Solved

Cisco 3000 concentrator with private IP

Posted on 2007-12-06
4
843 Views
Last Modified: 2013-11-16
Hello Experts,
I have a network with one public IP address assigned to a watchgaurd firebox x500 firewall.  I need to install a cisco 3000 concentrator behind this firewall.  The lan port on the cisco already has an internal address 192.168.0.249  ...  what ip do i assign the public port?  The firebox is providing NAT so, I am not sure if I can give the cisco public ip a private (192.168.0.248) address.

Also, how do i tell the firebox that all vpn traffic should be forwarded to the this cisco...

Thanks!

derek
0
Comment
Question by:corpdsinc
  • 2
  • 2
4 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20424679
Can't help you with the firebox configuration, but you most certainly can assign a private IP address to the public interface of the VPN 3000 concentrator.  I would then do a one-to-one NAT on the firebox from that private IP on the public interface of the concentrator to a public IP address that you own and then configure the following ports to be allowed through the firewall to the concentrator:

UDP 500
UDP 4500
TCP 10000 (optional, only if you're using IPSEC over TCP)

Good luck!
0
 
LVL 1

Author Comment

by:corpdsinc
ID: 20425698
Thanks for the help.  I tired that with now luck.  I forwarded all of those ports to the internet address of the public interface ...and did a one to one nat from a public ip to the interal (cisco exteral) address..but it still will not connect.   I am running out of ideas.  
0
 
LVL 1

Author Comment

by:corpdsinc
ID: 20453657
I think I would prefer to assign my cisco concentrator an IP from my public block rather than do the port forwarding...but I don't know how to this with a watchguard. I have opened a question in that area.

0
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 20457475
That would be the easiest way to do this.  Adding in that port forwarding layer in your topology complicates the implementation.  BTW, the concentrator is considered a hardened device (like a firewall) so you should feel comfortable putting the VPN concentrator right beside the watchguard if you want to.  This is the typical placement of a concentrator in a network topology, although I have put some in behind a PIX before.  The concentrator is considered a hardened device because you can't allow traffic inbound through it unless it is a tunneling protocol (IPSEC, L2TP) so the only way to get traffic to go through it in an inbound fashion is to first establish a VPN tunnel to it...you can't open it up to just regular unencrypted traffic like you can on a firewall.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question