Velocity Reviews > Newsgroups > Computing > Cisco
Interesting problem with NAT and VPN (not the usual question)

Jim Westwood, 10-15-2005
I have a client who wishes to, effectively, become an ISP for the companies
that it works with. To do so it needs to provide ADSL with VPN routers at
the clients' sites and a VPN server at the base site. As many of my client's
clients run the same IP address range, the spokes of the VPN connection will
all need to be NAT'd to unique IP address ranges when they get to the
main site (preferably before, to save routing issues on the VPN server). Each
of the spokes will require 1-1 NAT for up to 50 x 254 addresses, as they will
be acting as servers and clients in communications. The spokes will need to
talk to each other (intra-client), and the clients will also need to be
talked to by, and talk to, my client's HQ.

The above explanation is rough but hopefully good enough; if you think you
can help with my question and need more detail, please just ask.

The questions I have are:

1) Can this setup be done with Cisco?
2) If so, what kit would I require to make it work? This work is on a
tight budget as the company is small.
3) Has anybody done this before (I would expect so?)?
4) Does anyone have any examples of setups of the above? Although I've
followed Cisco for a while, I'm effectively very new when it comes to
configuration and would really appreciate any help given, even if it's just
RTFM, as long as you point me at the right M to be reading!

Cheers,

Jim Westwood
Walter Roberson, 10-15-2005
In article <43511a2e$0$73599$(E-Mail Removed)>,
Jim Westwood <(E-Mail Removed)> wrote:
:I have a client who wishes to, effectively, become an ISP for the companies
:that it works with,

:each of the spokes will require 1-1 NAT for up to 50 x 254 addresses as they

:The question I have is:

:1) Can this setup be done with Cisco?

Yes.

:2) If so what kit would I require to get to make it work, this work is on a
:tight budget as the company is small.

I'm unsure here: is that 50 clients each with a /24? Or is it
several clients, the largest of which uses 50 /24's?

To what extent do you need to protect the clients from each other?
If the answer is "none", then this is a task for a VPN concentrator.
If the answer is not "none" then you need firewalls or equivalent
in there.

Is it considered important to terminate all of the clients on the
same device? If so and if it is 50 clients, you would need
a device able to handle 50 VPN tunnels. To do that in a single
device you'd need at least a PIX 515E or one of the new ASA
series (not sure which model at the moment.)

If it is 50 clients each at ADSL speeds, and if you want to
provision for each of them running at peak speeds, then you
need to support a VPN encryption rate of 50 times the
sum of the ADSL upload and download rate. If the ADSL is 2/1
(2 megabit down, 4 megabit up), then that would be 50 x 3 = 150 megabits
per second of encryption, which is just barely within the official
rating of a PIX 525 with optional VAC+ card. If the ADSL is 4/2
then you would need twice that, and the only PIX that can support
300 megabits per second of encryption is the PIX 535, which is
certainly not suitable for a tight budget.

--
"It is important to remember that when it comes to law, computers
never make copies, only human beings make copies. Computers are given
commands, not permission. Only people can be given permission."
-- Brad Templeton
Jim Westwood, 10-15-2005
Thanks Walter for the quick reply.

In answer to your questions:

> To what extent do you need to protect the clients from each other?


Each client may have 1-50 sites, and each site will need to see each other
site. Individual clients should not be able to communicate with each other,
although individually all clients should be able to talk to my client's
network.

> Is it considered important to terminate all of the clients on the same
> device?


It's not vital, although my client does have a limited number of external IP
addresses. My client is starting small with maybe 1 client with up to 50
sites; the aim is to have 500 VPNs in total spread over many clients. In
short, multiple devices could be used.

> If it is 50 clients each at ADSL speeds


The clients will initially be sending minimal transactional data across the
VPN but may also have to support remote support connections; the
service will then be scaled up to allow full www/e-mail connectivity for the
clients if they require it.


Hope that helps.

As far as I'm aware, due to the requirement to route into and out of the same
VPN device for clients talking to each other's sites, the PIX is ruled out as
it doesn't like comms going into and out of the same interface. Am I wrong
in this assumption?

Cheers,

Jim.

Walter Roberson, 10-15-2005
In article <435127ba$0$49795$(E-Mail Removed)>,
Jim Westwood <(E-Mail Removed)> wrote:
:> To what extent do you need to protect the clients from each other?

:Each client may have 1-50 sites, and each site will need to see each other
:site. Individual clients should not be able to communicate with each other,
:although individually all clients should be able to talk to my client's
:network.

:As far as I'm aware, due to the requirement to route into and out of the same
:VPN device for clients talking to each other's sites, the PIX is ruled out as
:it doesn't like comms going into and out of the same interface. Am I wrong
:in this assumption?

Your memory is not faulty, but your information is not up-to-date.

The PIX that would be able to handle a project such as this would
be the 515/515E, 525, or 535 (or possibly one of the new ASA series).
The 515/515E, 525, and 535 also happen to be the devices that support
the PIX 7.0 software that was released earlier this year. PIX 7.0
supports same-interface routing in the case where VPNs are involved.
PIX 7.0 also supports assigning security levels to VPN tunnels
and supports unrestricted communications between devices at the same
security level (with or without NAT), which would sound to be just
the thing to separate the clients from each other.

Another possibility to look into is Cisco's relatively new
Dynamic Mesh feature for IOS, which can make setting up the clients
very easy.
--
Is there any thing whereof it may be said, See, this is new? It hath
been already of old time, which was before us. -- Ecclesiastes
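As an added example that is not configuration from this thread (and not Cisco's code), the following Python planner models the addressing problem stated in the original post and the isolation rule discussed in the reply above: every spoke keeps its own internal /24s, each one is mapped host-for-host onto a unique /24 drawn from a pool (the poster's "1-1 NAT"), and the reachability policy is that sites of one client may talk to each other and to HQ but never to another client's sites. The pool, the HQ network, the client names and every address are constructed for the example.

```python
"""Plan host-for-host (1:1) NAT for hub-and-spoke sites whose internal
address ranges overlap, and check the per-client isolation policy.
Constructed example; all networks and names are made up."""
from ipaddress import IPv4Address, ip_network

HQ = "hq"  # label for the hub's own, untranslated network


class NatPlan:
    """Assigns each (client, site, internal /24) a unique translated /24
    from a pool and translates addresses in both directions."""

    def __init__(self, pool: str, hq_net: str):
        self.pool = ip_network(pool)
        self.hq_net = ip_network(hq_net)
        if self.pool.overlaps(self.hq_net):
            raise ValueError("NAT pool must not overlap the HQ network")
        self._free = self.pool.subnets(new_prefix=24)  # unused /24s, in order
        self.sites = {}          # (client, site) -> [(internal /24, translated /24)]
        self.by_translated = {}  # translated /24 -> (client, site, internal /24)

    def add_site(self, client: str, site: str, internal_nets):
        """Reserve one translated /24 per internal /24; returns them as strings."""
        key = (client, site)
        if key in self.sites:
            raise ValueError(f"site {key} already planned")
        entries = []
        for net in (ip_network(n) for n in internal_nets):
            if net.prefixlen != 24:
                raise ValueError(f"{net}: only /24 internal ranges are planned here")
            translated = next(self._free, None)
            if translated is None:
                raise RuntimeError("translated-address pool exhausted")
            entries.append((net, translated))
            self.by_translated[translated] = (client, site, net)
        self.sites[key] = entries
        return [str(t) for _, t in entries]

    @staticmethod
    def _shift(addr, src, dst):
        # Host-for-host mapping: keep the host offset, swap the network part.
        return IPv4Address(int(dst.network_address) + (int(addr) - int(src.network_address)))

    def to_translated(self, client: str, site: str, addr: str) -> IPv4Address:
        """Internal address at a given site -> its unique translated address."""
        addr = IPv4Address(addr)
        for internal, translated in self.sites[(client, site)]:
            if addr in internal:
                return self._shift(addr, internal, translated)
        raise ValueError(f"{addr} is not in a planned range of {(client, site)}")

    def to_internal(self, addr: str):
        """Translated address -> (client, site, internal address)."""
        addr = IPv4Address(addr)
        owner = self.by_translated.get(ip_network(f"{addr}/24", strict=False))
        if owner is None:
            raise ValueError(f"{addr} is not a translated address")
        client, site, internal = owner
        return client, site, self._shift(addr, ip_network(f"{addr}/24", strict=False), internal)

    def owner(self, addr: str) -> str:
        """Which client a translated (or HQ) address belongs to."""
        if IPv4Address(addr) in self.hq_net:
            return HQ
        return self.to_internal(addr)[0]

    def may_talk(self, src: str, dst: str) -> bool:
        """Policy from the thread: same client's sites may talk to each other,
        anyone may talk to HQ, different clients are isolated."""
        a, b = self.owner(src), self.owner(dst)
        return a == b or HQ in (a, b)


if __name__ == "__main__":
    plan = NatPlan(pool="172.20.0.0/16", hq_net="10.250.0.0/24")
    # Two different clients both use 192.168.1.0/24 internally.
    print(plan.add_site("acme", "london", ["192.168.1.0/24"]))
    print(plan.add_site("acme", "leeds", ["192.168.1.0/24", "192.168.2.0/24"]))
    print(plan.add_site("bolt", "paris", ["192.168.1.0/24"]))
    print(plan.to_translated("acme", "london", "192.168.1.10"),
          plan.to_translated("bolt", "paris", "192.168.1.10"))
    print(plan.may_talk("172.20.0.10", "172.20.3.10"))  # different clients
```

Because the translated pool is a plain /16 carved into /24s, a single client with 50 sites of one /24 each consumes 50 of the 256 available blocks; the pool size, not the device, is the first thing to plan when the total grows toward the 500 VPNs mentioned later in the thread.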
Jim Westwood, 10-15-2005
Thanks Walter,

I'll look into a PIX 515E with v7 software. I wasn't aware that a 515 could
run v7; I presume it needs a memory upgrade of some sort? (Sorry for my
ignorance here.)

I'll also take a look at Dynamic Mesh, I'm all for making things easy!

Cheers,

Jim.

Walter Roberson, 10-15-2005
In article <435132db$0$49805$(E-Mail Removed)>,
Jim Westwood <(E-Mail Removed)> wrote:
:I'll look into a Pix 515E with v7 software, I wasn't aware that a 515 could
:run v7, I presume it needs a memory upgrade of some sort?

New PIX 515Es arrive with enough memory for 7.0; even some of the
older ones have enough as well. A PIX 515 (non-E) would need a memory
upgrade.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
Jim Westwood, 10-15-2005
Thanks for all your help.

Jim.