Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 877
  • Last Modified:

Cisco 3000 concentrator with private IP

Hello Experts,
I have a network with one public IP address assigned to a watchgaurd firebox x500 firewall.  I need to install a cisco 3000 concentrator behind this firewall.  The lan port on the cisco already has an internal address 192.168.0.249  ...  what ip do i assign the public port?  The firebox is providing NAT so, I am not sure if I can give the cisco public ip a private (192.168.0.248) address.

Also, how do i tell the firebox that all vpn traffic should be forwarded to the this cisco...

Thanks!

derek
0
corpdsinc
Asked:
corpdsinc
  • 2
  • 2
1 Solution
 
batry_boyCommented:
Can't help you with the firebox configuration, but you most certainly can assign a private IP address to the public interface of the VPN 3000 concentrator.  I would then do a one-to-one NAT on the firebox from that private IP on the public interface of the concentrator to a public IP address that you own and then configure the following ports to be allowed through the firewall to the concentrator:

UDP 500
UDP 4500
TCP 10000 (optional, only if you're using IPSEC over TCP)

Good luck!
0
 
corpdsincAuthor Commented:
Thanks for the help.  I tired that with now luck.  I forwarded all of those ports to the internet address of the public interface ...and did a one to one nat from a public ip to the interal (cisco exteral) address..but it still will not connect.   I am running out of ideas.  
0
 
corpdsincAuthor Commented:
I think I would prefer to assign my cisco concentrator an IP from my public block rather than do the port forwarding...but I don't know how to this with a watchguard. I have opened a question in that area.

0
 
batry_boyCommented:
That would be the easiest way to do this.  Adding in that port forwarding layer in your topology complicates the implementation.  BTW, the concentrator is considered a hardened device (like a firewall) so you should feel comfortable putting the VPN concentrator right beside the watchguard if you want to.  This is the typical placement of a concentrator in a network topology, although I have put some in behind a PIX before.  The concentrator is considered a hardened device because you can't allow traffic inbound through it unless it is a tunneling protocol (IPSEC, L2TP) so the only way to get traffic to go through it in an inbound fashion is to first establish a VPN tunnel to it...you can't open it up to just regular unencrypted traffic like you can on a firewall.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now