Hi Richard.

Yes, that was my thoughts, too, but I guess, either I did it wrong (I don't think I added ESP, how would I do that?) or, as you say, my issue is with the static translation overriding anything I do. I tried various incantations to no avail on that one....

Eric

Eric

Are things working in this config as you want - other than the VPN part? And can you tell us a bit about your environment? The title of the post indicates port forwarding but I do not see any port forwarding just the static translation to 192.168.40.8 for incoming traffic and the dynamic/overload for outbound traffic.

HTH

Rick

Hi Rick.

Yes, things work as I need them, but then, I'm not after anything special. This is my systems at home, so I have a static IP address that gets assigned to the Dialer1 interface by the ISP. Anything coming to that IP address gets forwarded to external address of my firewall host. There are however other hosts on the 192.168.40.0/24 network (e.g. mobile phone, laptops via wifi, etc), so I need the address translation on the outbound traffic. Again, this works fine.

With the config as it stands, unfortunately, the router also forwards any traffic that it's supposed to terminate itself (in my case only VPN) to the internal host. That's the bit I want to avoid.

Thanks for your help.

Ciao,

Eric

Eric

Thanks for the explanation which does help. I am glad that most things do work as you need them to. I have two possibilities to suggest for how you might achieve your remaining objective:

- is it possible that your firewall host could provide the VPN connection that you want?

- is it possible that you could configure port forwarding to pass the VPN on to the router rather than to the firewall? In configuring port forwarding we typically configure the incoming address, the incoming port, the address to translate to, and the port to translate to. I wonder if you could configure port forwarding specifying the same IP address as incoming address and address to translate to, and specify the same port as incoming port and port to translate to.

HTH

Rick

Hi Rick.

Sorry for the delay in getting back (been away for work).

Unfortunately, my firewall host is not a possible VPN termination point (although that would have been my preferred solution, too) because I can't get a Cisco compatiple VPN server for Solaris. (there are restrictions on the devices that I want to connect as to what VPN they can do, they are Sun Rays).

Re port forwarding: are you thinking of passing the inbound traffic to the firewall host and the firewall host than passing the VPN traffic back to the internal interface of the router? I hadn't considered that, certainly something I could try when back at base, but sounds pretty inefficient to me?

Alternatively, the question would be how to exclude the forwarding of the VPN traffic from the port forwarding that the router does in the first place, but I can't find the right incantation for this....

Eric

Eric

I had not thought particularly about router forwarding to firewall which would forward back to router inside. It does sound sort of inefficient but if it could solve your issue it might be worth it. But this is not what I was suggesting.

At the risk of being a bit picky about terminology what you have configured is a static translation and is not port forwarding (at least as I understand that term). When we say port forwarding we are configuring that if a packet comes to the interface for a certain address and a certain port then forward to some other address on some port. So for example we might configure that if it arrives for the public address on port 80 then we forward to some inside host address on port 80. Or if a packet arrives for the public address on port 339 that we forward to some other inside address on port 339. What you have configured is a static translation that says that anything that arrives for the public address should be forwarded to your firewall. And up to this point that is the behavior that you have wanted. What I am suggesting is configuration of port forwarding that says if a packet arrives for the public address on UDP 500 that it be forwarded to the router (probably outside but perhaps to router inside) address as UDP 500. And if a packet arrives on UDP 4500 that it be forwarded to the router address as 4500. And if an ESP (IP protocol 50) packet arrives that it be forwarded to the router as ESP.

HTH

Rick 

Hi Rick.

I'm just looking at a config I had several years ago where VPN did work. (The difference then was that I had several public IP addresses which is no longer possible where I now live, long story) and it appears that my recollection that I simply used a different IP for the VPN is wrong. It appears that I did selectivly forward individual ports back then.

I'll have a go at that configuration and see if I can get that to work.

Thanks for jogging my memory, very much appreciated.

Eric

Hi Rick.

OK, that did it.

I selectively forwarded the ports I need only and now it's working as expected.

Again, thanks for jogging my memory on this and thanks for your help.

Eric

Eric

I am glad that my suggestions were helpful and happy that you now have it working as expected. Congratulations.

HTH

Rick