• Advertisement

VPN through PAT and NAT

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.

Re:VPN through PAT and NAT

Postby Guest » Wed Dec 15, 2010 7:05 am

so finally i guess i understand the picture; one termination point is the cvpn, and the other termination point is a device, that is deployed behind both a pat router and a nat firewall.

assuming this time i got it right, then, as you already know, this solution is not feasible.



Re:VPN through PAT and NAT

Postby Guest » Wed Dec 15, 2010 8:02 am

having a second thought, it's embarrassed to say, but now i disagree to my previous post. there should not be any drama with your scenario. please allow me to show you couple examples.

one of our branch offices runs on cable. the isp assigns a private ip on the cable modem as well as the router.


branch private net <--> pat router <--> cable modem <--> isp nat/pat device <--> www

due to the fact that the isp assigned ip is always private, i believe once the packet destined for the internet arrives at the isp cloud, and before it gets outside, the isp needs to pat/nat the packet as the source ip is private, right? yet, users from this branch are able to establish vpn to our main office cvpn.

other example is cdma with pcmcia card for notebook. again the isp assigns a private ip on the pcmcia card. thus, before the packet leaves the isp cloud, another pat/nat is required.

these two examples indicate that the remote vpn client is able to establish and maintain a vpn tunnel to a cvpn, regardless whether there is another nat/pat device along the path.

further, isn't the aim of nat traversal is to overcome the issue with pat/nat? in simplified terms, the cvpn receives a udp packet and starts processing. the cvpn and then realises that esp is being encapsulated by udp. next, cvpn decrypts and examines the packet further in order to validate the packet (with the original source ip regardless the udp header source ip).


Re:VPN through PAT and NAT

Postby Guest » Wed Dec 15, 2010 8:11 am

In this scenario, I believe the following is the case.

A modem cannot obtain an IP-address; it is always a bridge between a device and a network. This means the router obtains an address from the ISP through the modem.

Generally, the obtained IP-address is a public IP-address (I know of no other setup thatn that), thus the ISP doesn't habe to do NAT or PAT. Mostly, the ISP doesn't even have a firewall in between the client-router/modem and the internet.

I say a modem canot obtain an IP-address, because a modem is for signal-conversion only; it does not make decisions.

For example, a telephone-modem is used for initiating the connection. Your computer gets an IP-address through your modem.

In a router, a connection-device (Ethernet, DSL-WIC) does have an IP-address.

That's because the router has to know what addresses are connected, i.e. what exits it has. However, the router has the IP-addresses, not the actual interface.

n the case of the branch office, what is the IP of the router and modem? And what IP-address do internet-sites see?

I think they are all one and the same...

By the way, NAT-T is indeed for fixing problems with NAT-devices. However, even in the documentation of the Concentrators, they state that it will only work if either one or both sides are each behind a (single) NAT-device. That has to do with the port-translations and encapsulation of the IP-addresses. If a single device is behind multiple NAT-devices, the source IP-address wil be altered too many times, and will therefore be the wrong one when it reaches the endpoint.


Re:VPN through PAT and NAT

Postby Guest » Wed Dec 15, 2010 8:28 am

firstly, thanks for giving me a network fundamental. i guess i understand the BASIC of ip and how does it work, otherwise it would be a shame to be one of the top netpros.

believe it or not. the router deployed at the branch office has a private address on the outside interface. and that's why this particular branch has no lan-lan vpn back to our office, but rely on the remote vpn client software. further, as mentioned in my last post, the cdma pcmcia card is another example. i.e. the notebook will be assigned a private ip by the isp.

for your info, the branch router has a 192.168.x.x ip; whereas the cdma notebook has a 10.x.x.x. if the host do a search on google "current ip", a public ip will be shown. further it changes from time to time.

you mentioned "the obtained IP-address is a public IP-address (I know of no other setup thatn that)". please excuse me, but i guess it maybe time for you to make a trip to australia.

at the end of the day, if you believe the scenario will not work. that's fine. thanks for sharing.


Re:VPN through PAT and NAT

Postby Guest » Wed Dec 15, 2010 8:43 am

just another quick comment.

for testing purposes, a pix 501 has been deployed behind a pix 515e.

my notebook <--> pix 501 <--> sw <--> pix 515e <--> router <--> www


pix 501 outside:

pix 515e outside: 203.x.x.x

both pix 501 and pix 515e are configured to perform pat, and my notebook is able to establish a vpn and it works normally.



  • Advertisement

Return to Virtual Private Networks

Who is online

Users browsing this forum: No registered users and 2 guests