The answer is: it depends.

1) vpn_cluster -----IOS_router -----Internet ----Checkpoint_NGx

Assume that the VPN cluster has an RFC 1918 IP address of 192.168.1.1 and it is being NATted by the IOS_router to 129.174.1.8. Then all you need to do on the IOS_router is:

    ! static one-to-one NAT for the VPN cluster
    ip nat inside source static 192.168.1.1 129.174.1.8
    ! interface commands: inside = toward the VPN cluster, outside = toward the Internet
    ip nat inside
    ip nat outside
    ! IKE (UDP 500), ESP and NAT-T (UDP 4500) from the Check Point gateway
    access-list 100 permit udp host NGx_External_IP host 129.174.1.8 eq 500
    access-list 100 permit esp host NGx_External_IP host 129.174.1.8
    access-list 100 permit udp host NGx_External_IP host 129.174.1.8 eq 4500
    ! applied inbound on the outside interface
    ip access-group 100 in

Keep in mind that Cisco will NOT do NAT-T for site-to-site VPN with other vendors, only when both sides are Cisco devices.

2) vpn_cluster -----IOS_router -----Internet ----Checkpoint_NGx

except in this case you have only 1 IP address and it is being assigned to the IOS_router:

    ! forward IKE (UDP 500), ESP and NAT-T (UDP 4500) arriving on f0/0 to the VPN cluster
    ip nat inside source static udp 192.168.1.1 500 interface f0/0 500
    ip nat inside source static esp 192.168.1.1 interface f0/0 esp
    ip nat inside source static udp 192.168.1.1 4500 interface f0/0 4500
    ! interface commands: inside = toward the VPN cluster, outside = f0/0
    ip nat inside
    ip nat outside
    access-list 100 permit udp host NGx_External_IP host 129.174.1.8 eq 500
    access-list 100 permit esp host NGx_External_IP host 129.174.1.8
    access-list 100 permit udp host NGx_External_IP host 129.174.1.8 eq 4500
    ! applied inbound on f0/0
    ip access-group 100 in

Again, Cisco will not do NAT-T with other vendors except Cisco, to my knowledge.

HTH

"André L." <[EMAIL PROTECTED]> wrote:

Dear list,

Does anyone have experience implementing a site-to-site VPN between CP VPN-1 NGX and other vendors' VPN products (Netscreen, Cisco) using NAT-T?

Our customer wants to place his VPN cluster behind a packet filter firewall. He wants to configure private (RFC1918) IP addresses on the external interfaces of the VPN cluster.

What are the fundamental caveats?

Thanks in advance!

Andy

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================

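A consistency check for the single-address setup in case 2, as an added example that is not part of the original thread: it parses IOS static NAT forwards and ACL entries and reports which of IKE (UDP 500), ESP and NAT-T (UDP 4500) are not both forwarded to the VPN cluster and permitted. The function name `audit` and the sample configs are constructed for illustration, with 203.0.113.10 standing in for NGx_External_IP; treating a forward whose local and global UDP ports differ as a problem is an assumption of this check.

```python
import re

# Flows an IPsec peer must be able to reach on the VPN cluster behind the router.
REQUIRED = {("udp", 500): "IKE", ("esp", None): "ESP", ("udp", 4500): "NAT-T"}
NAT_UDP = re.compile(r"ip nat inside source static udp (\S+) (\d+) interface \S+ (\d+)")
NAT_ESP = re.compile(r"ip nat inside source static esp (\S+) interface \S+")
ACL_UDP = re.compile(r"access-list \d+ permit udp host \S+ host \S+ eq (\d+)")
ACL_ESP = re.compile(r"access-list \d+ permit esp host \S+ host \S+")

def audit(config, inside_host):
    """Return a list of problems: required flows not forwarded or not permitted."""
    forwarded, permitted, problems = set(), set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_UDP.match(line):
            host, local, glob = m.group(1), int(m.group(2)), int(m.group(3))
            if host != inside_host:
                continue
            if local != glob:  # e.g. NAT-T arriving on 4500 delivered to port 500
                problems.append(f"udp {glob} is translated to local port {local}")
            else:
                forwarded.add(("udp", glob))
        elif (m := NAT_ESP.match(line)) and m.group(1) == inside_host:
            forwarded.add(("esp", None))
        elif m := ACL_UDP.match(line):
            permitted.add(("udp", int(m.group(1))))
        elif ACL_ESP.match(line):
            permitted.add(("esp", None))
    for flow, name in REQUIRED.items():
        if flow not in forwarded:
            problems.append(f"{name} is not forwarded to {inside_host}")
        if flow not in permitted:
            problems.append(f"{name} is not permitted by the ACL")
    return problems

# Constructed sample configs; 203.0.113.10 stands in for NGx_External_IP.
GOOD = """
ip nat inside source static udp 192.168.1.1 500 interface f0/0 500
ip nat inside source static esp 192.168.1.1 interface f0/0
ip nat inside source static udp 192.168.1.1 4500 interface f0/0 4500
access-list 100 permit udp host 203.0.113.10 host 129.174.1.8 eq 500
access-list 100 permit esp host 203.0.113.10 host 129.174.1.8
access-list 100 permit udp host 203.0.113.10 host 129.174.1.8 eq 4500
"""
BAD = GOOD.replace("192.168.1.1 4500 interface", "192.168.1.1 500 interface")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg, "192.168.1.1") or "ok")
```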