Netscreen VPN behind 3640 Router

Discussion in 'Cisco' started by Dave, Nov 18, 2003.

  1. Dave

    Dave Guest

    Hi folks,

    could someone please tell me if this is possible....

    Netscreen-----Cisco3640-----Internet-----Netscreen VPN Client.

The Cisco3640 will have NAT and the Netscreen will be using IPSec. I think
on the Cisco device we need some sort of NAT pass-through, due to IPSec
encrypting the IP header. Is this possible, or am I doing this wrong? Do I
need some specific IOS?
     
    Dave, Nov 18, 2003
    #1
  2. Amos Walker

    Amos Walker Guest

    Register a public subnet for the transit net between the router and the
    Netscreen; the Netscreen device needs a public IP on the untrust interface
    to terminate the VPN tunnel.

    NAT Traversal is possible with Netscreen, but in another way:

    If you have a Netscreen VPN client behind a NAT router with IPSec
    pass-through on the remote side it works..... but the central side needs a
    public IP!!!!
     
    Amos Walker, Nov 18, 2003
    #2
  3. Dave

    Dave Guest

    So if I've picked you up correctly...

    Int..............Machine....Int.................Int............Machine......Int
    (Internal IP)Netscreen(Public IP)----(Public IP)Cisco3640(Public IP, NAT Traversal)-----Internet

    is that correct?

    "Amos Walker" <> wrote in message
    news:3fb9f314$...
    > Register a public subnet for the transit net between the router and the
    > Netscreen; the Netscreen device needs a public IP on the untrust
    > interface to terminate the VPN tunnel.
    >
    > NAT Traversal is possible with Netscreen, but in another way:
    >
    > If you have a Netscreen VPN client behind a NAT router with IPSec
    > pass-through on the remote side it works..... but the central side needs a
    > public IP!!!!
     
    Dave, Nov 18, 2003
    #3
  4. Amos Walker

    Amos Walker Guest

    No, not correct. The only NAT device at your central side should be the
    Netscreen. It has a private IP on the trust interface and a public IP on
    the untrust interface and does NAT......then you terminate the VPN tunnel to
    the untrust IP of the Netscreen, optionally with NAT Traversal and IPSec
    pass-through from the remote side .....

    Forget NAT on your Cisco router..... it has to get a public IP on its WAN
    interface and on its "LAN" interface (to the Netscreen) and does only routing
    .......ask your provider for IPs and subnets ........

    Internet--------WAN- Cisco - LAN ----------- untrust - Netscreen - trust
    public Subnet1<-routing-> public Subnet2 <-NAT->
     
    Amos Walker, Nov 18, 2003
    #4
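The layout Amos describes, written out as an added example configuration for the Cisco side (this is not from the thread; all addresses are RFC 5737 documentation addresses chosen for illustration): the 3640 holds public addresses on both interfaces, carries no `ip nat` statements at all, and only routes the second public subnet to the Netscreen. The inbound access list is an assumption added here so that only IKE, NAT-T and ESP, plus return traffic for the Netscreen's own NATed sessions, reach the untrust address.

```cisco
! Cisco 3640, added example (not from the thread). Addresses are constructed:
!   WAN transit from ISP   : 203.0.113.0/30  (ISP gateway .1, router .2)
!   LAN transit to Netscreen: 198.51.100.0/29 (router .1, Netscreen untrust .2)
! No "ip nat inside" / "ip nat outside" anywhere: the router only routes.
! The Netscreen does NAT for the private trust network and terminates the
! IPsec tunnel on its untrust address 198.51.100.2.
!
interface Serial0/0
 description WAN to ISP (public subnet 1)
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/0
 description LAN to Netscreen untrust (public subnet 2)
 ip address 198.51.100.1 255.255.255.248
!
! Default route to the ISP. 198.51.100.0/29 is directly connected, so no
! static route is needed; the ISP must route that /29 to 203.0.113.2.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Assumed edge filter. The Netscreen is the stateful firewall; this ACL is a
! coarse, stateless outer layer, so return traffic for the Netscreen's own
! NATed sessions has to be admitted explicitly.
ip access-list extended FROM-INTERNET
 remark IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP proto 50) to the Netscreen
 permit udp any host 198.51.100.2 eq isakmp
 permit udp any host 198.51.100.2 eq 4500
 permit esp any host 198.51.100.2
 remark return traffic for sessions the Netscreen NATs out of its untrust IP
 permit tcp any host 198.51.100.2 established
 permit udp any gt 1023 host 198.51.100.2 gt 1023
 permit icmp any host 198.51.100.2 echo-reply
 permit icmp any host 198.51.100.2 unreachable
 permit icmp any host 198.51.100.2 time-exceeded
 deny   ip any any log
```

With this in place the Netscreen's untrust interface is reachable on a public address, which is the condition Amos gives for terminating the tunnel; NAT-T (UDP 4500) is then only needed when the remote VPN client itself sits behind a NAT router.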
  5. Dave

    Dave Guest

    Cheers Amos, I'm with you now, sorry not much experience with this.

    Originally I only needed the 3640 to provide NAT and routing, looks like
    from what you say the netscreen can do both, so I can do away with the 3640
    and just use the Netscreen, this would save me getting 2 public IP subnets.

    thanks again

    Dave

    "Amos Walker" <> wrote in message
    news:3fba0ef1$...
    > No, not correct. The only NAT device at your central side should be the
    > Netscreen. It has a private IP on the trust interface and a public IP on
    > the untrust interface and does NAT......then you terminate the VPN tunnel
    > to the untrust IP of the Netscreen, optionally with NAT Traversal and IPSec
    > pass-through from the remote side .....
    >
    > Forget NAT on your Cisco router..... it has to get a public IP on its
    > WAN interface and on its "LAN" interface (to the Netscreen) and does only
    > routing ......ask your provider for IPs and subnets ........
    >
    > Internet--------WAN- Cisco - LAN ----------- untrust - Netscreen - trust
    > public Subnet1<-routing-> public Subnet2 <-NAT->
     
    Dave, Nov 18, 2003
    #5
  6. Amos Walker

    Amos Walker Guest

    Right, so I guess you have an ISP router with public addresses in front of
    your Cisco router.......then forget the Cisco router and use only the
    Netscreen firewall .......
     
    Amos Walker, Nov 18, 2003
    #6
  7. Dave

    Dave Guest

    No I don't, I thought that I could use the netscreen as the router.

    "Amos Walker" <> wrote in message
    news:3fba18fb$...
    > Right, so I guess you have an ISP router with public addresses in front of
    > your Cisco router.......then forget the Cisco router and use only the
    > Netscreen firewall .......
     
    Dave, Nov 18, 2003
    #7
  8. Amos Walker

    Amos Walker Guest

    You can, in the case that you have an Ethernet interface to the Internet
    .......
    A Netscreen firewall is a "router", and much more ......
     
    Amos Walker, Nov 19, 2003
    #8