• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 866
  • Last Modified:

Cisco 3000 concentrator with private IP

Hello Experts,
I have a network with one public IP address assigned to a watchgaurd firebox x500 firewall.  I need to install a cisco 3000 concentrator behind this firewall.  The lan port on the cisco already has an internal address 192.168.0.249  ...  what ip do i assign the public port?  The firebox is providing NAT so, I am not sure if I can give the cisco public ip a private (192.168.0.248) address.

Also, how do i tell the firebox that all vpn traffic should be forwarded to the this cisco...

Thanks!

derek
0
corpdsinc
Asked:
corpdsinc
  • 2
  • 2
1 Solution
 
batry_boyCommented:
Can't help you with the firebox configuration, but you most certainly can assign a private IP address to the public interface of the VPN 3000 concentrator.  I would then do a one-to-one NAT on the firebox from that private IP on the public interface of the concentrator to a public IP address that you own and then configure the following ports to be allowed through the firewall to the concentrator:

UDP 500
UDP 4500
TCP 10000 (optional, only if you're using IPSEC over TCP)

Good luck!
0
 
corpdsincAuthor Commented:
Thanks for the help.  I tired that with now luck.  I forwarded all of those ports to the internet address of the public interface ...and did a one to one nat from a public ip to the interal (cisco exteral) address..but it still will not connect.   I am running out of ideas.  
0
 
corpdsincAuthor Commented:
I think I would prefer to assign my cisco concentrator an IP from my public block rather than do the port forwarding...but I don't know how to this with a watchguard. I have opened a question in that area.

0
 
batry_boyCommented:
That would be the easiest way to do this.  Adding in that port forwarding layer in your topology complicates the implementation.  BTW, the concentrator is considered a hardened device (like a firewall) so you should feel comfortable putting the VPN concentrator right beside the watchguard if you want to.  This is the typical placement of a concentrator in a network topology, although I have put some in behind a PIX before.  The concentrator is considered a hardened device because you can't allow traffic inbound through it unless it is a tunneling protocol (IPSEC, L2TP) so the only way to get traffic to go through it in an inbound fashion is to first establish a VPN tunnel to it...you can't open it up to just regular unencrypted traffic like you can on a firewall.
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now