Remote Access VPN behind NAT/PAT

farrsum
Level 1

I have established 1 remote access VPN from client (Windows XP PPTP) to Cisco VPN Con 3030.

How can I establish multiple remote access VPNs from the same LAN clients (192.168.x.x) using PAT to the same destination VPN Concentrator?

Can the Cisco VPN client solve the problem?

Can we have multiple VPNs between 2 real IPs?

1 Reply

ehirsel
Level 6

The Cisco VPN client is only an IPsec VPN client, not a PPTP one. However, the 3030 device can be used to terminate IPsec as well as PPTP and other types of VPN sessions. What type of client you use depends upon what you want to achieve - PPTP is already enabled on the MS Win XP OS so there is no extra software to install. The Cisco VPN client needs to be installed. However, PPTP may be more vulnerable to attack as it uses the RC4 algorithm, whereas the Cisco VPN client has more choices for hashing algorithms, and 3DES/AES IPsec is harder to crack unless you use weak pre-shared keys.

Whether you use IPsec or PPTP VPN clients, when any of them reside behind a NAT/PAT device, usually that device needs to be aware of the VPN traffic and make the necessary adjustments. If that device is the PIX firewall, you can run the fixup protocol pptp to allow the PPTP traffic to originate from more than one client on the internal network. Most newer VPN gateways allow for NAT-T to allow the IPsec VPN traffic to be encapsulated in another TCP or UDP frame (UDP port 4500 is the IETF standard).

With regards to multiple VPNs between 2 different IP addresses, the answer is yes, assuming that the NAT/PAT device is doing the xlate properly. The client port numbers will distinguish the VPN connections, similar to having two clients behind a PAT device connecting to the same FTP or web server on an internet connection.

Let me know if this helps.
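
The reply's point that client port numbers distinguish the tunnels, shown as an added example that is not part of the original thread: a small Python model of a PAT translation table with two inside clients sending NAT-T traffic to one gateway. The `PatTable` class, the addresses and the port range are constructed for illustration and do not reproduce any device's actual logic.

```python
# Constructed model of a PAT (port address translation) table.
from itertools import count

PUBLIC_IP = "203.0.113.10"   # constructed outside address (documentation range)
VPN_GW = "198.51.100.20"     # constructed VPN gateway address

class PatTable:
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.out = {}   # (proto, in_ip, in_port, dst_ip, dst_port) -> outside port
        self.back = {}  # (proto, outside port, dst_ip, dst_port) -> (in_ip, in_port)

    def translate(self, proto, in_ip, in_port, dst_ip, dst_port):
        """Outbound packet: return (public_ip, outside_port), reusing an xlate."""
        if in_port is None:
            # Port-less IP protocols (raw ESP = IP protocol 50, GRE = 47) give
            # PAT nothing to rewrite; the device must understand the protocol.
            raise ValueError(f"{proto}: no port to translate")
        key = (proto, in_ip, in_port, dst_ip, dst_port)
        if key not in self.out:
            port = next(self._ports)
            self.out[key] = port
            self.back[(proto, port, dst_ip, dst_port)] = (in_ip, in_port)
        return self.public_ip, self.out[key]

    def reverse(self, proto, outside_port, src_ip, src_port):
        """Return packet from the gateway: find the inside client, or None."""
        return self.back.get((proto, outside_port, src_ip, src_port))

def demo():
    pat = PatTable(PUBLIC_IP)
    # Two inside clients, both sourcing NAT-T from UDP 4500 to the same gateway.
    a = pat.translate("udp", "192.168.1.10", 4500, VPN_GW, 4500)
    b = pat.translate("udp", "192.168.1.11", 4500, VPN_GW, 4500)
    replies = [pat.reverse("udp", p[1], VPN_GW, 4500) for p in (a, b)]
    try:
        pat.translate("esp", "192.168.1.10", None, VPN_GW, None)
        raw_esp = "translated"
    except ValueError:
        raw_esp = "needs NAT-T or a protocol-aware device"
    return a, b, replies, raw_esp

if __name__ == "__main__":
    print(demo())
```

Both clients leave from the same public address but with different outside ports, so return traffic from the gateway maps back to the right inside host; the raw ESP case fails because there is no port for the table to key on.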