User guide
Configuring Virtual Private Networks
146 WatchGuard Firebox X Edge
have a public IP address. If that is not possible, use this section for
more information.
Devices that do NAT usually have some basic firewall features built
in. To make a VPN tunnel to your Firebox X Edge when the Edge is
behind a device that does NAT, the NAT device must let the IPSec
traffic through to the Edge. These ports and protocols must be open
on the NAT device:
• UDP port 500 (IKE)
• UDP port 4500 (NAT Traversal)
• IP protocol 50 (ESP)
When NAT Traversal is negotiated, the ESP packets are encapsulated in
UDP on port 4500, so the NAT device must pass UDP port 4500 even if it
cannot forward IP protocol 50 (which carries no port numbers). Speak
to the NAT device’s manufacturer for information on opening these
ports and protocols.
If your Edge’s external interface has a private IP address, you cannot
use IP Address as the local ID type in the Phase 1 settings. Private IP
addresses are not routable on the Internet, so the remote device
cannot reach your Edge’s private external IP address and cannot use it
to identify the Edge.
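The guide leaves the NAT device configuration to its manufacturer. As an added example (not from the WatchGuard guide), the script below shows what the required passthrough looks like on a Linux router that uses iptables as its NAT device; the router's WAN interface name and the Edge's private external address are assumed values. It also checks that the Edge address is a private (RFC 1918) address, which is the case this section describes. The rules are only printed unless APPLY=1 is set, so it can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example: IKE/NAT-T/ESP passthrough on a Linux iptables NAT router
# in front of a Firebox X Edge. Assumptions (not from the guide): the NAT
# device runs Linux with iptables, its WAN interface is "$2", and the
# Edge's external interface has the private address "$1".

# Return 0 when the address is in one of the RFC 1918 private ranges.
is_rfc1918() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Print the iptables commands that forward the three flows the guide
# lists (UDP 500, UDP 4500, IP protocol 50) to the Edge's private address.
# ESP has no port numbers, so only one inside host can receive it; with
# NAT-T negotiated the ESP packets travel inside UDP 4500 anyway.
vpn_passthrough_rules() {
    edge_ip="$1"
    wan_if="$2"
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan_if -p udp --dport 500 -j DNAT --to-destination $edge_ip:500
iptables -t nat -A PREROUTING -i $wan_if -p udp --dport 4500 -j DNAT --to-destination $edge_ip:4500
iptables -t nat -A PREROUTING -i $wan_if -p esp -j DNAT --to-destination $edge_ip
iptables -A FORWARD -i $wan_if -d $edge_ip -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $wan_if -d $edge_ip -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i $wan_if -d $edge_ip -p esp -j ACCEPT
EOF
}

# Usage: sh passthrough.sh <edge-private-ip> <wan-interface>   (prints rules)
#        APPLY=1 sh passthrough.sh <edge-private-ip> <wan-interface>   (applies them)
if [ "$#" -ge 2 ]; then
    if ! is_rfc1918 "$1"; then
        echo "warning: $1 is not an RFC 1918 address; is the Edge really behind NAT?" >&2
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        vpn_passthrough_rules "$1" "$2" | sh
    else
        vpn_passthrough_rules "$1" "$2"
    fi
fi
```

The FORWARD rules matter when the router's default forward policy is DROP; the DNAT rules alone only rewrite the destination. On routers whose firmware cannot forward IP protocol 50 at all, keeping NAT Traversal enabled on both VPN peers is what makes the tunnel work, because the ESP then arrives on UDP port 4500.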
• If the NAT device to which the Edge is connected has a dynamic
public IP address:
- You must first set the NAT device to Bridge Mode. In Bridge Mode,
the NAT device passes the public IP address through, and the Edge
gets that public IP address on its external interface. Refer to the
manufacturer of your NAT device for more information.
- Then, set up Dynamic DNS on the Edge. For information, see
“Registering with the Dynamic DNS Service” on page 66. In the
Phase 1 settings of the Manual VPN, set the local ID type to
Domain Name. Enter the DynDNS domain name as the Local
ID. The remote device must identify your Edge by domain
name and it must use your Edge’s DynDNS domain name in its
Phase 1 setup.
• If the NAT device to which the Edge is connected has a static
public IP address:
- In the Phase 1 settings of the Manual VPN, set the local ID
type drop-down list to Domain Name. Enter the public IP
address assigned to the NAT device’s external interface as the
local ID. The remote device must identify your Edge by domain