Cisco Support Community
Community Member

VPNs and the NAT problem


While VPNs are great for remote access to corporate networks, NAT seems to kill Windows authentication and domain trusts. So I was wondering if it is possible to configure a router-to-router (8 separate locations and 8 separate 1720s in my case) VPN and, instead of having internet access set up via NAT on each router in each location, have each router "route" internet access through the VPN tunnel to one central router that is configured with NAT. That way a VPN could act like a point-to-point connection and allow me to centralize Windows logons and management.

Thank you

Jon Cleek

Community Member

Re: VPNs and the NAT problem

It is possible, but depending on your traffic levels you are going to be taxing the central 1720, and creating a possible bandwidth bottleneck.

Community Member

Re: VPNs and the NAT problem

Thanks for the response. Now for my next question: how do I configure the remote routers to route all traffic through the VPN, and is there anything special I need to do to the central router to get NAT to work correctly?

Community Member

Re: VPNs and the NAT problem

I am not sure I understand your question, but we don't use NAT at our remote facilities. The remote facilities all have 172.16.x.x addresses, which are NAT 0 in the PIX 501 at the remote site and pulled into the tunnel and pop out at the central location still 172.16.x.x. No NATing is done. The remote devices therefore don't have direct access to the internet, which is also what we want.

No split tunnel.

It takes some planning and if you have a legacy network you might not be able to address things like this. In that case I suggest you contact Jack Daniels.
