Interesting problem with NAT and VPN (not the usual question)

Discussion in 'Cisco' started by Jim Westwood, Oct 15, 2005.

  1. Jim Westwood

    Jim Westwood Guest

    I have a client who wishes to, effectively, become an ISP for the companies
    that it works with. To do so it needs to provide ADSL with VPN routers at
    the clients' sites and a VPN server at the base site. As many of my client's
    clients run the same IP address range, the spokes of the VPN connection will
    all need to be NAT'd to unique IP address ranges when they get to the
    main site (preferably before, to save routing issues on the VPN server). Each
    of the spokes will require 1-1 NAT for up to 50 x 254 addresses as they will
    be acting as servers and clients in communications. The spokes will need to
    talk to each other (intra-client) and the clients will also need to be
    talked to by, and talk to, my client's HQ.

    The above explanation is rough but hopefully good enough; if you think you
    can help with my question and need more detail, please just ask.

    The question I have is:

    1) Can this setup be done with Cisco?
    2) If so what kit would I require to get to make it work, this work is on a
    tight budget as the company is small.
    3) Has anybody done this before (I would expect so?)?
    4) Does anyone have any examples of setups of the above? Although I've
    followed Cisco for a while I'm effectively very new when it comes to
    configuration and would really appreciate any help given, even if it's just
    RTFM, as long as you point me at the right M to be reading! :)

    Cheers,

    Jim Westwood
     
    Jim Westwood, Oct 15, 2005
    #1
  2. In article <43511a2e$0$73599$>,
    Jim Westwood <> wrote:
    :I have a client who wishes to, effectively, become an ISP for the companies
    :that it works with,

    :each of the spokes will require 1-1 NAT for upto 50 x 254 addresses as they

    :The question I have is:

    :1) Can this setup be done with Cisco?

    Yes.

    :2) If so what kit would I require to get to make it work, this work is on a
    :tight budget as the company is small.

    I'm unsure here: is that 50 clients each with a /24? Or is it
    several clients, the largest of which uses 50 /24's?

    To what extent do you need to protect the clients from each other?
    If the answer is "none", then this is a task for a VPN concentrator.
    If the answer is not "none" then you need firewalls or equivalent
    in there.

    Is it considered important to terminate all of the clients on the
    same device? If so and if it is 50 clients, you would need
    a device able to handle 50 VPN tunnels. To do that in a single
    device you'd need at least a PIX 515E or one of the new ASA
    series (not sure which model at the moment.)

    If it is 50 clients each at ADSL speeds, and if you want to
    provision for each of them running at peak speeds, then you
    need to support a VPN encryption rate of 50 times the
    sum of the ADSL upload and download rate. If the ADSL is 2/1
    (2 megabit down, 4 megabit up), then that would be 50 x 3 = 150 megabits
    per second of encryption, which is just barely within the official
    rating of a PIX 525 with optional VAC+ card. If the ADSL is 4/2
    then you would need twice that, and the only PIX that can support
    300 megabits per second of encryption is the PIX 535, which is
    certainly not suitable for a tight budget.

    --
    "It is important to remember that when it comes to law, computers
    never make copies, only human beings make copies. Computers are given
    commands, not permission. Only people can be given permission."
    -- Brad Templeton
     
    Walter Roberson, Oct 15, 2005
    #2

  3. Jim Westwood

    Jim Westwood Guest

    Thanks Walter for the quick reply.

    In answer to your questions:

    > To what extent do you need to protect the clients from each other?


    Each client may have 1 - 50 sites, and each site will need to see each other
    site. Individual clients should not be able to communicate with each other,
    although individually all clients should be able to talk to my client's
    network.

    > Is it considered important to terminate all of the clients on the same
    > device?


    It's not vital, although my client does have a limited amount of external IP
    addresses. My client is starting small with maybe 1 client with up to 50
    sites; the aim is to have 500 VPNs in total spread over many clients. In
    short, multiple devices could be used.

    > If it is 50 clients each at ADSL speeds


    The clients will initially be sending minimal transactional data across the
    VPN but may also have to support remote support connections; the
    service will then be scaled up to allow full www/e-mail connectivity for the
    clients if they require it.


    Hope that helps.

    As far as I'm aware, due to the requirement to route into and out of the same
    VPN device for clients talking to each other's sites, the PIX is ruled out as
    it doesn't like comms going into and out of the same interface. Am I wrong
    in this assumption?

    Cheers,

    Jim.
     
    Jim Westwood, Oct 15, 2005
    #3
  4. In article <435127ba$0$49795$>,
    Jim Westwood <> wrote:
    :> To what extent do you need to protect the clients from each other?

    :Each client may have 1 - 50 sites, each site will require to see each other
    :site. Individual clients should not be able to communicate with each other,
    :although individually all clients should be able to talk to my clients
    :network.

    :As far as I'm aware due to the requirement to route into and out of the same
    :VPN device for clients talking to each others sites the PIX is ruled out as
    :it doesn't like comms going into and out of the same interface, am I wrong
    :in this assumption?

    Your memory is not faulty, but your information is not up-to-date.

    The PIX that would be able to handle a project such as this would
    be the 515/515E, 525, or 535 (or possibly one of the new ASA series).
    The 515/515E, 525, and 535 also happen to be the devices that support
    the PIX 7.0 software that was released earlier this year. PIX 7.0
    supports same-interface routing in the case where VPNs are involved.
    PIX 7.0 also supports assigning security levels to VPN tunnels
    and supports unrestricted communications between devices at the same
    security level (with or without NAT), which would sound to be just
    the thing to separate the clients from each other.

    Another possibility to look into is Cisco's relatively new
    Dynamic Mesh feature for IOS, which can make setting up the clients
    very easy.
    --
    Is there any thing whereof it may be said, See, this is new? It hath
    been already of old time, which was before us. -- Ecclesiastes
     
    Walter Roberson, Oct 15, 2005
    #4
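    The design the thread converges on, modelled in Python as an added example: every spoke LAN uses the same overlapping range, so each site is 1:1 NAT'd to its own unique /24 before reaching the hub, and the hub then enforces the isolation rule from posts #3 and #4 (a client's sites reach each other and HQ, never another client). This is not Cisco configuration or anything the posters wrote; the address ranges, client names and site list are constructed assumptions.

```python
import ipaddress

HQ_NET = ipaddress.ip_network("10.0.0.0/24")       # assumed HQ range behind the hub
NAT_POOL = ipaddress.ip_network("10.100.0.0/16")   # assumed pool of unique /24s
SITE_LAN = ipaddress.ip_network("192.168.1.0/24")  # the overlapping LAN at every spoke

# (client, site) pairs in onboarding order; constructed sample data.
SITES = [("acme", "london"), ("acme", "leeds"), ("globex", "paris")]


def build_nat_table(sites):
    """Give each spoke the next unused /24 from NAT_POOL: one unique global
    range per site, so the whole 254-host LAN maps 1:1 onto it."""
    return dict(zip(sites, NAT_POOL.subnets(new_prefix=24)))


def translate(site, private_ip, nat):
    """1:1 NAT: keep the host offset, swap the network part for the
    site's unique /24 (what a static netmask-style translation does)."""
    private_ip = ipaddress.ip_address(private_ip)
    if private_ip not in SITE_LAN:
        raise ValueError(f"{private_ip} is not in the spoke LAN {SITE_LAN}")
    return nat[site].network_address + (int(private_ip) - int(SITE_LAN.network_address))


def owner_of(global_ip, nat):
    """Reverse lookup on the hub: which (client, site) does a translated
    address belong to? HQ addresses are tagged with client 'hq'."""
    global_ip = ipaddress.ip_address(global_ip)
    if global_ip in HQ_NET:
        return ("hq", "hq")
    for site, subnet in nat.items():
        if global_ip in subnet:
            return site
    return None


def allowed(src_ip, dst_ip, nat):
    """Hub policy from the thread: HQ talks to every site, sites of one
    client talk to each other, and anything crossing a client boundary
    is dropped. Unknown (untranslated) addresses fail closed."""
    src, dst = owner_of(src_ip, nat), owner_of(dst_ip, nat)
    if src is None or dst is None:
        return False
    return "hq" in (src[0], dst[0]) or src[0] == dst[0]
```

    An untranslated 192.168.1.x address arriving at the hub is rejected by the policy, which is the failure mode the NAT-before-the-hub requirement is meant to prevent.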
  5. Jim Westwood

    Jim Westwood Guest

    Thanks Walter,

    I'll look into a Pix 515E with v7 software, I wasn't aware that a 515 could
    run v7, I presume it needs a memory upgrade of some sort? (sorry for my
    ignorance here)

    I'll also take a look at Dynamic Mesh, I'm all for making things easy! :)

    Cheers,

    Jim.
     
    Jim Westwood, Oct 15, 2005
    #5
  6. In article <435132db$0$49805$>,
    Jim Westwood <> wrote:
    :I'll look into a Pix 515E with v7 software, I wasn't aware that a 515 could
    :run v7, I presume it needs a memory upgrade of some sort?

    New PIX515E arrive with enough memory for 7.0; even some of the
    older ones have enough as well. A PIX515 (non-E) would need a memory
    upgrade.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
     
    Walter Roberson, Oct 15, 2005
    #6
  7. Jim Westwood

    Jim Westwood Guest

    Thanks for all your help.

    Jim.
     
    Jim Westwood, Oct 15, 2005
    #7
