Here is the situation: I have a Sidewinder firewall just behind a Cisco 2811 router. The router has one external public IP, so it is providing NAT overload (PAT). I want to allow users to connect to my network using an IPsec VPN to the firewall. Due to design issues I cannot put the firewall directly on the Internet. Now here is my question: do I need to port-forward the IPsec VPN from the router to the firewall? And now the big rookie question: if I do have to port-forward, how do I do that?
Thanks for the help,
Just to add a small detail here. Given that the firewall is going to be behind a NAT device, NAT-T should detect this fact and hence force further VPN transactions to use UDP port 4500 (or whatever is specified on the firewall). So in addition to the port-forwarding for UDP 500, you will just need a port forward for UDP port 4500 (or what is specified on the firewall of yours). So you will need to ensure that NAT-Traversal is enabled on the firewall.
The NAT for ESP hence may not be necessary.
Let me know if this helps!!
Thanks and Regards,
I'm not sure if that firewall supports port-forwarding or how to do it, but you will need to redirect:
UDP port 500
IP protocol ESP
UDP port 4500
So, if this were a Cisco device, you would create a port forwarding rule to redirect the above ports to the internal firewall.
To do the port forwarding in the router you do:
! x.x.x.x = the firewall's inside address; <outside-interface> = the router's Internet-facing interface (placeholder, fill in your own)
! Forward IKE (UDP 500) and NAT-T (UDP 4500) to the firewall
ip nat inside source static udp x.x.x.x 500 interface <outside-interface> 500
ip nat inside source static udp x.x.x.x 4500 interface <outside-interface> 4500
! Forward raw ESP (IP protocol 50); only one inside host can own this mapping
ip nat inside source static esp x.x.x.x interface <outside-interface>
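A fuller 2811 configuration showing where those port forwards sit relative to the existing PAT rule, added here as an example and not taken from any of the posts above. The interface names (FastEthernet0/0 outside, FastEthernet0/1 inside), the inside subnet 192.168.1.0/24, the firewall address 192.168.1.2 and the ACL number are assumed placeholders to replace with the real values.

```ios
! Outside interface holds the single public IP; inside faces the Sidewinder
interface FastEthernet0/0
 description Internet (public IP)
 ip nat outside
!
interface FastEthernet0/1
 description LAN toward Sidewinder firewall (assumed addressing)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Existing NAT overload (PAT) for outbound traffic from the inside subnet
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Static forwards so inbound IPsec from the Internet reaches the firewall
! UDP 500  = IKE negotiation
! UDP 4500 = NAT-T encapsulated IKE/ESP (used once NAT-T detects the NAT)
ip nat inside source static udp 192.168.1.2 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.1.2 4500 interface FastEthernet0/0 4500
!
! Only required if NAT-T is disabled and raw ESP must be passed;
! a static ESP mapping can point to just one inside host
ip nat inside source static esp 192.168.1.2 interface FastEthernet0/0
```

After applying this, `show ip nat translations` should list the three static entries before any client connects, and a new dynamic entry for UDP 4500 once a NAT-T client finishes IKE.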