Screen OS

Hi, was looking for advise on using transparent mode Vs Nat mode. I have only generally used/deployed NAT mode in the past. 

I have a deployment to make where I can use either mode but wanted to understand if there were any limitations to using tranparent mode.  This deployment is at a small remote site with an ISP provided DSL router. The SSG20 will sit behind this router, I need to have a VPN tunnel back to the main office from the SSG20.  I can leave all as is at the remote site and drop in the SSG20 between the DSL router and local LAN in trasparent mode or move DSL router address to the FW trust interface and set up another subnet on interface from Untrust to router and run NAT mode (note Untrust interface will be a private address DSL router will be NATing).  Any best practise or suggestions ?  Thanks RK.

Hi,

If you dont need to do any NAT on the firewall then go with transparent mode. Major difference between transparent and route mode is not NAT and Routing supported in transparent mode. Other wise everything else is ther.

Only other thing to think about is that you would need to use aggressive move VPNs as the VPN in trasparent mode would need to authenticate via a ID rather than an IP address as it is sat behind a NAT device, which means that the VPN would always have to be started from the device behind the NAT device. Not a problem if you turn on VPN monitoring and Rekey as the VPN will always be up.

Also nice and easy to deply in transparent mode as you dont have to change any other addressing on devices, have done this a number of times for customers.

Hope this helps.

Andy

Other thing you could do is get a DSL card for the SSG20 and do away with the DSL router, make it even better

Then deploy it in route mode.

Andy

Thanks Andy.  Worked a treat.

could you please explain me how to configure aggressive movd VPNs on transparent mode with ssg20 on one side (behind adsl nat modem - dynamic ip) and another side ssg550 with static IP