* VPN and NAT Question
Posted on November 8, 2004, 11:42 pm
Assuming I set up a broadband connection with a hardware firewall and router
using 2 IP addresses given to me by the ISP, and I have all the other
computers on the network using internal IP addresses with NAT (10.0.0.xx etc.).
If I then want to establish a VPN connection to a machine on the network,
can it be accessible if it has an internal IP address?
Also, what hardware is required for a VPN connection?
Do I have to have Windows 2003 Server or similar?
Re: * VPN and NAT Question
:using 2 IP addresses given to me by the ISP, and I have all the other
:computers on the network using internal IP addresses with NAT (10.0.0.xx etc.).
:If I then want to establish a VPN connection to a machine on the network,
:can it be accessible if it has an internal IP address?
Generally speaking, yes.
With a Cisco PIX, for example, there would be two ways of doing this:
A) use a 'static' command to map specific ports on the firewall external
IP to those same ports on the internal machine, such as
static (inside,outside) tcp interface www 10.0.0.x www netmask 255.255.255.255
This is known as 'static PAT' in Cisco lingo, and the word 'interface'
there is a special keyword used only when you want to be able to use
the public IP of the firewall as the destination.
If 10.0.0.x can originate connections but should not be a server at all
(not even for NetBIOS UDP packet purposes), then there is a related approach
using the nat/global pair of commands, which you would usually have
in place anyhow to allow non-VPN traffic from the internal hosts to go
B) use 'nat (inside) 0 access-list AnACLNameHere' and define
AnACLNameHere as an access-list matching the traffic sourced from
the 10.0.0.x host and going to whatever IP the remote machine can have.
This will turn off source IP translation on the 10.0.0.x packets as they
go to the remote machine, and the remote machine would talk to the
internal machine by using its internal 10.10.10.x address. This
approach would normally only be taken by organizations that trust each other
somewhat and are willing to coordinate internal IP ranges. If the two
organizations are not willing to coordinate internal IP ranges,
or they aren't willing to trust each other more than the minimum necessary
to get the traffic through, then the public IP approach of (A) would be more
:also what hardware is required for a VPN connection ?
:Do i have to have windows 2003 server or similar ?
No. If you have a hardware firewall with VPN services, then the firewall
will take care of all the details and you can use literally any kind
of IP-capable machine internally. Even an Xbox with the network adapter.
If you do not have a hardware firewall then in Windows 2000 and XP,
you can configure the system to be a software VPN client to connect
to a remote firewall system. If I recall correctly, L2TP and PPTP are
supported for that. XP Pro might also support outgoing IPSec.
Windows XP Pro (and possibly some other versions of Windows) can act
as firewall endpoints for incoming connections for L2TP and PPTP;
I'm not sure about IPSec.
If you are connecting to a remote firewall from a PC directly (with
no hardware firewall on your end, or you need to skip that local
firewall), and you need to use a tunnel protocol that is not natively
supported on that PC, then usually the vendor of the remote firewall
will have VPN client software to run on the PC that will allow it to
connect. Cisco has versions that support at least as far back as
Windows 98; I'm not sure about earlier Windows versions.
Contents: 100% recycled post-consumer statements.
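A PIX 6.x configuration fragment putting the two approaches from the reply above side by side, as an added example that is not part of the original post. The addresses are assumptions for illustration: 203.0.113.1 is the firewall's outside address and 203.0.113.2 the second ISP-assigned public IP, 10.0.0.10 is an internal web server, 10.0.0.5 is the internal PPTP/VPN endpoint, 192.168.50.0/24 is a partner's internal range, and the access-list names are made up.

```cisco
! --- Assumed addressing (example values, not from the original post) ---
! outside interface 203.0.113.1, second public IP 203.0.113.2
! internal web server 10.0.0.10, internal VPN endpoint 10.0.0.5
! partner's internal range 192.168.50.0/24
ip address outside 203.0.113.1 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0

! The usual nat/global pair: internal hosts PAT out through the firewall's
! own public IP when they originate connections
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! (A) Static PAT: only TCP 80 on the firewall's public IP reaches 10.0.0.10.
! 'interface' is the keyword for the outside interface's own address.
static (inside,outside) tcp interface www 10.0.0.10 www netmask 255.255.255.255 0 0

! (A) for a PPTP server: PPTP needs GRE (IP protocol 47) as well as TCP 1723.
! GRE has no port, so it cannot be forwarded with a port-based static PAT;
! use the second public IP as a one-to-one static for the VPN endpoint instead.
static (inside,outside) 203.0.113.2 10.0.0.5 netmask 255.255.255.255 0 0

! A static by itself opens nothing. Inbound traffic is only accepted if an
! access-list bound to the outside interface permits it, so permit exactly the
! protocols each host is meant to serve and nothing else.
access-list outside_in permit tcp any host 203.0.113.1 eq www
access-list outside_in permit tcp any host 203.0.113.2 eq 1723
access-list outside_in permit gre any host 203.0.113.2
access-group outside_in in interface outside

! (B) NAT exemption: traffic from 10.0.0.0/24 to the partner's range leaves
! with its real 10.0.0.x source address. This only works when both sides
! have agreed on non-overlapping internal ranges.
access-list NoNatToPartner permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NoNatToPartner
```

Approach (B) is normally paired with a site-to-site IPsec tunnel on the same firewall, where the same source/destination pair is also the crypto map's interesting-traffic access-list; without a tunnel or a route that the partner honours, packets with a 10.0.0.x source are simply dropped somewhere on the Internet. The outside access-list is deliberately per-host and per-port: a `permit ip any host ...` line would expose every service on the statically mapped host, not just the VPN.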
Re: * VPN and NAT Question
You would connect to the public IP, which is then "forwarded" to the
internal computer. Since you only have two public IPs, you can only VPN
into two internal computers (unless you change the ports).
You could install a 2000/2003 server, forward the VPN ports from the
public IP to the internal IP of the server and set up RAS, or you could
purchase a VPN router/firewall device and VPN to the device, which could
then authenticate you and give you full access to it.
(Remove 999 to reply to me)