Solved

Cisco 3000 concentrator with private IP

Posted on 2007-12-06
4
840 Views
Last Modified: 2013-11-16
Hello Experts,
I have a network with one public IP address assigned to a watchgaurd firebox x500 firewall.  I need to install a cisco 3000 concentrator behind this firewall.  The lan port on the cisco already has an internal address 192.168.0.249  ...  what ip do i assign the public port?  The firebox is providing NAT so, I am not sure if I can give the cisco public ip a private (192.168.0.248) address.

Also, how do i tell the firebox that all vpn traffic should be forwarded to the this cisco...

Thanks!

derek
0
Comment
Question by:corpdsinc
  • 2
  • 2
4 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20424679
Can't help you with the firebox configuration, but you most certainly can assign a private IP address to the public interface of the VPN 3000 concentrator.  I would then do a one-to-one NAT on the firebox from that private IP on the public interface of the concentrator to a public IP address that you own and then configure the following ports to be allowed through the firewall to the concentrator:

UDP 500
UDP 4500
TCP 10000 (optional, only if you're using IPSEC over TCP)

Good luck!
0
 
LVL 1

Author Comment

by:corpdsinc
ID: 20425698
Thanks for the help.  I tired that with now luck.  I forwarded all of those ports to the internet address of the public interface ...and did a one to one nat from a public ip to the interal (cisco exteral) address..but it still will not connect.   I am running out of ideas.  
0
 
LVL 1

Author Comment

by:corpdsinc
ID: 20453657
I think I would prefer to assign my cisco concentrator an IP from my public block rather than do the port forwarding...but I don't know how to this with a watchguard. I have opened a question in that area.

0
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 20457475
That would be the easiest way to do this.  Adding in that port forwarding layer in your topology complicates the implementation.  BTW, the concentrator is considered a hardened device (like a firewall) so you should feel comfortable putting the VPN concentrator right beside the watchguard if you want to.  This is the typical placement of a concentrator in a network topology, although I have put some in behind a PIX before.  The concentrator is considered a hardened device because you can't allow traffic inbound through it unless it is a tunneling protocol (IPSEC, L2TP) so the only way to get traffic to go through it in an inbound fashion is to first establish a VPN tunnel to it...you can't open it up to just regular unencrypted traffic like you can on a firewall.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now