tomlar1977
join:2014-10-10
Member

ZyWall 110 IPsec VPN, can't see entire remote network from client?

Hi there!

Just got VPN setup on a new ZyWall 110, and I can connect without any hassle. The problem is that I can't see everything from the client, see this:

10.0.0.1 - internal IP of firewall - OK
10.0.0.2 - os x server - OK
10.0.0.3 - windows server - no access at all
10.0.0.4 - windows server - no access at all
10.0.0.11 - SBS 2007 - no access at all
10.0.0.39 - iMac - OK
10.0.0.114 - NAS box running Windows server - OK
10.0.0.238 - printer - OK

There are a lot of other computers accessible (just don't want to type in all IP addresses!), so to me it seems as if there is a part of the internal network that can't be accessed, starting from 10.0.0.3 to at least 10.0.0.11. I've tried various VPN setups, and all have this error. I had a ZyWall 35 before this, and that VPN setup did not have this "flaw", and I'm 100% positive that it is not the servers rejecting the VPN client, mostly because of it working before, and I can't even ping the addresses, I just get a timeout.

Anyone knowing what could be the problem with my setup?

Thanks in advance,
Tommy

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

The Windows servers and SBS have local firewalls turned on that are blocking you. You need to add an exception or turn them off.

tomlar1977
join:2014-10-10
Member

Don't really think so, on the internal network everything is OK, and that is what a VPN tunnel is supposed to do, appear as being there physically? I can ping 10.0.0.51 (and all others) from inside and connect to it via RDP, but via the tunnel I can't ping, but RDP is good... Makes no sense.

PS: On my old ZyWall 35 everything worked like a charm via VPN, exactly like the client was attached to the internal network - which still makes me think that it could be some firewall rule, but with the things I can / can't do, I can't figure out what should be blocking / unblocking me!

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Maybe you should describe your topology.
What's on the other side of the tunnel? Another VPN router? Or a software client? Which one?
Post your VPN, Firewall and Policy Route screenshots from the USG.

tomlar1977
join:2014-10-10
Member

I connect to the ZyXEL via ZyXEL's Greenbow client, pulling the setup from the VPN automatically, just to avoid any wrong setup there. I've also been trying various clients on my Mac; all give the same results.

The network is really simple behind the firewall, there are only 2 ordinary gigabit switches, so no special routing setup at all.

The screenshots of the running setup can be found here:

»ge.tt/8dbGjH12?c

I also included screenshots of a scan of the network, one using my PC at the site, and another one of the same scan from a client connected via the tunnel.

If you need more information, let me know and I'll post it ASAP.

/Tommy

tomlar1977
Member

I think I just might have stumbled upon something... Looking in the config file, I saw this:

ip virtual-server Mailserver interface wan1 original-ip 87.54.49.118 map-to 10.0.0.11 map-type any nat-loopback nat-1-1-map
ip virtual-server TommyMac interface wan1 original-ip 87.54.49.117 map-to 10.0.0.112 map-type any nat-loopback nat-1-1-map
ip virtual-server TommyPC interface wan1 original-ip 87.54.49.113 map-to 10.0.0.52 map-type any nat-loopback nat-1-1-map
ip virtual-server IC interface wan1 original-ip 87.54.49.115 map-to 10.0.0.4 map-type any nat-loopback nat-1-1-map
ip virtual-server Opti interface wan1 original-ip 87.54.49.116 map-to 10.0.0.16 map-type any nat-loopback nat-1-1-map
ip virtual-server ownCloud interface wan1 original-ip 87.54.49.114 map-to 10.0.0.163 map-type any nat-loopback nat-1-1-map

Actually, these machines are the ones I can't see! The NAT'ing is correct, as I see it, since they are connectible from the internet, but then there must be some firewall rule blocking these, or should I look into the NAT part of the VPN connection settings?

tomlar1977
Member

Just tried deactivating one of those, and then I could do everything from the client, but obviously nothing from the internet, since there was no NAT. How do I get this working?

tomlar1977
Member

OK - got it working now! The "problem" was that I set these machines to 1:1 NAT; I tried changing them to Virtual Server, and voila, I could see them from within the VPN and still access everything from the internet.

Thanks for your time helping!

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

tomlar, one-to-one NAT is when you want to assign a group of IPs directly to devices on your network so that they have a publicly facing IP address. If you want to provide control over these types of IPs, one uses firewall rules or security policies (new term). Most of us just use a single WAN IP and have a private network behind the router. In this case one needs to consider port forwarding (virtual server) as well as firewall rules for data flow protection.

tomlar1977
join:2014-10-10
Member

Yes, I know how 1:1 NAT works, and basically this is what I want, since I would like my mail server to have one dedicated public IP address, another server running some websites another public IP, etc.

What seems to disturb me is that when I have a host in 1:1 NAT, I cannot access that host at all when connected via VPN? That makes absolutely no sense to me! As I wrote, I tried to set them to Virtual Server, but then they are using the IP of WAN1 as their outbound IP, which of course made some spam servers think that mail was not supposed to be allowed from that IP...!

So basically - how do I set up my ZyWall 110 to allow access to 1:1 NAT devices?

/Tommy
gb5102
join:2003-10-07
Saint Paul, MN
Member

On the ZyWALL, you could try to enable logging on all of your DENY firewall rules and check the System Log for any clues. Maybe you'll see the traffic being caught by the firewall for some reason.
gb5102 to tomlar1977
Member
If the firewall logs don't show anything interesting, can you try to disable NAT-Loopback in your 1:1 NAT rule?

Otherwise you could try to use virtual server and a policy route/SNAT to mimic the behavior of 1:1 NAT.

tomlar1977
join:2014-10-10
Member

I only have one deny rule, and that's the main one that denies everything until opened by other rules, and I don't think that's where to look; I'm kind of positive that this is related to the NAT'ing.

I tried disabling NAT loopback, and the result is the same. How do I set up the policy route / SNAT? I would be more than happy to give it a try.

/Tommy
JPedroT to tomlar1977
Premium Member
join:2005-02-18

I would do a packet trace on the LAN port that the server(s) are connected to and also take a look at the packet flow diagram under Maintenance on the device.

Anav to tomlar1977
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS
Did you create a VPN tunnel using the public IP address of the device, or did you try creating a VPN tunnel to the router (main IP) and then attempt to access the device through that?

tomlar1977 to JPedroT
join:2014-10-10
Member
What program(s) should I try with to do such a packet trace?
tomlar1977 to Anav
Member

Attachment: startup-conf···conf.zip (5,856 bytes) - Settings for ZyWall 110
Anav, I created the VPN using the public IP of the ZyWall (the one used on WAN1).

My config is attached, if it's of any help!

gb5102
join:2003-10-07
Saint Paul, MN
Member

Having the config is a huge help, thanks!
I downloaded it and will check it out later tonight, busy day so far...
gb5102 to tomlar1977
Member
I'm thinking 1:1 SNAT is sending all outgoing packets directly to the WAN before they are caught by the dynamic VPN route, and we need a policy route to tell it to route the VPN traffic to the VPN connection.

Can you try something?

I will use the TommyMac address-object for the example below (no need to modify the NATs, keep them set as 1:1, as is).

- Disable firewalls on TommyMac and on your IPSec client, just for testing; generally by default any traffic from outside the 'local' subnet is blocked, so I just want to be SURE...

- On the ZyWALL IPSec Client, in the VPN Client Address field, assign an IP of 192.168.99.5 (or any other 'uncommon' private IP OUTSIDE of your 10.0.0.0/8 LAN1 subnet). This is needed so we have a known IP address we can route to.

- On the router, create an address-object for IPSec clients:
Name: IPSec_CLIENT_POOL
Type: Range
Start: 192.168.99.5
End: 192.168.99.10

- Now create a policy route:
Incoming: lan1
Source: TommyMac
Dest: IPSec_CLIENT_POOL
Service: Any
Next Hop: VPN Tunnel: Dyn_Client

- Connect your IPSec client. The client should now be able to ping TommyMac (10.0.0.112), and TommyMac should be able to ping the IPsec client (192.168.99.5).

Let me know the result!
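The reasoning in this post (the 1:1 NAT binding wins over the dynamic VPN route for return traffic until a policy route catches it first) can be simulated. The block below is an added model written for this thread, not ZyWALL firmware or gb5102's code; it uses the hosts and addresses posted above, and the /24 LAN mask, the "wan1" label and the lookup order are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

# Addresses are the ones posted in the thread; the lookup order below is a
# model of the hypothesis in the post, not the device's real packet flow.
CLIENT_POOL = (ipaddress.ip_address("192.168.99.5"),
               ipaddress.ip_address("192.168.99.10"))   # IPSec_CLIENT_POOL

# 1:1 NAT bindings from the posted config: LAN host -> public IP on wan1
ONE_TO_ONE = {"10.0.0.11": "87.54.49.118",   # Mailserver
              "10.0.0.112": "87.54.49.117",  # TommyMac
              "10.0.0.4": "87.54.49.115"}    # IC

@dataclass
class PolicyRoute:
    incoming: str
    source: str          # host the address-object (e.g. TommyMac) resolves to
    dest_pool: tuple     # (first, last) address of IPSec_CLIENT_POOL
    next_hop: str

def in_pool(addr, pool):
    return pool[0] <= addr <= pool[1]

def egress(src, dst, incoming="lan1", routes=()):
    """Return (interface, source address on the wire) for a reply packet
    from LAN host `src` to VPN client `dst`. Modelled order: policy route
    first; else a 1:1 NAT binding pins the host to wan1 with its public IP;
    else the dynamic VPN route catches traffic to the client pool."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if (r.incoming == incoming and s == ipaddress.ip_address(r.source)
                and in_pool(d, r.dest_pool)):
            return r.next_hop, src
    if src in ONE_TO_ONE:
        return "wan1", ONE_TO_ONE[src]
    if in_pool(d, CLIENT_POOL):
        return "VPN Tunnel: Dyn_Client", src
    return "wan1", "<wan1 address>"   # ordinary outbound traffic

def reachable_from_client(hosts, client="192.168.99.5", routes=()):
    """Hosts whose replies actually go back through the tunnel."""
    return [h for h in hosts
            if egress(h, client, routes=routes)[0].startswith("VPN")]

TOMMYMAC_ROUTE = PolicyRoute("lan1", "10.0.0.112", CLIENT_POOL,
                             "VPN Tunnel: Dyn_Client")

if __name__ == "__main__":
    hosts = ["10.0.0.2", "10.0.0.4", "10.0.0.11", "10.0.0.39", "10.0.0.112"]
    print("before policy route:", reachable_from_client(hosts))
    print("after policy route: ", reachable_from_client(hosts, routes=[TOMMYMAC_ROUTE]))
```

The "before" list reproduces the symptom pattern from the first post: exactly the 1:1 NAT hosts drop out, and adding the policy route brings TommyMac back.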
JPedroT to tomlar1977
Premium Member
join:2005-02-18

It's a built-in feature on the ZyWALL, look under Maintenance and Diagnostics.
tomlar1977 to gb5102
join:2014-10-10
Member
GB5102, you are my hero!

I tried your trick, and now it's running like a charm! Thank you, thank you & thank you!
gb5102
join:2003-10-07
Saint Paul, MN
Member

Nice! Glad to hear it worked!