Question about NAT and VPN on TMG

Hi,

I have a requirement to create an IPsec VPN, which looks like this:-

Internal A----(10.10.10.254/24)TMG(192.168.10.1/24)--Private DMZ---(192.168.10.254/24)ISP Managed device (Pub100.1.1.2/24)------ (100.1.1.2/24)Watchguard(192.168.10.0/24)------Internal B

TMG is NAT'ing outbound traffic from Internal A to 192.168.10.1, and then the ISP device has a 1-2-1 NAT to this address for inbound traffic, and publishing rules are configured on the DMZ IP in TMG. You can see that the private DMZ is in the same IP range as the remote site. I have 2 questions:-

  • Will creating a site to site VPN where the remote network is the same as an interface on TMG, and where that interface is the public interface, work?
  • Will TMG be OK using NAT traversal outbound through the ISP device?

As the VPN will be policy driven, and the destination IP should be encapsulated before routing kicks in, this should work. The clients should still be able to access the internet, as the destination IP will not be in the DMZ range, but I'm not sure of the order of operations in TMG.

Also, I do realise this is not ideal, and another option is NAT on the WatchGuard, so TMG doesn't have a VPN policy to a network that's in the same range as the DMZ, but I'd like to avoid that if possible.

Thanks for your help

Regards,

Tom

March 23rd, 2015 7:10am

Tom,

I am a little confused by this part of the question: "Will creating a site to site VPN where the remote network is the same as an interface on TMG, and where that interface is the public interface, work"

TMG is very capable of creating a site to site VPN where the two sides of the tunnel are TMG or it will also work with a 3rd party device as the other side.

Once you have the tunnel up and working though I would seriously consider routing and not NATting. Routing is much more flexible for network traffic. Regardless of which side of the tunnel you are on, there may be certain things you want to do that will not work well if NATted. The only problem I see you running into is that it looks as though your DMZ on side A and the Internal of B are using the same subnet (192.168.10.x). Not sure how big your network is, but it would probably be easier to change the subnet on your DMZ A.

Keith

March 25th, 2015 2:01pm
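
The two things both posts turn on, the DMZ/remote-site subnet clash and whether the TMG external address sits behind the ISP's NAT, can be checked mechanically before any tunnel is built. The script below is an added example, not code from the thread or from TMG; the topology is taken from the diagram in the question, while the network labels, the helper function names and the renumbering suggestion are my own assumptions.

```python
import ipaddress
from typing import NamedTuple


class Net(NamedTuple):
    name: str
    network: ipaddress.IPv4Network


# Constructed from the diagram in the question: networks TMG (side A) sees locally,
# and the network the WatchGuard (side B) will present as its protected range.
SIDE_A_LOCAL = [
    Net("Internal A", ipaddress.ip_network("10.10.10.0/24")),
    Net("Private DMZ (TMG external interface)", ipaddress.ip_network("192.168.10.0/24")),
]
SIDE_B_REMOTE = [
    Net("Internal B (behind WatchGuard)", ipaddress.ip_network("192.168.10.0/24")),
]


def find_overlaps(local, remote):
    """Pairs of (local name, remote name) whose ranges overlap.

    An overlap makes the IPsec traffic selectors ambiguous: the same destination
    could match a directly attached interface and the tunnel policy at once.
    """
    return [(l.name, r.name)
            for l in local for r in remote
            if l.network.overlaps(r.network)]


def needs_nat_traversal(local_endpoint, peer_endpoint):
    """NAT-T (IKE/ESP over UDP 4500) is required when either tunnel endpoint
    uses a private address, i.e. a NAT device sits between the two peers."""
    return (ipaddress.ip_address(local_endpoint).is_private
            or ipaddress.ip_address(peer_endpoint).is_private)


def suggest_free_private_24(used):
    """First /24 inside 192.168.0.0/16 that clashes with none of the given
    networks; a candidate for renumbering DMZ A as the answer recommends."""
    for candidate in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=24):
        if not any(candidate.overlaps(n.network) for n in used):
            return candidate
    return None


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SIDE_A_LOCAL, SIDE_B_REMOTE))
    print("NAT-T needed (TMG 192.168.10.1 -> peer 100.1.1.2):",
          needs_nat_traversal("192.168.10.1", "100.1.1.2"))
    print("free /24 for DMZ A:", suggest_free_private_24(SIDE_A_LOCAL + SIDE_B_REMOTE))
```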

Tom, Any update on this? Keith
March 27th, 2015 9:28am