VPN problem due to double NAT with Netgear DG834PN and Firebox Edge

Posted by Vic Russell on July 31, 2007, 11:43 am
Hi,

We are having great problems getting IPSec to work via the Watchguard Mobile
User VPN (MUVPN) and I believe it is because it can not handle two NATs. We
have a Netgear DG834PN ADSL router which feeds into a Watchguard Firebox Edge
X20e-W firewall which then feeds the internal network.

We have a Demon ADSL broadband and the whole thing is set up as follows:-

ADSL --- (PIP) Netgear (192.168.0.1) ------ (192.168.0.2) Firebox (IIP)

where PIP is my abbreviation for Public IP address and IIP is our internal
subnet.

What I think we need to do is to somehow expose the PIP to the firebox in
order to cut out one of the NATs. This worked before in a previous ADSL
router by what they called port forwarding (I think of it more as address
forwarding). We have tried turning off the NAT in the Netgear box but still
cannot get anything to work. The above setup works fine for ordinary
Internet access and indeed for standard Microsoft PPTP VPN.

Has anyone got any experience of the Netgear unit and any ideas about how we
can get round this problem?

Regards,

Vic Russell



Posted by Wolfgang Kueter on July 31, 2007, 4:54 pm
Vic Russell wrote:

> What I think we need to do is to somehow expose the PIP to the firebox in
> order to cut out one of the NATs. This worked before in a previous ADSL
> router by what they called port forwarding (I think of it more as address
> forwarding). We have tried turning off the NAT in the Netgear box but
> still cannot get anything to work. The above setup works fine for ordinary
> Internet access and indeed for standard Microsoft PPTP VPN.

You want a public IP on the external interface of the Firebox. If you have a
router sitting in front of it, let it do what its name says: Let it route.

This means: Get a public, routable network from your ISP. Nothing more,
nothing less. Everything else is crap for IPSec.

Example of such setup:

Network: 1.1.1.0
netmask: 255.255.255.248

router-1.1.1.1/29-------1.1.1.2/29-VPN-Gateway-192.168.1.1/24

> Has anyone got any experience of the Netgear unit and any ideas about how
> we can get round this problem?

I have quite a lot of experience with various routers and VPN Gateways from
different vendors and I tell you that you *never* want address translation
and IPSec together, no matter what devices are used.

Get a routable network from your ISP.

Wolfgang
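
The two link layouts discussed above, checked in code. This is an added example, not part of the original thread: the function names are hypothetical, and the /24 mask on the 192.168.0.x link is an assumption since the question does not state it.

```python
import ipaddress

# RFC 1918 private space plus RFC 6598 carrier-grade NAT space. An address in
# these ranges is reachable from the Internet only through translation.
TRANSLATED_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def behind_nat(addr):
    """True if addr can only be reached from outside via address translation."""
    return any(addr in net for net in TRANSLATED_ONLY)


def check_gateway_link(router_inside, gateway_outside):
    """Review the link between the upstream router and the VPN gateway.

    Both arguments are "address/prefix" strings. Returns a list of findings;
    an empty list means the gateway's external interface is directly routable.
    """
    r = ipaddress.ip_interface(router_inside)
    g = ipaddress.ip_interface(gateway_outside)
    findings = []
    if r.network != g.network:
        findings.append(f"{r} and {g} are not on the same subnet")
    elif r.ip == g.ip:
        findings.append(f"router and gateway both use {g.ip}")
    net = g.network
    if net.prefixlen < 31 and g.ip in (net.network_address, net.broadcast_address):
        findings.append(f"{g.ip} is the network or broadcast address of {net}")
    if behind_nat(g.ip):
        findings.append(f"gateway external address {g.ip} is private, so the "
                        "router in front must translate and IPsec peers "
                        "reach a NATed endpoint")
    return findings


if __name__ == "__main__":
    layouts = {
        # From the original question; the /24 mask is an assumption.
        "double NAT": ("192.168.0.1/24", "192.168.0.2/24"),
        # From the reply's example network 1.1.1.0, netmask 255.255.255.248.
        "routed /29": ("1.1.1.1/29", "1.1.1.2/29"),
    }
    for name, (router, gateway) in layouts.items():
        problems = check_gateway_link(router, gateway)
        print(name, "->", problems or "OK: gateway has a routable address")
```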

Posted by Hexalon on August 1, 2007, 9:42 am
> Hi,
>
> We are having great problems getting IPSec to work via the Watchguard Mobile
> User VPN (MUVPN) and I believe it is because it can not handle two NATs. We
> have a Netgear DG834PN ADSL router which feeds into a Watchguard Firebox Edge
> X20e-W firewall which then feeds the internal network.
>
> We have a Demon ADSL broadband and the whole thing is set up as follows:-
>
> ADSL --- (PIP) Netgear (192.168.0.1) ------ (192.168.0.2) Firebox (IIP)
>
> where PIP is my abbreviation for Public IP address and IIP is our internal
> subnet.
>
> What I think we need to do is to somehow expose the PIP to the firebox in
> order to cut out one of the NATs. This worked before in a previous ADSL
> router by what they called port forwarding (I think of it more as address
> forwarding). We have tried turning off the NAT in the Netgear box but still
> cannot get anything to work. The above setup works fine for ordinary
> Internet access and indeed for standard Microsoft PPTP VPN.
>
> Has anyone got any experience of the Netgear unit and any ideas about how we
> can get round this problem?
>
> Regards,
>
> Vic Russell

Your ISP should provide you with a public IP and a subnet mask. You
shouldn't need NAT at all. Your firewall should provide adequate
protection.

