Support
Joined: 09 Oct 2002 Posts: 175 Location: Lausanne, Switzerland
Posted: Tue Jan 14, 03 11:30 Post subject: Can I use NAT with the IPSec VPN option?
Yes, but you must be sure to make a hole in SecureWall for UDP port 500 to be redirected internally. This allows the IKE authentication process to build an encrypted link between the two IPSec Endpoints.
There are 2 general options for using this.
1) You can configure the encrypted connection using Transport mode, which means the end of the communication is the remote MultiCom Firewall. This allows remote administration of the MultiCom Firewall. Additionally, you can use NAT to remap services to other servers on the LAN or DMZ, but to the remote user it looks like the IP address of the MultiCom's WAN interface is the server replying. For example, port 80 can be mapped to an internal web server. In this case you can still use the SecureWall to protect the WAN interface.
2) This second option has only been tested with the MultiCom SpeedSurf and the Ethernet Enterprise. You can use Tunnel mode to build a tunnel connection between 2 subnets and use NAT at the same time. See below for more information on this type of configuration. Additionally, you will not be able to use the SecureWall, since it would block incoming requests from the remote subnet. If you need to secure the WAN interface, you will need to use the Stateful Filtering firewall.
The MultiCom Firewall can use NAT to redirect an encrypted request to the WAN interface to a computer on the LAN network. This can use Transport or Tunnel mode of IPSec. Be sure to redirect UDP 500 to the MultiCom Firewall if you use the SecureWall.
NOTE - With outgoing traffic, NAT takes place before IPSec can encrypt the packet, and with incoming traffic, NAT takes place just after IPSec has decrypted the packet.
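As an added illustration that is not part of the original post and not the MultiCom firmware or any vendor code, the toy model below reproduces the processing order the answer describes: on the way out NAT runs before IPsec encryption, on the way in IPsec decryption runs before NAT, and the default-deny SecureWall needs an explicit hole for UDP 500 or the IKE exchange never reaches the firewall. It also shows the consequence of that order for policy: because NAT rewrites the source first, the IPsec selector has to be written against the NATed WAN address, not the LAN host. Every address, port, rule name and the assumption that SecureWall evaluates the decrypted inner packet are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses for the example (RFC 5737 documentation ranges).
WAN_IP = "203.0.113.1"     # the firewall's WAN interface
PEER_IP = "198.51.100.7"   # remote IPsec endpoint
LAN_WEB = "192.168.1.10"   # internal web server reached via port forwarding
LAN_PREFIX = "192.168.1."  # local LAN subnet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "esp"
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # for ESP: the protected packet


# Constructed static NAT table: (proto, WAN port) -> (LAN host, port).
NAT_REDIRECT = {("tcp", 80): (LAN_WEB, 80)}

# IPsec policy written against the WAN address, because outbound NAT has
# already rewritten the source by the time IPsec sees the packet.
GOOD_POLICY = {"local": WAN_IP, "remote": PEER_IP}
# Misconfigured policy that names a LAN host: it can never match post-NAT.
BAD_POLICY = {"local": "192.168.1.20", "remote": PEER_IP}


def securewall_allows(pkt: Packet, holes: set) -> bool:
    """Default-deny inbound filter; holes is a set of (proto, dport) tuples."""
    return (pkt.proto, pkt.dport) in holes


def nat_outbound(pkt: Packet) -> Packet:
    """Source NAT: LAN sources leave with the WAN address."""
    return replace(pkt, src=WAN_IP) if pkt.src.startswith(LAN_PREFIX) else pkt


def nat_inbound(pkt: Packet) -> Packet:
    """Destination NAT: forward published services to the LAN server."""
    target = NAT_REDIRECT.get((pkt.proto, pkt.dport))
    if target and pkt.dst == WAN_IP:
        return replace(pkt, dst=target[0], dport=target[1])
    return pkt


def ipsec_encrypt(pkt: Packet, policy: dict) -> Packet:
    """Wrap in ESP when the selector matches; otherwise the toy model lets it
    through unprotected so the mismatch is visible to the caller."""
    if pkt.src == policy["local"] and pkt.dst == policy["remote"]:
        return Packet(src=WAN_IP, dst=PEER_IP, proto="esp", inner=pkt)
    return pkt


def ipsec_decrypt(pkt: Packet) -> Packet:
    if pkt.proto == "esp" and pkt.dst == WAN_IP and pkt.inner is not None:
        return pkt.inner
    return pkt


def send_from_lan(pkt: Packet, policy: dict = GOOD_POLICY) -> Packet:
    """Outbound order from the post: NAT first, then IPsec."""
    return ipsec_encrypt(nat_outbound(pkt), policy)


def receive_on_wan(pkt: Packet, holes: set, securewall: bool = True) -> Optional[Packet]:
    """Inbound order from the post: IPsec decrypt, then filter, then NAT.
    Returns None when SecureWall drops the packet."""
    if pkt.proto == "esp":
        pkt = ipsec_decrypt(pkt)
    if securewall and not securewall_allows(pkt, holes):
        return None
    return nat_inbound(pkt)


if __name__ == "__main__":
    holes = {("udp", 500), ("tcp", 80)}
    ike = Packet(PEER_IP, WAN_IP, "udp", 500)
    print("IKE without hole:", receive_on_wan(ike, set()))
    print("IKE with hole:   ", receive_on_wan(ike, holes))
    out = send_from_lan(Packet("192.168.1.20", PEER_IP, "tcp", 22))
    print("outbound:", out.proto, "inner src =", out.inner.src)
```

Running the block prints that the IKE packet is dropped until the UDP 500 hole exists, and that the outbound packet leaves as ESP whose protected source is already the WAN address. In the tunnel-mode case, an inner packet from the remote subnet to a LAN host matches no hole, so the model drops it exactly as the post says SecureWall would; turning `securewall` off (standing in for switching to the stateful filtering firewall) lets it through.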