Netscreen VPN behind 3640 Router

Hi folks,

could someone please tell me if this is possible....

Netscreen-----Cisco3640-----Internet-----Netscreen VPN Client.

The Cisco3640 will have NAT and the netscreen will be using IPSec. I think
on the cisco device we need some sort of NAT pass-through due to IPSec
encrypting the IP Header. Is this possible? or am I doing this wrong? Do I
need some specific IOS?

 

Register a public subnet for the the transit-net between the router an the
netscreen, the netscreen device needs an public IP on the untrust interface
to terminate the VPN-Tunnel.

NAT Transversal is possible with netscreen but in another way:

If you have a Netscreen VPN-Client behind a NAT-Router with IPSec
pass-through on the remote side it works..... but the central side need a
public IP!!!!

 

So if I've picked you up correctly...

Int..............Machine....Int.................Int............Machine......
Int
(Internal IP)Netscreen(Public IP)----(Public IP)Cisco3640(Public IP, NAT
Traversal)-----Internet

is that correct?

"Amos Walker" <> wrote in message
news:3fb9f314$...
> Register a public subnet for the the transit-net between the router an the
> netscreen, the netscreen device needs an public IP on the untrust
interface
> to terminate the VPN-Tunnel.
>
> NAT Transversal is possible with netscreen but in another way:
>
> If you have a Netscreen VPN-Client behind a NAT-Router with IPSec
> pass-through on the remote side it works..... but the central side need a
> public IP!!!!
>
>
>

 

no, not correct. The only NAT device at your central side should be the
netscreen. It has a private IP on the trust interface and an public IP on
the untrust interface and does NAT......then you terminate the VPN-Tunnel to
the untrust IP of the Netscreen, optional with NAT Transversal an IPSec
Pass-Through from the remote side .....

Forget NAT on your Cisco Router..... it has to become an pubic IP an its WAN
interface an on its "LAN" interface (to the Netscreen) and does only routing
.......ask your Provider for IPs an Subnets ........

Internet--------WAN- Cisco - LAN ----------- untrust - Netscreen - trust
public Subnet1<-routing-> public Subnet2 <-NAT->

 

Cheers Amos, I'm with you now, sorry not much experience with this.

Originally I only needed the 3640 to provide NAT and routing, looks like
from what you say the netscreen can do both, so I can do away with the 3640
and just use the Netscreen, this would save me getting 2 public IP subnets.

thanks again

Dave

"Amos Walker" <> wrote in message
news:3fba0ef1$...
> no, not correct. The only NAT device at your central side should be the
> netscreen. It has a private IP on the trust interface and an public IP on
> the untrust interface and does NAT......then you terminate the VPN-Tunnel
to
> the untrust IP of the Netscreen, optional with NAT Transversal an IPSec
> Pass-Through from the remote side .....
>
> Forget NAT on your Cisco Router..... it has to become an pubic IP an its
WAN
> interface an on its "LAN" interface (to the Netscreen) and does only
routing
> ......ask your Provider for IPs an Subnets ........
>
> Internet--------WAN- Cisco - LAN ----------- untrust - Netscreen - trust
> public Subnet1<-routing-> public Subnet2 <-NAT->
>
>

 

right, so I guess you haven an ISP-Router with public adresses in front of
your cisco router.......then forget the cisco router an use only the
netscreen firewall .......

 

No I don't, I thought that I could use the netscreen as the router.

"Amos Walker" <> wrote in message
news:3fba18fb$...
> right, so I guess you haven an ISP-Router with public adresses in front of
> your cisco router.......then forget the cisco router an use only the
> netscreen firewall .......
>
>

 

You can in the case that you have an ethernet interface to the internet
.......
A netscreen firewall is a " router " , and much more ......