Hi,
Our new ISP provided us with two networks: a public one (say 80.80.80.64/29) and a private interconnection one (172.16.1.0/30). The ISP's router is 172.16.1.1. So I set my SSG-5's Untrust interface to be 172.16.1.2.
I want to only use the first public IP address. So, I use a DIP for users' outgoing traffic and several NAT dst for incoming traffic. It all works fine.
My problem is with setting up a site-to-site VPN with an SSG-140. How am I supposed to create one if my SSG-5 doesn't have a public IP address? Is there some way to tell the firewall to NAT its own packets, not just the ones that match policies?
I did a very classic route-based setup but the Phase 1 never comes up.
A debug ike clearly shows that the SSG-5 cannot talk with the SSG-140. Actually, a simple ping from the SSG-5 to the SSG-140 fails. I believe this is because the ping leaves the SSG-5 with the 172.16.1.2 address…
Pinging the SSG-140 from the Trust interface works, because at this time the packets are source-NATed.
The SSG-140 is not a problem; it is ultra-classic: one public interface (public address) and one private one (private address).
What can I do?
Thanks in advance.
Regards.