Is it possible to build a VPN connection if the official IP address of one side is NATed into a private address?
I will put the central endpoint of the VPN tunnels into a DMZ. The router will get an IP address out of the range 10.0.0.0. The firewall will NAT an official IP address into the IP address (example 10.100.100.14).
Is this possible?
The central router is a Cisco 3640. The home user will dial into the internet with a Cisco 801.
What VPN technology can I use with this hardware?
Yes, this is possible. If it's a true one-to-one translation then you don't need to do anything, just point the client at the NAT'd address and everything should work fine.
If it's a one-to-many translation (PAT) then it'll still work. Both the concentrator and the client support the new standard NAT-T so if you enable it on both ends, they'll figure out that they're going through a NAT/PAT device and automatically encapsulate everything in UDP port 4500 packets. You can also enable either "IPSec over UDP" or "IPSec over TCP" in the client and concentrator to encapsulate everything in UDP port 10000 (default) or TCP packets, which also gets around PAT problems.
One restriction on that is that only one end will be able to initiate the tunnel, since the device behind the PAT device won't be contactable directly. The device behind the PAT device will only be able to initiate the tunnel to the device on the Internet, not the other way around.
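How NAT-T peers work out that a NAT/PAT device sits between them, shown as an added example that is not part of the original thread: each side sends NAT-D hashes (RFC 3947) over the addresses it believes are in use, and the receiver compares them with what actually arrived on the wire. The cookies, the 192.0.2.14, 198.51.100.7 and 192.168.1.10 addresses, the PAT source port and the choice of SHA-1 as the negotiated hash are constructed assumptions; 10.100.100.14 is the DMZ address from the question.

```python
import hashlib
import socket
import struct

def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    # SHA-1 is assumed to be the hash negotiated in IKE phase 1.
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def sender_nat_d(cky_i, cky_r, own_src, intended_dst):
    """NAT-D payloads a peer sends: destination hash first, then its own source."""
    return (nat_d_hash(cky_i, cky_r, *intended_dst),
            nat_d_hash(cky_i, cky_r, *own_src))

def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Compare received NAT-D hashes with the addresses seen on the wire.

    Returns (peer_behind_nat, local_behind_nat).
    """
    dst_hash, src_hash = nat_d
    peer_natted = src_hash != nat_d_hash(cky_i, cky_r, *seen_src)
    local_natted = dst_hash != nat_d_hash(cky_i, cky_r, *seen_dst)
    return peer_natted, local_natted

def next_ike_port(peer_natted, local_natted):
    """Any mismatch moves IKE and ESP onto UDP 4500; otherwise stay on 500."""
    return 4500 if (peer_natted or local_natted) else 500

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
HUB_PUBLIC = ("192.0.2.14", 500)      # official address on the firewall
HUB_DMZ = ("10.100.100.14", 500)      # address the central router really has
CLIENT_PUBLIC = ("198.51.100.7", 500)
CLIENT_LAN = ("192.168.1.10", 500)    # client behind a PAT device
CLIENT_PAT = ("198.51.100.7", 31044)  # what PAT rewrites the source to

def hub_view(client_src_on_wire, client_real_src):
    """What the central router concludes from the client's NAT-D payloads."""
    nat_d = sender_nat_d(CKY_I, CKY_R, client_real_src, HUB_PUBLIC)
    return detect_nat(CKY_I, CKY_R, nat_d, client_src_on_wire, HUB_DMZ)

if __name__ == "__main__":
    for label, wire, real in (("one-to-one NAT at hub", CLIENT_PUBLIC, CLIENT_PUBLIC),
                              ("client behind PAT too", CLIENT_PAT, CLIENT_LAN)):
        peer, local = hub_view(wire, real)
        print(label, "peer_natted:", peer, "local_natted:", local,
              "port:", next_ike_port(peer, local))
```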