
Question about NAT and VPN on TMG

Hi,

I have a requirement to create an IPsec VPN, which looks like this:-

Internal A----(10.10.10.254/24)TMG(192.168.10.1/24)--Private DMZ---(192.168.10.254/24)ISP Managed device (Pub100.1.1.2/24)------ (100.1.1.2/24)Watchguard(192.168.10.0/24)------Internal B

TMG is NAT'ing outbound traffic from Internal A to 192.168.10.1, and then the ISP device has a 1-2-1 NAT to this address for inbound traffic, and publishing rules are configured on the DMZ IP in TMG. You can see that the private DMZ is in the same IP range as the remote site. I have 2 questions:-

  • Will creating a site to site VPN where the remote network is the same as an interface on TMG, and where that interface is the public interface, work?
  • Will TMG be OK using NAT traversal outbound through the ISP device?

As the VPN will be policy driven, and the destination IP should be encapsulated before routing kicks in, this should work. The clients should still be able to access the internet, as the destination IP will not be in the DMZ range, but I'm not sure of the order of operations in TMG.

Also, I do realise this is not ideal, and another option is NAT on the WatchGuard, so TMG doesn't have a VPN policy to a network that's in the same range as the DMZ, but I'd like to avoid that if possible.

Thanks for your help

Regards,

Tom
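An added worked example, not part of Tom's post and not TMG's implementation: a small Python model of a policy-based IPsec gateway with the topology described above (10.10.10.0/24 internal, 192.168.10.1/24 DMZ, default gateway 192.168.10.254, peer 100.1.1.2). It runs the same packet through both possible orders of operations (selector match before NAT, and NAT before selector match) so the two outcomes the question hinges on can be seen side by side, and it flags the overlap between the remote selector and the directly connected DMZ subnet. The addresses, the `nat_before_ipsec` switch and the helper names are assumptions for illustration; the model says nothing about which order TMG actually uses.

```python
"""Model of policy-based IPsec selector matching vs. routing and NAT order.

Constructed example for the topology in the post; NOT TMG's implementation,
and it does not claim which order of operations TMG really applies.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


@dataclass(frozen=True)
class Interface:
    name: str
    address: IPv4Address
    network: IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None  # None = directly connected


@dataclass(frozen=True)
class IpsecPolicy:
    """Traffic selector: inner src in `local`, inner dst in `remote` -> encrypt to `peer`."""
    local: IPv4Network
    remote: IPv4Network
    peer: IPv4Address


# Topology as described in the post (assumed /24s, constructed for the example).
INTERNAL = Interface("Internal", IPv4Address("10.10.10.254"), IPv4Network("10.10.10.0/24"))
DMZ = Interface("DMZ", IPv4Address("192.168.10.1"), IPv4Network("192.168.10.0/24"))
INTERFACES = [INTERNAL, DMZ]

ROUTES = [
    Route(INTERNAL.network, INTERNAL.name),
    Route(DMZ.network, DMZ.name),
    Route(IPv4Network("0.0.0.0/0"), DMZ.name, IPv4Address("192.168.10.254")),  # ISP device
]

# The site-to-site policy the post asks about: remote network equals the DMZ subnet.
POLICIES = [
    IpsecPolicy(INTERNAL.network, IPv4Network("192.168.10.0/24"), IPv4Address("100.1.1.2"))
]

OUTBOUND_NAT_ADDRESS = DMZ.address  # outbound traffic from Internal A is NAT'd to this


def lookup_route(routes, dst):
    """Longest-prefix match; raises if nothing matches."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(src, dst, *, nat_before_ipsec, policies=POLICIES, routes=ROUTES):
    """Return what the model gateway does with a packet src -> dst.

    nat_before_ipsec=True  : apply outbound NAT, then match IPsec selectors.
    nat_before_ipsec=False : match selectors on the original addresses first.
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    selector_src = OUTBOUND_NAT_ADDRESS if nat_before_ipsec and src in INTERNAL.network else src
    for p in policies:
        if selector_src in p.local and dst in p.remote:
            r = lookup_route(routes, p.peer)  # the OUTER packet is what gets routed
            return {"action": "encrypt", "peer": str(p.peer), "egress": r.interface,
                    "next_hop": str(r.next_hop or p.peer)}
    r = lookup_route(routes, dst)
    return {"action": "clear", "egress": r.interface, "next_hop": str(r.next_hop or dst)}


def selector_overlaps(policies=POLICIES, interfaces=INTERFACES):
    """Remote selectors that overlap a directly connected subnet (the post's situation)."""
    return [(str(p.remote), i.name)
            for p in policies for i in interfaces if p.remote.overlaps(i.network)]


if __name__ == "__main__":
    for dst in ("192.168.10.20", "192.168.10.254", "8.8.8.8"):
        for nat_first in (False, True):
            label = "nat_first" if nat_first else "ipsec_first"
            print(dst, label, forward("10.10.10.50", dst, nat_before_ipsec=nat_first))
    print("selector/interface overlaps:", selector_overlaps())
```

With selectors matched first, a packet for 192.168.10.20 is encrypted and the ESP/UDP 4500 outer packet to 100.1.1.2 follows the default route out of the DMZ, which is the behaviour the post expects; with NAT applied first, the source becomes 192.168.10.1, the selector no longer matches, and the packet goes in the clear onto the DMZ. The model also shows that the same selector swallows traffic from Internal A to the ISP device at 192.168.10.254, since it sits inside the remote network. It ignores TMG's rule base, inbound publishing and NAT-T negotiation entirely.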

