
Maybe a partial solution
depamo

2001-07-16, 2:08 pm

VPN traffic through the PAT is not possible, as was said earlier. Is there a reason that the VPN server is inside the Privately Addressed Area? What I would do is a combination of PAT and NAT. Statically identify the systems that your users must access with static NAT addresses, put your VPN server outside the router in the DMZ or isolation LAN where it will be doing its job a little better (you might want to combo this with a Proxy to save some CPU cycles), then take the rest of your IP addresses and pool them into a PAT for bi-directional traffic.

The reason for the VPN to be on the other side of the router: encrypted traffic is larger and more complex and doesn't compress for anything. A VPN system should be in the Isolation LAN behind the outer Firewall Router but in front of the inside Firewall Router, to keep VPN access attempts in the DMZ, not on the private LAN allowing access to the inner private network servers (similar to a porthole).

Some people believe that this leaves your VPN system open for attack; that is usually not an issue. If the software protects the Private Key correctly, it shouldn't be an issue. If you don't have an isolation LAN or DMZ, this might be an issue for a little redesign.

I am sure that everyone has an opinion. I know that this will work, but you need a router with some cojones!! If you are terminating up to a T1 with a Class C worth of space, a 2500 will probably get overworked, as they don't hold that much memory to begin with anyhow. That type of a job I would probably put in the hands of a 3640 (the NAT/PAT router).

So, take it for what it is worth. I have quite a few designs under my belt and have seen this as an option available that can work if you have the horsepower and the cash.
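
The static-NAT-plus-PAT split described in the post above, as an added Cisco IOS configuration example (not from the original post or its author). The interface names, the 192.0.2.0/24 public block (RFC 5737 documentation space), the 10.10.0.0/24 inside LAN and the host addresses are all assumed placeholders.

```cisco
! Added example, not from the thread. One NAT/PAT router sits between
! the private LAN and the DMZ / isolation LAN. All addresses are
! placeholders: public block 192.0.2.0/24, inside LAN 10.10.0.0/24.
! The VPN server (say 192.0.2.20) lives on the outside/DMZ segment, so
! its encrypted traffic never has to cross the PAT at all.
!
interface FastEthernet0/0
 description Inside private LAN
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside - DMZ / isolation LAN (VPN server lives here)
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
! 1) Static NAT: the servers outside users must reach each keep a fixed,
!    one-to-one public address (bi-directional, no port rewriting).
ip nat inside source static 10.10.0.10 192.0.2.10
ip nat inside source static 10.10.0.11 192.0.2.11
!
! 2) PAT: the rest of the public block is pooled and overloaded so many
!    inside hosts share a handful of addresses for outbound sessions.
!    The statically mapped hosts are excluded from the list so the two
!    mechanisms never compete for the same inside address.
access-list 10 deny   host 10.10.0.10
access-list 10 deny   host 10.10.0.11
access-list 10 permit 10.10.0.0 0.0.0.255
!
ip nat pool PAT-POOL 192.0.2.100 192.0.2.110 netmask 255.255.255.0
ip nat inside source list 10 pool PAT-POOL overload
!
! Check: "show ip nat translations" should list the two static entries
! permanently and per-session overload entries only while traffic flows;
! "show ip nat statistics" shows pool exhaustion if the range is too small.
```

The static public addresses (192.0.2.10-11) and the PAT pool (192.0.2.100-110) must not overlap, and neither should include the VPN server's own address on the DMZ segment.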
depamo

2001-07-16, 7:24 pm

The posting for this thread was to be an answer for another thread on a NAT/PAT problem that a user was having. Unfortunately the infamous laser mouse wasn't as accurate as suspected when clicking on the reply or new thread button at the bottom of this.

Have a good one!!

Copyright 2003 - 2008 examnotes.net