10-10-2017 07:34 PM - edited 03-05-2019 09:16 AM
We have a Check Point 4600 firewall connected to a Cisco 2900 router, and the Cisco 2900 router connects to the internet with a static public IP address. The Cisco router is configured with NAT.
My question: can a remote user use the Check Point VPN client software to establish a VPN connection to that public IP address on the Cisco 2900 router?
10-10-2017 09:25 PM
Hi,
Why wouldn't it?
Take a look at NAT-T (NAT traversal).
10-11-2017 02:34 PM
NAT Traversal does allow VPN traffic to function when the server is behind an address translating device. But NAT Traversal by itself does not solve this problem. The issue is that the VPN user must use some public address as the destination address in the VPN client. So if a VPN packet comes to the public IP of the router, then how do we get it to go to the Checkpoint? If there were a second public IP available then the router could have a static NAT and that could forward the VPN packet to the Checkpoint. If there is not a second public IP then the router can be configured to use port forwarding to forward the VPN packet to the Checkpoint.
If the VPN client treats this as an IPsec VPN then the port forwarding is relatively simple. The router would forward any ISAKMP or IPsec packet to the Checkpoint. If the VPN client treats this as an SSL VPN then the situation is a bit more complicated. The router could forward all TCP port 443 traffic to the Checkpoint. That would make the VPN work. But if there is TCP port 443 traffic that is not VPN (HTTPS traffic coming into the network) then that traffic would also be forwarded to the Checkpoint.
HTH
Rick
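The IPsec case Rick describes, written out as an added Cisco IOS configuration example (this is not configuration from the original thread or from either poster). It assumes a single public address on the router's outside interface `GigabitEthernet0/0`, the Check Point gateway's external interface at the placeholder inside address `192.168.1.2`, and an existing overload NAT for outbound traffic. The static entries forward ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP to the gateway, and nothing else, so unrelated inbound traffic is not exposed; the SSL VPN variant would add a TCP 443 entry and bring with it the HTTPS-sharing caveat Rick raises.

```cisco
! Added example, not from the thread. Interface names and addresses are placeholders.
interface GigabitEthernet0/0
 description Internet (single static public IP, assumption)
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN towards Check Point external interface (192.168.1.2, placeholder)
 ip nat inside
!
! Existing outbound PAT for the inside network (assumed already present).
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Static port forwards for the Check Point remote-access VPN only:
!   UDP 500  - ISAKMP / IKE
!   UDP 4500 - IKE / ESP encapsulated for NAT traversal (NAT-T)
!   ESP      - native IPsec when the client does not use NAT-T
ip nat inside source static udp 192.168.1.2 500  interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.1.2 4500 interface GigabitEthernet0/0 4500
ip nat inside source static esp 192.168.1.2 interface GigabitEthernet0/0
!
! Only if the client connects as an SSL VPN (see the HTTPS caveat above):
! ip nat inside source static tcp 192.168.1.2 443 interface GigabitEthernet0/0 443
```

To check that the forwards are in place and being hit, `show ip nat translations` should list the three static entries before any client connects, and `show ip nat statistics` shows the hit counters climbing once a remote user attempts to connect. Keeping the forwards limited to the VPN ports also keeps the router's inbound exposure confined to services the Check Point gateway is expected to terminate.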