Interesting problem with NAT and VPN (not the usual question)

Discussion in 'Cisco' started by Jim Westwood, Oct 15, 2005.

  1. Jim Westwood

    Jim Westwood Guest

    I have a client who wishes to, effectively, become an ISP for the companies
    that it works with; to do so it requires to provide ADSL with VPN routers at
    the clients' sites and a VPN server at the base site. As many of my client's
    clients run the same IP address range, the spokes of the VPN connection will
    all require to be NAT'd to unique IP address ranges when they get to the
    main site (preferably before, to save routing issues on the VPN server); each
    of the spokes will require 1-1 NAT for up to 50 x 254 addresses, as they will
    be acting as servers and clients in communications. The spokes will need to
    talk to each other (intra-client) and the clients will also require to be
    talked to and to talk to my client's HQ.

    The above explanation is rough but hopefully good enough; if you think you
    can help with my question and need more detail, please just ask.

    The question I have is:

    1) Can this setup be done with Cisco?
    2) If so, what kit would I require to get to make it work? This work is on a
    tight budget as the company is small.
    3) Has anybody done this before (I would expect so?)?
    4) Does anyone have any examples of setups of the above? Although I've
    followed Cisco for a while, I'm effectively very new when it comes to
    configuration and would really appreciate any help given, even if it's just
    RTFM, as long as you point me at the right M to be reading! :)

    Cheers,

    Jim Westwood
     
    Jim Westwood, Oct 15, 2005
    #1
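    An added example, not posted in the thread: the spoke side of the design described above, as an IOS router configuration that does the 1:1 network NAT on the spoke, before the packet enters the tunnel, so the hub only ever sees unique addresses. All names and addresses are assumptions: every site's LAN is the overlapping 192.168.1.0/24, client A's site 1 is presented to the hub as 10.11.1.0/24, HQ is 10.0.0.0/16 and the hub's outside address is 203.0.113.1.

```cisco
! Added example (not from the thread). Spoke router: client A, site 1.
! Assumed addressing: overlapping LAN 192.168.1.0/24 at every site,
! unique hub-facing range 10.11.<site>.0/24 per client A site,
! HQ = 10.0.0.0/16, hub outside address = 203.0.113.1.
!
interface Ethernet0
 description client A site 1 LAN (overlapping 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 description ADSL uplink
 ip address negotiated
 ip nat outside
 crypto map HUB
!
! 1:1 network translation of the whole /24: host 192.168.1.x <-> 10.11.1.x.
! Static (not PAT), so the hub and other spokes can open connections
! to servers at this site.
ip nat inside source static network 192.168.1.0 10.11.1.0 /24
!
! The crypto ACL matches the TRANSLATED source: on IOS, inside-to-outside
! NAT runs before the crypto map is evaluated on the egress interface.
! Destinations are HQ and every other spoke's translated range.
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.1.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 10.11.1.0 0.0.0.255 10.11.0.0 0.0.255.255
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
! Placeholder key; use a distinct pre-shared key per spoke.
crypto isakmp key SPOKE-A1-PSK address 203.0.113.1
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto map HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set AES-SHA
 match address VPN-TRAFFIC
!
! Default route carries both VPN-bound and plain traffic out the ADSL link.
ip route 0.0.0.0 0.0.0.0 Dialer1
```

    The point to check when this is deployed is the ordering: the crypto ACL and the hub's expectation of this spoke must both use 10.11.1.0/24. An ACL written against 192.168.1.0/24 never matches, because the packet has already been translated by the time the crypto map sees it, and the tunnel simply never comes up for that traffic.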

  2. :I have a client who wishes to, effectively, become an ISP for the companies
    :that it works with,

    :each of the spokes will require 1-1 NAT for upto 50 x 254 addresses as they

    :The question I have is:

    :1) Can this setup be done with Cisco?

    Yes.

    :2) If so what kit would I require to get to make it work, this work is on a
    :tight budget as the company is small.

    I'm unsure here: is that 50 clients each with a /24? Or is it
    several clients, the largest of which uses 50 /24's?

    To what extent do you need to protect the clients from each other?
    If the answer is "none", then this is a task for a VPN concentrator.
    If the answer is not "none", then you need firewalls or equivalent
    in there.

    Is it considered important to terminate all of the clients on the
    same device? If so and if it is 50 clients, you would need
    a device able to handle 50 VPN tunnels. To do that in a single
    device you'd need at least a PIX 515E or one of the new ASA
    series (not sure which model at the moment.)

    If it is 50 clients each at ADSL speeds, and if you want to
    provision for each of them running at peak speeds, then you
    need to support a VPN encryption rate of 50 times the
    sum of the ADSL upload and download rate. If the ADSL is 2/1
    (2 megabit down, 4 megabit up), then that would be 50 x 3 = 150 megabits
    per second of encryption, which is just barely within the official
    rating of a PIX 525 with optional VAC+ card. If the ADSL is 4/2
    then you would need twice that, and the only PIX that can support
    300 megabits per second of encryption is the PIX 535, which is
    certainly not suitable for a tight budget.
     
    Walter Roberson, Oct 15, 2005
    #2

  3. Jim Westwood

    Jim Westwood Guest

    Thanks Walter for the quick reply.

    In answer to your questions:
    Each client may have 1 - 50 sites; each site will require to see each other
    site. Individual clients should not be able to communicate with each other,
    although individually all clients should be able to talk to my client's
    network.
    It's not vital, although my client does have a limited number of external IP
    addresses. My client is starting small with maybe 1 client with up to 50
    sites; the aim is to have 500 VPNs in total spread over many clients. In
    short, multiple devices could be used.
    The clients will initially be sending minimal transactional data across the
    VPN but may also have to support remote support connections; the
    service will then be scaled up to allow full www/e-mail connectivity for the
    clients if they require it.


    Hope that helps.

    As far as I'm aware, due to the requirement to route into and out of the same
    VPN device for clients talking to each other's sites, the PIX is ruled out as
    it doesn't like comms going into and out of the same interface. Am I wrong
    in this assumption?

    Cheers,

    Jim.
     
    Jim Westwood, Oct 15, 2005
    #3
  4. :> To what extent do you need to protect the clients from each other?

    :Each client may have 1 - 50 sites, each site will require to see each other
    :site. Individual clients should not be able to communicate with each other,
    :although individually all clients should be able to talk to my clients
    :network.

    :As far as I'm aware due to the requirement to route into and out of the same
    :VPN device for clients talking to each others sites the PIX is ruled out as
    :it doesn't like comms going into and out of the same interface, am I wrong
    :in this assumption?

    Your memory is not faulty, but your information is not up-to-date.

    The PIX that would be able to handle a project such as this would
    be the 515/515E, 525, or 535 (or possibly one of the new ASA series).
    The 515/515E, 525, and 535 also happen to be the devices that support
    the PIX 7.0 software that was released earlier this year. PIX 7.0
    supports same-interface routing in the case where VPNs are involved.
    PIX 7.0 also supports assigning security levels to VPN tunnels
    and supports unrestricted communications between devices at the same
    security level (with or without NAT), which would sound to be just
    the thing to separate the clients from each other.

    Another possibility to look into is Cisco's relatively new
    Dynamic Mesh feature for IOS, which can make setting up the clients
    very easy.
     
    Walter Roberson, Oct 15, 2005
    #4
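    An added example, not posted in the thread: the hub side of the PIX 7.0 approach Walter describes, with spoke-to-spoke traffic allowed back out of the interface it arrived on, HQ exempted from NAT into the tunnels, and each client confined to its own translated ranges plus HQ. Interface names, addresses, the per-client group-policy with its vpn-filter, and static public addresses on the spokes are all assumptions; it pairs with a spoke that presents itself to the hub as 10.11.<site>.0/24, and uses 7.0's `isakmp policy` syntax.

```cisco
! Added example (not from the thread). Hub PIX 515E running 7.0.
! Assumed addressing: HQ 10.0.0.0/16 behind "inside"; client A's spokes
! use translated ranges in 10.11.0.0/16, client B's in 10.12.0.0/16.
! Spokes are assumed to have static public addresses; 198.51.100.11 is
! client A site 1. 203.0.113.254 is the assumed upstream gateway.
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Spoke-to-spoke traffic arrives decrypted on "outside" and must leave on
! "outside" again. Pre-7.0 PIX dropped this; 7.0 permits it with:
same-security-traffic permit intra-interface
!
! Decrypted IPsec traffic bypasses the outside interface access-list.
sysopt connection permit-ipsec
!
! HQ addresses must not be translated on their way into the tunnels.
access-list NONAT extended permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254
! Translated spoke ranges are reached via the outside interface (tunnels).
route outside 10.11.0.0 255.255.0.0 203.0.113.254
route outside 10.12.0.0 255.255.0.0 203.0.113.254
!
! Per-client tunnel filter. The PIX applies a vpn-filter ACL with the remote
! (spoke) side as the source, so client A's sites may reach other client A
! sites and HQ only; client B's 10.12.0.0/16 is absent and therefore denied.
access-list CLIENT-A-VPN extended permit ip 10.11.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list CLIENT-A-VPN extended permit ip 10.11.0.0 255.255.0.0 10.0.0.0 255.255.0.0
group-policy CLIENT-A internal
group-policy CLIENT-A attributes
 vpn-filter value CLIENT-A-VPN
!
! One tunnel-group per spoke, keyed on its public address, bound to the
! client's group-policy. Placeholder key; use a distinct key per spoke.
tunnel-group 198.51.100.11 type ipsec-l2l
tunnel-group 198.51.100.11 general-attributes
 default-group-policy CLIENT-A
tunnel-group 198.51.100.11 ipsec-attributes
 pre-shared-key SPOKE-A1-PSK
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
! Dynamic crypto map: spokes initiate, so the hub needs no per-spoke crypto
! ACL; the spoke's proxy identity (its translated /24) is accepted as offered.
crypto dynamic-map SPOKES 10 set transform-set AES-SHA
crypto map OUTSIDE 65535 ipsec-isakmp dynamic SPOKES
crypto map OUTSIDE interface outside
```

    Two things worth verifying on a lab box before trusting the separation: that a host at a client B spoke cannot reach 10.11.0.0/16 even though both tunnels terminate on the same interface (the vpn-filter, not the interface ACL, is what stops it once `sysopt connection permit-ipsec` is set), and that a client A spoke can reach another client A spoke, which fails with a "no route" or dropped-packet symptom if `same-security-traffic permit intra-interface` is missing.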
  5. Jim Westwood

    Jim Westwood Guest

    Thanks Walter,

    I'll look into a PIX 515E with v7 software. I wasn't aware that a 515 could
    run v7; I presume it needs a memory upgrade of some sort? (Sorry for my
    ignorance here.)

    I'll also take a look at Dynamic Mesh, I'm all for making things easy! :)

    Cheers,

    Jim.
     
    Jim Westwood, Oct 15, 2005
    #5
  6. :I'll look into a Pix 515E with v7 software, I wasn't aware that a 515 could
    :run v7, I presume it needs a memory upgrade of some sort?

    New PIX515E arrive with enough memory for 7.0; even some of the
    older ones have enough as well. A PIX515 (non-E) would need a memory
    upgrade.
     
    Walter Roberson, Oct 15, 2005
    #6
  7. Jim Westwood

    Jim Westwood Guest

    Thanks for all your help.

    Jim.
     
    Jim Westwood, Oct 15, 2005
    #7
