[vpn] VPN with NAT

Christopher Gripp cgripp at axcelerant.com
Wed Oct 10 19:00:15 EDT 2001


It's a non-issue.  Add routes on the LRP box that point to the inside of
the PIX for all remote subnets.

-----Original Message-----
From: Chuck Renner [mailto:crenner at dynalivery.com]
Sent: Wednesday, October 10, 2001 3:47 PM
To: vpn at securityfocus.com
Subject: [vpn] VPN with NAT


Here's my current network situation:

Internet-----Router-----LRP box----Private Network

The LRP box is a system running a floppy-based version of the Linux
Router Project.  It is the default gateway for all systems on the
private network (192.168.1.x), and provides NAT services and
firewalling.

Now, I have a few remote employees that I'd like to connect to the
private network via a Cisco Secure PIX 506 box.  Ideally, I'd like to
have something like this:

Internet-----Router-----LRP box----Private Network
               |                      |
               --------PIX 506---------


I only want to use the PIX to terminate the VPN clients, not have it
replace the LRP box.  I've been considering the following ideas to make
things work correctly, and would like feedback or suggestions:

1)  I can add a second network card to each system that I want to make
available via the VPN.  This will require extra cabling and requires a
lot of opening of boxes.

2)  Via RIP, have the systems on the private network update their
routing tables so that the traffic for any remote system connecting to
the PIX will be routed back through the PIX.  Only problem is I don't
know if the PIX provides any capability for this kind of thing.

3)  Replace the LRP box with the PIX, so all traffic flows through it.  

4)  Any methods anyone else can recommend...


VPN is sponsored by SecurityFocus.com
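
The routing fix suggested in the reply at the top of this thread, modelled as an added example (not part of the original messages): it shows where the LRP box forwards a LAN host's reply to a VPN client before and after the static route is added. The PIX inside address, the VPN client pool, the upstream gateway and the interface names are assumed values; only 192.168.1.x comes from the post.

```python
import ipaddress

# Assumed values (not from the thread): PIX inside address, VPN client pool,
# and the LRP box's upstream gateway. Only 192.168.1.x comes from the post.
PIX_INSIDE = "192.168.1.254"
VPN_POOL = "10.10.10.0/24"
UPSTREAM_GW = "203.0.113.1"


def base_table():
    """LRP routing table before the fix: connected LAN plus default route."""
    return [
        {"dest": ipaddress.ip_network("192.168.1.0/24"), "via": None, "dev": "eth1"},
        {"dest": ipaddress.ip_network("0.0.0.0/0"), "via": UPSTREAM_GW, "dev": "eth0"},
    ]


def add_route(table, dest, via, dev):
    """Return a new table with one static route added."""
    return table + [{"dest": ipaddress.ip_network(dest), "via": via, "dev": dev}]


def lookup(table, dst):
    """Longest-prefix match, the rule the kernel uses when forwarding."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r["dest"]]
    return max(matches, key=lambda r: r["dest"].prefixlen)


def reply_path(table, client_ip):
    """Describe where the LRP box sends a LAN host's reply to a VPN client."""
    route = lookup(table, client_ip)
    if route["via"] == PIX_INSIDE:
        return "to PIX inside: reply goes back into the tunnel"
    if route["dest"].prefixlen == 0:
        return "default route: reply is NATed out to the Internet"
    return "connected network: delivered directly"


if __name__ == "__main__":
    client = "10.10.10.5"  # constructed VPN client address from the assumed pool
    before = base_table()
    after = add_route(before, VPN_POOL, PIX_INSIDE, "eth1")
    print("before:", reply_path(before, client))
    print("after: ", reply_path(after, client))
```

Because LAN hosts keep the LRP box as their default gateway, only the LRP table needs the extra route; the model makes the unfixed failure visible as replies leaving through the NAT path instead of the tunnel.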

