When creating 1:1 NAT rules for local hosts, these local hosts become unreachable through VPN IPSec.

Question

When creating 1:1 NAT rules for local hosts, these local hosts become unreachable through VPN IPSec.
However, if using Virtual Server as the NAT type, there is no such problem.
Why is this the case?

Answer

The virtual server function is a "port forwarding" function: it only forwards the configured ports from the WAN IP to the local host.
The 1:1 NAT function forwards all traffic between the public IP and the local server.
When "1:1 NAT" is used, the local host's traffic can't reach the tunnel because all of its traffic is sent out through the WAN interface.
In "Packet Flow Explore", the priority of the 1:1 NAT (SNAT) route is higher than that of the site-to-site VPN when 1:1 NAT is enabled, so the VPN policy never sees the traffic.
To solve this problem, change the routing priority so that the VPN route is evaluated before the 1:1 NAT route.
For legacy models on the ZLD 3.30 platform, use the following CLI command:
ip route control-virtual-server-rules activate

For newer USG/ZyWALL series on ZLD 4.13, enable "Use Static-Dynamic Route to Control 1-1 NAT Route" in the GUI.

Then the priority of the site-to-site VPN becomes higher than the 1:1 NAT route, and the local hosts are reachable through the tunnel again.
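As an added illustration (not from the article and not Zyxel's firmware code), the following is a simplified first-match model of the packet-flow order described above, using constructed sample addresses. It shows why a 1:1 NAT host's traffic to the remote VPN subnet leaves via WAN unless the route check runs first, and why a virtual server (inbound port forwarding only) does not interfere.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing (hypothetical, not from the article)
LAN_HOST = ip_address("192.168.1.10")          # local server behind the firewall
WAN_IP = ip_address("203.0.113.10")            # public IP mapped to the local server
REMOTE_VPN_SUBNET = ip_network("10.20.0.0/16")  # subnet behind the IPSec peer


@dataclass
class Config:
    nat_type: str                           # "1:1" or "virtual-server"
    route_controls_1to1_nat: bool = False   # the GUI option / CLI command in the article


def egress(cfg: Config, src: IPv4Address, dst: IPv4Address):
    """Return (interface, source address as seen on the wire) for one packet."""

    def one_to_one_snat(s, d):
        # 1:1 NAT claims ALL traffic of the mapped host and rewrites it to the WAN IP
        if cfg.nat_type == "1:1" and s == LAN_HOST:
            return ("wan", WAN_IP)
        return None

    def vpn_policy(s, d):
        # site-to-site VPN only claims traffic for the remote subnet
        if d in REMOTE_VPN_SUBNET:
            return ("tunnel", s)
        return None

    # Default ZLD order (per the article): 1:1 NAT route before VPN; the option
    # "Use Static-Dynamic Route to Control 1-1 NAT Route" puts the route check first.
    # A virtual server is inbound DNAT only, so it never claims outbound traffic.
    if cfg.nat_type == "1:1" and not cfg.route_controls_1to1_nat:
        stages = [one_to_one_snat, vpn_policy]
    else:
        stages = [vpn_policy, one_to_one_snat]

    for stage in stages:            # first matching stage wins
        decision = stage(src, dst)
        if decision is not None:
            return decision
    return ("wan", WAN_IP)          # default route: everything else leaves via WAN


if __name__ == "__main__":
    peer = ip_address("10.20.5.5")
    for cfg in (Config("1:1"), Config("1:1", True), Config("virtual-server")):
        print(cfg, "->", egress(cfg, LAN_HOST, peer))
```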
Question Profile

ARTICLE ID: 015118
TYPE: Spec. Info
FIRMWARE: 4.13 patch 1; 3.30 patch 7
MODEL: USG100-PLUS, USG110, USG1100