I have a customer with a single IP address from his ISP. He wants to use a VPN solution, but this will require the ISP router, doing Port Address Translation, to recognise the VPN packets and forward them to the right internal address. I know how to use static PAT with a TCP or UDP port number, but ESP, AH and GRE are all IP protocols, not TCP or UDP protocols.
Does anyone know how I can set up static PAT for these protocols and which routers / feature sets I would need for this?
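The distinction the question turns on (a static PAT rule needs a transport-layer port to match, and ESP, AH and GRE carry none) can be shown by parsing the packets a PAT device would see. The following is an added example, not code from the original thread or from any router vendor: it parses a minimal IPv4 header, extracts the destination port where the protocol is TCP or UDP, and returns no port for ESP (protocol 50), AH (51) and GRE (47). The sample packets, addresses and SPI value are constructed for the example.

```python
import struct
from typing import Dict, Optional, Tuple

# IANA protocol numbers for the protocols discussed in the question.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


def parse_ipv4(pkt: bytes) -> Tuple[int, str, str, bytes]:
    """Return (protocol number, src, dst, payload after the IP header)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                       # the IP 'protocol' field
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def pat_key(pkt: bytes) -> Tuple[str, str, str, Optional[int]]:
    """What a static PAT rule can key on: (proto, src, dst, dst port or None)."""
    proto, src, dst, payload = parse_ipv4(pkt)
    name = PROTO_NAMES.get(proto, f"proto-{proto}")
    if proto in (6, 17):
        # TCP and UDP both put source and destination port in the first 4 bytes.
        _sport, dport = struct.unpack("!HH", payload[:4])
        return name, src, dst, dport
    # GRE, ESP and AH have no port field, so there is nothing for a
    # port-based static PAT entry to match or rewrite.
    return name, src, dst, None


def can_static_pat(pkt: bytes) -> bool:
    """True only when the packet carries a port a static PAT rule can use."""
    return pat_key(pkt)[3] is not None


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed packet with a minimal 20-byte header (checksum left zero)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def sample_packets() -> Dict[str, bytes]:
    """Constructed sample traffic: addresses, ports and SPI are made up."""
    src, dst = "203.0.113.5", "198.51.100.9"
    return {
        # IKE negotiation: UDP to port 500, so a static PAT entry can forward it.
        "ike_udp500": build_ipv4(17, src, dst,
                                 struct.pack("!HHHH", 500, 500, 16, 0) + b"\x00" * 8),
        # PPTP control channel: TCP to port 1723, also port-addressable.
        "pptp_tcp1723": build_ipv4(6, src, dst,
                                   struct.pack("!HHIIBBHHH", 40000, 1723, 1, 0,
                                               0x50, 0x02, 8192, 0, 0)),
        # ESP tunnel traffic: header is SPI + sequence number, no ports.
        "esp": build_ipv4(50, src, dst,
                          struct.pack("!II", 0x12345678, 1) + b"\x00" * 8),
        # AH: next header, payload length, reserved, SPI, sequence, ICV.
        "ah": build_ipv4(51, src, dst,
                         struct.pack("!BBHII", 6, 4, 0, 0x0ABCDEF0, 1) + b"\x00" * 12),
        # GRE (e.g. the PPTP data channel): flags/version, protocol type, no ports.
        "gre": build_ipv4(47, src, dst,
                          struct.pack("!HH", 0x3001, 0x880B) + b"\x00" * 8),
    }


if __name__ == "__main__":
    for label, pkt in sample_packets().items():
        name, s, d, port = pat_key(pkt)
        verdict = "static PAT possible" if port else "no port field to match"
        print(f"{label:13s} {name:4s} {s} -> {d} port={port} : {verdict}")
```

Running the block prints one line per constructed packet; the two port-carrying packets are the only ones a port-based static PAT entry could be written for, which is exactly why the IPsec and GRE traffic in the question cannot be forwarded the way a TCP or UDP service can.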
This may not help considering that you cannot change the device being terminated into; however, we have tested Cisco 2621s and 1605Rs using PPTP on Win2K Professional clients terminating into a Win2K Server behind the individual routers. All routers are running NAT/PAT on the outside interface. This configuration has been virtually flawless. We tested many permutations of this (with/without WINS, various levels of encryption & compression, etc.) before we settled on a standard template configuration for this type of access. If your VPN terminating device supports PPTP & the various Microsoft protocols (MPPE/MPPC, etc.) then I suspect that it will function in the same way. The only issue I've had so far is loss of telnet access to the public interface from non-private IP ranges (but this may just be a NAT/PAT/Access-List issue that I'm just not seeing in my router configs) :( In any event, let me know if this helps and I'll email you a detailed network configuration of our general set-ups.
P.S. I think the general consensus is that non-PPTP based VPN solutions WILL NOT function correctly through a PAT due to PAT 'packet fix-ups' that cannot be made to the packets being passed. If your client REQUIRES a non-PPTP VPN solution you may HAVE to terminate the VPN into the public IP router/VPN server.