
Hide NAT aka Public IPs behind a firewall

By STURNER
I really need help here! lol

I run a network with the private 192.x.x.x subnet behind a firewall. A company that we are beginning to do work with requires us to VPN to them via our firewall to their Checkpoint system.

According to them our internal network has to have a routable IP scope. So hence my need for help!

How do I determine my scope? My initial thought was that I could use any IPs I wanted (because it is behind a firewall) so I simply subnetted my public proxy IP (using a subnet calc) and implemented it. The caveat here is that if you try to go across the vpn it ping, DNS returns the name of the company that really owns the IPs I am trying to use behind the firewall.

So can anyone help and give me some direction here? Please! Is there a block of IPs set aside for this type of issue that are routable but not used on the Inet?

Help Help Help

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  

All Comments

Hide NAT aka Public IPs behind a firewall

by Joseph Moore In reply to Hide NAT aka Public IPs b ...

Typically, you need to set up a "one to one NAT" on your firewall to get VPN to work.

Here is the deal. You have a single reserved IP address put on the outside of your firewall, an IP you get from your ISP (not a 192.168.x.x address). This address is then NATted to a single workstation behind the firewall, and ONLY to this single workstation.

Then, as long as your firewall allows all the right ports/protocols for VPN, you can then establish a VPN connection FROM the workstation (through the one to one NAT), to the VPN gateway you are trying to connect to.

So, can you get some more reserved IPs from your ISP?

Hope this helps

Hide NAT aka Public IPs behind a firewall

by STURNER In reply to Hide NAT aka Public IPs b ...

Poster rated this answer

Hide NAT aka Public IPs behind a firewall

by Pokhylchenko In reply to Hide NAT aka Public IPs b ...

I'd add to the previous answer that several "gray" IP addresses (192.168.x.x) can be mapped to one real IP address by NAT; most routers can do it. However, your ISP must be able to provide you several real IP addresses; you put them in the "outside" NAT spool and all necessary internal IP addresses in the "inside" spool. There are no free routable blocks of IPs on the Internet without your registering them with your Local Internet Registry.

Hide NAT aka Public IPs behind a firewall

by STURNER In reply to Hide NAT aka Public IPs b ...

The answer was that I do not need to use registered IPs because most firewalls/VPNs will allow you to decide where you terminate. Therefore, by terminating on the WAN port, all of the internal addresses go across the VPN NAT'ed as the WAN public IP.
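An added example, not part of the thread or of any firewall vendor's code: a simplified Python model of the hide NAT described in the reply above, together with a check that a planned internal scope lies wholly inside RFC 1918 private space. The function and class names, the starting port, and the sample addresses are assumptions made for illustration; the model ignores protocol and destination.

```python
import ipaddress

# RFC 1918 private ranges: usable behind NAT without registration.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def scope_is_private(cidr):
    """True only if the whole subnet sits inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

class HideNat:
    """Many-to-one (hide) NAT: every inside host leaves as one public IP."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = ipaddress.ip_address(public_ip)
        self.next_port = first_port
        self.out = {}   # (inside_ip, inside_port) -> public port
        self.back = {}  # public port -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        """Translate an inside source to (public_ip, public_port)."""
        key = (ipaddress.ip_address(inside_ip), inside_port)
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("hide NAT port pool exhausted")
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return str(self.public_ip), self.out[key]

    def inbound(self, public_port):
        """Map a reply back to the inside host; None if no session exists."""
        key = self.back.get(public_port)
        return (str(key[0]), key[1]) if key else None

if __name__ == "__main__":
    # Constructed sample values: 203.0.113.0/24 is a documentation range
    # standing in for the firewall's ISP-assigned WAN address.
    for scope in ("192.168.10.0/24", "203.0.113.64/27"):
        print(scope, "private" if scope_is_private(scope) else "NOT private")
    nat = HideNat("203.0.113.10")
    print(nat.outbound("192.168.10.21", 40000))
    print(nat.outbound("192.168.10.22", 40000))
    print(nat.inbound(1025), nat.inbound(5000))
```

Two inside hosts using the same source port come out as the same public address with different ports, and a packet arriving on a port with no session maps to nothing.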

Hide NAT aka Public IPs behind a firewall

by STURNER In reply to Hide NAT aka Public IPs b ...

This question was closed by the author
