Firewall Wizards mailing list archives

RE: Cannot establish PPTP VPN connection thru PAT on Cisco router


From: shewitt () cdw com
Date: Mon, 18 Sep 2000 10:25:29 -0500

So, Cisco's implementation of PAT is not as advanced as the single IP NAT
implementations found in shareware software and SOHO routers?  I've used
SyGate, Windows 2000 NAT, a DSL router, and have talked to several other
people with single IP NAT implementations and they are able to VPN.  
My understanding is that if I use a NAT pool on a Cisco router, and a single
IP for overloading, clients will use up the NAT pool on a first-come, first-served
basis.  So, if I only have 5 IPs in my pool, and they are gone, then
I have no way of using PPTP.  Even if I'm the sixth person to connect, I'll
be on the PAT, so I won't be able to get a GRE packet thru.  
This is a problem for me because I have over 2000 clients of which several
hundred may be browsing simultaneously forcing me to have several hundred IP
addresses.  
So, it sounds like I'll have to make a small NAT pool for all users of PPTP.
And when they need to connect, I'll have to assign them a static IP address
(since DHCP will be releasing IP addresses with PAT).

--Scott Hewitt



[snip]
My thought is that maybe it doesn't work thru PAT, it only works thru NAT.  

*BING!*

Congratulations. ;) Look at it this way - GRE doesn't have any port
information, so if you're trying to overload on an external IP address
there's no way for the router to know which internal host to give the return
GRE traffic to.

You'll need to have a static NAT mapping for this to work. You can still
overload for the rest of your TCP / UDP traffic, but you'll only be able to
support one PPTP connection per real IP address that you have.


Any suggestions?  Anybody have PPTP working thru PAT on a Cisco router?

No, but a few through NAT with the method above.


-------------------------------
Scott Hewitt

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 
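An added example, not from either poster, of the IOS configuration Ben describes: one-to-one static mappings for the PPTP clients alongside interface overload for everyone else. The interface names, the 10.1.1.0/24 and 203.0.113.0/29 address blocks and the two client hosts are assumed for illustration.

```cisco
! Added example (not from the thread). Assumed layout: inside LAN 10.1.1.0/24
! on Ethernet0, outside Serial0 holding public block 203.0.113.0/29 (an RFC 5737
! documentation range). PPTP clients 10.1.1.10 and 10.1.1.11 each get their own
! real IP; everyone else shares 203.0.113.1 through PAT (overload).
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
! One-to-one static mappings for the PPTP clients. A static entry translates
! every protocol between the two addresses, so both the TCP 1723 control
! channel and the portless GRE tunnel (IP protocol 47) are translated on the
! way out and matched on the way back, one PPTP client per real address.
ip nat inside source static 10.1.1.10 203.0.113.2
ip nat inside source static 10.1.1.11 203.0.113.3
!
! Everyone else overloads the Serial0 address. Static entries take precedence
! over the dynamic rule, so the PPTP hosts never land on the PAT address.
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload
!
! Check: "show ip nat translations" lists the two static entries with "---"
! in the port columns, while TCP/UDP sessions show port-rewritten pairs.
```

The inside address in each static entry has to stay fixed, so the PPTP clients need a DHCP reservation or a manually assigned address, which is the conclusion Scott reaches above.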


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards