IPsec VPN through a PAT router

tcrellin
Level 1

I have a customer with a single IP address from his ISP. He wants to use a VPN solution but this will require the ISP router, doing Port Address Translation, to recognise the VPN packets and forward them to the right internal address. I know how to use static PAT with a TCP or UDP port number, but ESP, AH and GRE are all IP protocols, not TCP or UDP protocols.

Does anyone know how I can set up static PAT for these protocols and which routers / feature sets I would need for this?

Thanks in advance.

5 Replies

thomas.chen
Level 6

NAT Transparency is the feature you’ll need in your VPN solution. Cisco’s VPN concentrators support this.

Thank you.

However, the customer is not using Cisco concentrators. The VPN is terminating on a Sonicwall box. I am not in a position to change this, unfortunately.

Any ideas?

This may not help considering that you cannot change the device being terminated into; however, we have tested Cisco 2621's and 1605R's using PPTP on Win2K Professional clients terminating into a Win2K Server behind the individual routers. All routers are running NAT/PAT on the outside interface. This configuration has been virtually flawless. We tested many permutations of this (with/without WINS, various levels of encryption & compression, etc.) before we settled on a standard template configuration for this type of access. If your VPN terminating device supports PPTP & the various Microsoft protocols (MPPE/MPPC, etc.) then I suspect that it will function in the same way. The only issue I've had so far is loss of telnet access to the public interface from non-private IP ranges (but this may just be a NAT/PAT/access-list issue that I'm just not seeing in my router configs) :( In any event, let me know if this helps and I'll email you a detailed network configuration of our general set-ups.

P.S. I think the general consensus is that non-PPTP based VPN solutions WILL NOT function correctly through a PAT due to PAT 'packet fix-ups' that cannot be made to the packets being passed. If your client REQUIRES a non-PPTP VPN solution you may HAVE to terminate the VPN into the public IP router/VPN server.

PPTP and IPSEC will work through a "PAT" router. The trick is called "passthrough".

Most SOHO routers are not enabled with a PPTP and IPSEC passthrough switch. In a Cisco this is made possible via the NONAT route map. By defining a route map called NONAT and applying a deny or allow on address space, you can keep IPSEC and PPTP traffic out of the NAT. This will allow it to pass unnatted.
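The NONAT route-map approach described in the reply above, written out as an added Cisco IOS configuration example that is not from the thread; the subnets (192.168.1.0/24 local, 192.168.2.0/24 remote VPN site) and interface names are assumed:

```cisco
! Added example, not from the thread: NAT exemption ("NONAT") on a Cisco IOS
! router so that traffic bound for the remote VPN site bypasses PAT.
! Assumed: local LAN 192.168.1.0/24 on FastEthernet0/1, remote VPN LAN
! 192.168.2.0/24, outside interface FastEthernet0/0 holding the single ISP address.

! Order matters: the deny for the VPN subnet must come before the permit,
! otherwise the permit matches first and the VPN traffic is translated anyway.
! Denied traffic does not match the route map and leaves the router untouched;
! everything else from the LAN is PAT'ed to the outside interface address.
ip access-list extended NONAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

route-map NONAT permit 10
 match ip address NONAT

ip nat inside source route-map NONAT interface FastEthernet0/0 overload

interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside

! Check: "show ip nat translations" should show no entries with a 192.168.2.x
! destination, and "show access-lists NONAT" shows hit counts on the deny line
! climbing as VPN traffic passes unnatted.
```

This keeps the exempted traffic out of the translation table; it does not by itself create the inbound mapping of ESP or AH to an internal host that the original question asks about.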

I'd like a copy of those diagrams and notes if you don't mind.