Multiple VPN connections out of a Pix 515

We have a need for a large (20+) number of technical support folks to VPN out to multiple customer sites using different VPN clients (whatever the customer supports). I have been told that this can only be done with a static NAT translation one to one with a public IP address. Isn't this what PAT is for? To me, it seems like I would be able to PAT all the VPN connections through one public IP address. Is this not true? If it is, could someone submit a configuration example?

Thanks -

brian.chirhart

Well, if you're looking for a good MSS provider that can deploy your PIX, let me know ;-)

Amaury

Amaury Ronflard

In article , wrote:
:We have a need for a large (20+) number of technical support folks to
:VPN out to multiple customer sites using different VPN clients
:(whatever the customer supports). I have been told that this can only
:be done with a static NAT translation one to one with a public IP
:address. Isn't this what PAT is for? To me, it seems like I would be
:able to PAT all the VPN connections through one public IP address. Is
:this not true? If it is, could someone submit a configuration example?

"It depends".

There are different mechanisms used for VPN. The one that is standard and flexible is IPSec, but there is also PPTP, SSL, and others. The different mechanisms use different protocols -- not just different ports and not just tcp vs udp, but different IP -protocols- (in the sense that TCP and UDP are different IP protocols.) Those other protocols do not -have- "port numbers" in order to do Port Address Translation.

If the VPN clients support "NAT Traversal" then you can add support for that on the PIX by configuring "isakmp nat-traversal 20". When that is done, modern IPSec implementations are able to detect the presence of NAT (or PAT) and will encapsulate those other IP protocols within UDP, thus allowing multiple internal clients with PAT. (In theory you shouldn't need the cooperation of the PIX for this, but it doesn't hurt to turn it on.)

PPTP uses the GRE IP protocol, which does not have ports. There is a "pptp" fixup that you can turn on on the PIX that should help.

If I recall correctly, we found that the Nortel VPN client required one-to-one NAT when the client was behind the PIX.

Walter Roberson
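As an added illustration of the point in the answer above (this is not code from the thread, Cisco, or the PIX), a small Python model of an outbound PAT table: ESP and GRE carry no port field to rewrite, so two inside hosts reaching the same peer collide and need one-to-one NAT, whereas ESP wrapped in UDP/4500 by NAT-T translates like any other UDP flow. Addresses are constructed, and the model deliberately ignores the SPI tracking some firewalls add on top of plain PAT.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP, GRE, UDP = 50, 47, 17          # IP protocol numbers
PORTLESS = {ESP, GRE}               # no layer-4 port field to rewrite
NAT_T_PORT = 4500                   # UDP port used by IPsec NAT traversal
PUBLIC_IP = "203.0.113.1"           # constructed outside address (RFC 5737)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None     # None for port-less protocols
    dport: Optional[int] = None


class TranslationError(Exception):
    pass


class Pat:
    """Outbound PAT: inside flows are rewritten to PUBLIC_IP plus a unique public
    port. A port-less flow has nothing to rewrite, so replies from a peer can only
    be mapped back by (protocol, peer): one inside host per peer (simplified)."""
    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self.next_port = 1024
        self.xlate: Dict[Tuple, Packet] = {}  # inside flow key -> translated packet

    def translate(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst)
        if key in self.xlate:
            return self.xlate[key]
        if pkt.proto in PORTLESS:
            for (proto, src, _sp, dst) in self.xlate:
                if proto == pkt.proto and dst == pkt.dst and src != pkt.src:
                    raise TranslationError(
                        f"proto {proto} to {dst} already owned by {src}; "
                        "a second host needs its own public IP (one-to-one NAT)")
            out = Packet(pkt.proto, self.public_ip, pkt.dst)
        else:
            out = Packet(pkt.proto, self.public_ip, pkt.dst, self.next_port, pkt.dport)
            self.next_port += 1
        self.xlate[key] = out
        return out


def nat_t_encapsulate(esp: Packet) -> Packet:
    """NAT-T: wrap ESP in UDP/4500 so the PAT device has a port to rewrite."""
    if esp.proto != ESP:
        raise ValueError("NAT-T applies to ESP only")
    return Packet(UDP, esp.src, esp.dst, NAT_T_PORT, NAT_T_PORT)
```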
