VPN Design ? [7:45927]
I haven't actually set up a VPN, but I think I understand the very basic concepts of a tunnel. Applying it to a real-life situation is confusing me a little.

I have a need to set up a remote office for a customer. They have a 2500 with a very basic NAT configuration, listed below my signature. They do not have a firewall sitting between them and the Internet (not my choice). They have a DSL connection at the remote office.

In order for the few PCs in the remote office to have access to the main office servers, do I even need to build a tunnel since they have no firewall? If I want to use a tunnel, how do you get a tunnel between two routers without running 3DES on the Cisco in the main office? The DSL router is a no-name from the telco.

Any suggestions would be appreciated!!

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290

ip nat pool NATPOOL x.x.203.161 x.x.203.161 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip name-server x.224.86.15
ip name-server x.224.64.20
!
interface Ethernet0
 ip address 192.168.200.254 255.255.255.0
 ip nat inside
!
interface Serial0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial1
 description 384K Fractional T1 to Epix (Circuit ID# DS1-8135)
 ip address x.x.34.154 255.255.255.252
 no ip directed-broadcast
 ip nat outside
!
ip default-gateway x.x.34.153
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1 permanent
access-list 1 permit 192.168.200.0 0.0.0.255

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45927t=45927
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN Design ? [7:45927]
> In order for the few PCs in the remote office to have access to the main
> office servers, do I even need to build a tunnel since they have no firewall?

Whether to set up a VPN tunnel or not is dictated by your business needs and the types of services you want the remote office to access, not by the presence or absence of a firewall. So, you may, or may not, need a tunnel. Let's say that you are passing sensitive data from server to client. By setting up a tunnel and using the appropriate access lists on the router, you can make sure that only certain clients can access the data and that the data is encrypted when it's travelling over the public network.

> If I want to use a tunnel, how do you get a tunnel between two routers
> without running 3DES on the Cisco in the main office?

Well, you don't need 3DES. You can also use DES at a greatly reduced cost. For most applications, this is sufficient. However, many security experts caution against using DES since it's relatively easy to break. Either way, you'll need to upgrade the 2500 to a crypto IOS.

> The DSL router is a no-name from the telco.

The DSL router will only be involved in the VPN if you set up a peer-to-peer between the routers (my preference). You can also install a VPN client on the client machines and have them connect. Be forewarned that you don't want multiple clients behind a dynamic NAT/PAT router trying to connect to the same VPN server...it won't work. If this is the case, you'll need to go with the peer-to-peer. You should check with the DSL router manufacturer to see if it supports IPSEC VPNs...you might be surprised. I recently set up a Netopia SDSL router to connect to a PIX via IPSEC. It was very easy and it's been remarkably stable.

Hope this helps.

Craig

At 08:42 AM 6/6/2002 -0400, you wrote:
> I haven't actually set up a VPN, but I think I understand the very basic
> concepts of a tunnel. Applying it to a real-life situation is confusing me
> a little.
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45931t=45927
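Craig's reply says the 2500 needs a crypto IOS image and access lists for a router-to-router tunnel but does not show what that looks like on top of Jeffrey's posted NAT config. The following is an added example, not configuration from the thread, of the main-office side of a pre-shared-key IPsec tunnel. The remote peer address 203.0.113.10, the remote LAN 192.168.201.0/24, the key and the ACL/map names are assumed values; the DSL router at the remote office has to be configured as the mirror image (same proposals, same key, crypto ACL with source and destination swapped). The one thing the posted config forces you to handle is NAT: `ip nat inside source list 1 pool NATPOOL overload` translates everything from 192.168.200.0/24, and NAT runs before the crypto map on the outbound path, so LAN-to-LAN traffic would be rewritten to x.x.203.161 and never match the crypto ACL unless it is exempted from NAT first.

```cisco
! Added example, not from the thread. Assumed: remote peer 203.0.113.10,
! remote LAN 192.168.201.0/24, an IPsec feature-set IOS image on the 2500.
!
! 1. Exempt site-to-site traffic from NAT. The posted standard ACL 1 cannot
!    match on destination, so replace it with an extended ACL. Order matters:
!    the deny must come before the permit.
no ip nat inside source list 1 pool NATPOOL overload
access-list 101 deny   ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
ip nat inside source list 101 pool NATPOOL overload
!
! 2. IKE phase 1. A DES-only (IPsec 56) image only offers "encryption des";
!    use 3des if the image has it, as Craig notes DES is considered weak.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key <pre-shared-key> address 203.0.113.10
!
! 3. IKE phase 2 proposal. Pick esp-des/esp-3des to match what the DSL
!    router supports.
crypto ipsec transform-set TO-REMOTE esp-3des esp-sha-hmac
!
! 4. Interesting traffic: only LAN-to-LAN packets are encrypted. Everything
!    else from the LAN still goes out NATed as before.
access-list 110 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TO-REMOTE
 set pfs group2
 match address 110
!
! 5. Apply on the outside interface. The existing default route via Serial1
!    already sends 192.168.201.0/24 out this interface, where the map matches.
interface Serial1
 crypto map SITE2SITE
```

Bring the tunnel up by sending traffic from the LAN toward 192.168.201.0/24, then check `show crypto isakmp sa` (the SA should reach state QM_IDLE) and `show crypto ipsec sa` (the #pkts encaps and #pkts decaps counters should climb). If phase 1 completes but the encaps counter stays at zero, `show ip nat translations` will usually show the traffic being translated instead of encrypted, which means the deny line in ACL 101 is not matching. Drop `set pfs group2` on both ends if the telco's DSL router does not support PFS. On IOS of this generation the pre-shared key sits in clear text in the running configuration, so treat configuration backups of this router as secrets.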
RE: VPN Design ? [7:45927]
> Be forewarned that you don't want multiple clients behind a dynamic NAT/PAT
> router trying to connect to the same VPN server...it won't work.

This isn't really the case. It can be a bit more difficult to set up the clients behind a NAT device, but it is entirely possible. In many cases it's as easy as forcing UDP encapsulation on the server side...

Good luck,

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 9:37 AM
To: [EMAIL PROTECTED]
Subject: Re: VPN Design ? [7:45927]

> Whether to set up a VPN tunnel or not is dictated by your business needs and
> the types of services you want the remote office to access, not by the
> presence or absence of a firewall.
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45935t=45927
RE: VPN Design ? [7:45927]
I'm not referring to a strictly static NAT setup. I'm talking about dynamic NAT/PAT, where clients may get a NAT address or may use PAT, depending on pool availability.

For example, I had a location that was dropping connections on the PIX and I couldn't figure out what was going on. The remote site had 3 dynamic NAT addresses, 1 overload address (PAT) and 10 clients. I opened a case with TAC; they reviewed and told me that they don't support multiple clients behind dynamic NAT/PAT and that I'd need to either not use NAT/PAT or assign statics to each client.

I know PAT isn't a problem with multiple clients connecting to different VPN servers, but I've yet to see it work properly when multiple clients using PAT connect to the same VPN server. If you've got a way to make PAT work with multiple clients connecting to the same VPN server, I'd love to hear the details since I could make use of this in several locations.

Craig

At 10:08 AM 6/6/2002 -0400, you wrote:
> > Be forewarned that you don't want multiple clients behind a dynamic NAT/PAT
> > router trying to connect to the same VPN server...it won't work.
>
> This isn't really the case. It can be a bit more difficult to set up the
> clients behind a NAT device, but it is entirely possible. In many cases it's
> as easy as forcing UDP encapsulation on the server side...
>
> Good luck,
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45942t=45927
RE: VPN Design ? [7:45927]
Thanks for that response. You just taught me something :-) I misunderstood what you were saying the first time.

Regards,

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 05, 2002 11:07 AM
To: Marshal Schoener
Cc: [EMAIL PROTECTED]
Subject: RE: VPN Design ? [7:45927]

> I'm not referring to a strictly static NAT setup. I'm talking about dynamic
> NAT/PAT, where clients may get a NAT address or may use PAT, depending on
> pool availability.
>
> [...]
Re: VPN Design ? [7:45927]
I'm not sure if this is exactly what you are referring to, Craig, but it might help. We also have had problems doing VPN Client connections behind PAT. It's only in places where the DSL/Cable router cannot support PAT on unknown ports, like UDP 1 which is default for VPN 3000 connections. Linksys routers are an example. The workaround is in 3000 concentrator version 3.5 where you can do IPSec via TCP. So you can set up PAT on known ports, like TCP port 80.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45960t=45927
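Craig and Marshal's exchange about several VPN clients behind one PAT address, and the last post's IPsec-over-TCP workaround on the VPN 3000, both come down to one mechanism: ESP has no port numbers, so a PAT device has nothing beyond the peer address to tell two inside hosts apart once they both talk IPsec to the same server, while ESP wrapped in UDP (or TCP) gives each client its own translated source port. The following is an added example, not configuration from the thread, of an IOS head-end that accepts VPN clients and does what Marshal calls "forcing UDP encapsulation on the server side" via IKE NAT traversal on UDP 4500. It is hypothetical: it assumes an IOS router with an IPsec feature set at 12.2(13)T or later (where NAT-T is on by default) rather than the poster's 2500, and the group name, key, pool and username are placeholders.

```cisco
! Added example, not from the thread. Hypothetical IOS Easy VPN head-end,
! 12.2(13)T or later. NAT-T (UDP 4500) is enabled by default in that release:
! client and router detect the PAT device during IKE and switch ESP to UDP
! encapsulation, so each client behind the PAT gets its own source port.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username alice secret <user-password>
!
ip local pool VPN-POOL 192.168.210.1 192.168.210.50
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Group name and key carried in the VPN client profile (placeholders).
crypto isakmp client configuration group REMOTE-OFFICE
 key <group-key>
 pool VPN-POOL
!
! Keepalives through an idle tunnel so the PAT entry for UDP 4500 on the
! remote DSL/cable router does not time out and drop the client.
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set CLIENTS esp-3des esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set CLIENTS
 reverse-route
!
crypto map CLIENTMAP client authentication list VPN-USERS
crypto map CLIENTMAP isakmp authorization list VPN-GROUPS
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYN
!
interface Serial1
 crypto map CLIENTMAP
```

With a client that supports NAT-T connected from behind a PAT device, `show crypto ipsec sa` lists `Tunnel UDP-Encaps` under "in use settings", and a second client behind the same PAT address shows up as a separate SA distinguished by the UDP source port the PAT device assigned. Without UDP encapsulation the second client's ESP packets collide with the first client's translation, which is the failure Craig describes. The VPN 3000 concentrator's IPsec over UDP and IPsec over TCP options are the same idea with a different wrapper; the TCP variant exists precisely for home routers that, as the last post says, only PAT well-known ports.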