I have a client that currently has Bordermanager VPN 3.6 that is used as a Client to Site VPN. They do not have enterprise edition, they only have the VPN portion of the software. They have a Cisco router performing some firewall filtering, but Bordermanager performs the Network Address translation for the whole LAN. Internally, it is one flat network with no additional routing. It is my understanding that if BM 3.6 is behind a firewall that does NAT/PAT then the VPN will not work anymore even with a static address translation through the firewall.

The organization wants to put a Cisco PIX firewall in place and have it do NAT/PAT. I need to find a way to keep the Bordermanager working. I would like validation that my idea will work or see if anyone else has a better way of doing it.

Option 1:
Keep all IP addressing on Bordermanager the same and wrap it around the new firewall. I thought that the Internet router would have all and access lists turned off. It would just route Internet traffic. It would not perform NAT. Then it would connect to an internal Ethernet perimeter switch. That switch would have the new Cisco PIX firewall and the existing Bordermanager connected to it. Both would have valid, external Internet IP addresses and be outside the firewall. The Internal and External IPs on Bordermanager would stay the same, but all the internal PC default gateways would be changed to point to the new PIX firewall's internal IP address instead of the Bordermanager internal address. The PIX would perform all address translation for internal PCs.

Will this affect the operation of the VPN? It will still have the external IP address, but it will not be performing NAT for the network anymore. I am hoping that since the VPN clients would still be connecting to the same IP address and since the Bordermanager server would not be behind a NAT device that it should continue to work with changes to the Bordermanager server. The only real difference is that it would no longer do NAT and route traffic for the rest of the internal

Does this sound like a workable solution? Are there any pitfalls I should watch out for? Is there a reference in documentation with this scenario? Will this cause any security problems? I am assuming that Bordermanager will deny all inbound traffic unless it is VPN traffic.

Thanks for any assistance!

Josh Krueger