Deploying NAT-rules on a USG is a very commonly asked request in our support tickets. Hence, we created this step by step guide (including video) by setting up a NAT-rule towards a NAS-device placed in the USG's LAN. So this article will show you how to setup a NAT on a USG.
Content
4. Configure the policy control
Walkthrough Steps
1. Log in to the device to start the configuration
2. Navigate to Configuration > Network > NAT
- create a new rule by clicking on "Add"
- create a rule name and select the port mapping type to "virtual server"
- select your incoming interface to WAN
Mapping rule:
Incoming interface - the interface that the traffic is coming from
Source IP - From where the users are connecting from (e.g. trusted IPs)
External IP - the public IP of the wan interface
Internal IP - The IP address of the server where you want to forward the ports to
Port Mapping Type
any - all traffic on will be forwarded
Service - Select a service-object (a protocol)
Service-Group - Select a service-group object (a group of protocols)
Port- Select a port that needs to be forwarded
Ports- Select a port range that needs to be forwarded
External vs. Internal ports
The external port is the port that the external user is using to get to the firewall on WAN
The internal port is the port that is forwarded internally on LAN
This can both be a 1:1 translation (port 443 to 443) or port 4433 to 443 for example
- add two new objects by clicking on "create new object" > "address"
- add your WAN and NAS IP
- set the created objects as external and internal IP
- set the port mapping type to port and configure them (i.e. port 50000 - please see video for reference)
- check if NAT loopback is enabled and click OK (allows users connected to any interface to use the NAT rule too)
3. Create a new service object by navigating to Configuration > Object > Service.
Add port 50000 and name it as desired:
4. Navigate to Configuration > Security Policy > Policy Control and add a new rule:
From WAN to LAN, Destination NAS IP, Service HTTP_NAS, Action allow
5. Save the rule and now if possible, test the NAT rule from a different remote network. You should have access to your NAS via WAN.
Open a browser and type in the WAN IP of your USG and the configured port. Now the NAS is behind the USG and reachable through port forwarding.
Example for our WAN IP https://[yourWAN-IP]:50000
For a more detailed description please see our video:
Comments
2 comments
Hi, my request was to configure PPTP-VPN software on old Apple server in the local network behind Zyfirewall....before reading article I have already done everything years ago and have a working configuration on Zywall 2Plus model. something is not clear in that moment when port 1723 is opened, do i need also PPTP Tunnel ? and combine them in a group? maybe problem is in Policy Control? thanks for attention
Every tutorial I have seen tells you to use wan1 as the incoming interface value for the NAT. In our case we had to use wan1_ppp as the incoming source, and then everything works as expected. In the Dashboard you will see the Interface Status Summary, and see the wan1 with a small plus sign. Open the tree list object, and use that object that is associated with the external IP address of the router as the incoming interface of the NAT.
NAT
Security Policy 1 Allow
Security Policy 2 Deny
The first policy will only allow a NAT from the allowed source IP addresses
The second policy, which must be after the first object in the policy list, will explicitly deny any access to the port from a non-allowed IP address.
Please sign in to leave a comment.