I don’t know much about this firebox device but it looks like a small internet firewall.
If you weren’t NATing with your router your setup would resemble what I built for our college. The outer openbsd firewall screens the DMZ and allows VPNs to the PIX behind the DMZ. I had to open all UDP ports and ESP for standard and encapsulated VPNs to get through. The clients get IP addresses on the network behind the PIX.
NAT on your router is a significant problem unless your VPN solution encapsulates the packets within UDP or TCP. Without encapsulation, NAT anywhere between the client and VPN server will break your VPNs. On our PIX TCP encapsulation didn’t work so I had to use UDP. That is why I opened all UDP ports. Since we don’t NAT in our college, the reason we do encapsulation is to accomodate home users who have NAT on their internet connection.
If you had a “normal setup” you would have to allow ESP and ISAKMP as a minimum.
How big is your network? Could you substitute your firewall for the 1721? In some ways the ideal place for a VPN server is where the NAT occurs.
rt