* VPN and NAT Question
Posted by AndyNoSpam on November 8, 2004, 6:42 pm
question

Assuming I set up a broadband connection with a hardware firewall and router
using 2 IP addresses given to me by the ISP, and I have all the other
computers on the network
using internal IP addresses using NAT (10.0.0.xx etc.).

If I then want to establish a VPN connection to a machine on the network,
can it be accessible
if it has an internal IP address?


Also, what hardware is required for a VPN connection?
Do I have to have Windows 2003 Server or similar?

Thanks


Posted by Walter Roberson on November 8, 2004, 7:13 pm
:Assuming I set up a broadband connection with a hardware firewall and router
:using 2 IP addresses given to me by the ISP, and I have all the other
:computers on the network
:using internal IP addresses using NAT (10.0.0.xx etc.).

:If I then want to establish a VPN connection to a machine on the network,
:can it be accessible
:if it has an internal IP address?

Generally speaking, yes.

With a Cisco PIX, for example, there would be two ways of doing this:

A) use a 'static' command to map specific ports on the firewall external
IP to those same ports on the internal machine, such as

static (inside, outside) tcp interface www 10.0.0.x www netmask 255.255.255.255

This is known as 'static PAT' in Cisco lingo, and the word 'interface'
there is a special keyword used only when you want to be able to use
the public IP of the firewall as the destination.

If 10.0.0.x can originate connections but should not be a server at all
(not even for NETBIOS udp packet purposes), then there is a related approach
using the nat/global pair of commands, which you would usually have
in place anyhow to allow non-VPN traffic from the internal hosts to go
outwards.


B) use 'nat (inside) 0 access-list AnACLNameHere' and define
AnACLNameHere as an access-list matching the traffic sourced from
the 10.0.0.x host and going to whatever IP the remote machine can have.
This will turn off source IP translation on the 10.0.0.x packets as they
go to the remote machine, and the remote machine would talk to the
internal machine by using its internal 10.10.10.x address. This
approach would normally only be taken by organizations that trust each other
somewhat and are willing to coordinate internal IP ranges. If the two
organizations are not willing to coordinate internal IP ranges,
or they aren't willing to trust each other more than the minimum necessary
to get the traffic through, then the public IP approach of (A) would be more
likely.


:Also, what hardware is required for a VPN connection?
:Do I have to have Windows 2003 Server or similar?

No. If you have a hardware firewall with VPN services, then the firewall
will take care of all the details and you can use literally any kind
of IP-capable machine internally. Even an Xbox with the network adapter.

If you do not have a hardware firewall then in Windows 2000 and XP,
you can configure the system to be a software VPN client to connect
to a remote firewall system. If I recall correctly, L2TP and PPTP are
supported for that. XP Pro might also support outgoing IPSec.
Windows XP Pro (and possibly some other versions of Windows) can act
as firewall endpoints for incoming connections for L2TP and PPTP;
I'm not sure about IPSec.

If you are connecting to a remote firewall from a PC directly (with
no hardware firewall on your end, or you need to skip that local
firewall), and you need to use a tunnel protocol that is not natively
supported on that PC, then usually the vendor of the remote firewall
will have VPN client software to run on the PC that will allow it to
connect. Cisco has versions that support at least as far back as
Windows 98; I'm not sure about earlier Windows versions.
--
Contents: 100% recycled post-consumer statements.


Posted by Leythos on November 8, 2004, 8:12 pm
andynospam@zetnet.co.uk says...
> question
>
> Assuming I set up a broadband connection with a hardware firewall and router
> using 2 IP addresses given to me by the ISP, and I have all the other
> computers on the network
> using internal IP addresses using NAT (10.0.0.xx etc.).
>
> If I then want to establish a VPN connection to a machine on the network,
> can it be accessible
> if it has an internal IP address?

You would connect to the public IP that is then "forwarded" to the
internal computer - since you only have two public IP you can only VPN
into two internal computers (unless you change the ports).

> Also, what hardware is required for a VPN connection?
> Do I have to have Windows 2003 Server or similar?

You could install a 2000/2003 server, forward the VPN ports from the
public IP to the internal IP of the server and setup RAS, or you could
purchase a VPN router/firewall device and VPN to the device which could
then authenticate you and give you full access to it.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
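As an added illustration of the two PIX approaches Walter describes above (a static for approach A and nat 0 with an access-list for approach B), and of the "forward the VPN ports to the internal server" setup Leythos mentions, here is a PIX 6.x style configuration fragment; it is not from either poster. The second public address 203.0.113.2, the internal VPN server 10.0.0.5, the remote site's 172.16.50.0/24 range and the ACL names are assumed placeholders, and PPTP (TCP 1723 plus GRE) stands in for the forwarded VPN service because that is what a Windows RAS server would listen for.

```cisco
! Approach A: the second public IP is mapped one-to-one to the internal VPN
! server, so remote clients dial 203.0.113.2 and reach 10.0.0.5.
! (Placeholder addresses, not from the thread.)
static (inside,outside) 203.0.113.2 10.0.0.5 netmask 255.255.255.255

! The static alone does not admit inbound traffic: an inbound ACL on the
! outside interface must permit only the VPN service (PPTP control channel
! on TCP 1723 and the GRE data channel) and nothing else to that host.
access-list OUTSIDE_IN permit tcp any host 203.0.113.2 eq 1723
access-list OUTSIDE_IN permit gre any host 203.0.113.2
access-group OUTSIDE_IN in interface outside

! Static PAT form (Walter's "interface" keyword) when only the firewall's
! own public IP is available: maps just TCP 1723 to the server. GRE has
! no port, so static PAT alone does not carry the PPTP data channel; the
! one-to-one static above avoids that problem.
! static (inside,outside) tcp interface 1723 10.0.0.5 1723 netmask 255.255.255.255

! Approach B: exempt traffic between the local 10.0.0.0/24 and the remote
! site's 172.16.50.0/24 from address translation, so the remote peer talks
! to the 10.0.0.x address directly. Both sides must agree that their
! internal ranges do not overlap, which is the coordination Walter notes.
access-list NONAT permit ip 10.0.0.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Ordinary outbound translation for everything else on the inside; the
! nat 0 exemption above is evaluated before this rule.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
```

Leythos's two-public-IP limit follows directly from approach A: each one-to-one static consumes a public address, so a third internal VPN endpoint would need the static PAT form on a different port.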

