BOVPN on a Firebox Behind a Device That Does NAT

We recommend that the Firebox external interface has a public IP address. If the external interface of your Firebox has a private IP address because your ISP does Network Address Translation (NAT) or because your Firebox is connected to a device that does NAT, a remote VPN device cannot use that private IP address for VPN connections to the Firebox.

However, you can still configure VPN tunnels because the Firebox can use NAT traversal (NAT-T). This topic explains how to configure BOVPN tunnels when the NAT device the Firebox connects to has a dynamic or static public IP address.



Devices that do NAT usually have some basic firewall features. To make a VPN tunnel to your Firebox when the Firebox is installed behind a device that does NAT, the NAT device must let the traffic through. These ports and protocols must be open on the NAT device:

  • UDP port 500 (IKE)
  • UDP port 4500 (NAT Traversal)

NAT Traversal (NAT-T)

You must enable NAT-T on the Firebox and the other VPN endpoint device. With NAT-T enabled, the Firebox and the other VPN endpoint device can detect the NAT device and switch data packets from raw ESP to ESP encapsulated within UDP 4500 packets. The encapsulated packets can then be NATed.

In a pcap packet capture of this traffic, you would see only UDP 500 traffic, which occurs during BOVPN setup, followed by UDP 4500 traffic for all data packets.

You do not need to specify private IP addresses in the Phase 1 settings on the Firebox or on the other VPN endpoint device. The next section shows how to specify a gateway ID that is not an IP address.

If the NAT device that the Firebox connects to has a dynamic public IP address

In this case, we recommend one of these two options:

If the NAT device that the Firebox connects to has a static public IP address

For a VPN connection to a remote Firebox behind a NAT device, specify the static public IP address of the NAT device in the VPN connection settings.

For example, you have two Fireboxes A and B. Firebox B is behind a NAT device that has a static public IP address of In the Remote Gateway Endpoint Settings for Firebox A, specify the IP address

For the gateway ID, specify any data that is not a resolvable domain name. For example, you could type test or ID-123. You can specify any type of gateway ID and any gateway ID, but the local and remote gateway IDs must correspond as follows:

  • The local gateway ID on Firebox A and the remote gateway ID on Firebox B must match.
  • The local gateway ID on Firebox B and the remote gateway ID on Firebox A must match.

If you specify a resolvable domain name, keep the Attempt to resolve domain check box clear. If you select Attempt to resolve domain, the Firebox tries to resolve the domain name if it has never has before, or if the VPN has never been established. Once the name has been resolved the Firebox keeps a record that matches the name to IP address. This record is kept even after a Firebox reboot.


For a Firebox behind a NAT device with a static public IP address, configure these BOVPN settings:

  1. About the Dynamic DNS Service
  2. Configure the General Settings for a BOVPN gateway.
  3. In the Phase 1 settings of the BOVPN gateway configuration, select NAT Traversal.
  4. Define Gateway Endpoints for a BOVPN Gateway and specify this option for the remote gateway ID:
  • In the Web UI, select By Domain Name.
  • In Policy Manager, select By Domain Information.
  1. Specify a non-resolvable gateway ID.

Gateway Endpoint Settings

Remote Gateway Endpoint settings in the Web UI

Screen shot of the Remote Gateway Settings

Remote Gateway Endpoint settings in the Policy Manager

  1. Configure all other BOVPN settings as specified in Define Gateway Endpoints for a BOVPN Gateway.
  2. Configure Manual BOVPN Tunnels.

See Also

Configure Manual BOVPN Gateways