On Fri, Mar 5, 2010 at 8:58 AM, Evgeny Yurchenko <[email protected]> wrote:
> Ståle Johnsen wrote:
>>
>> Hello,
>> We have a customer who routes their internet through their IT-service
>> provider. We need a secure ipsec connection from our internal network to the
>> customer's internal network. The other IT-service provider does not allow any
>> new RFC1918 into their transport network. So they say we have to NAT our
>> internal network or server to an official IP address in our firewall/VPN. Is
>> this possible to do behind an IPSEC with pfsense? If not, we are very happy
>> for any suggestions to solve this. The solution has to be an IPSEC because
>> the nodes we are trying to reach on the customer's network are embedded
>> terminals without possibilities for openvpn etc.
>>
>> Thanks in advance.
>>
>> Regards,
>> Stale Johnsen
>
> I think it is impossible.

Short of having two firewalls, it is impossible. I've done a couple of setups where an internal firewall does the NAT, and the perimeter firewall does the IPsec. Not ideal, but it works. The internal one is commonly a virtual machine so you don't need another piece of hardware (and its load is generally negligible). Another alternative I've set up is having the perimeter firewall do the NAT, and having another firewall sitting in a DMZ doing the IPsec.
