VPN problem due to double NAT with Netgear DG834PN and Firebox Edge - Firewalls


  1. VPN problem due to double NAT with Netgear DG834PN and Firebox Edge

    Hi,

    We are having great problems getting IPSec to work via the Watchguard Mobile
    User VPN (MUVPN) and I believe it is because it can not handle two NATs. We
    have a Netgear DG834PN ADSL router which feeds into a Watchguard Firebox Edge
    X20e-W firewall which then feeds the internal network.

    We have a Demon ADSL broadband and the whole thing is set up as follows:-

    ADSL --- (PIP) Netgear (192.168.0.1) ------ (192.168.0.2) Firebox (IIP)

    where PIP is my abbreviation for Public IP address and IIP is our internal
    subnet.

    What I think we need to do is to somehow expose the PIP to the firebox in
    order to cut out one of the NATs. This worked before in a previous ADSL
    router by what they called port forwarding (I think of it more as address
    forwarding). We have tried turning off the NAT in the Netgear box but still
    cannot get anything to work. The above setup works fine for ordinary
    Internet access and indeed for standard Microsoft PPTP VPN.

    Has anyone got any experience of the Netgear unit and any ideas about how we
    can get round this problem?

    Regards,

    Vic Russell



  2. Re: VPN problem due to double NAT with Netgear DG834PN and Firebox Edge

    Vic Russell wrote:

    > What I think we need to do is to somehow expose the PIP to the firebox in
    > order to cut out one of the NATs. This worked before in a previous ADSL
    > router by what they called port forwarding (I think of it more as address
    > forwarding). We have tried turning off the NAT in the Netgear box but
    > still cannot get anything to work. The above setup works fine for ordinary
    > Internet access and indeed for standard Microsoft PPTP VPN.


    You want a public IP on the external interface of the Firebox. If you have a
    router sitting in front of it, let it do what its name says: let it route.

    This means: Get a public, routable network from your ISP. Nothing more,
    nothing less. Everything else is crap for IPSec.

    Example of such setup:

    Network: 1.1.1.0
    netmask: 255.255.255.248

    router-1.1.1.1/29-------1.1.1.2/29-VPN-Gateway-192.168.1.1/24

    > Has anyone got any experience of the Netgear unit and any ideas about how
    > we can get round this problem?


    I have quite a lot of experience with various routers and VPN Gateways from
    different vendors and I tell you that you *never* want address translation
    and IPSec together, no matter what devices are used.

    Get a routable network from your ISP.

    Wolfgang
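
The two addressing plans in this thread, checked side by side as an added example that is not part of either post: it flags a VPN gateway whose external interface sits in non-routable space (so the router in front must translate) and validates the routed /29 layout. The /24 prefixes and the internal subnet 192.168.111.0/24 used for the first layout are assumptions, since the thread gives neither; the function and finding names are hypothetical.

```python
import ipaddress

# Address space that is never routed on the public Internet:
# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_routable(ip):
    return not any(ip in net for net in NON_ROUTABLE)

def audit_uplink(router_lan, gateway_ext, gateway_int):
    """Return a list of findings for the router <-> VPN gateway link.

    Arguments are interfaces in 'address/prefix' form. An empty list means
    the gateway's external interface is directly reachable by IPsec peers.
    """
    router = ipaddress.ip_interface(router_lan)
    ext = ipaddress.ip_interface(gateway_ext)
    inside = ipaddress.ip_interface(gateway_int)
    findings = []
    if router.network != ext.network:
        findings.append("subnet-mismatch")
    for name, iface in (("router", router), ("gateway", ext)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}-uses-reserved-host-address")
    if router.ip == ext.ip:
        findings.append("duplicate-address")
    if not is_routable(ext.ip):
        # The router in front has to translate, so peers never see this address.
        findings.append("nat-in-front-of-ipsec-endpoint")
    if ext.network.overlaps(inside.network):
        findings.append("external-internal-overlap")
    return findings

# Layout from the first post. The /24 prefixes and the internal subnet
# 192.168.111.0/24 are assumptions; the post gives neither.
ORIGINAL = ("192.168.0.1/24", "192.168.0.2/24", "192.168.111.1/24")
# Layout from the reply: routed /29 between router and VPN gateway.
ROUTED = ("1.1.1.1/29", "1.1.1.2/29", "192.168.1.1/24")

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL), ("routed", ROUTED)):
        print(label, audit_uplink(*plan) or "no findings")
```
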

  3. Re: VPN problem due to double NAT with Netgear DG834PN and Firebox Edge

    On Jul 31, 10:43 am, "Vic Russell" wrote:
    > Hi,
    >
    > We are having great problems getting IPSec to work via the Watchguard Mobile
    > User VPN (MUVPN) and I believe it is because it can not handle two NATs. We
    > have a Netgear DG834PN ADSL router which feeds into a Watchguard Firebox Edge
    > X20e-W firewall which then feeds the internal network.
    >
    > We have a Demon ADSL broadband and the whole thing is set up as follows:-
    >
    > ADSL --- (PIP) Netgear (192.168.0.1) ------ (192.168.0.2) Firebox (IIP)
    >
    > where PIP is my abbreviation for Public IP address and IIP is our internal
    > subnet.
    >
    > What I think we need to do is to somehow expose the PIP to the firebox in
    > order to cut out one of the NATs. This worked before in a previous ADSL
    > router by what they called port forwarding (I think of it more as address
    > forwarding). We have tried turning off the NAT in the Netgear box but still
    > cannot get anything to work. The above setup works fine for ordinary
    > Internet access and indeed for standard Microsoft PPTP VPN.
    >
    > Has anyone got any experience of the Netgear unit and any ideas about how we
    > can get round this problem?
    >
    > Regards,
    >
    > Vic Russell


    Your ISP should provide you with a public IP and a subnet mask. You
    shouldn't need NAT at all. Your firewall should provide adequate
    protection.

