"""Be forewarned that you don't 
want multiple clients behind a dynamic NAT/PAT router trying to connect to 
the same VPN server...it won't work."""

This isn't really the case.  It can be a bit more difficult to set up the
clients behind a NAT device, but it is entirely possible.
In many cases it's as easy as forcing UDP encapsulation on the server
side...

Good luck,

-----Original Message-----
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 9:37 AM
To: [EMAIL PROTECTED]
Subject: Re: VPN Design ? [7:45927]


"In order for the few PCs in the remote office to have access to the main
office servers, do I even need to build a tunnel since they have no
firewall?"

Whether to set up a VPN tunnel or not is dictated by your business needs and 
the types of services you want the remote office to access, not by the 
presence or absence of a firewall.  So, you may, or may not, need a 
tunnel.  Let's say that you are passing sensitive data from server to 
client.  By setting up a tunnel and using the appropriate access lists on 
the router, you can make sure that only certain clients can access the data 
and that the data is encrypted when it's travelling over the public network.

"If I want to use a tunnel, how do you get a tunnel between two routers 
without running the 3DES on the Cisco in the main office?"

Well, you don't need 3DES.  You can also use DES at a greatly reduced 
cost.  For most applications, this is sufficient.  However, many security 
experts caution against using DES since it's relatively easy to 
break.  Either way, you'll need to upgrade the 2500 to a crypto IOS.

"The DSL Router is a no-name from the telco."

The DSL router will only be involved in the VPN if you set up a peer-to-peer 
between the routers (my preference).  You can also install a VPN client on 
the client machines and have them connect.  Be forewarned that you don't 
want multiple clients behind a dynamic NAT/PAT router trying to connect to 
the same VPN server...it won't work.  If this is the case, you'll need to 
go with the peer-to-peer.  You should check with the DSL router 
manufacturer to see if it supports IPSEC VPNs...you might be surprised.  I 
recently set up a Netopia SDSL router to connect to a PIX via IPSEC.  It was 
very easy and it's been remarkably stable.

Hope this helps.

Craig

At 08:42 AM 6/6/2002 -0400, you wrote:
>I havent actually setup a VPN, but think I understand the very basic
>concepts of a tunnel. Applying to a real life situation is confusing me a
>little. I have a need to setup a remote office for a customer. They have a
>2500 with a very basic NAT configuration, listed below my signature. They do
>not have a firewall sitting between them and the Internet (not my choice).
>They have a DSL connection at the remote office.
>
>In order for the few PCs in the remote office to have access to the main
>office servers, do I even need to build a tunnel since they have no
>firewall? If I want to use a tunnel, how do you get a tunnel between two
>routers without running the 3DES on the Cisco in the main office? The DSL
>Router is a no-name from the telco.
>
>Any suggestions would be appreciated!!
>
>Jeffrey Reed
>Classic Networking, Inc.
>Cell 717-805-5536
>Office 717-737-8586
>FAX 717-737-0290
>
>ip nat pool NATPOOL x.x.203.161 x.x.203.161 netmask 255.255.255.224
>ip nat inside source list 1 pool NATPOOL overload
>ip name-server x.224.86.15
>ip name-server x.224.64.20
>!
>interface Ethernet0
>  ip address 192.168.200.254 255.255.255.0
>  ip nat inside
>!
>interface Serial0
>  no ip address
>  no ip directed-broadcast
>  shutdown
>!
>interface Serial1
>  description 384K Fractional T1 to Epix (Circuit ID# DS1-8135)
>  ip address x.x.34.154 255.255.255.252
>  no ip directed-broadcast
>  ip nat outside
>!
>ip default-gateway x.x.34.153
>ip classless
>ip route 0.0.0.0 0.0.0.0 Serial1 permanent
>access-list 1 permit 192.168.200.0 0.0.0.255




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45935&t=45927
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

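The two replies above disagree about whether several VPN clients behind one PAT ("overload") address can reach the same server. The model below is an added example written for this page, not code from anyone in the thread. It simulates only the translation table of a PAT router like the one in the posted 2500 config (one public address shared by all of 192.168.200.0/24) and shows why plain ESP works for one inside client but becomes ambiguous for two, and why UDP-encapsulated ESP (NAT-T on UDP/4500, which is what "forcing UDP encapsulation on the server side" gives you) does not. The client, NAT and server addresses, the SPIs, and the assumption that the router does no SPI-based "IPsec passthrough" heuristics are all constructed for illustration.

```python
"""Model of a PAT (NAT overload) router carrying IPsec from several inside clients.

Added example for this page, not from the original thread. Addresses, SPIs and
the port allocation policy are constructed; the router is the plain PAT case
with no SPI-tracking "IPsec passthrough" feature.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

ESP = 50           # IP protocol number of IPsec ESP
UDP = 17
NAT_T_PORT = 4500  # UDP port used for UDP-encapsulated ESP (IPsec NAT traversal)

INSIDE_CLIENTS = ["192.168.200.10", "192.168.200.11", "192.168.200.12"]  # constructed
NAT_PUBLIC_IP = "198.51.100.1"   # constructed; stands in for the single NATPOOL address
VPN_SERVER = "203.0.113.10"      # constructed


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # ESP has no transport-layer ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP SPI: differs per direction, negotiated inside IKE


class PatRouter:
    """Minimal model of 'ip nat inside source ... overload': one public IP for all."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 1024
        # UDP translations: (inside_ip, inside_port, peer_ip, peer_port) -> public port
        self._udp_out: Dict[Tuple[str, int, str, int], int] = {}
        # Reverse lookup for replies: (peer_ip, peer_port, public_port) -> inside_ip
        self._udp_in: Dict[Tuple[str, int, int], str] = {}
        # ESP: all the PAT can record is which inside hosts sent ESP to which peer
        self._esp_peers: Dict[str, List[str]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self._udp_out:
                public_port = self._next_port
                self._next_port += 1
                self._udp_out[key] = public_port
                self._udp_in[(pkt.dst, pkt.dport, public_port)] = pkt.src
            return replace(pkt, src=self.public_ip, sport=self._udp_out[key])
        if pkt.proto == ESP:
            senders = self._esp_peers.setdefault(pkt.dst, [])
            if pkt.src not in senders:
                senders.append(pkt.src)
            # Only the source address can be rewritten: there is no port field,
            # and rewriting the SPI would make the receiver drop the packet.
            return replace(pkt, src=self.public_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound_candidates(self, pkt: Packet) -> List[str]:
        """Inside hosts a reply could be delivered to.

        One candidate: the PAT can forward it. More than one: it cannot tell the
        clients apart (the failure the thread is about). Zero: dropped.
        """
        if pkt.proto == UDP:
            inside = self._udp_in.get((pkt.src, pkt.sport, pkt.dport))
            return [inside] if inside else []
        if pkt.proto == ESP:
            # The reply's SPI was chosen by the client and carried inside IKE, so
            # the PAT never saw it on the wire and can only match on the peer.
            return list(self._esp_peers.get(pkt.src, []))
        return []


def esp_reply_candidates(n_clients: int) -> List[str]:
    """n clients run plain ESP to one server; where does the reply to the last go?"""
    nat = PatRouter(NAT_PUBLIC_IP)
    clients = INSIDE_CLIENTS[:n_clients]
    for i, client in enumerate(clients):
        nat.outbound(Packet(ESP, client, VPN_SERVER, spi=0x1000 + i))
    reply = Packet(ESP, VPN_SERVER, NAT_PUBLIC_IP, spi=0xB000 + n_clients - 1)
    return nat.inbound_candidates(reply)


def nat_t_reply_candidates(n_clients: int) -> List[str]:
    """Same scenario with UDP encapsulation: each client's UDP/4500 flow gets its
    own translated source port, so the reply to the last client is unambiguous."""
    nat = PatRouter(NAT_PUBLIC_IP)
    clients = INSIDE_CLIENTS[:n_clients]
    translated = [nat.outbound(Packet(UDP, c, VPN_SERVER, NAT_T_PORT, NAT_T_PORT))
                  for c in clients]
    reply = Packet(UDP, VPN_SERVER, NAT_PUBLIC_IP, NAT_T_PORT, translated[-1].sport)
    return nat.inbound_candidates(reply)


if __name__ == "__main__":
    print("one ESP client    :", esp_reply_candidates(1))    # one candidate: works
    print("two ESP clients   :", esp_reply_candidates(2))    # two candidates: ambiguous
    print("two NAT-T clients :", nat_t_reply_candidates(2))  # one candidate: works
```

The check worth carrying away: with `overload` in front of the clients, look at what the server receives. Bare protocol 50 from the public address is the configuration that breaks once a second client connects; UDP/4500 (or whatever UDP port the server is configured to encapsulate on) with distinct translated source ports per client is the one that scales. Some consumer routers add an SPI-tracking "IPsec passthrough" feature on top of this basic PAT behaviour; the model deliberately leaves that out, and the peer-to-peer tunnel Craig prefers avoids the question entirely because the DSL router is then the IPsec endpoint rather than a translator in the path.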