Interesting problem with NAT and VPN (not the usual question)

I have a client who wishes to, effectively, become an ISP for the companies
that it works with, to do so it requires to provide ADSL with VPN routers at
the clients site and a VPN server at the base site. As many of my clients
clients run the same IP address range the spokes of the VPN connection will
all require to be NAT'd to unique IP address ranges when they get to the
main site (preferably before to save routing issues on the VPN server), each
of the spokes will require 1-1 NAT for upto 50 x 254 addresses as they will
be acting as servers and clients in communications. The spokes will need to
talk to each other (intra-client) and the clients will also require to be
talked to and talk to my clients HQ.

The above explanation is rough but hopefully good enough, if you think you
can help with my question and need more detail pls just ask.

The question I have is:

1) Can this setup be done with Cisco?
2) If so what kit would I require to get to make it work, this work is on a
tight budget as the company is small.
3) Has anybody done this before (I would expect so?)?
4) Does anyone have any examples of setups of the above?, although I've
followed Cisco for a while I'm effectively very new when it comes to
configuration and would really appreciate any help given, even if it's just
RTFM, as long as you point me at the right M to be reading!

Cheers,

Jim Westwood

 

:I have a client who wishes to, effectively, become an ISP for the companies
:that it works with,

:each of the spokes will require 1-1 NAT for upto 50 x 254 addresses as they

:The question I have is:

:1) Can this setup be done with Cisco?

Yes.

:2) If so what kit would I require to get to make it work, this work is on a
:tight budget as the company is small.

I'm unsure here: is that 50 clients each with a /24? Or is it
several clients, the largest of which uses 50 /24's?

To what extent do you need to protect the clients from each other?
If the answer is "none", then this is a task for a VPN concentrator.
If the answer is not "none" then you need firewalls or equivilent
in there.

Is it considered important to terminate all of the clients on the
same device? If so and if it is 50 clients, you would need
a device able to handle 50 VPN tunnels. To do that in a single
device you'd need at least a PIX 515E or one of the new ASA
series (not sure which model at the moment.)

If it is 50 clients each at ADSL speeds, and if you want to
provision for each of them running at peak speeds, then you
need to support a VPN encryption rate of 50 times the
sum of the ADSL upload and download rate. If the ADSL is 2/1
(2 megabit down, 4 megabit up), then that would be 50 x 3 = 150 megabits
per second of encryption, which is just barely within the official
rating of a PIX 525 with optional VAC+ card. If the ADSL is 4/2
then you would need twice that, and the only PIX that can support
300 megabits per second of encryption is the PIX 535, which is
certainly not suitable for a tight budget.

 

Thanks Walter for the quick reply.

In answer to your questions:

Each client may have 1 - 50 sites, each site will require to see each other
site. Individual clients should not be able to communicate with each other,
although individually all clients should be able to talk to my clients
network.

It's not vital although my client does have a limited amount of external IP
addresses. My client is starting small with maybe 1 client with upto 50
sites, the aim is to have 500 VPN's in total spread over many clients. In
short, multiple devices could be used.

The clients will initially be sending minimal transactional data across the
VPN but may also have to support remote support connections also, the
service will then be scaled up to allow full www/e-mail connectivity for the
clients if they require it.


Hope that helps.

As far as I'm aware due to the requirement to route into and out of the same
VPN device for clients talking to each others sites the PIX is ruled out as
it doesn't like comms going into and out of the same interface, am I wrong
in this assumption?

Cheers,

Jim.

 

:> To what extent do you need to protect the clients from each other?

:Each client may have 1 - 50 sites, each site will require to see each other
:site. Individual clients should not be able to communicate with each other,
:although individually all clients should be able to talk to my clients
:network.

:As far as I'm aware due to the requirement to route into and out of the same
:VPN device for clients talking to each others sites the PIX is ruled out as
:it doesn't like comms going into and out of the same interface, am I wrong
:in this assumption?

Your memory is not faulty, but your information is not up-to-date.

The PIX that would be able to handle a project such as this would
be the 515/515E, 525, or 535 (or possibly one of the new ASA series).
The 515/515E, 525, and 535 also happen to be the devices that support
the PIX 7.0 software that was released earlier this year. PIX 7.0
supports same-interface routing in the case where VPNs are involved.
PIX 7.0 also supports assigning security levels to VPN tunnels
and supports unrestricted communications between devices at the same
security level (with or without NAT), which would sound to be just
the thing to seperate the clients from each other.

Another possibility to look into is Cisco's relatively new
Dynamic Mesh feature for IOS, which can make setting up the clients
very easy.

 

Thanks Walter,

I'll look into a Pix 515E with v7 software, I wasn't aware that a 515 could
run v7, I presume it needs a memory upgrade of some sort? (sorry for my
ignorance here)

I'll also take a look at Dynamic Mesh, I'm all for making things easy!

Cheers,

Jim.

 

:I'll look into a Pix 515E with v7 software, I wasn't aware that a 515 could
:run v7, I presume it needs a memory upgrade of some sort?

New PIX515E arrive with enough memory for 7.0; even some of the
older ones have enough as well. A PIX515 (non-E) would need a memory
upgrade.

 

Thanks for all your help.

Jim.