Netscreen VPN behind 3640 Router

Discussion in 'Cisco' started by Dave, Nov 18, 2003.

  1. Dave

    Dave Guest

    Hi folks,

    could someone please tell me if this is possible....

    Netscreen-----Cisco3640-----Internet-----Netscreen VPN Client.

    The Cisco3640 will have NAT and the netscreen will be using IPSec. I think
    on the cisco device we need some sort of NAT pass-through due to IPSec
    encrypting the IP Header. Is this possible? or am I doing this wrong? Do I
    need some specific IOS?
     
    Dave, Nov 18, 2003
    #1
    1. Advertisements

  2. Dave

    Amos Walker Guest

    Register a public subnet for the the transit-net between the router an the
    netscreen, the netscreen device needs an public IP on the untrust interface
    to terminate the VPN-Tunnel.

    NAT Transversal is possible with netscreen but in another way:

    If you have a Netscreen VPN-Client behind a NAT-Router with IPSec
    pass-through on the remote side it works..... but the central side need a
    public IP!!!!
     
    Amos Walker, Nov 18, 2003
    #2
    1. Advertisements

  3. Dave

    Dave Guest

    So if I've picked you up correctly...

    Int..............Machine....Int.................Int............Machine......
    Int
    (Internal IP)Netscreen(Public IP)----(Public IP)Cisco3640(Public IP, NAT
    Traversal)-----Internet

    is that correct?
     
    Dave, Nov 18, 2003
    #3
  4. Dave

    Amos Walker Guest

    no, not correct. The only NAT device at your central side should be the
    netscreen. It has a private IP on the trust interface and an public IP on
    the untrust interface and does NAT......then you terminate the VPN-Tunnel to
    the untrust IP of the Netscreen, optional with NAT Transversal an IPSec
    Pass-Through from the remote side .....

    Forget NAT on your Cisco Router..... it has to become an pubic IP an its WAN
    interface an on its "LAN" interface (to the Netscreen) and does only routing
    .......ask your Provider for IPs an Subnets ........

    Internet--------WAN- Cisco - LAN ----------- untrust - Netscreen - trust
    public Subnet1<-routing-> public Subnet2 <-NAT->
     
    Amos Walker, Nov 18, 2003
    #4
  5. Dave

    Dave Guest

    Cheers Amos, I'm with you now, sorry not much experience with this.

    Originally I only needed the 3640 to provide NAT and routing, looks like
    from what you say the netscreen can do both, so I can do away with the 3640
    and just use the Netscreen, this would save me getting 2 public IP subnets.

    thanks again

    Dave
     
    Dave, Nov 18, 2003
    #5
  6. Dave

    Amos Walker Guest

    right, so I guess you haven an ISP-Router with public adresses in front of
    your cisco router.......then forget the cisco router an use only the
    netscreen firewall .......
     
    Amos Walker, Nov 18, 2003
    #6
  7. Dave

    Dave Guest

    No I don't, I thought that I could use the netscreen as the router.
     
    Dave, Nov 18, 2003
    #7
  8. Dave

    Amos Walker Guest

    You can in the case that you have an ethernet interface to the internet
    .......
    A netscreen firewall is a " router " , and much more ......
     
    Amos Walker, Nov 19, 2003
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.