VPN Design ? [7:45927]

2002-06-06 Thread Jeffrey Reed

I haven't actually set up a VPN, but think I understand the very basic
concepts of a tunnel. Applying to a real life situation is confusing me a
little. I have a need to setup a remote office for a customer. They have a
2500 with a very basic NAT configuration, listed below my signature. They do
not have a firewall sitting between them and the Internet (not my choice).
They have a DSL connection at the remote office.

In order for the few PCs in the remote office to have access to the main
office servers, do I even need to build a tunnel since they have no
firewall? If I want to use a tunnel, how do you get a tunnel between two
routers without running the 3DES on the Cisco in the main office? The DSL
Router is a no-name from the telco.

Any suggestions would be appreciated!!

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290

! Single-address pool with "overload" = PAT: every inside host shares x.x.203.161
ip nat pool NATPOOL x.x.203.161 x.x.203.161 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip name-server x.224.86.15
ip name-server x.224.64.20
!
interface Ethernet0
 ip address 192.168.200.254 255.255.255.0
 ip nat inside
!
interface Serial0
 no ip address
 no ip directed-broadcast
 shutdown
!
! Internet-facing side; no ip access-group is applied in what is shown here
interface Serial1
 description 384K Fractional T1 to Epix (Circuit ID# DS1-8135)
 ip address x.x.34.154 255.255.255.252
 no ip directed-broadcast
 ip nat outside
!
ip default-gateway x.x.34.153
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1 permanent
! Everything on the LAN is eligible for translation; a tunnel added later
! needs traffic to the remote LAN denied here, since IOS translates
! inside-to-outside traffic before the crypto map sees it
access-list 1 permit 192.168.200.0 0.0.0.255




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45927&t=45927
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: VPN Design ? [7:45927]

2002-06-06 Thread Craig Columbus

> In order for the few PCs in the remote office to have access to the main
> office servers, do I even need to build a tunnel since they have no
> firewall?

Whether to set up a VPN tunnel or not is dictated by your business needs and 
the types of services you want the remote office to access, not by the 
presence or absence of a firewall.  So, you may, or may not, need a 
tunnel.  Let's say that you are passing sensitive data from server to 
client.  By setting up a tunnel and using the appropriate access lists on 
the router, you can make sure that only certain clients can access the data 
and that the data is encrypted when it's travelling over the public network.

> If I want to use a tunnel, how do you get a tunnel between two routers 
> without running the 3DES on the Cisco in the main office?

Well, you don't need 3DES.  You can also use DES at a greatly reduced 
cost.  For most applications, this is sufficient.  However, many security 
experts caution against using DES since it's relatively easy to 
break.  Either way, you'll need to upgrade the 2500 to a crypto IOS.

> The DSL Router is a no-name from the telco.

The DSL router will only be involved in the VPN if you set up a peer-to-peer 
between the routers (my preference).  You can also install a VPN client on 
the client machines and have them connect.  Be forewarned that you don't 
want multiple clients behind a dynamic NAT/PAT router trying to connect to 
the same VPN server...it won't work.  If this is the case, you'll need to 
go with the peer-to-peer.  You should check with the DSL router 
manufacturer to see if it supports IPSEC VPNs...you might be surprised.  I 
recently set up a Netopia SDSL router to connect to a PIX via IPSEC.  It was 
very easy and it's been remarkably stable.

Hope this helps.

Craig

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45931&t=45927



RE: VPN Design ? [7:45927]

2002-06-06 Thread Marshal Schoener

> Be forewarned that you don't 
> want multiple clients behind a dynamic NAT/PAT router trying to connect to 
> the same VPN server...it won't work.

This isn't really the case.  It can be a bit more difficult to set up the
clients behind a NAT device, but it is entirely possible.
In many cases it's as easy as forcing UDP encapsulation on the server
side...

Good luck,

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45935&t=45927



RE: VPN Design ? [7:45927]

2002-06-06 Thread Craig Columbus

I'm not referring to a strictly static NAT setup.  I'm talking about 
dynamic NAT/PAT, where clients may get a NAT address or may use PAT, 
depending on pool availability.
For example, I had a location that was dropping connections on the PIX and 
I couldn't figure out what was going on.  The remote site had 3 dynamic NAT 
addresses, 1 overload address (PAT) and 10 clients.  I opened a case with 
TAC, they reviewed and told me that they don't support multiple clients 
behind dynamic NAT/PAT and that I'd need to either not use NAT/PAT or 
assign statics to each client.
I know PAT isn't a problem with multiple clients connecting to different 
VPN servers, but I've yet to see it work properly when multiple clients 
using PAT connect to the same VPN server.  If you've got a way to make PAT 
work with multiple clients connecting to the same VPN server, I'd love to 
hear the details since I could make use of this in several locations.

Craig

At 10:08 AM 6/6/2002 -0400, you wrote:
> > Be forewarned that you don't
> > want multiple clients behind a dynamic NAT/PAT router trying to connect to
> > the same VPN server...it won't work.
>
> This isn't really the case.  It can be a bit more difficult to set up the
> clients behind a NAT device, but it is entirely possible.
> In many cases it's as easy as forcing UDP encapsulation on the server
> side...


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45942&t=45927

RE: VPN Design ? [7:45927]

2002-06-06 Thread Marshal Schoener

Thanks for that response.
You just taught me something :-)

I misunderstood what you were saying the first time.
Regards,



Re: VPN Design ? [7:45927]

2002-06-06 Thread Ben Woltz

I'm not sure if this is exactly what you are referring to Craig, but it
might help.  We also have had problems doing VPN Client connections behind
PAT.  It's only in places where the DSL/Cable router cannot support PAT on
unknown ports, like UDP 1 which is default for VPN 3000 connections. 
Linksys routers are an example.  The workaround is in 3000 concentrator
version 3.5 where you can do IPSec via TCP.  So you can set up PAT on known
ports, like TCP port 80.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45960&t=45927
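The PAT behaviour argued over in this thread (Craig's warning that several clients behind one dynamic NAT/PAT address cannot reach the same VPN server, his note that different servers are fine, Marshal's UDP-encapsulation fix and Ben's IPsec-over-TCP workaround) comes down to one fact: ESP has no port numbers, only an SPI, and the SPI on the returning packets is chosen by the inside host and agreed inside encrypted IKE, so a PAT device never sees it. The small Python model below is an added example, not code from any of the posters or from Cisco; the addresses, the port numbers (4500 for UDP encapsulation, 80 for TCP) and the names PatRouter, Packet, client_packet and simulate are all assumptions made for illustration.

```python
"""
Toy model of PAT ("overload" NAT) versus IPsec.  Shows why clients behind one
PAT address can each reach a *different* VPN server with plain ESP but not
the *same* server, and why UDP or TCP encapsulation removes the problem.
Constructed example: every address and port number here is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP, UDP, TCP = 50, 17, 6                   # IP protocol numbers
ESP_ENCAP, UDP_ENCAP, TCP_ENCAP = "esp", "udp", "tcp"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP has no ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP only; picked by whoever will receive it


class PatRouter:
    """One outside address.  TCP/UDP flows are told apart by a rewritten source
    port.  ESP carries only an SPI that the PAT box cannot predict for the
    return direction, so the most it can do is remember one inside host per
    outside peer (what "IPsec passthrough" amounts to)."""

    def __init__(self, outside_ip: str, first_port: int = 1024) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_ports: Dict[Tuple, int] = {}             # inside 5-tuple -> outside port
        self.in_ports: Dict[Tuple, Tuple[str, int]] = {}  # (proto, port, peer, pport) -> inside
        self.esp_owner: Dict[str, str] = {}               # peer ip -> inside ip

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            owner = self.esp_owner.setdefault(pkt.dst, pkt.src)
            if owner != pkt.src:
                # Second inside host to the same peer: replies could not be
                # demultiplexed.  Real boxes guess SPI pairings instead, which
                # shows up as the intermittent drops described in the thread.
                raise ValueError(f"ESP to {pkt.dst} already mapped to {owner}")
            return Packet(self.outside_ip, pkt.dst, ESP, spi=pkt.spi)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_ports:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_ports[key] = port
            self.in_ports[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.outside_ip, pkt.dst, pkt.proto,
                      sport=self.out_ports[key], dport=pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside; None if nothing matches."""
        if pkt.proto == ESP:
            inside = self.esp_owner.get(pkt.src)
            return None if inside is None else Packet(pkt.src, inside, ESP, spi=pkt.spi)
        entry = self.in_ports.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src, inside_ip, pkt.proto, sport=pkt.sport, dport=inside_port)


def client_packet(client_ip: str, server_ip: str, encap: str, spi: int) -> Packet:
    """First data packet a client sends, for the chosen encapsulation."""
    if encap == ESP_ENCAP:
        return Packet(client_ip, server_ip, ESP, spi=spi)
    if encap == UDP_ENCAP:   # NAT-T style: ESP inside UDP, assumed server port 4500
        return Packet(client_ip, server_ip, UDP, sport=4500, dport=4500)
    if encap == TCP_ENCAP:   # "IPsec over TCP" style, assumed server port 80
        return Packet(client_ip, server_ip, TCP, sport=49152, dport=80)
    raise ValueError(encap)


def simulate(encap: str, clients: Dict[str, str]) -> Dict[str, bool]:
    """clients maps inside client ip -> VPN server ip.  Each client sends one
    packet and the server answers; returns whether the answer reached it."""
    pat = PatRouter("203.0.113.1")   # assumed outside (PAT) address
    results: Dict[str, bool] = {}
    for n, (client, server) in enumerate(clients.items(), start=1):
        try:
            out = pat.outbound(client_packet(client, server, encap, spi=0x1000 + n))
        except ValueError:
            results[client] = False
            continue
        # The server answers what it saw: addresses/ports swapped, and for ESP
        # the SPI the client chose during IKE, which the PAT box never saw.
        reply = Packet(out.dst, out.src, out.proto, sport=out.dport, dport=out.sport,
                       spi=None if out.spi is None else 0x2000 + n)
        back = pat.inbound(reply)
        results[client] = back is not None and back.dst == client
    return results


if __name__ == "__main__":
    same = {"192.168.1.10": "198.51.100.5", "192.168.1.11": "198.51.100.5"}
    different = {"192.168.1.10": "198.51.100.5", "192.168.1.11": "198.51.100.6"}
    print("plain ESP, same server :", simulate(ESP_ENCAP, same))
    print("plain ESP, two servers :", simulate(ESP_ENCAP, different))
    print("UDP encapsulated, same :", simulate(UDP_ENCAP, same))
    print("TCP encapsulated, same :", simulate(TCP_ENCAP, same))
```

Running it reproduces the positions taken in the thread: with plain ESP the first client to a given server works and the second does not, two clients to two different servers both work, and once ESP is wrapped in UDP or TCP the PAT box has a source port to rewrite and every client gets its own mapping. Ben's point about cheap DSL/cable routers is a separate failure in the same place: a box that only knows how to PAT a fixed list of well-known ports drops the UDP-encapsulated traffic too, which is why encapsulating in TCP on a port it does handle (his example is 80) gets through.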