VPN Tunnel over NAT

pkohlstetter · ‎02-07-2003

Hello,

Is it possible to build a vpn-connection if the offical ip-address of one side is nated into a privat adress.

I will put the central endpoint of the VPN-Tunnels into a DMZ. The router will get an ip adress out of the range 10.0.0.0. The firewall will nat an offical ip address into the ip address (example 10.100.100.14).

Is this possible?

The central router is a cisco 3640. The home user will dial into the internet with a cisco 801.

What VPN technologie can I use with this hardware?

Thanks for every help.

Best regards

Peer Kohlstetter

gfullage · ‎02-09-2003

YEs, this is possible. If it's a true one-to-one translation then you don't need to do anything, just point the client at the NAT'd address and everything should work fine.

If it's a one-to-many translation (PAT) then it'll still work. Both the concentrator and the client support the new standard NAT-T so if you enable it on both ends, they'll figure out that they're going through a NAT/PAT device and automatically encaspulate everything in UDP port 4500 packets. You can also enable either "IPSec over UDP" or "IPSec over TCP" in the client and concentrator to encapsulate everything in UDP port 10000 (default) or TCP packets, which also gets around PAT problems.

In short, you should have no problems.

alessandro.pelosi · ‎02-10-2003

Hello

does this mean that you can set-up a LAN to LAN tunnel with PAT in the middle?

Alessandro

gfullage · ‎02-10-2003

Yep, should be able to as long as both ends support NAT-T.

gfullage · ‎02-10-2003

One restriction on that is that only one end will be able to initiate the tunnel, since the device behind the PAT device won't be contactable directly. The device behind the PAT device will only be able to initiate the tunnel to the device on the Internet, not the other way around.