mudtoe
join:2005-10-09 Cleveland, OH
·Cincinnati Bell
Z5/Z35 Routing an Internet IP address thru VPN
Hi folks:
I was wondering if there was a way to force-route an internet IP address through a VPN between two Zywall routers such that the access to the IP address occurred through the remote Zywall's WAN interface. I've got two Zywalls with a VPN between them, and they are on different ISPs. I've got a laptop that can be used at either site, but it uses email from only one of the ISPs. I want to be able to route the SMTP address of the first ISP, if it comes through the Zywall connected to the second ISP, through the VPN and out the WAN port of the Zywall connected to the first ISP. That way I get around the problem of the first ISP only allowing access to their SMTP server from within their network. The only other alternative I can think of is to set up a proxy server on the local LAN of the Zywall connected to the first ISP.
Suggestions welcome.
mudtoe
Bwuutje
join:2005-01-10
No, not possible.
Bwuutje.
lorennerol Premium join:2003-10-29 Seattle, WA
said by Bwuutje: No, not possible. Bwuutje.
Couldn't this be done with a policy route? I haven't tried it, but it seems like it could be possible.
mudtoe
join:2005-10-09 Cleveland, OH
I was reading about the policy routes, but I didn't see anything offhand in it that would allow me to do what I want.
mudtoe
dslpartner
join:2005-02-18
reply to mudtoe
Try to make a second VPN tunnel to the site with the DNS server, i.e. you have 2 tunnels to the same gateway address. The second tunnel is just for the IP address of the DNS server.
-- "Perl is executable line noise, Python is executable pseudo-code."
lorennerol Premium join:2003-10-29 Seattle, WA
reply to mudtoe
Why not just make a static DHCP assignment for your laptop and make a policy route to send all traffic from that IP through the default gateway on the remote LAN?
mudtoe
join:2005-10-09 Cleveland, OH
·Cincinnati Bell
reply to dslpartner
dslpartner, forgive me for being dense, but what would that accomplish for me? I'm not having an issue resolving the DNS name of the SMTP server, as I could either hard-code it in the laptop or put the entry in the DNS table of the router servicing ISP 2 if it wouldn't resolve via ISP 2's DNS server. I can't see how having a second tunnel is going to allow me to route the actual data to the SMTP server through the VPN. Can you clarify this for me?
Thanks,
mudtoe
mudtoe
join:2005-10-09 Cleveland, OH
·Cincinnati Bell
reply to lorennerol
said by lorennerol: Why not just make a static DHCP assignment for your laptop and make a policy route to send all traffic from that IP through the default gateway on the remote LAN?
That's an interesting idea. Somehow when I was reading about the policy routes I got the impression that I could only target things to the LAN side of the remote router. If that's not the case, then the only issue would be that browsing and downloading on the laptop, when it's connected to the second site, would be slowed to the speed of the upload capability of the primary site. That might be an acceptable trade-off though, as I think most of the internet access on the laptop would be browsing and email, not file transfers.
mudtoe
dslpartner
join:2005-02-18
reply to mudtoe
said by mudtoe: dslpartner, forgive me for being dense, but what would that accomplish for me? I'm not having an issue resolving the DNS name of the SMTP server, as I could either hard-code it in the laptop or put the entry in the DNS table of the router servicing ISP 2 if it wouldn't resolve via ISP 2's DNS server. I can't see how having a second tunnel is going to allow me to route the actual data to the SMTP server through the VPN. Can you clarify this for me? Thanks, mudtoe
VPN is not routed, at least it was not pre-ZyNOS 4.0, and I doubt it has changed since; it might be different on the ZLD-based devices.
VPN is done by classifier, which means that all traffic coming from the LAN side destined for the WAN side will be checked against the IP ranges/subnets defined for the remote VPN sites. If the destination IP is in one of the remote VPN sites, it will be encrypted and forwarded to the correct remote gateway. Since this is not already happening, based on your info, I can only deduce that the LAN IP of the SMTP server in the remote VPN site is not part of the remote address scope that is used for the tunnel. So either extend the scope or just add a second tunnel for just that LAN IP. You will of course need to add the corresponding VPN rule on the remote side.
bbarrera Premium, MVM join:2000-10-23 Sacramento, CA
VPN in ZLD devices is different, and more flexible than in ZyNOS devices. Everything in ZLD devices is handled by routing, and in fact for complex intranets with interior routers you need to set up both static routes and policy routes to make routing work. In ZLD you can apply NAT to VPN traffic, which can be helpful for some VPN scenarios.
I understand the original question but can't immediately comment on whether this is possible with the zw1050 or USG300 (both ZLD devices).
mudtoe
join:2005-10-09 Cleveland, OH
·Cincinnati Bell
reply to dslpartner
dslpartner, I think I get what you are driving at. Are you suggesting that I set up a second tunnel with just a single IP address, the address of ISP 1's SMTP server, as the "range" of the tunnel? That might be interesting. The thing I don't know is if something going through the tunnel can be routed to the WAN interface on the destination end of the tunnel. However, it's worth a try as that's not too hard to set up.
mudtoe
dslpartner
join:2005-02-18
Sorry, I missed the part about the ISP's SMTP server, I thought it was in the remote LAN.
So is this what you are trying to achieve?
LAN 1 .. ISP 1 -- Internet -- ISP 2 -- LAN 2 | |--- SMTP server
And the SMTP server is not in LAN 2?
Well then you can still do it with the 2nd tunnel, but you need to get the ZyWALL at LAN 2 to send the traffic back out onto the WAN port after it decrypts it, and of course LAN 2 must use NAT.
There was a CI command to do the extra routing, but I do not remember it; somebody smarter than me will probably chime in with it.
-- "Perl is executable line noise, Python is executable pseudo-code."
ayh20
join:2008-07-10
reply to mudtoe
Yes you can .... :D
When you configure the remote LAN range ...... normally you'd have something like 168.4.2.0 255.255.255.0 ..... just configure it so it's 0.0.0.0 and 0.0.0.0 ... that way it routes ALL traffic via that VPN interface ... works with things like the Greenbow client to a Zyxel device.
Andy
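The mechanics that dslpartner describes (a selector-based classifier that only encrypts traffic whose destination falls inside a tunnel's remote scope, plus the need for the far gateway to hairpin and NAT anything that is not for its own LAN) and ayh20's 0.0.0.0/0 remote-range trick are easy to confuse without a concrete model. The following is an added illustration, not ZyWALL code or configuration syntax: it models both gateways' phase-2 selector matching and the SNAT at site 1, and traces the laptop's SMTP packet and its reply under each approach discussed in the thread. All addresses are constructed (RFC 1918 and RFC 5737 ranges), the "first matching rule wins" order is an assumption of the model, and the last scenario (a /32 local scope for the laptop only, which is what lorennerol's source-based policy route amounts to) is a generalisation not proposed by anyone above.

```python
"""Model of selector-based IPsec forwarding for the two-ZyWALL scenario.

Added example, not ZyWALL code. Addresses and matching order are assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not taken from the thread)
LAN1 = ip_network("192.168.1.0/24")         # site 1 LAN, behind the ZyWALL on ISP 1
LAN2 = ip_network("192.168.2.0/24")         # site 2 LAN, behind the ZyWALL on ISP 2
WAN1 = ip_address("198.51.100.10")          # site 1 public address (ISP 1 space)
WAN2 = ip_address("192.0.2.20")             # site 2 public address (ISP 2 space)
ISP1_SPACE = ip_network("198.51.100.0/24")  # what ISP 1's SMTP server accepts mail from
SMTP1 = ip_address("198.51.100.250")        # ISP 1's SMTP server, inside ISP 1 space
LAPTOP = ip_address("192.168.2.50")         # the laptop, currently plugged in at site 2
WEB = ip_address("203.0.113.80")            # an unrelated internet host (browsing)


class Tunnel:
    """One phase-2 rule: packets from `local` to `remote` are encrypted to the peer."""

    def __init__(self, name, local, remote):
        self.name = name
        self.local = ip_network(str(local))
        self.remote = ip_network(str(remote))

    def matches(self, src, dst):
        return src in self.local and dst in self.remote

    def mirrored(self):
        """The corresponding rule the peer gateway needs: selectors swapped."""
        return Tunnel(self.name, self.remote, self.local)


def classify(tunnels, src, dst):
    """Classifier step on a gateway: first tunnel whose selectors match, else plain WAN.
    (First-match order is a modelling assumption.)"""
    src, dst = ip_address(src), ip_address(dst)
    for t in tunnels:
        if t.matches(src, dst):
            return t.name
    return "wan"


def trace_smtp(site2_tunnels, src=LAPTOP, dst=SMTP1):
    """Follow one packet from a site-2 host to an internet SMTP server and its reply.
    Returns how it left site 2, what public source the server saw, whether the
    server's ISP-1-only policy accepted it, and how the reply came back."""
    src, dst = ip_address(src), ip_address(dst)
    if dst in LAN1:
        raise ValueError("this trace models an internet destination, not a LAN1 host")
    site1_tunnels = [t.mirrored() for t in site2_tunnels]
    out = {"forward_via": classify(site2_tunnels, src, dst)}

    if out["forward_via"] == "wan":
        public_src = WAN2          # left site 2 directly; NATed into ISP 2 space
    else:
        # Decrypted at site 1. dst is not in LAN1, so site 1 must hairpin the packet
        # out its WAN and SNAT it to WAN1; without NAT the source would stay
        # 192.168.2.x, which nothing on the internet can route a reply back to.
        public_src = WAN1

    out["seen_by_smtp_as"] = str(public_src)
    out["accepted"] = public_src in ISP1_SPACE
    if not out["accepted"]:
        out["reply_via"] = None
        return out

    # Reply: the server answers the public address; the gateway that NATed undoes it,
    # then classifies the reply (src=server, dst=laptop) like any other packet.
    out["reply_via"] = classify(site1_tunnels, dst, src) if public_src == WAN1 else "wan"
    return out


# Scenario 1: only the existing LAN-to-LAN tunnel. SMTP1 is outside LAN1, so the
# packet never enters the tunnel and reaches the server from ISP 2 space.
LAN_ONLY = [Tunnel("lan2lan", LAN2, LAN1)]

# Scenario 2: dslpartner's second rule whose remote scope is just the server's /32.
# Browsing still leaves via ISP 2; only SMTP traffic is hairpinned through site 1.
SECOND_TUNNEL = LAN_ONLY + [Tunnel("smtp-hairpin", LAN2, f"{SMTP1}/32")]

# Scenario 3: ayh20's 0.0.0.0/0 remote range. ALL traffic from LAN2, including every
# other host's browsing, now crosses the tunnel (mudtoe's bandwidth concern).
ALL_VIA_VPN = LAN_ONLY + [Tunnel("default-via-vpn", LAN2, "0.0.0.0/0")]

# Scenario 4 (generalisation, not from the thread): narrow the local scope to the
# laptop's fixed address, so only its traffic is hairpinned. Functionally this is
# lorennerol's "policy route by source IP" expressed as a selector.
LAPTOP_ONLY = LAN_ONLY + [Tunnel("laptop-via-vpn", f"{LAPTOP}/32", "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rules in [("lan-only", LAN_ONLY), ("second-tunnel", SECOND_TUNNEL),
                        ("all-via-vpn", ALL_VIA_VPN), ("laptop-only", LAPTOP_ONLY)]:
        print(name, trace_smtp(rules))
        print("   laptop browsing leaves via:", classify(rules, LAPTOP, WEB))
        print("   other site-2 host browsing leaves via:",
              classify(rules, "192.168.2.77", WEB))
```

Two things the model makes visible that the thread only implies: the second tunnel only works if site 1 also NATs the decrypted traffic to its WAN address (the reply must come back to an address ISP 1 can route), and the mirrored rule on site 1 must have the server's address (or 0.0.0.0/0) as its local scope, otherwise the reply is not classified back into the tunnel. It also shows the cost of the 0.0.0.0/0 trick with a whole-LAN local scope: every host at site 2 loses its direct internet path, whereas a /32 local scope confines the detour to the laptop.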