NAT and VPN

msubtain
Level 1

I am in a situation where I cannot have more than 1 static IP address in one of my branch offices, and the possible solution with the available hardware is going to look like this:

INTERNAL SWITCH (OFFICE LAN) 10.250.1.0/24
|
|
CISCO ASA 5510 (NAT/PAT/VPN)
|
|
CISCO 1841
|
|
-------INTERNET--------
|
|
Cisco 837 (NAT) public IP address
|
|
WatchGuard X15 (VPN/NAT)
WAN PORT: 192.168.0.254
INTERNAL: 10.250.2.254
|
|
INTERNAL SWITCH (Office LAN 10.250.2.0/24)

A site-to-site VPN tunnel needs to be established between the CISCO ASA in HEADOFFICE and the WATCHGUARD in BRANCHOFFICE. Can anyone have a look to see if this will work without any problems? Primarily the branch office will run CITRIX sessions over the VPN.


spremkumar
Level 9

Hi

Have you tried doing a static NAT mapping your public IP address to the WAN port IP of the WatchGuard firewall?

You can make use of overload for NATting the whole inside LAN.

With all these limitations, why can't you think of terminating the IPsec tunnels on the respective routers themselves instead of bringing them onto the firewalls?

If you don't have that option open, then look at going for the static NAT option on the respective routers.

regds
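
The static NAT mapping suggested in the reply above, sketched as a Cisco IOS configuration fragment for the 837 (an added example, not part of the original thread). The interface names, the 837's inside address 192.168.0.1 and the choice of forwarding IKE and NAT-T (UDP 500 and 4500) are assumptions; only the WatchGuard WAN address 192.168.0.254 comes from the post.

```cisco
! Assumed: Ethernet0 faces the WatchGuard WAN port, Dialer0 holds the single public IP.
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
! PAT (overload) for everything else on the transit subnet behind the 837.
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Static port mappings so the head-office peer can reach the WatchGuard:
! IKE (UDP 500) and IPsec NAT traversal (UDP 4500) go to 192.168.0.254.
ip nat inside source static udp 192.168.0.254 500 interface Dialer0 500
ip nat inside source static udp 192.168.0.254 4500 interface Dialer0 4500
!
! Verify after the tunnel comes up:
!   show ip nat translations
```

With this layout the WatchGuard sits behind NAT, so both VPN endpoints need NAT traversal enabled for the tunnel to carry traffic over UDP 4500.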

We tried earlier with a VPN established directly to the Cisco 837 and performance was very bad; that's why this WatchGuard is coming into play, as this model is made specifically to be a VPN endpoint.

The only thing I am not sure about is running another NAT on the WatchGuard's already NATted WAN port.

What sort of VPN throughput does the Cisco 837 offer? Any idea?

Muhammad