State of VPN Pass Through on Cisco Routers?

I will be using a Cisco 2801 router and I would like to use NAT with a pool for a site. We will have to support outbound VPN connections of every possible variety (we have no control over what type of VPN our clients will be using). We also need to be able to support as many concurrent VPN connections as we can with the available pool of public IP addresses. It is not unreasonable to expect 300 users all connecting to the same VPN endpoint (although I will try to set up a hardware VPN endpoint onsite for most of those situations).

So, my question is, will I run into any VPNs that will not work if I do set up NAT on the 2801? Normally we simply hand out public IP addresses to every user, but in this case I want to offer a bit more security using VLANs. To do that I will need to be able to define many subnets for different areas of the property.

Any thoughts are greatly appreciated.

Reply to
mcarroll76

Are you going to be using NAT overload, or will every client get a different NAT address? VPNs can run into problems with overloaded NAT, because the standard IPSEC protocols don't have port numbers to distinguish the tunnels.

To deal with this problem, many VPN implementations offer a feature called "NAT Traversal" or "UDP Encapsulation".

Reply to
Barry Margolin

I will be using a NAT pool of public IP addresses, so generally each user will have a routable IP address. I am also looking to see if there can be overloads with the pool in case we run out of public addresses.

Given that I will be using a pool of public addresses, are there any VPNs that still might have a problem? I can't expect everyone to have NAT Traversal support, so I will have a decent amount of public IP addresses available to the NAT pool.

Reply to
mcarroll76

In article , wrote:
:Given that I will be using a pool of public addresses are there any
:VPNs that still might have a problem? I can't expect everyone to have
:NAT Traversal support so I will have a decent amount of public IP
:addresses available to the NAT pool.

If your client's VPN endpoints happen to be configured to use AH (authentication header) and they do not happen to have NAT Traversal support, then you will have problems with using a 1-to-1 NAT pool.

For AH without NAT-T to work, the external IP for the host must be the same as the internal IP for it.

Reply to
Walter Roberson
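The two replies above make two separate points: overloaded NAT (PAT) has no port to key ESP tunnels on, and AH fails even behind a 1-to-1 pool because its integrity check covers the source address that the pool rewrites. The following is an added example, not code from the thread or from Cisco; it is a toy model in Python with constructed addresses, a constructed shared key and simplified packet layouts (the AH integrity value is modelled as an HMAC over source, destination, protocol and payload; the ESP one over the payload only). It is meant only to show why each failure mode occurs and why NAT-T (ESP inside UDP/4500) avoids the overload problem.

```python
"""Toy model of IPsec ESP/AH behaviour behind overloaded and 1-to-1 NAT.

Added example for this thread; addresses, key and layouts are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                   # "esp" (IP proto 50), "ah" (IP proto 51) or "udp"
    src: str
    dst: str
    payload: bytes
    sport: Optional[int] = None  # ESP and AH carry no transport ports
    dport: Optional[int] = None
    icv: bytes = b""             # integrity check value, if the protocol has one

PAT_PUBLIC_IP = "203.0.113.1"              # constructed single public address
POOL = ["203.0.113.10", "203.0.113.11"]    # constructed 1-to-1 NAT pool

class OverloadNat:
    """Minimal PAT: one public address, translations keyed on protocol, peer and port."""
    def __init__(self) -> None:
        self.next_port = 1024
        self.owner = {}      # (proto, dst, public_port) -> inside (src, sport)
        self.by_inside = {}  # inside (src, sport) -> allocated public port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            # No port to rewrite: the only usable key is (proto, peer), so a
            # second inside host reaching the same peer cannot be distinguished.
            key = (pkt.proto, pkt.dst, None)
            inside = (pkt.src, None)
            if self.owner.setdefault(key, inside) != inside:
                return None
            return replace(pkt, src=PAT_PUBLIC_IP)
        inside = (pkt.src, pkt.sport)
        port = self.by_inside.get(inside)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_inside[inside] = port
            self.owner[(pkt.proto, pkt.dst, port)] = inside
        return replace(pkt, src=PAT_PUBLIC_IP, sport=port)

def one_to_one_nat(pkt: Packet, index: int) -> Packet:
    """Pool NAT: rewrite only the source address, leave everything else alone."""
    return replace(pkt, src=POOL[index])

def ah_sign(key: bytes, pkt: Packet) -> Packet:
    """AH's ICV covers immutable IP header fields (source address included) plus payload."""
    msg = f"{pkt.src}|{pkt.dst}|{pkt.proto}|".encode() + pkt.payload
    return replace(pkt, icv=hmac.new(key, msg, hashlib.sha256).digest())

def ah_verify(key: bytes, pkt: Packet) -> bool:
    expected = ah_sign(key, replace(pkt, icv=b"")).icv
    return hmac.compare_digest(expected, pkt.icv)

def esp_sign(key: bytes, pkt: Packet) -> Packet:
    """ESP's ICV covers the ESP header and payload, never the outer IP header."""
    return replace(pkt, icv=hmac.new(key, pkt.payload, hashlib.sha256).digest())

def esp_verify(key: bytes, pkt: Packet) -> bool:
    expected = esp_sign(key, replace(pkt, icv=b"")).icv
    return hmac.compare_digest(expected, pkt.icv)

def demo_overload_collision() -> tuple:
    """Two inside hosts to one VPN peer: plain ESP collides, NAT-T does not."""
    peer = "198.51.100.5"
    nat = OverloadNat()
    a = Packet("esp", "10.0.1.10", peer, b"spi-a")
    b = Packet("esp", "10.0.1.11", peer, b"spi-b")
    plain = (nat.outbound(a) is not None, nat.outbound(b) is not None)
    nat = OverloadNat()
    a_t = Packet("udp", "10.0.1.10", peer, b"spi-a", sport=4500, dport=4500)
    b_t = Packet("udp", "10.0.1.11", peer, b"spi-b", sport=4500, dport=4500)
    ta, tb = nat.outbound(a_t), nat.outbound(b_t)
    natt = ta is not None and tb is not None and ta.sport != tb.sport
    return plain, natt

def demo_ah_through_pool() -> tuple:
    """AH verifies before the pool NAT but not after; ESP survives the rewrite."""
    key = b"constructed-shared-key"
    inside = Packet("ah", "10.0.1.10", "198.51.100.5", b"hello")
    ah_ok_before = ah_verify(key, ah_sign(key, inside))
    ah_ok_after = ah_verify(key, one_to_one_nat(ah_sign(key, inside), 0))
    esp_ok_after = esp_verify(key, one_to_one_nat(esp_sign(key, replace(inside, proto="esp")), 0))
    return ah_ok_before, ah_ok_after, esp_ok_after

if __name__ == "__main__":
    print("overload: (host A ok, host B ok), NAT-T ok =", demo_overload_collision())
    print("pool: AH before, AH after, ESP after =", demo_ah_through_pool())
```

Reading the results: with plain ESP behind overload the second host to the same peer gets no translation, while with NAT-T both get distinct public ports; through the 1-to-1 pool the AH check fails after the source rewrite but the ESP check still passes, which is the distinction the two replies draw.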

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.