ZD/AP connectivity via NAT not working
Summary: Both the AP and the ZD are behind NAT and are unable to reach each other. The AP is at a remote location, and even manually configuring the ZD's IP address on the AP does not get the AP connected to the ZD.
Question: AP unable to connect to ZD behind NAT
Customer Environment:
- Main site: 172.17.0.0/20 network
- Remote site: 172.17.16.0/20 network
- Firewall at both locations in front of the devices
- Both devices behind NAT
- WAN links connecting the two sites
Root Cause: The AP looks for the ZD using the ZD's private IP address. Because the ZD is behind NAT, that address is not reachable from the remote site, and the firewall has no mapping that translates a public IP address to the ZD's private IP, so the AP's traffic never reaches the ZD.
Steps followed to get the APs to talk to the ZD at the main site. This procedure was done on a Juniper SSG-140 Firewall.
Step 1) Identify publicly addressable IP addresses that are available to use on your network Firewall.
Step 2) Create a custom service group on your Firewall specifically for your ZoneDirector to be able to talk to the internet.
The service group must contain the following destination ports (source port is any, 0-65535):
Port 22 TCP
Port 12222 UDP
Port 12223 UDP
Port 21 TCP
Port 443 TCP
Step 3) On your Firewall, configure a MIP (Mapped IP) on the publicly addressable interface, mapping the public IP address from Step #1 to the private IP address of the ZoneDirector.
Step 4) Return to the policy list on your Firewall. Create the policy from your internet-facing zone to your privately addressed zone. In this case: Untrust-B to Trust-B.
Step 5) In that new policy, use the custom service group defined in Step #2 for the service ports and turn on logging. (See attached image)
Step 6) SSH to the required access point, log in and run the following command, then press Enter:
set director ip x.x.x.x
(x.x.x.x is the publicly addressable IP address you mapped in Step #3)
Step 7) After the AP reboots, it should go out through its current internet connection and communicate with the publicly addressable IP, which the MIP provisioned in Step #3 translates to the ZoneDirector. Check the policy logging to confirm that traffic to the ZoneDirector at your central location is being passed. No additional Firewall setup or configuration is needed at the "branch" locations, as the traffic is routed out across the internet.
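The whole procedure (Steps 2 through 7) as ScreenOS CLI for the SSG-140, written here as an added example and not taken from the original article. The addresses are assumptions: the ZoneDirector's private IP 172.17.1.10 (inside the main site's 172.17.0.0/20), the spare public IP 203.0.113.10, and the untrust interface ethernet0/2. The zone names Untrust-B and Trust-B, the service names and the policy ID 50 are likewise illustrative; the port list is the article's. In ScreenOS a MIP policy must use the auto-created address object MIP(public-ip) as its destination, which is why the policy below names it instead of the ZD's private address.

```screenos
# --- Step 1 (assumed): 203.0.113.10 is a free public IP on ethernet0/2 (zone Untrust-B)

# --- Step 2: one custom service per required port, source port any (0-65535)
set service "ZD-TCP-22"    protocol tcp src-port 0-65535 dst-port 22-22
set service "ZD-UDP-12222" protocol udp src-port 0-65535 dst-port 12222-12222
set service "ZD-UDP-12223" protocol udp src-port 0-65535 dst-port 12223-12223
set service "ZD-TCP-21"    protocol tcp src-port 0-65535 dst-port 21-21
set service "ZD-TCP-443"   protocol tcp src-port 0-65535 dst-port 443-443

# ... bundled into a service group used by the policy
set group service "ZD-Services"
set group service "ZD-Services" add "ZD-TCP-22"
set group service "ZD-Services" add "ZD-UDP-12222"
set group service "ZD-Services" add "ZD-UDP-12223"
set group service "ZD-Services" add "ZD-TCP-21"
set group service "ZD-Services" add "ZD-TCP-443"

# --- Step 3: MIP on the public interface: 203.0.113.10 <-> ZD private IP 172.17.1.10
# (host IP is assumed; netmask /32 maps exactly one address)
set interface ethernet0/2 mip 203.0.113.10 host 172.17.1.10 netmask 255.255.255.255 vr trust-vr

# --- Steps 4-5: policy from the internet zone to the ZD's zone.
# Destination is the MIP address object, service is the group, logging on.
# Source is Any because the branch AP's public address is not known in advance.
set policy id 50 from "Untrust-B" to "Trust-B" "Any" "MIP(203.0.113.10)" "ZD-Services" permit log
save

# --- Verification on the firewall after the AP has been pointed at the public IP
get mip
get policy id 50
get log traffic

# --- Step 6, typed on the AP over SSH (not on the firewall); the AP reboots afterwards
# set director ip 203.0.113.10
```

Only the ports in the article's service group are opened; no rule is needed in the Untrust-B direction for the AP, since the AP initiates the connection and the return traffic rides the session the policy created. If "get log traffic" shows the AP's hits on policy 50 but the AP still does not join, check that the MIP's host address matches the ZD's actual private IP before touching anything at the branch.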