BOVPN on a Firebox Behind a Device That Does NAT

We recommend that the Firebox external interface has a public IP address. If the external interface of your Firebox has a private IP address because your ISP does Network Address Translation (NAT) or because your Firebox is connected to a device that does NAT, a remote VPN device cannot use that private IP address for VPN connections to the Firebox. However, you can still configure VPN tunnels because the Firebox can use NAT traversal (NAT-T). This topic explains how to configure BOVPN tunnels when the NAT device the Firebox connects to has a dynamic or static public IP address.

Requirements

Ports

Devices that do NAT usually have some basic firewall features. To make a VPN tunnel to your Firebox when the Firebox is installed behind a device that does NAT, the NAT device must let the traffic through. These ports and protocols must be open on the NAT device:

You must enable NAT-T on the Firebox and the other VPN endpoint device. With NAT-T enabled, the Firebox and the other VPN endpoint device can detect the NAT device and switch data packets from raw ESP to ESP encapsulated within UDP 4500 packets. The encapsulated packets can then be NATed. In a pcap packet capture of this traffic, you would see only UDP 500 traffic, which occurs during BOVPN setup, followed by UDP 4500 traffic for all data packets.

You do not need to specify private IP addresses in the Phase 1 settings on the Firebox or on the other VPN endpoint device. The next section shows how to specify a gateway ID that is not an IP address.

If the NAT device that the Firebox connects to has a dynamic public IP address

In this case, we recommend one of these two options:

You can specify any type of gateway ID and any gateway ID, but the local and remote gateway IDs must correspond as follows:
- The local gateway ID on Firebox A and the remote gateway ID on Firebox B must match.
- The local gateway ID on Firebox B and the remote gateway ID on Firebox A must match.

1. Configure the General Settings for a BOVPN gateway.
2. In the Phase 1 settings of the BOVPN gateway configuration, select NAT Traversal.
3. Define Gateway Endpoints for a BOVPN Gateway and specify this option for the gateway ID: in Policy Manager, select By Domain Information. In the adjacent text box, type the letters, numbers, or characters to use for the gateway ID. For example, you could type the name test.
[Screenshot: Gateway ID Domain settings in Policy Manager]
[Screenshot: Gateway Endpoint settings in the Policy Manager]
4. Configure all other BOVPN settings as specified in Define Gateway Endpoints for a BOVPN Gateway.

As a best practice, traffic should always be generated from the devices that are protected by the NAT-T firewall. The Firebox that is behind the NAT device with a dynamic public IP address must initiate the VPN connection if the NAT device is assigned a new IP address. This is required so the remote device knows how to contact the Firebox.

If the NAT device that the Firebox connects to has a static public IP address

For a VPN connection to a remote Firebox behind a NAT device, specify the static public IP address of the NAT device in the VPN connection settings.

For example, you have two Fireboxes A and B. Firebox B is behind a NAT device that has a static public IP address of 192.0.2.1. In the Remote Gateway Endpoint Settings for Firebox A, specify the IP address 192.0.2.1.

For the gateway ID, specify any data that is not a resolvable domain name. For example, you could type test or ID-123.

For a Firebox behind a NAT device with a static public IP address, configure these BOVPN settings:

You can specify any type of gateway ID and any gateway ID, but the local and remote gateway IDs must correspond as follows:
- The local gateway ID on Firebox A and the remote gateway ID on Firebox B must match.
- The local gateway ID on Firebox B and the remote gateway ID on Firebox A must match.
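As an added example that is not WatchGuard's own code, the following Python script turns the rules on this page into an offline consistency check for a Firebox pair: NAT-T enabled on both endpoints, crosswise gateway ID matching, a gateway ID that is not a domain name, the NAT device's static public IP as the remote endpoint, and the endpoint behind a dynamic-IP NAT device acting as initiator. The `Endpoint` fields, the FQDN heuristic and the sample Firebox A/B values are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic for "looks like a resolvable domain name": dotted labels ending in a TLD.
# Assumption of this example; 'test' and 'ID-123' pass, 'vpn.example.com' is rejected.
FQDN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


@dataclass
class Endpoint:
    name: str
    nat_traversal: bool                 # Phase 1 > NAT Traversal selected
    local_id: str                       # gateway ID this Firebox presents (By Domain Information)
    remote_id: str                      # gateway ID expected from the peer
    behind_nat: bool = False
    nat_public_ip: Optional[str] = None  # public IP of the NAT device; None means dynamic
    remote_peer_ip: Optional[str] = None  # address typed in Remote Gateway Endpoint Settings
    initiates: bool = False             # this side brings the tunnel up


def looks_like_fqdn(gateway_id: str) -> bool:
    return FQDN_RE.match(gateway_id) is not None


def check_pair(a: Endpoint, b: Endpoint) -> List[str]:
    """Return the configuration problems found; an empty list means the pair is consistent."""
    problems: List[str] = []
    for ep in (a, b):
        if not ep.nat_traversal:
            problems.append(f"{ep.name}: NAT Traversal is not enabled in Phase 1")
        if looks_like_fqdn(ep.local_id):
            problems.append(f"{ep.name}: gateway ID {ep.local_id!r} looks like a domain name")
        # Behind a NAT device with a dynamic public IP, this side must be the initiator.
        if ep.behind_nat and ep.nat_public_ip is None and not ep.initiates:
            problems.append(f"{ep.name}: behind a dynamic-IP NAT device but is not the initiator")
    for near, far in ((a, b), (b, a)):
        # Local and remote gateway IDs must correspond crosswise.
        if near.local_id != far.remote_id:
            problems.append(f"local ID on {near.name} ({near.local_id!r}) does not match remote ID on {far.name} ({far.remote_id!r})")
        # Static case: the peer dials the NAT device's public address, never the private one.
        if far.behind_nat and far.nat_public_ip and near.remote_peer_ip != far.nat_public_ip:
            problems.append(f"{near.name}: remote gateway endpoint should be {far.nat_public_ip}, found {near.remote_peer_ip}")
    return problems


# Constructed sample matching the page: Firebox B sits behind a NAT device with static IP 192.0.2.1.
FIREBOX_A = Endpoint("Firebox A", True, local_id="ID-123", remote_id="test", remote_peer_ip="192.0.2.1", initiates=True)
FIREBOX_B = Endpoint("Firebox B", True, local_id="test", remote_id="ID-123", behind_nat=True, nat_public_ip="192.0.2.1")

if __name__ == "__main__":
    for line in check_pair(FIREBOX_A, FIREBOX_B) or ["OK: BOVPN pair is consistent"]:
        print(line)
```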