Multiple VPN connections out of a Pix 515
Posted by brian.chirhart@gmail.com on August 15th, 2005


We have a need for a large (20+) number of technical support folks to
VPN out to multiple customer sites using different VPN clients
(whatever the customer supports). I have been told that this can only
be done with a static NAT translation one to one with a public IP
address. Isn't this what PAT is for? To me, it seems like I would be
able to PAT all the VPN connections through one public IP address. Is
this not true? If it is, could someone submit a configuration example?

Thanks -

Posted by Amaury Ronflard on August 15th, 2005


brian.chirhart@gmail.com wrote:

Well, if you're looking for a good MSS provider that can deploy your PIX,
let me know ;-)

Amaury

Posted by Walter Roberson on August 15th, 2005


In article <1124120467.713151.252840@o13g2000cwo.googlegroups.com>,
<brian.chirhart@gmail.com> wrote:
:We have a need for a large (20+) number of technical support folks to
:VPN out to multiple customer sites using different VPN clients
:(whatever the customer supports). I have been told that this can only
:be done with a static NAT translation one to one with a public IP
:address. Isn't this what PAT is for? To me, it seems like I would be
:able to PAT all the VPN connections through one public IP address. Is
:this not true? If it is, could someone submit a configuration example?

"It depends".

There are different mechanisms used for VPN. The one that is standard
and flexible is IPSec, but there is also PPTP, SSL, and others.
The different mechanisms use different protocols -- not just different
ports and not just tcp vs udp, but different IP -protocols-
(in the sense that TCP and UDP are different IP protocols.) Those other
protocols do not -have- "port numbers" in order to do Port Address
Translation.

If the VPN clients support "NAT Traversal" then you can add support
for that on the PIX by configuring isakmp nat-traversal 20.
When that is done, modern IPSec implementations are able to detect
the presence of NAT (or PAT) and will encapsulate those other IP
protocols within UDP, thus allowing multiple internal clients with PAT.
(In theory you shouldn't need the cooperation of the PIX for this, but
it doesn't hurt to turn it on.)

PPTP uses the GRE IP protocol, which does not have ports. There is a
"pptp" fixup that you can turn on on the PIX that should help.


If I recall correctly, we found that the Nortel VPN client required
one-to-one NAT when the client was behind the PIX.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
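The point Walter makes above (ESP and GRE carry no port field, so a single-address PAT has nothing to rewrite, while NAT-T's UDP encapsulation does) as an added illustration that is not part of the original thread. The PAT model, the protocol numbers and the 192.168.1.0/24, 198.51.100.1 and 203.0.113.1 addresses are constructed for the example; real firewalls may add SPI-based passthrough tricks that this simplified model deliberately leaves out.

```python
from dataclasses import dataclass
from typing import Optional

ESP, GRE, UDP = 50, 47, 17        # IP protocol numbers (IANA)
PORTLESS = {ESP, GRE}             # no L4 port field for PAT to rewrite
PUBLIC_IP = "203.0.113.1"         # constructed single public address

@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

class Pat:
    """Minimal model of a one-public-address PAT device (constructed)."""
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # outside-visible key -> inside flow it belongs to

    def translate(self, flow: Flow) -> Flow:
        if flow.proto in PORTLESS:
            # Return traffic can only be matched on (protocol, peer): a second
            # inside host talking to the same peer is indistinguishable.
            key = (flow.proto, flow.dst_ip)
            if key in self.table and self.table[key] != flow:
                raise ValueError(f"proto {flow.proto} to {flow.dst_ip}: no port "
                                 f"to rewrite, already used by {self.table[key].src_ip}")
            self.table[key] = flow
            return Flow(flow.proto, self.public_ip, flow.dst_ip)
        # Ported protocol (e.g. NAT-T on UDP/4500): hand out a unique source port.
        pub_port = self.next_port
        self.next_port += 1
        self.table[(flow.proto, pub_port, flow.dst_ip, flow.dst_port)] = flow
        return Flow(flow.proto, self.public_ip, flow.dst_ip, pub_port, flow.dst_port)

def simulate(proto: int, n_clients: int, dst: str = "198.51.100.1",
             port: Optional[int] = None):
    """PAT n inside clients toward one customer gateway; (clients_ok, reason)."""
    pat = Pat()
    for i in range(1, n_clients + 1):
        try:
            pat.translate(Flow(proto, f"192.168.1.{i}", dst, port, port))
        except ValueError as err:
            return i - 1, str(err)
    return n_clients, "ok"

if __name__ == "__main__":
    print("raw ESP:", simulate(ESP, 20))          # stops at the 2nd client
    print("NAT-T  :", simulate(UDP, 20, port=4500))  # all 20 translated
```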

