BOVPN on a Firebox Behind a Device That Does NAT

We recommend that the Firebox external interface has a public IP address. If the external interface of your Firebox has a private IP address because your ISP does Network Address Translation (NAT) or because your Firebox is connected to a device that does NAT, a remote VPN device cannot use that private IP address for VPN connections to the Firebox.

However, you can still configure VPN tunnels because the Firebox can use NAT traversal (NAT-T). This topic explains how to configure BOVPN tunnels when the NAT device the Firebox connects to has a dynamic or static public IP address.

Devices that do NAT frequently have some basic firewall features. To make a VPN tunnel to your Firebox when the Firebox is installed behind a device that does NAT, the NAT device must let the traffic through. These ports and protocols must be open on the NAT device:

  • UDP port 500 (IKE)
  • UDP port 4500 (NAT Traversal)
  • IP protocol 50 (ESP)

If the NAT device that the Firebox connects to has a dynamic public IP address

In this case, we recommend either of these options:

  • Configure dynamic DNS.
  • For the gateway ID, specify any data that is not a resolvable domain name. For example, you could type test or ID-123.

If the NAT device that the Firebox connects to has a static public IP address

For a VPN connection to a remote Firebox behind a NAT device, specify the static public IP address of the NAT device in the VPN connection settings.

For example, you have two Fireboxes A and B. Firebox B is behind a NAT device that has a static public IP address of 192.0.2.1. In the Remote Gateway Endpoint Settings for Firebox A, specify the IP address 192.0.2.1.

For the gateway ID, specify any data that is not a resolvable domain name. For example, you could type test or ID-123. You can use any gateway ID type and any value, but the local and remote gateway IDs must correspond as follows:

  • The local gateway ID on Firebox A and the remote gateway ID on Firebox B must match.
  • The local gateway ID on Firebox B and the remote gateway ID on Firebox A must match.

If you specify a resolvable domain name, keep the Attempt to resolve domain check box clear. If you select Attempt to resolve domain, the Firebox tries to resolve the domain name if it has never done so before, or if the VPN has never been established. Once the name has been resolved, the Firebox keeps a record that maps the name to the IP address. This record is kept even after a Firebox reboot.

In this example, we select the By Domain option and specify a non-resolvable gateway ID.

Gateway Endpoint Settings

Screen shot: Remote Gateway Endpoint settings in the Web UI

Screen shot: Remote Gateway Endpoint settings in the Policy Manager

As a best practice, traffic should always be generated from the devices behind the NAT device. The Firebox that is behind a NAT device with a dynamic public IP address must initiate the VPN connection whenever the NAT device is assigned a new IP address. This is required so the remote device knows how to contact the Firebox.
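The following added example (not WatchGuard code) checks a pair of gateway endpoint settings against the rules in this topic: the cross-matching gateway IDs, the remote address being the NAT device's static public IP rather than a private address, the Attempt to resolve domain pitfall, and the ports the NAT device must pass. The Endpoint fields, the domain-name heuristic and the sample values other than 192.0.2.1 are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ports and protocols the NAT device must pass, from the list in this topic.
REQUIRED_ON_NAT_DEVICE = {("udp", 500), ("udp", 4500), ("ip", 50)}

# RFC 1918 ranges plus the RFC 6598 shared range ISPs use for carrier-grade NAT.
_PRIVATE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Assumption: a dotted name ending in an alphabetic label is treated as a domain
# name. The check runs offline, so it cannot test actual resolvability.
_DOMAIN = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

@dataclass
class Endpoint:
    name: str
    local_id: str                 # Local gateway ID set on this Firebox
    remote_id: str                # Remote gateway ID set on this Firebox
    remote_address: str           # Address this Firebox dials for its peer
    attempt_resolve: bool = False # "Attempt to resolve domain" check box

def looks_like_domain(gateway_id: str) -> bool:
    return _DOMAIN.match(gateway_id) is not None

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)  # raises ValueError on a non-IP string
    return any(ip in net for net in _PRIVATE)

def check_pair(a: Endpoint, b: Endpoint, nat_public_ip: str, nat_rules: set) -> list:
    """Return problems found; an empty list means the settings follow the topic."""
    problems = []
    # Gateway IDs must cross-match: A.local == B.remote and B.local == A.remote.
    if a.local_id != b.remote_id:
        problems.append(f"{a.name} local ID {a.local_id!r} != {b.name} remote ID {b.remote_id!r}")
    if b.local_id != a.remote_id:
        problems.append(f"{b.name} local ID {b.local_id!r} != {a.name} remote ID {a.remote_id!r}")
    # Firebox A dials the NAT device's static public IP, not B's private address.
    if a.remote_address != nat_public_ip:
        problems.append(f"{a.name} dials {a.remote_address}, not the NAT device {nat_public_ip}")
    for ep in (a, b):
        try:
            if is_private(ep.remote_address):
                problems.append(f"{ep.name} dials private address {ep.remote_address}")
        except ValueError:
            problems.append(f"{ep.name} remote address {ep.remote_address!r} is not an IP")
        # A domain-style ID with the resolve box selected is the documented pitfall.
        if ep.attempt_resolve and looks_like_domain(ep.local_id):
            problems.append(f"{ep.name}: resolve box set with domain-style ID {ep.local_id!r}")
    for proto, port in sorted(REQUIRED_ON_NAT_DEVICE - nat_rules):
        problems.append(f"NAT device does not pass {proto}/{port}")
    return problems
```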

See Also

Configure Manual BOVPN Gateways
