Solved

Cisco 3000 concentrator with private IP

Posted on 2007-12-06
Last Modified: 2013-11-16
Hello Experts,
I have a network with one public IP address assigned to a WatchGuard Firebox X500 firewall.  I need to install a Cisco 3000 concentrator behind this firewall.  The LAN port on the Cisco already has an internal address, 192.168.0.249 ... what IP do I assign the public port?  The Firebox is providing NAT, so I am not sure if I can give the Cisco public interface a private (192.168.0.248) address.

Also, how do I tell the Firebox that all VPN traffic should be forwarded to this Cisco...

Thanks!

derek
Question by: corpdsinc
4 Comments

Expert Comment

by: batry_boy
ID: 20424679
Can't help you with the firebox configuration, but you most certainly can assign a private IP address to the public interface of the VPN 3000 concentrator.  I would then do a one-to-one NAT on the firebox from that private IP on the public interface of the concentrator to a public IP address that you own and then configure the following ports to be allowed through the firewall to the concentrator:

UDP 500
UDP 4500
TCP 10000 (optional, only if you're using IPSEC over TCP)

Good luck!
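A small policy check, added here as an example and not code from the thread, from Cisco or from WatchGuard: given an inbound rule set in a constructed format, it reports which of the flows listed in the answer above are not permitted toward the concentrator's outside address. The address 192.168.0.248 is taken from the question; the `Rule` format is a stand-in for whatever the firewall actually uses. The one caveat it encodes beyond the answer is that ESP (IP protocol 50) has no port, so a list of port forwards alone cannot carry it, while a one-to-one NAT that passes every protocol, or an explicit ESP pass-through, can. Peers that negotiate NAT-T carry ESP inside UDP 4500 instead, so this only matters for peers that do not.

```python
"""Check an inbound firewall policy for the flows an IPsec VPN concentrator
behind a NAT firewall needs. Added example; not from the thread or from Cisco
or WatchGuard documentation. Addresses and the rule format are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical: private address on the concentrator's public interface,
# following the 192.168.0.x scheme used in the question.
CONCENTRATOR_OUTSIDE = "192.168.0.248"


@dataclass(frozen=True)
class Rule:
    """One inbound permit/forward toward an internal host.

    proto: "udp", "tcp", "esp", or "any" (a 1:1 NAT that passes every protocol).
    dport: destination port, or None for port-less protocols such as ESP
           and for "any".
    """
    proto: str
    dport: Optional[int]
    dst: str


# Flows a remote-access IPsec concentrator must receive from the Internet.
REQUIRED: List[Tuple[str, Optional[int], str]] = [
    ("udp", 500, "IKE/ISAKMP on UDP 500"),
    ("udp", 4500, "NAT-T on UDP 4500 (IKE and UDP-encapsulated ESP)"),
    # Raw ESP is IP protocol 50. It has no port, so a port forward cannot
    # carry it; it needs a rule that passes the protocol itself (or 1:1 NAT).
    # Only peers that do not negotiate NAT-T depend on it.
    ("esp", None, "ESP, IP protocol 50 (for peers that do not use NAT-T)"),
]
OPTIONAL: List[Tuple[str, Optional[int], str]] = [
    ("tcp", 10000, "IPsec over TCP on TCP 10000"),
]


def rule_permits(rule: Rule, proto: str, dport: Optional[int], dst: str) -> bool:
    """True if `rule` lets this flow reach `dst`."""
    if rule.dst != dst:
        return False
    if rule.proto == "any":
        return True
    if rule.proto != proto:
        return False
    # A protocol-level rule (dport None) covers every port of that protocol.
    return rule.dport is None or rule.dport == dport


def missing_flows(rules: List[Rule], dst: str = CONCENTRATOR_OUTSIDE,
                  ipsec_over_tcp: bool = False) -> List[str]:
    """Return descriptions of required flows that no rule permits toward dst."""
    needed = REQUIRED + (OPTIONAL if ipsec_over_tcp else [])
    return [desc for proto, dport, desc in needed
            if not any(rule_permits(r, proto, dport, dst) for r in rules)]


# Constructed policy 1: the three port forwards from the answer, nothing else.
PORT_FORWARDS_ONLY = [
    Rule("udp", 500, CONCENTRATOR_OUTSIDE),
    Rule("udp", 4500, CONCENTRATOR_OUTSIDE),
    Rule("tcp", 10000, CONCENTRATOR_OUTSIDE),
]

# Constructed policy 2: a static one-to-one NAT that hands every protocol
# arriving at the public address to the concentrator.
ONE_TO_ONE_NAT = [Rule("any", None, CONCENTRATOR_OUTSIDE)]

# Constructed policy 3: port forwards plus an explicit ESP pass-through.
PORT_FORWARDS_PLUS_ESP = PORT_FORWARDS_ONLY + [Rule("esp", None, CONCENTRATOR_OUTSIDE)]

if __name__ == "__main__":
    for name, policy in [("port forwards only", PORT_FORWARDS_ONLY),
                         ("one-to-one NAT", ONE_TO_ONE_NAT),
                         ("port forwards + ESP", PORT_FORWARDS_PLUS_ESP)]:
        gaps = missing_flows(policy, ipsec_over_tcp=True)
        print(f"{name}: {'complete' if not gaps else 'missing ' + '; '.join(gaps)}")
```

Run as a script, it evaluates the three constructed policies: the port-forward-only set is reported as missing ESP, while the one-to-one NAT and the set with an explicit ESP rule are complete. The same function can be pointed at a different `dst` to catch rules that were written against the concentrator's LAN address (192.168.0.249) instead of its outside address.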

Author Comment

by: corpdsinc
ID: 20425698
Thanks for the help.  I tried that with no luck.  I forwarded all of those ports to the Internet address of the public interface ... and did a one-to-one NAT from a public IP to the internal (Cisco external) address ... but it still will not connect.   I am running out of ideas.

Author Comment

by: corpdsinc
ID: 20453657
I think I would prefer to assign my Cisco concentrator an IP from my public block rather than do the port forwarding... but I don't know how to do this with a WatchGuard. I have opened a question in that area.


Accepted Solution

by: batry_boy (earned 500 total points)
ID: 20457475
That would be the easiest way to do this.  Adding in that port forwarding layer in your topology complicates the implementation.  BTW, the concentrator is considered a hardened device (like a firewall) so you should feel comfortable putting the VPN concentrator right beside the watchguard if you want to.  This is the typical placement of a concentrator in a network topology, although I have put some in behind a PIX before.  The concentrator is considered a hardened device because you can't allow traffic inbound through it unless it is a tunneling protocol (IPSEC, L2TP) so the only way to get traffic to go through it in an inbound fashion is to first establish a VPN tunnel to it...you can't open it up to just regular unencrypted traffic like you can on a firewall.