.0/20, remote policy: 192.168.0.0/20

    For the NAT from the main site's Internet side over the site-to-site tunnel to the site 3 server,
    you need to add a policy route on both main and site 3:
    1. On main site:
    From: any, To: server private IP, next-hop: tunnel to Site 3
    2. On Site 3:
    From: server private IP, next-hop: tunnel to Main site
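
A small check of the addressing plan above, written for this thread as an added example (it is not Zyxel code and does not talk to any device). It takes the subnets quoted in the thread, computes the smallest single prefix that can serve as the hub's local policy, verifies the two goals of the plan (every spoke LAN is matched by its remote policy, and the SSL VPN pool sits inside every local policy so dial-in users can reach every spoke), and classifies each local/remote selector pair. Running the branch-side selectors through it shows that 192.168.4.0/20 has host bits set and is installed as 192.168.0.0/20, identical to the remote policy, while the hub-side plan nests a /24 remote inside a /20 local. Whether a given gateway accepts nested or identical selectors is vendor-specific and not something this script can tell you. The site labels and function names are this example's own.

```python
"""Sanity-check IPsec traffic selectors for a hub-and-spoke layout.

Added example for this thread; not Zyxel code, runs offline. Addresses are the
ones quoted in the thread; site names and function names are made up here.
"""
from ipaddress import ip_network

# Addressing from the thread (constructed example data)
MAIN_LAN = ip_network("192.168.0.0/24")
SITES = {
    "site1": ip_network("192.168.4.0/24"),
    "site2": ip_network("192.168.5.0/24"),
    "site3": ip_network("192.168.8.0/24"),
}
SSL_POOL_OLD = ip_network("192.168.200.0/24")   # pool in the original post
SSL_POOL_NEW = ip_network("192.168.15.0/24")    # pool proposed in the thread


def normalize(cidr):
    """Prefix a router actually installs for a loosely written CIDR.
    '192.168.4.0/20' has host bits set; the installed route is 192.168.0.0/20."""
    return ip_network(cidr, strict=False)


def aggregate(nets):
    """Smallest single prefix containing every network in nets."""
    nets = [normalize(n) for n in nets]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    cand = ip_network(f"{lo}/32")
    while cand.broadcast_address < hi:   # widen one bit at a time from the lowest address
        cand = cand.supernet()
    return cand


def selector_relation(local, remote):
    """Classify a local/remote selector pair. Two CIDR prefixes are either
    disjoint or nested, so these four labels cover every case."""
    local, remote = normalize(local), normalize(remote)
    if not local.overlaps(remote):
        return "disjoint"
    if local == remote:
        return "identical"
    if remote.subnet_of(local):
        return "local-contains-remote"
    return "remote-contains-local"


def check_hub_plan(hub_policies, ssl_pool):
    """hub_policies: {site: (local_selector, remote_selector)} as set on the hub.
    Returns findings; an empty list means every spoke LAN is matched by its
    remote selector, the SSL pool is inside every local selector, and the pool
    does not collide with any spoke LAN."""
    findings = []
    pool = normalize(ssl_pool)
    for site, (local, remote) in hub_policies.items():
        local, remote = normalize(local), normalize(remote)
        lan = SITES[site]
        if not lan.subnet_of(remote):
            findings.append(f"{site}: LAN {lan} not covered by remote selector {remote}")
        if not pool.subnet_of(local):
            findings.append(f"{site}: SSL pool {pool} not inside local selector {local}; VPN users cannot reach {site}")
        if pool.overlaps(lan):
            findings.append(f"{site}: SSL pool {pool} collides with LAN {lan}")
    return findings


def hub_policies_with_local(local):
    """Build the hub's three tunnels with one common local selector."""
    return {site: (local, str(lan)) for site, lan in SITES.items()}


if __name__ == "__main__":
    print("aggregate with new pool:", aggregate([MAIN_LAN, *SITES.values(), SSL_POOL_NEW]))
    print("aggregate with old pool:", aggregate([MAIN_LAN, *SITES.values(), SSL_POOL_OLD]))
    print("original plan:", check_hub_plan(hub_policies_with_local("192.168.0.0/24"), SSL_POOL_OLD))
    print("proposed plan:", check_hub_plan(hub_policies_with_local("192.168.0.0/20"), SSL_POOL_NEW))
    print("hub side  :", selector_relation("192.168.0.0/20", "192.168.4.0/24"))
    print("branch side:", normalize("192.168.4.0/20"), selector_relation("192.168.4.0/20", "192.168.0.0/20"))
```

Two things the output makes concrete: the /16 idea from earlier in the thread would satisfy the two goals as well, but only because a /16 local selector also contains every spoke LAN; and the proposed /20 keeps the aggregate as small as the existing subnets allow while still leaving room for the relocated SSL pool.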

  • Cesar_SysAD
    Cesar_SysAD Posts: 4
    edited May 2020
    zyman2008 said:
    Since the fixed office sites use 192.168.0.0/24, 192.168.4.0/24, 192.168.5.0/24 and 192.168.8.0/24,
    that is not easy to change.
    But the SSL VPN IP range is easy to change without changing end users' current behavior.
    I suggest using 192.168.0.0/20 (192.168.0.0/255.255.240.0), i.e. 192.168.0.0/24 - 192.168.15.0/24, as the company IP address space, and changing the SSL VPN IP pool to 192.168.15.0/24.
    1. On Main site
    (1) Main Site to Site 1 IPSec network policy:
    local policy: 192.168.0.0/20, remote policy: 192.168.4.0/24
    (2) Main Site to Site 2 IPSec network policy:
    local policy: 192.168.0.0/20, remote policy: 192.168.5.0/24
    (3) Main Site to Site 3 IPSec network policy:
    local policy: 192.168.0.0/20, remote policy: 192.168.8.0/24
    2. On Site 1
    Site 1 to Others IPSec network policy: 
    local policy: 192.168.4.0/20, remote policy: 192.168.0.0/20
    3. On Site 2
    Site 2 to Others IPSec network policy: 
    local policy: 192.168.5.0/20, remote policy: 192.168.0.0/20
    4. On Site 3
    Site 3 to Others IPSec network policy: 
    local policy: 192.168.8.0/20, remote policy: 192.168.0.0/20

    For the NAT from the main site's Internet side over the site-to-site tunnel to the site 3 server,
    you need to add a policy route on both main and site 3:
    1. On main site:
    From: any, To: server private IP, next-hop: tunnel to Site 3
    2. On Site 3:
    From: server private IP, next-hop: tunnel to Main site

    Since the IPSec VPNs are already working, I only tried the NAT part, and I didn't get it to work.
    I created the rule as you said, but with no luck.

    From inside the main site I checked whether the port was open on site 3, and it is, so it's the requests coming from the outside that aren't working.
  • zyman2008
    zyman2008 Posts: 197  Master Member
    Is the related security policy also created?
    On main site:
    From WAN to IPSec, source: any, destination: server private IP, service: (the port of your server), action: allow, log
    On Site 3:
    From IPSec to LAN, source: any, destination: server private IP, service: (the port of your server), action: allow, log

    If the rules are created,
    check the log; if there is a hit in the log, that means the connection passed.
    At least then you know the traffic is forwarded to site 3.
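
The policy-route and security-policy steps from zyman2008's two replies above, modelled as an added example that is not part of the thread and is not any vendor's forwarding engine. It is a toy model: it assumes (as labelled in the code) that a policy route is consulted before the tunnel's own selectors, that anything unmatched takes the default route to WAN, and that a hit in the hub's "accept" log corresponds to the request being delivered; the client, hub WAN and server addresses are made up. It walks the forwarded request from the Internet to the server and then the server's reply back, and reports when the reply leaves by a different path than the request came in on.

```python
"""Hub-and-spoke port-forward over IPsec: does the reply come back the same way?

Added example for this thread; a toy forwarding model, not a vendor's engine.
Assumptions (not from the thread): policy routes are consulted before tunnel
selectors; unmatched traffic takes the default route to WAN. Client and server
addresses below are constructed.
"""
import copy
from ipaddress import ip_address, ip_network

CLIENT = "203.0.113.10"      # Internet user (TEST-NET-3, constructed)
SERVER = "192.168.8.50"      # application server at site 3 (constructed)


def net(cidr):
    return ip_network(cidr, strict=False)


# Selectors as proposed in the thread: hub local 192.168.0.0/20, spoke LAN /24.
DEVICES = {
    "main": {
        "lan": net("192.168.0.0/24"),
        "tunnels": {"site3": (net("192.168.0.0/20"), net("192.168.8.0/24"))},
        "policy_routes": [],  # (src_net, dst_net, next_hop); first match wins
    },
    "site3": {
        "lan": net("192.168.8.0/24"),
        "tunnels": {"main": (net("192.168.8.0/24"), net("192.168.0.0/20"))},
        "policy_routes": [],
    },
}


def next_hop(dev, src, dst):
    """Forwarding decision on one device: policy routes, then the tunnel whose
    local/remote selectors match, then the directly connected LAN, else WAN."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net, hop in dev["policy_routes"]:
        if src in src_net and dst in dst_net:
            return hop
    for peer, (local, remote) in dev["tunnels"].items():
        if src in local and dst in remote:
            return f"tunnel:{peer}"
    if dst in dev["lan"]:
        return "lan"
    return "wan"


def trace(devices, start, src, dst, max_hops=4):
    """Follow a packet device by device. Returns (path, status) where status is
    'delivered', 'exits-wan@<device>' or 'loop'."""
    path, dev = [], start
    for _ in range(max_hops):
        hop = next_hop(devices[dev], src, dst)
        path.append((dev, hop))
        if hop.startswith("tunnel:"):
            dev = hop.split(":", 1)[1]
            continue
        return path, ("delivered" if hop == "lan" else f"exits-wan@{dev}")
    return path, "loop"


def port_forward_roundtrip(devices):
    """Request already DNAT'd on the hub to SERVER, then the server's reply.
    'ok' only if the request is delivered AND the reply exits via the hub,
    i.e. from the WAN address the client is actually talking to."""
    req_path, req = trace(devices, "main", CLIENT, SERVER)
    if req != "delivered":
        return f"request-fails: {req_path}"
    rep_path, rep = trace(devices, "site3", SERVER, CLIENT)
    if rep != "exits-wan@main":
        return f"reply-asymmetric: {rep_path}"
    return "ok"


def add_policy_route(devices, device, src_net, dst_net, hop):
    """Copy of devices with one policy route appended on `device`."""
    out = copy.deepcopy(devices)
    out[device]["policy_routes"].append((net(src_net), net(dst_net), hop))
    return out


def thread_fix(devices):
    """Both routes from the thread: hub any->server into the tunnel, and
    site 3 server->any back into the tunnel. (A tighter version would exclude
    site 3's own LAN from the second route's destination.)"""
    d = add_policy_route(devices, "main", "0.0.0.0/0", SERVER + "/32", "tunnel:site3")
    return add_policy_route(d, "site3", SERVER + "/32", "0.0.0.0/0", "tunnel:main")


if __name__ == "__main__":
    hub_only = add_policy_route(DEVICES, "main", "0.0.0.0/0", SERVER + "/32", "tunnel:site3")
    print("no policy routes:", port_forward_roundtrip(DEVICES))
    print("hub route only  :", port_forward_roundtrip(hub_only))
    print("both routes     :", port_forward_roundtrip(thread_fix(DEVICES)))
```

The "hub route only" case is the one to compare with a hub log that shows the request accepted: the request is delivered, so the hub's allow rule fires, but the reply leaves site 3 by its own (dynamic) WAN rather than the tunnel, and the client never sees an answer from the address it connected to. One thing the model deliberately does not enforce: a policy-based IPsec SA only carries packets that match its selectors, so if your gateway applies the selectors to traffic a policy route steers into the tunnel, the forwarded request must also be source-NATed to a hub address (or the selectors widened) before it can enter the tunnel at all.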
     
  • zyman2008 said:
    Is the related security policy also created?
    On main site:
    From WAN to IPSec, source: any, destination: server private IP, service: (the port of your server), action: allow, log
    On Site 3:
    From IPSec to LAN, source: any, destination: server private IP, service: (the port of your server), action: allow, log

    If the rules are created,
    check the log; if there is a hit in the log, that means the connection passed.
    At least then you know the traffic is forwarded to site 3.
     
    Yup, I got the hit; it says that the packet was accepted.
    So either the other side doesn't know how to forward the packet back, or it's the device on the other site.
    I forgot to mention that the device on the other site is a DrayTek. Probably that's what's causing the issue here.
