I'm hoping for some advice on the following scenario, particularly, will the 1605-R perform the intended function.
I have a Windows 2000 Server with DHCP, WINS, and the Routing and Remote Access services configured. This server has one network card, configured with IP address 192.168.100.10
There are 2 Win2K-Pro desktop computers and 2 Win2K-Pro notebook computers in my office. The 2 notebook users would like to connect via PPTP (or L2TP I suppose) using the Win2K-Server's RRAS when out of the office, such as from home or from a hotel.
I intend to configure a 1605-R with a public IP address on one ethernet port (which would be connected to a cable modem, a static IP address as provided by my ISP) and a private IP address on the 2nd ethernet port (perhaps 192.168.100.1)
Can the 1605-R be further configured to allow incoming PPTP connections from the 2 notebook users (using the built-in Win2K dial-up VPN option), such that the PPTP VPN connection is completed by the Win2K Server's Routing and Remote Access Service? I believe that PPTP requires TCP 1723 + Protocol 47 (GRE), while L2TP requires UDP 500 + UDP 1701. I've heard that there can be issues forwarding GRE packets from multiple external sources to a single internal VPN server, especially when the intermediate router is configured for NAT or PAT. All other inbound protocols or ports would be blocked, because we're not running our own web or mail services at this time. My desktop & notebook users would need to be able to browse the internet and download email when in the office, and access a database running on the Win2K Server when out of the office connected by the VPN.
I would be hiring a consultant to complete this configuration but want to be sure that the 1605-R will do the job as intended. I don't necessarily want to purchase a 1700 or 2600-series product, or find myself in a situation where the consultant recommends a higher-performance device, as cost is an issue.
You won't be able to terminate your remote users to the PAT address on your network. You'll have to get another IP address and make a permanent static translation to your RAS server for that purpose. You could alternately terminate your VPN tunnels right at the 1605 using 56-bit IPSec (you'll likely have to upgrade your IOS) and then your remote users can authenticate against the NT server once inside.
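The reply above boils down to two NAT rules and an inbound filter. What follows is an added illustration of that layout in IOS syntax; it is not the poster's or the answerer's configuration. It assumes the ISP hands over a small block from which 203.0.113.2 is the router's own (PAT) address and 203.0.113.3 is the spare address to be mapped onto the RRAS server, with Ethernet0 facing the cable modem and Ethernet1 facing the office LAN; those addresses and interface names are illustrative.

```cisco
! Added example, not the original poster's or answerer's config.
! Assumptions: 203.0.113.2 = router/PAT address, 203.0.113.3 = spare
! address mapped to the RRAS server, 203.0.113.1 = ISP gateway.
!
interface Ethernet0
 description Outside - cable modem
 ip address 203.0.113.2 255.255.255.248
 ip access-group 101 in
 ip nat outside
!
interface Ethernet1
 description Inside - office LAN
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! Desktops and notebooks in the office browse and fetch mail through the
! router's own address (PAT / overload).
access-list 1 permit 192.168.100.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0 overload
!
! One-to-one static translation of the spare public address to the RRAS
! server. TCP 1723 alone could be mapped by port onto the PAT address, but
! GRE (protocol 47) carries no port numbers, so the whole address must be
! translated; this is why a second public address is needed.
ip nat inside source static 192.168.100.10 203.0.113.3
!
! Inbound filter on the outside interface. It is evaluated before the
! outside-to-inside translation, so destinations are the public addresses.
! Only PPTP to the RRAS server is allowed in, plus replies to sessions the
! office opened (TCP return traffic and DNS answers).
access-list 101 permit tcp any host 203.0.113.3 eq 1723
access-list 101 permit gre any host 203.0.113.3
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain host 203.0.113.2 gt 1023
access-list 101 deny ip any any log
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two things to check once this is in place: the Win2K server's default gateway must be 192.168.100.1 so that GRE replies go back out through the translation, and `show ip nat translations` on the router should show a static entry for 192.168.100.10 together with dynamic TCP/GRE entries when a notebook is connected. The `established` line is a plain stateless filter, not a stateful firewall; if the IOS image on the 1605-R carries the firewall feature set, reflexive ACLs or CBAC are the tighter replacement for it.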