Hi folks, could someone please tell me if this is possible... Netscreen-----Cisco 3640-----Internet-----Netscreen VPN Client. The Cisco 3640 will have NAT and the Netscreen will be using IPSec. I think on the Cisco device we need some sort of NAT pass-through, due to IPSec encrypting the IP header. Is this possible? Or am I doing this wrong? Do I need a specific IOS?
Register a public subnet for the transit net between the router and the Netscreen; the Netscreen device needs a public IP on the untrust interface to terminate the VPN tunnel. NAT traversal is possible with Netscreen, but in another way: if you have a Netscreen VPN client behind a NAT router with IPSec pass-through on the remote side, it works... but the central side needs a public IP!
So if I've picked you up correctly... (Internal IP) Netscreen (Public IP) ---- (Public IP) Cisco 3640 (Public IP, NAT Traversal) ----- Internet. Is that correct?
No, not correct. The only NAT device at your central side should be the Netscreen. It has a private IP on the trust interface and a public IP on the untrust interface and does NAT... then you terminate the VPN tunnel to the untrust IP of the Netscreen, optionally with NAT traversal and IPSec pass-through from the remote side... Forget NAT on your Cisco router... it has to have a public IP on its WAN interface and on its "LAN" interface (to the Netscreen) and does only routing... ask your provider for IPs and subnets...

Internet -------- WAN - Cisco - LAN ----------- untrust - Netscreen - trust
             public subnet 1 <-routing-> public subnet 2 <-NAT-> private LAN
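The layout Amos describes (the 3640 routes between two public subnets and does no NAT; the Netscreen does NAT on trust and terminates the dial-up VPN on its public untrust IP), as an added configuration example that is not part of the original thread. Every address is an assumed documentation range: 203.0.113.0/30 for the ISP link (public subnet 1), 198.51.100.0/29 for the transit net between the router and the Netscreen (public subnet 2), 192.168.1.0/24 behind the trust interface. Interface names, the gateway/VPN/user names, the proposal names and the pre-shared key are placeholders, and the ScreenOS lines are written in 5.x-era syntax that should be checked against the release on the box.

```text
! ---- Cisco 3640 (IOS): routing only, no NAT anywhere ----
interface FastEthernet0/0
 description WAN to ISP (public subnet 1, assumed 203.0.113.0/30)
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/1
 description LAN / transit net to Netscreen untrust (public subnet 2, assumed 198.51.100.0/29)
 ip address 198.51.100.1 255.255.255.248
!
! default toward the ISP; the ISP must route 198.51.100.0/29 to 203.0.113.2,
! otherwise IKE/ESP replies from the Internet never reach the Netscreen
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! there is deliberately no "ip nat inside/outside" and no "ip nat inside source"
! on this router: ESP (IP protocol 50) must cross it unmodified

# ---- Netscreen (ScreenOS): NAT on trust, public IP on untrust, VPN ends on untrust ----
# ("#" lines are annotations for this page, not ScreenOS syntax; strip them before pasting)
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 198.51.100.2/29
set interface ethernet3 route
set route 0.0.0.0/0 interface ethernet3 gateway 198.51.100.1

# dial-up VPN client(s) terminate on the untrust address 198.51.100.2;
# nat-traversal is enabled so a client sitting behind a NAT router on the remote side still works
set user "client1" ike-id u-fqdn "client1@example.com" share-limit 1
set user-group "vpn-users" user "client1"
set ike gateway "dialup-clients" dialup "vpn-users" aggressive outgoing-interface ethernet3 preshare "REPLACE-ME" proposal "pre-g2-3des-sha"
set ike gateway "dialup-clients" nat-traversal
set vpn "client-vpn" gateway "dialup-clients" proposal "g2-esp-3des-sha"
set policy from untrust to trust "Dial-Up VPN" "Any" "ANY" tunnel vpn "client-vpn"
```

Two checks a practitioner would run after applying this: on the 3640, `show ip nat translations` should be empty and `show ip route` should carry both public subnets plus the default; on the Netscreen, `get ike gateway` and `get sa` should show the dial-up gateway and, once a client connects, an active phase 2 SA bound to ethernet3. If the 3640 ever gets an `ip nat` statement back, the client will complete IKE (UDP 500/4500) but ESP will be dropped or rewritten, which is exactly the symptom the original question was asking about.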
Cheers Amos, I'm with you now, sorry, not much experience with this. Originally I only needed the 3640 to provide NAT and routing; it looks from what you say like the Netscreen can do both, so I can do away with the 3640 and just use the Netscreen. This would save me getting 2 public IP subnets. Thanks again, Dave
Right, so I guess you have an ISP router with public addresses in front of your Cisco router... then forget the Cisco router and use only the Netscreen firewall...
You can, in the case that you have an Ethernet interface to the Internet... A Netscreen firewall is a "router", and much more...