State of VPN Pass Through on Cisco Routers?

Discussion in 'Cisco' started by mcarroll76@gmail.com, May 26, 2005.

  1. Guest

    I will be using a Cisco 2801 router and I would like to use NAT with a
    pool for a site. We will have to support outbound VPN connections of
    every possible variety (we have no control over what type of VPN our
    clients will be using). We also need to be able to support as many
    concurrent VPN connections as we can with the available pool of public
    IP addresses. It is not unreasonable to expect 300 users all
    connecting to the same VPN endpoint (although I will try to set up a
    hardware VPN endpoint onsite for most of those situations).

    So, my question is, will I run into any VPNs that will not work if I do
    set up NAT on the 2801? Normally we simply hand out public IP addresses
    to every user but in this case I want to offer a bit more security
    using VLANs. To do that I will need to be able to define many subnets
    for different areas of the property.

    Any thoughts are greatly appreciated.
     
    , May 26, 2005
    #1

  2. In article <>,
    wrote:

    > I will be using a Cisco 2801 router and I would like to use NAT with a
    > pool for a site. We will have to support outbound VPN connections of
    > every possible variety (we have no control over what type of VPN our
    > clients will be using). We also need to be able to support as many
    > concurrent VPN connections as we can with the available pool of public
    > IP addresses. It is not unreasonable to expect 300 users all
    > connecting to the same VPN endpoint (although I will try to set up a
    > hardware VPN endpoint onsite for most of those situations).
    >
    > So, my question is, will I run into any VPNs that will not work if I do
    > set up NAT on the 2801? Normally we simply hand out public IP addresses
    > to every user but in this case I want to offer a bit more security
    > using VLANs. To do that I will need to be able to define many subnets
    > for different areas of the property.
    >
    > Any thoughts are greatly appreciated.


    Are you going to be using NAT overload, or will every client get a
    different NAT address? VPNs can run into problems with overloaded NAT,
    because the standard IPSEC protocols don't have port numbers to
    distinguish the tunnels.

    To deal with this problem, many VPN implementations offer a feature
    called "NAT Traversal" or "UDP Encapsulation".

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, May 27, 2005
    #2

  3. Guest

    I will be using a NAT pool of public IP addresses so generally each
    user will have a routable IP address. I am also looking to see if there
    can be overloads with the pool in case we run out of public addresses.

    Given that I will be using a pool of public addresses are there any
    VPNs that still might have a problem? I can't expect everyone to have
    NAT Traversal support so I will have a decent amount of public IP
    addresses available to the NAT pool.
     
    , Jun 8, 2005
    #3
  4. In article <>,
    <> wrote:
    :Given that I will be using a pool of public addresses are there any
    :VPNs that still might have a problem? I can't expect everyone to have
    :NAT Traversal support so I will have a decent amount of public IP
    :addresses available to the NAT pool.

    If your client's VPN endpoints happen to be configured to use AH
    (authentication header) and they do not happen to have NAT Traversal
    support, then you will have problems with using a 1-to-1 NAT pool.

    For AH without NAT-T to work, the external IP for the host must be the
    same as the internal IP for it.
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
     
    Walter Roberson, Jun 8, 2005
    #4
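A toy model, added here as an example and not written by any of the posters, of the two failure modes the replies describe: a 1-to-1 NAT pool rewriting the source address of an AH packet (the AH ICV covers that address, so the peer's check fails, while ESP's ICV does not cover the outer header and survives), and an overloaded NAT having no port to key replies on for raw ESP/AH, unlike UDP-encapsulated NAT-T. The key, addresses, packet dicts and flow records are all constructed for the example.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-shared-key"   # constructed sample key, not from the thread
AH, ESP, UDP = 51, 50, 17         # IP protocol numbers

def ah_icv(src, dst, payload):
    """AH ICV (RFC 4302): the MAC covers immutable IP header fields such as
    source/destination address; mutable ones (TTL, checksum) are zeroed."""
    covered = (ipaddress.IPv4Address(src).packed
               + ipaddress.IPv4Address(dst).packed
               + struct.pack("!BB", AH, 0))       # protocol, zeroed TTL
    return hmac.new(KEY, covered + payload, hashlib.sha256).digest()[:12]

def esp_icv(payload):
    """ESP ICV: covers only the ESP header and payload, never the outer IP."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]

def nat_1to1(pkt, public_ip):
    """Pool (1-to-1) NAT: rewrite the source address and decrement the TTL."""
    out = dict(pkt)
    out["src"], out["ttl"] = public_ip, pkt["ttl"] - 1
    return out

def ah_verifies_after_nat(inside_ip, public_ip, peer_ip, payload=b"data"):
    """Does the peer's AH check pass after the packet crossed the NAT?"""
    pkt = {"src": inside_ip, "dst": peer_ip, "ttl": 64, "proto": AH,
           "icv": ah_icv(inside_ip, peer_ip, payload), "data": payload}
    arrived = nat_1to1(pkt, public_ip)
    expected = ah_icv(arrived["src"], arrived["dst"], arrived["data"])
    return hmac.compare_digest(arrived["icv"], expected)

def esp_verifies_after_nat(inside_ip, public_ip, peer_ip, payload=b"data"):
    """Same crossing for ESP: the outer address is not authenticated."""
    pkt = {"src": inside_ip, "dst": peer_ip, "ttl": 64, "proto": ESP,
           "icv": esp_icv(payload), "data": payload}
    arrived = nat_1to1(pkt, public_ip)
    return hmac.compare_digest(arrived["icv"], esp_icv(arrived["data"]))

def pat_distinguishable_flows(flows):
    """Overloaded (PAT) NAT: count outbound flows that get a unique reply key.
    UDP (NAT-T) gets a fresh translated port; raw ESP/AH have no port."""
    table, next_port = {}, 40000
    for f in flows:
        if f["proto"] == UDP:
            key, next_port = (UDP, f["dst"], next_port), next_port + 1
        else:
            key = (f["proto"], f["dst"], None)
        table.setdefault(key, f["src"])   # later colliding flows are lost
    return len(table)
```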
