BOVPN on a Firebox Behind a Device That Does NAT
The Firebox supports NAT traversal (NAT-T), so you can configure VPN tunnels when your ISP does NAT (Network Address Translation) or when the external interface of your Firebox is connected to a device that does NAT. We recommend that the Firebox external interface have a public IP address. If that is not possible, follow the instructions below to configure the local ID in the VPN gateway settings on the Firebox.
Devices that do NAT frequently have some basic firewall features. To make a VPN tunnel to your Firebox when the Firebox is installed behind a device that does NAT, the NAT device must let the traffic through. These ports and protocols must be open on the NAT device:
- UDP port 500 (IKE)
- UDP port 4500 (NAT Traversal)
- IP protocol 50 (ESP)
If the external interface of your Firebox has a private IP address, you cannot use an IP address as the local ID type in the Phase 1 settings. Instead, use one of these methods:
If the NAT device that the Firebox connects to has a dynamic public IP address:
Configure the Firebox in Bridge Mode. For more information, see Bridge Mode. In Bridge Mode, the Firebox gets the public IP address on its external interface. Refer to the documentation for your NAT device for more information.
Configure Dynamic DNS on the Firebox. For information, see About the Dynamic DNS Service. In the Phase 1 settings of the Manual VPN, set the local ID type to Domain Name. Enter the DynDNS domain name as the Local ID. The remote device must identify your Firebox by domain name and it must use the DynDNS domain name associated with your Firebox in its Phase 1 configuration.
If the NAT device that the Firebox connects to has a static public IP address:
In the Phase 1 settings of the Manual VPN, set the local ID type drop-down list to Domain Name. Specify the public IP address assigned to the external interface of the NAT device as the Local ID. The remote device must identify your Firebox by domain name, and it must use that same public IP address, entered as a domain name, in its Phase 1 configuration.
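The following added example, which is not part of the original article or any WatchGuard software, shows why the ID type on both peers must agree: it applies the rules above to pick a local ID, then encodes it as an IKEv2 Identification payload (RFC 7296, section 3.5), so that a public IP address configured as a Domain Name is sent as the literal text rather than as four address octets. All addresses and the DynDNS name are constructed sample values from documentation ranges.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1   # IKEv2 ID type (RFC 7296 s3.5): Firebox "IP Address" local ID
ID_FQDN = 2        # IKEv2 ID type: Firebox "Domain Name" local ID
# Addresses never seen as the source by an Internet peer: RFC 1918 private ranges
# plus the RFC 6598 shared space that ISP carrier-grade NAT hands out.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_behind_nat(external_ip):
    """True if the Firebox external address cannot be what the remote peer sees."""
    addr = ipaddress.IPv4Address(external_ip)
    return any(addr in net for net in NON_PUBLIC)

def choose_local_id(external_ip, nat_public_ip=None, ddns_name=None):
    """Pick the Phase 1 (ID type, value) following the rules in the text above."""
    if not is_behind_nat(external_ip):
        return ID_IPV4_ADDR, external_ip      # preferred: a real public address
    if nat_public_ip is not None:             # NAT device has a static public IP
        return ID_FQDN, nat_public_ip         # sent as a Domain Name, not an address
    if ddns_name is not None:                 # NAT device has a dynamic public IP
        return ID_FQDN, ddns_name
    raise ValueError("private external IP with no static NAT address or DynDNS name")

def build_id_payload(id_type, value, next_payload=0):
    """Encode an IKEv2 Identification payload: generic header, ID type, 3 reserved, data."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(value).packed  # four raw octets
    elif id_type == ID_FQDN:
        data = value.encode("ascii")                # the literal text, even "203.0.113.5"
    else:
        raise ValueError("unsupported ID type")
    header = struct.pack("!BBH", next_payload, 0, 8 + len(data))
    return header + struct.pack("!B3x", id_type) + data

def parse_id_payload(raw):
    """Decode a payload from build_id_payload back to (ID type, value)."""
    _, _, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("bad payload length")
    id_type, data = raw[4], raw[8:]
    if id_type == ID_IPV4_ADDR:
        return id_type, str(ipaddress.IPv4Address(data))
    return id_type, data.decode("ascii")

def peer_accepts(raw, expected_type, expected_value):
    """Remote side: both the ID type and the value must match its Phase 1 configuration."""
    return parse_id_payload(raw) == (expected_type, expected_value)
```

A remote peer configured with ID type IP Address and the value 203.0.113.5 rejects the Domain Name identity even though the text is identical, which is the Phase 1 mismatch the instructions above avoid.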