VPN problem due to double NAT with Netgear DG834PN and Firebox Edge

on 31.07.2007 17:43:05 by DFS

Hi,

We are having great problems getting IPSec to work via the Watchguard Mobile
User VPN (MUVPN) and I believe it is because it can not handle two NATs. We
have a Netgear DG834PN ADSL router which feeds into a Watchguard Firebox Edge
X20e-W firewall which then feeds the internal network.

We have a Demon ADSL broadband and the whole thing is set up as follows:-

ADSL --- (PIP) Netgear (192.168.0.1) ------ (192.168.0.2) Firebox (IIP)

where PIP is my abbreviation for Public IP address and IIP is our internal
subnet.

What I think we need to do is to somehow expose the PIP to the firebox in
order to cut out one of the NATs. This worked before in a previous ADSL
router by what they called port forwarding (I think of it more as address
forwarding). We have tried turning off the NAT in the Netgear box but still
cannot get anything to work. The above setup works fine for ordinary
Internet access and indeed for standard Microsoft PPTP VPN.

Has anyone got any experience of the Netgear unit and any ideas about how we
can get round this problem?

Regards,

Vic Russell

Re: VPN problem due to double NAT with Netgear DG834PN and Firebox Edge

on 31.07.2007 22:54:09 by Wolfgang Kueter

Vic Russell wrote:

> What I think we need to do is to somehow expose the PIP to the firebox in
> order to cut out one of the NATs. This worked before in a previous ADSL
> router by what they called port forwarding (I think of it more as address
> forwarding). We have tried turning off the NAT in the Netgear box but
> still cannot get anything to work. The above setup works fine for ordinary
> Internet access and indeed for standard Microsoft PPTP VPN.

You want a public IP on the external interface of the Firebox; if you have a
router sitting in front of it, let it do what its name says: let it route.

This means: Get a public, routable network from your ISP. Nothing more,
nothing less. Everything else is crap for IPSec.

Example of such setup:

Network: 1.1.1.0
netmask: 255.255.255.248

router-1.1.1.1/29-------1.1.1.2/29-VPN-Gateway-192.168.1.1/24

> Has anyone got any experience of the Netgear unit and any ideas about how
> we can get round this problem?

I have quite a lot of experience with various routers and VPN Gateways from
different vendors and I tell you that you *never* want address translation
and IPSec together, no matter what devices are used.

Get a routable network from your ISP.

Wolfgang
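
The two topologies discussed in this thread, the poster's double-NAT chain and Wolfgang's routed /29, modelled in a small Python check that reports how many translating hops sit in front of the IPsec endpoint and whether that endpoint has a routable address. This is an added example, not code from either post; the `Hop` class, the `nat_enabled` flag and the `assess` function are constructs of the example, and 203.0.113.5 / 192.168.1.1/24 are placeholders for the unknown public ADSL address (PIP) and internal subnet (IIP).

```python
"""Count the NAT boundaries an IPsec endpoint sits behind.
Added example for this thread, not code from any post: models the poster's
double-NAT chain, the "NAT off" variant he tried, and Wolfgang's routed /29."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr) -> bool:
    """True for non-routable IPv4 space per RFC 1918."""
    return any(ip_address(str(addr)) in net for net in RFC1918)

@dataclass(frozen=True)
class Hop:
    name: str
    outside: str              # Internet-facing interface, e.g. "1.1.1.2/29"
    inside: str               # LAN-facing interface, e.g. "192.168.1.1/24"
    nat_enabled: bool = True

    def translates(self) -> bool:
        # Assumption: with NAT on, a hop whose LAN side is RFC 1918 space must
        # translate, because nothing upstream can route to that network.
        return self.nat_enabled and is_rfc1918(ip_interface(self.inside).ip)

def links_consistent(chain) -> bool:
    """Each hop's LAN network must contain the next hop's outside address."""
    return all(ip_interface(nxt.outside).ip in ip_interface(cur.inside).network
               for cur, nxt in zip(chain, chain[1:]))

def assess(chain) -> dict:
    """chain runs from the ISP inward; the last hop terminates IPsec."""
    nat_in_front = sum(hop.translates() for hop in chain[:-1])
    endpoint_public = not is_rfc1918(ip_interface(chain[-1].outside).ip)
    if endpoint_public:
        verdict = "routed"       # what Wolfgang recommends: no NAT before IPsec
    elif nat_in_front:
        verdict = "translated"   # IPsec must cross NAT to reach the gateway
    else:
        verdict = "unroutable"   # private endpoint with no translator upstream
    return {"nat_in_front": nat_in_front, "endpoint_public": endpoint_public,
            "links_ok": links_consistent(chain), "verdict": verdict}

# Constructed topologies. 203.0.113.5 stands in for the unknown public ADSL
# address (PIP); 192.168.1.1/24 stands in for the internal subnet (IIP).
POSTER = [Hop("Netgear DG834PN", "203.0.113.5/32", "192.168.0.1/24"),
          Hop("Firebox Edge X20e-W", "192.168.0.2/24", "192.168.1.1/24")]
NAT_OFF = [Hop("Netgear DG834PN", "203.0.113.5/32", "192.168.0.1/24", nat_enabled=False),
           Hop("Firebox Edge X20e-W", "192.168.0.2/24", "192.168.1.1/24")]
ROUTED = [Hop("router", "203.0.113.5/32", "1.1.1.1/29"),
          Hop("VPN gateway", "1.1.1.2/29", "192.168.1.1/24")]
```

Calling `assess(POSTER)`, `assess(NAT_OFF)` and `assess(ROUTED)` shows why switching NAT off without renumbering did not help: the Firebox keeps a private outside address that nothing upstream can reach, whereas the /29 leaves the IPsec endpoint on a public address with no translator in front of it.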

Re: VPN problem due to double NAT with Netgear DG834PN and Firebox Edge

on 01.08.2007 15:42:27 by Hexalon

On Jul 31, 10:43 am, "Vic Russell" wrote:
> Hi,
>
> We are having great problems getting IPSec to work via the Watchguard Mobile
> User VPN (MUVPN) and I believe it is because it can not handle two NATs. We
> have a Netgear DG834PN ADSL router which feeds into a Watchguard Firebox Edge
> X20e-W firewall which then feeds the internal network.
>
> We have a Demon ADSL broadband and the whole thing is set up as follows:-
>
> ADSL --- (PIP) Netgear (192.168.0.1) ------ (192.168.0.2) Firebox (IIP)
>
> where PIP is my abbreviation for Public IP address and IIP is our internal
> subnet.
>
> What I think we need to do is to somehow expose the PIP to the firebox in
> order to cut out one of the NATs. This worked before in a previous ADSL
> router by what they called port forwarding (I think of it more as address
> forwarding). We have tried turning off the NAT in the Netgear box but still
> cannot get anything to work. The above setup works fine for ordinary
> Internet access and indeed for standard Microsoft PPTP VPN.
>
> Has anyone got any experience of the Netgear unit and any ideas about how we
> can get round this problem?
>
> Regards,
>
> Vic Russell

Your ISP should provide you with a public IP and a subnet mask. You
shouldn't need NAT at all. Your firewall should provide adequate
protection.