This is not always the case.  Many Cable Modem providers are running
NAT for some reason.  This can cause grief when trying to work from home
with the office.

I posted a response earlier but don't see it.  I must have used the wrong email
address.

The only VPN client I know of that will work through NAT is the Altiga (Cisco)
VPN Client.  It does a raindance around NAT using UDP packets.

Kevin


At 02:56 PM 5/30/00 -0700, Chuck Larrieu wrote:
>To bring this back into the realm of education and enlightenment, let's look
>at the design issue.
>
>You are going VPN, ie secure tunnel from where to where?
>
>Home----internet-----firewall-----inside_network is the "standard"
>configuration, with you the user wanting to work from home for some perverse
>reason. ;->
>
>But in the case you state, it would appear that you the user are in the
>office, and want to VPN to some other place?
>
>Corp_net-----internet-----some_other_place
>
>Now as a matter of security policy, does corp_net want to allow people on
>the inside to connect snug and secure and private to some unknown place on
>the outside... say a competitor's network, where you will then transfer
>company secrets?
>
>As a matter of policy, companies might not want traffic whose contents
>cannot be inspected to be passing through their firewalls.
>
>Yes there are all in one products, such as the Checkpoint VPN firewall,
>which operate in such a manner.
>
>Inside----checkpoint-(VPN/NAT----tunnel/non-tunnel)-internet-----someplace_else
>
>But as a matter of design, NAT not withstanding, it is in my opinion at
>least, not a good idea to permit unrestricted VPNs from inside to outside.
>If there are extranets to be considered, then one should design a routing
>situation in which those who need to connect to particular VPN devices would
>be routed to particular pieces of equipment, from which the extranet VPN
>would be established.
>
>Inside-----firewall---internet
>          |-----VPN/extranet----business_partner
>
>Hey, guys, have I muddied this up enough?  :->
>
>Chuck
>
>
>-----Original Message-----
>From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Smythe
>Sent:   Tuesday, May 30, 2000 2:13 PM
>To:     Ric Messier; [EMAIL PROTECTED]
>Subject:        Re: VPN through NAT
>
>So I can't make a VPN connection to my NT box over NAT.. Well that sucks.
>Thanks for the info!
>
>Greg
>----- Original Message -----
>From: "Ric Messier" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, May 30, 2000 2:01 PM
>Subject: Re: VPN through NAT
>
>
>VPNs don't typically work through NAT. The reason is that the packet is
>altered by the router on the way through the network. As a result, the
>signature is altered and the packet is discarded as being corrupt. The
>originating IP is used as part of the authentication mechanism for the
>packets coming through. It's a security feature.
>
>Ric
>
>----- Original Message -----
>From: "Balharek, Peter" <[EMAIL PROTECTED]>
>To: "Greg Smythe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Tuesday, May 30, 2000 4:31 PM
>Subject: RE: VPN through NAT
>
>
> > Try a crazy search on CCO.
> >
> > Type in "nat vpn".
> > Select to search in support.
> >
> > Ohhh.
> >
> > Rtfm
> >
> >
> >
> > -----Original Message-----
> > From: Greg Smythe [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 30, 2000 12:55 PM
> > To: [EMAIL PROTECTED]
> > Subject: VPN through NAT
> >
> > Hello --
> >
> > Has anyone done this before? I'm trying to get a VPN connection to work over
> > NAT. I see the translation happening, but my PC gets as far as "verifying
> > username/pass" and then it errors out saying the server didn't respond
> > (timeout).
> > show ip nat tra:
> >
> > tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723  1.1.1.1:1723
> >
> > 3.3.3.3 is the IP of my router's internet interface. 102.153.102.251 is my
> > inside IP of my pc. 1.1.1.1 is my VPN server on the internet.
> >
> > If I give my PC an internet IP then it works, so it has something to do with
> > the NAT. No filters are in effect on the interfaces on my router.
> >
> > Thanks!
> >
> >
> > Greg
> >
> > ___________________________________
> > UPDATED Posting Guidelines:
> > http://www.groupstudy.com/list/guide.html
> > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com
> > Report misconduct and Nondisclosure violations to
> > [EMAIL PROTECTED]
> >
>

-----------------------------------------------------------------------------------------------------------------------------
Kevin S. Mahler, CCNP, CCDA, CCSE
Systems Engineer, Cisco Systems
Atlanta, GA

Author of CCNA Training Guide, New Riders, ISBN 0735700516
Tech Editor of CCDA Exam Certification Guide, Cisco Press, ISBN 0735700745
Revision Author of Internetworking Technologies Handbook Third Edition, 
Cisco Press

See my homepage at <http://www.kmahler.com>
---------------------------------------------------------------------------------------------------------------------------
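Added example, not from any poster in this thread: a small Python model of Ric's point (an integrity check that covers the source address fails once the router rewrites it) and of Kevin's UDP workaround (only the outer header is exposed to the NAT, so the inner check survives). The addresses and ports are the ones Greg quoted from his NAT table; the key, the tag layout and the UDP port are constructed for the demo, and the code models the idea rather than PPTP or IPsec itself.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-shared-secret"  # constructed demo key, held by both ends
TAG_LEN = 32                        # HMAC-SHA256 output size


@dataclass(frozen=True)
class Packet:
    src: str          # addresses below are the ones from Greg's NAT table
    dst: str
    sport: int
    dport: int
    payload: bytes


def header_bytes(p: Packet) -> bytes:
    return f"{p.src}:{p.sport}>{p.dst}:{p.dport}|".encode()


def tag(p: Packet) -> bytes:
    """AH-style integrity tag: covers addresses, ports and payload."""
    return hmac.new(KEY, header_bytes(p) + p.payload, hashlib.sha256).digest()


def verify(p: Packet, t: bytes) -> bool:
    """The receiver recomputes the tag over the packet as it actually arrived."""
    return hmac.compare_digest(tag(p), t)


def nat_outbound(p: Packet, public_ip: str) -> Packet:
    """What the router does on the way out: rewrite the source address."""
    return replace(p, src=public_ip)


def udp_encapsulate(inner: Packet, port: int = 4500) -> Packet:
    """The tagged inner packet rides as the payload of a plain UDP packet,
    so the NAT only ever touches the outer header (port is a demo choice)."""
    body = header_bytes(inner) + inner.payload + tag(inner)
    return Packet(inner.src, inner.dst, port, port, body)


def udp_decapsulate(outer: Packet) -> tuple[Packet, bool]:
    """Unwrap the inner packet and check its tag; returns (inner, tag_ok)."""
    body, t = outer.payload[:-TAG_LEN], outer.payload[-TAG_LEN:]
    hdr, payload = body.split(b"|", 1)
    s, d = hdr.decode().split(">")
    src, sport = s.rsplit(":", 1)
    dst, dport = d.rsplit(":", 1)
    inner = Packet(src, dst, int(sport), int(dport), payload)
    return inner, verify(inner, t)
```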