Interesting problem with NAT and VPN (not the usual question)

I have a client who wishes to, effectively, become an ISP for the companies that it works with. To do so it requires providing ADSL with VPN routers at the clients' sites and a VPN server at the base site. As many of my client's clients run the same IP address range, the spokes of the VPN connection will all require to be NAT'd to unique IP address ranges when they get to the main site (preferably before, to save routing issues on the VPN server); each of the spokes will require 1-1 NAT for up to 50 x 254 addresses as they will be acting as servers and clients in communications. The spokes will need to talk to each other (intra-client) and the clients will also require to be talked to and to talk to my client's HQ.

The above explanation is rough but hopefully good enough; if you think you can help with my question and need more detail please just ask.

The questions I have are:

1) Can this setup be done with Cisco?
2) If so, what kit would I require to get to make it work? This work is on a tight budget as the company is small.
3) Has anybody done this before (I would expect so)?
4) Does anyone have any examples of setups of the above? Although I've followed Cisco for a while I'm effectively very new when it comes to configuration and would really appreciate any help given, even if it's just RTFM, as long as you point me at the right M to be reading! :-)

Cheers,

Jim Westwood


In article , Jim Westwood wrote:
:I have a client who wishes to, effectively, become an ISP for the companies
:that it works with,

:each of the spokes will require 1-1 NAT for upto 50 x 254 addresses as they

:The question I have is:

:1) Can this setup be done with Cisco?

Yes.

:2) If so what kit would I require to get to make it work, this work is on a
:tight budget as the company is small.

I'm unsure here: is that 50 clients each with a /24? Or is it several clients, the largest of which uses 50 /24's?

To what extent do you need to protect the clients from each other? If the answer is "none", then this is a task for a VPN concentrator. If the answer is not "none" then you need firewalls or equivalent in there.

Is it considered important to terminate all of the clients on the same device? If so and if it is 50 clients, you would need a device able to handle 50 VPN tunnels. To do that in a single device you'd need at least a PIX 515E or one of the new ASA series (not sure which model at the moment.)

If it is 50 clients each at ADSL speeds, and if you want to provision for each of them running at peak speeds, then you need to support a VPN encryption rate of 50 times the sum of the ADSL upload and download rate. If the ADSL is 2/1 (2 megabit down, 1 megabit up), then that would be 50 x 3 = 150 megabits per second of encryption, which is just barely within the official rating of a PIX 525 with optional VAC+ card. If the ADSL is 4/2 then you would need twice that, and the only PIX that can support 300 megabits per second of encryption is the PIX 535, which is certainly not suitable for a tight budget.
Walter Roberson

Thanks Walter for the quick reply.

In answer to your questions:

Each client may have 1 - 50 sites, and each site will require to see each other site. Individual clients should not be able to communicate with each other, although individually all clients should be able to talk to my client's network.

It's not vital, although my client does have a limited amount of external IP addresses. My client is starting small with maybe 1 client with up to 50 sites; the aim is to have 500 VPNs in total spread over many clients. In short, multiple devices could be used.

The clients will initially be sending minimal transactional data across the VPN but may also have to support remote support connections; the service will then be scaled up to allow full www/e-mail connectivity for the clients if they require it.

Hope that helps.

As far as I'm aware, due to the requirement to route into and out of the same VPN device for clients talking to each other's sites, the PIX is ruled out as it doesn't like comms going into and out of the same interface. Am I wrong in this assumption?

Cheers,

Jim.


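As an added illustration (not code from the thread, nor anything from Cisco), here is a small Python model of the address plan Jim describes in his first post, combined with the isolation policy from his second: every spoke keeps its own overlapping 192.168.x.0/24, each spoke is mapped 1-1 onto a unique /24 drawn from a hub-side pool, addresses translate both ways, and traffic is permitted only between sites of the same client or between any site and the HQ network. The pool (10.200.0.0/16), the HQ range (10.100.0.0/24), the client and site names, and the sample addresses are all constructed for the example; the IOS line it emits uses the `ip nat inside source static network` form and should be checked against the IOS release actually deployed.

```python
import ipaddress

# Constructed values for the example (assumptions, not from the thread).
HUB_POOL = ipaddress.ip_network("10.200.0.0/16")   # unique translated /24s come from here
HQ_NET = ipaddress.ip_network("10.100.0.0/24")     # the hub owner's own network
HQ = "hq"                                          # pseudo-client name for HQ traffic


def pool_capacity(pool):
    """Number of /24 spoke ranges a pool of this size can hold (a /16 holds 256)."""
    return 2 ** (24 - pool.prefixlen)


class NatPlan:
    """1-1 network NAT: each (client, site) keeps its real /24 and gets a unique hub /24."""

    def __init__(self, pool):
        self._free = pool.subnets(new_prefix=24)   # generator, hands out /24s in order
        self.sites = {}                            # (client, site) -> (real_net, hub_net)

    def add_site(self, client, site, real_net):
        real = ipaddress.ip_network(real_net)
        if real.prefixlen != 24:
            raise ValueError("example only handles /24 spoke ranges")
        try:
            hub = next(self._free)
        except StopIteration:
            raise RuntimeError("hub pool exhausted; allocate a larger pool") from None
        self.sites[(client, site)] = (real, hub)
        return hub

    def to_hub(self, client, site, addr):
        """Real spoke address -> translated address seen at the hub (same host offset)."""
        real, hub = self.sites[(client, site)]
        a = ipaddress.ip_address(addr)
        if a not in real:
            raise ValueError(f"{a} is not in {real}")
        return ipaddress.ip_address(int(hub.network_address) + (int(a) - int(real.network_address)))

    def to_site(self, addr):
        """Translated hub address -> (client, site, real address); the reverse 1-1 map."""
        a = ipaddress.ip_address(addr)
        for (client, site), (real, hub) in self.sites.items():
            if a in hub:
                return client, site, ipaddress.ip_address(
                    int(real.network_address) + (int(a) - int(hub.network_address)))
        raise KeyError(f"{a} is not in any allocated hub range")

    def ios_nat_line(self, client, site):
        """IOS static network NAT statement for the spoke router (verify on the target IOS)."""
        real, hub = self.sites[(client, site)]
        return f"ip nat inside source static network {real.network_address} {hub.network_address} /24"


def classify(plan, addr):
    """Which client a hub-side address belongs to: HQ, or the client owning that /24."""
    a = ipaddress.ip_address(addr)
    if a in HQ_NET:
        return HQ
    return plan.to_site(a)[0]


def traffic_allowed(plan, src, dst):
    """Policy from the thread: same-client sites may talk, anyone may talk to HQ, clients never to each other."""
    s, d = classify(plan, src), classify(plan, dst)
    return HQ in (s, d) or s == d


def build_plan():
    """Two clients whose sites all use 192.168.1.0/24 (constructed sample input)."""
    plan = NatPlan(HUB_POOL)
    plan.add_site("acme", "site1", "192.168.1.0/24")   # -> 10.200.0.0/24
    plan.add_site("acme", "site2", "192.168.1.0/24")   # -> 10.200.1.0/24
    plan.add_site("globex", "site1", "192.168.1.0/24")  # -> 10.200.2.0/24
    return plan


if __name__ == "__main__":
    p = build_plan()
    for key in p.sites:
        print(key, p.ios_nat_line(*key))
    print(p.to_hub("acme", "site1", "192.168.1.10"))
    print(traffic_allowed(p, "10.200.0.10", "10.200.2.10"))
```

Two things worth noticing: the host part is preserved across the translation, so DNS, firewall rules and support staff can reason about "host .10 at acme site2" without a per-host table, and the pool size is the real constraint. A single /16 yields 256 spoke ranges, so the 500-VPN target in the thread needs more than one /16 of translated space on the hub side, before any external addresses are considered.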
In article , Jim Westwood wrote:
:> To what extent do you need to protect the clients from each other?

:Each client may have 1 - 50 sites, each site will require to see each other
:site. Individual clients should not be able to communicate with each other,
:although individually all clients should be able to talk to my clients
:network.

:As far as I'm aware due to the requirement to route into and out of the same
:VPN device for clients talking to each others sites the PIX is ruled out as
:it doesn't like comms going into and out of the same interface, am I wrong
:in this assumption?

Your memory is not faulty, but your information is not up-to-date.

The PIX that would be able to handle a project such as this would be the 515/515E, 525, or 535 (or possibly one of the new ASA series). The 515/515E, 525, and 535 also happen to be the devices that support the PIX 7.0 software that was released earlier this year. PIX 7.0 supports same-interface routing in the case where VPNs are involved. PIX 7.0 also supports assigning security levels to VPN tunnels and supports unrestricted communications between devices at the same security level (with or without NAT), which would sound to be just the thing to separate the clients from each other.

Another possibility to look into is Cisco's relatively new Dynamic Mesh feature for IOS, which can make setting up the clients very easy.

Walter Roberson

Thanks Walter,

I'll look into a PIX 515E with v7 software. I wasn't aware that a 515 could run v7; I presume it needs a memory upgrade of some sort? (Sorry for my ignorance here.)

I'll also take a look at Dynamic Mesh, I'm all for making things easy! :-)

Cheers,

Jim.


In article , Jim Westwood wrote:
:I'll look into a Pix 515E with v7 software, I wasn't aware that a 515 could
:run v7, I presume it needs a memory upgrade of some sort?

New PIX 515Es arrive with enough memory for 7.0; even some of the older ones have enough as well. A PIX 515 (non-E) would need a memory upgrade.

Walter Roberson

Thanks for all your help.

Jim.


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.