ZD/AP connectivity via NAT not working

Summary

Both AP and ZD are behind NAT and are unable to reach each other. AP is at a remote location and even manually programming the ZD's IP on the device does not get the AP connected to the ZD.

Question

AP unable to connect to ZD behind NAT

Customer Environment

Main Site 172.17.0.0/20 network Remote Site 172.17.16.0/20 network Firewall at both locations before the devices Both devices behind NAT WAN links connecting both the sites

Root Cause

The main cause for the issue is because the AP looks for the ZD using the private IP address of the ZD, now since ZD is behind NAT the AP is unable to reach the ZD as there is no mapping done of the Firewall to allow the translation of the ZD's private IP to the public IP.

Resolution

Steps followed to get the AP's to talk to the ZD at the main site. This procedure was done on a Juniper SSG-140 Firewall.
 
 
Step 1) Identify publicly addressable IP addresses that are available to use on your network Firewall.
Step 2) Create a custom service group on your Firewall specifically for your ZoneDirector to be able to talk to the internet. 
 
As listed the required is needed: (source port is 0-65535)
Port 22 TCP
Port 12222 UDP
Port 12223 UDP
Port 21 TCP
Port 443 TCP
 
Step 3) On your Firewall, configure a MIP (Mapped IP) on the interface (publicly addressable IP address) to the private IP address of the ZoneDirector.
 
Step 4) Return to your policy list on your Firewall. Create the policy within your internet connection to your privately addressable space. In this case: Untrust-B to Trust-B. 
 
Step 5) Create a new policy on your Firewall and for service ports use your custom service group defined in Step #2 and turn on logging. (See attached image)
 
Step 6) SSH to the required access point, login and run the following command:
 
“ set director ip x.x.x.x “ hit enter (x.x.x.x is where you input your publicly addressable IP address)
 
Step 7) After the AP reboots it should go out through its current internet connection and communicate with the publically addressable IP based on the MIP that we had provisioned in Step #3. Check logging to ensure communication to the ZoneDirector at your central location is passing the traffic. No additional Firewall setup or configuration is needed at the “branch” locations as the traffic is routed out across the internet.
 
 

Article Number:
000001462

Updated:
June 17, 2019 02:48 AM (about 1 year ago)

Tags:
Troubleshooting, ZoneDirector, ZoneFlex Indoor, ZoneFlex Outdoor

Votes:
0

This article is:
helpful
not helpful

Working...Please wait

This is here to prevent you from accidentally submitting twice.

The page will automatically refresh.