Double NAT to allow IPSEC VPN on firewall behind router or firewall

On your Site 1 internet router/firewall, NAT the following ports to your VPN firewall’s External IP address

[image: ports]

Note: To set up a proper IPSEC VPN on a firewall that sits behind an internet-facing router/firewall, the IPSEC VPN firewall must be assigned an internal IP address. The above example shows the IPSEC VPN firewall as 192.168.254.100.

That address belongs to the IP subnet hosted by the internet router/firewall; 192.168.254.100 is what the External interface of the IPSEC VPN firewall is assigned. The VPN firewall's internal subnet must be a different subnet. This example uses 172.29.0.0/24.

The IPSEC VPN tunnel configuration is exactly the same as it would be if the VPN firewall were the internet-facing device.

In the VPN tunnel configuration, set your local gateway to the IP address assigned to the internet-facing device's External interface.

On the remote IPSEC VPN tunnel, configure its remote gateway to that same IP address, the one used as the local gateway above.

Example:

Site 1 (Home)                   Site 2 (Business)

Local GW:  1.1.1.1              Local GW:  2.2.2.2
Remote GW: 2.2.2.2              Remote GW: 1.1.1.1
Internal:  172.29.0.0/24        Internal:  192.168.1.0/24
Remote:    192.168.1.0/24       Remote:    172.29.0.0/24
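The two halves of the procedure (the port forwards on the internet router, and the mirrored tunnel definitions at both sites) are easy to get subtly wrong, most often by entering the VPN firewall's private External IP as the local gateway instead of the router's public address. The following script, an added example that is not part of the original post, checks both halves against the example above. The port numbers it requires are the standard IPsec ones (UDP 500 for IKE, UDP 4500 for NAT-T, which also carries the ESP payload once NAT is detected) and are assumed here rather than read from the post's image; the router NAT table and the site dictionaries are constructed sample data, and Site 2 is assumed to be directly internet-facing.

```python
"""Added example (not from the post): sanity-check a double-NAT IPsec setup.

Two groups of checks follow the post's steps:
  1. the internet router forwards the IPsec ports to the VPN firewall's
     External IP, which must sit in the router's LAN, and the VPN firewall's
     inside subnet must differ from that LAN;
  2. both tunnel ends mirror each other (my remote GW is your local GW, my
     remote subnet is your internal subnet), local GWs are public addresses,
     and the two internal subnets do not overlap.
Port numbers are the standard IPsec ones (UDP 500 = IKE, UDP 4500 = NAT-T);
they are assumed here, not read from the post's image.
"""
from ipaddress import ip_address, ip_network

REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500)}

# Constructed sample data mirroring the post's example.
ROUTER_LAN = "192.168.254.0/24"          # subnet hosted by the internet router
VPN_FW_EXTERNAL = "192.168.254.100"      # VPN firewall's External interface
VPN_FW_INTERNAL = "172.29.0.0/24"        # VPN firewall's inside subnet
FORWARDS = [                             # router NAT table (constructed)
    {"proto": "udp", "port": 500, "to": "192.168.254.100"},
    {"proto": "udp", "port": 4500, "to": "192.168.254.100"},
]
SITE1 = {  # Home: VPN firewall behind the internet router
    "local_gw": "1.1.1.1",    # the router's public IP, NOT 192.168.254.100
    "remote_gw": "2.2.2.2",
    "internal_net": "172.29.0.0/24",
    "remote_net": "192.168.1.0/24",
}
SITE2 = {  # Business: assumed to be directly internet-facing
    "local_gw": "2.2.2.2",
    "remote_gw": "1.1.1.1",
    "internal_net": "192.168.1.0/24",
    "remote_net": "172.29.0.0/24",
}


def check_double_nat_site(router_lan, vpn_external_ip, vpn_internal_net, forwards):
    """Problems with the router-side NAT and addressing; [] means OK."""
    problems = []
    lan = ip_network(router_lan, strict=False)
    ext = ip_address(vpn_external_ip)
    inside = ip_network(vpn_internal_net, strict=False)
    if ext not in lan:
        problems.append(f"VPN firewall External IP {ext} is not in router LAN {lan}")
    if inside.overlaps(lan):
        problems.append(f"VPN firewall inside subnet {inside} overlaps router LAN {lan}")
    # Only forwards that actually point at the VPN firewall count.
    present = {(f["proto"], f["port"]) for f in forwards if ip_address(f["to"]) == ext}
    for proto, port in sorted(REQUIRED_FORWARDS):
        if (proto, port) not in present:
            problems.append(f"router does not forward {proto}/{port} to {ext}")
    return problems


def check_tunnel_pair(site1, site2):
    """Problems with the two tunnel definitions; [] means they mirror each other."""
    problems = []
    pairs = ((site1, site2, "site1", "site2"), (site2, site1, "site2", "site1"))
    for a, b, na, nb in pairs:
        if ip_address(a["local_gw"]).is_private:
            problems.append(f"{na} local GW {a['local_gw']} is private; use the "
                            "internet-facing device's public IP")
        if ip_address(a["remote_gw"]) != ip_address(b["local_gw"]):
            problems.append(f"{na} remote GW {a['remote_gw']} != {nb} local GW {b['local_gw']}")
        if ip_network(a["remote_net"], strict=False) != ip_network(b["internal_net"], strict=False):
            problems.append(f"{na} remote subnet {a['remote_net']} != "
                            f"{nb} internal subnet {b['internal_net']}")
    n1 = ip_network(site1["internal_net"], strict=False)
    n2 = ip_network(site2["internal_net"], strict=False)
    if n1.overlaps(n2):
        problems.append(f"internal subnets {n1} and {n2} overlap; tunnel traffic cannot be routed")
    return problems


def validate(router_lan=ROUTER_LAN, vpn_external_ip=VPN_FW_EXTERNAL,
             vpn_internal_net=VPN_FW_INTERNAL, forwards=FORWARDS,
             site1=SITE1, site2=SITE2):
    """All problems for one double-NAT deployment; [] means it is consistent."""
    return (check_double_nat_site(router_lan, vpn_external_ip, vpn_internal_net, forwards)
            + check_tunnel_pair(site1, site2))


if __name__ == "__main__":
    for line in validate() or ["configuration is consistent"]:
        print(line)
```

Run it as-is and it reports the example configuration as consistent; swap Site 1's local GW for 192.168.254.100, or drop the UDP 4500 forward, and it names the mistake. The NAT-T check matters because, behind the router, the VPN firewall's peer only ever sees the router's public address, so the tunnel depends on UDP 4500 being forwarded rather than on raw ESP (IP protocol 50), which most consumer routers cannot forward at all.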

[image: vpn.png]
