Zywall USG and Public Static IP
I am having an issue, as I have a Zywall USG used with Public Static IPs, on the Zywall 5/35 when the servers posted emails / SMTP the Static IP was shown on the header, now with the Zywall USG the Dynamic IP provided by the ISP (wan1_ppp) to the router is shown, and not the Public Static IP...
Any idea how to set up the routing to be sure that the Public Static IP is used to "output" data to the internet and not the Dynamic one?
Are you talking about servers on the LAN side of the ZyWALL or the servers/daemons inside the ZyWALL?
"Perl is executable line noise, Python is executable pseudo-code."
Talking about Servers in the LAN side,
Found solution, that works.
1-to-1 NAT (Address Mapping) (Firmware v2.12)
Step by step guide to configure 1 to 1 NAT in ZyWALL USG firewalls. (This is similar to the Address Mapping in old ZyWALLs)
To start, we need to create 2 new objects, one for the internal IP and one for the external IP. Therefore log on to your ZyWALL's WebGUI using your web browser.
Navigate in the left menu to Object -> Address -> Address then click on the Add button in the upper right corner to create a new object.
Create the 1st address object for mapping to the internal host. In this example we use the internal IP: 192.168.1.33
Create the 2nd address object for the public IP. In this example we use the external IP: 22.214.171.124.
Now you will have 2 new objects in the overview page as below. One for the internal IP and one for the external IP.
We must now create a policy route rule to send the traffic from 192.168.1.33 to the external IP and also when traffic comes from the outside, we must route it correctly.
Navigate to: Network -> Routing -> Policy Route and then click the add icon to create a new object.
1. Write a name for the Policy Route.
2. Set the source and the destination IP address to use the pre-configured NAT_internal_IP address object and select Any for the service type.
3. Choose Type: Interface and Interface is the configured WAN port of the ZyWALL USG. This may vary depending on configuration and ZyWALL so check that this is the correct WAN Port.
4. SNAT will use the pre-configured NAT_external_IP address object. This policy route will route packets from the internal host to the Internet and replace the IP address with the mapped external IP address.
5. Click OK to save the policy route.
After the configuration, go to the policy route summary page. The order in the policy route table is very important. Packets are routed based on the first rule matched. The unit will not check all routes and choose the most suitable one to route the packets. Therefore you must configure new rules before existing global rules that catch all packets.
Ex: The NAT_internal_IP address object (192.168.1.33) is also included in the LAN_SUBNET address object (192.168.1.0/255.255.255.0) and if the Policy Route is set after that LAN_SUBNET rule, the packets will be sent into that rule and the external IP will not be used for the specific client.
Now we've set everything up so that the PC on IP 192.168.1.33 can go out on the internet from a different WAN IP. We now want to enable traffic from the outside (internet) in to the specific host and for that we need to create a Virtual Server rule for DNAT mapping.
Navigate to: Network -> Virtual Server and click the add button to create a new Virtual Server rule.
First write a name for the new rule.
The Incoming Interface is the interface the traffic comes in on. In this case, the traffic is coming from the internet so please select ge2 as the interface (this may vary depending on ZyWALL USG model and configuration, so make sure this is the correct WAN port).
Set the external IP address as the original IP, the internal host (192.168.1.33) as the mapped IP and any for the mapping type.
Press OK to save the Virtual server rule.
Check back in the overview for Virtual Server rules to make sure it's configured correctly.
We have now made all incoming traffic on the external IP route to the internal IP in the network.
We also need to create a firewall rule to allow traffic from outside (internet) before everything works both ways.
Set up the security policy to allow traffic from the Internet to the internal host. Even though you have already configured a virtual server rule to map the public IP to the internal host, you still need to configure a firewall rule (access control) to allow traffic from the WAN to access the internal host. To configure a new ACL rule, click Firewall in the menu to the left and click the add icon to configure a WAN-to-LAN rule.
Set the IP address of the internal host as the destination address and use Any for the source address. Configure the appropriate security settings for the rule based on your application needs. For example, you may create a rule that allows only traffic from a specific web site or service (such as HTTP or FTP). In this case, we will just allow all services.
If you want to allow a specific service only, then choose it from the Service list.
Click the OK button to save the Firewall rule.
Check the overview page to see if the configuration is correct.
When all these steps are done, you configured a 1-to-1 NAT mapping rule for the specific host in your local
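The guide's warning about policy-route ordering (first match wins, so the host rule must sit above the LAN_SUBNET catch-all) is the usual reason the ISP's wan1_ppp address shows up in mail headers instead of the static IP. The following is an added example, not code from the guide or from Zyxel: a small simulator of that first-match lookup, using the guide's address objects and IPs, plus a check that flags host rules shadowed by an earlier, broader rule. The wan1_ppp address 203.0.113.7 and the rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Address objects as created in the guide's Object -> Address step.
ADDRESS_OBJECTS = {
    "NAT_internal_IP": ipaddress.ip_network("192.168.1.33/32"),
    "NAT_external_IP": ipaddress.ip_network("22.214.171.124/32"),
    "LAN_SUBNET": ipaddress.ip_network("192.168.1.0/24"),
}
# Constructed placeholder for the dynamic address the ISP hands to wan1_ppp.
WAN1_PPP_DYNAMIC_IP = "203.0.113.7"


@dataclass
class PolicyRoute:
    name: str
    source: str  # address object name matched against the packet source
    snat: str    # address object name, or "outgoing-interface" (use the WAN's own IP)


def snat_address(rules, src_ip):
    """Walk the policy-route table top to bottom, like the ZyWALL does, and
    return the SNAT address the first matching rule applies (None if none match)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ADDRESS_OBJECTS[rule.source]:
            if rule.snat == "outgoing-interface":
                return WAN1_PPP_DYNAMIC_IP
            return str(ADDRESS_OBJECTS[rule.snat].network_address)
    return None


def check_order(rules):
    """Return names of rules whose source is fully covered by an earlier rule's
    source, i.e. rules that can never match because of the table order."""
    shadowed = []
    for i, rule in enumerate(rules):
        net = ADDRESS_OBJECTS[rule.source]
        if any(net.subnet_of(ADDRESS_OBJECTS[e.source]) for e in rules[:i]):
            shadowed.append(rule.name)
    return shadowed


# Constructed rules: the guide's host-specific SNAT rule and a typical LAN catch-all.
HOST_RULE = PolicyRoute("Mail_server_1to1", "NAT_internal_IP", "NAT_external_IP")
CATCHALL_RULE = PolicyRoute("LAN_to_WAN", "LAN_SUBNET", "outgoing-interface")

if __name__ == "__main__":
    for label, table in (("wrong", [CATCHALL_RULE, HOST_RULE]), ("right", [HOST_RULE, CATCHALL_RULE])):
        print(label, "order ->", snat_address(table, "192.168.1.33"), "shadowed:", check_order(table))
```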
Anav
That's probably the safer order to do it.
Typically I would have suggested starting at the Virtual server and creating the one to one mapping.
So in a nutshell
a. create required objects (wan IP and LAN host)
b. Create virtual 1:1 mapping of the two objects
c. Create a firewall rule to allow traffic to the host from public IP
d. create a policy route so people or return traffic from the host can reach the internet.
The only tricky part would be identifying that the new public (WANIP) object has to be correctly associated with an existing WAN interface.
I suppose you might also want to consider a LAN2 host vice using LAN1 host, for an associated public IP and access through your router. (keeping it separate from LAN1)
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"