[vpn] off-topic: Kerberos and NAT/PAT (Shiva and Cisco)?

ELAW at dr.dk ELAW at dr.dk
Fri May 24 02:28:12 EDT 2002


I guess this is mildly off-topic for this list, but I figured I might find
several experts on Kerberos on the VPN mailing list.

We've run into a problem with W2K remote access users accessing our network
via ISDN.
We're using either Cisco 8xx or Shiva Accessport ISDN routers.
The routers are running PAT (or DIAT as Shiva calls it), to map from the
local network at the remote end to an IP address obtained from the Access
Server they're dialing into.

This works fine with a Cisco router, and users can log on to their W2K
workstations.
On the Shiva box the logon procedure is stalled.
Initial Sniffer traces at the central site indicate that somehow the
initial W2K Kerberos Authentication doesn't work thru' the Shiva.

Anyone got any idea why/how W2K Kerberos could be broken by PAT?
Any known workarounds, except disabling PAT and routing individual subnets
to each user?
Clearly Cisco IOS somehow handles this better than the Shiva, but we have
huge numbers of Shiva Accessports in operation.

--Erik

