Networks

It depends on the VPN server. Is it built in to the firewall or is it inside the network? If it is the firewall what kind is it?

If you're talking about the workstations with the DHCP addresses establishing an outbound VPN connection, yes that is quite easily accomplished as long as the IP address won't be changing within a VPN session. In one of the systems I manage, we support a little over 1,000 users on DHCP and have no trouble using various VPN clients on the desktop to establish sessions on with VPN servers on foreign networks. It does require some dancing around with the outbound firewall rules (that particular system uses a non-NAT PIX)and we are not currently using IPSEC clients so if either of those factors are involved, there might be some issues to resolve.

However, I assume you have a NAT firewall and what happens in that case is that the firewall 'masquerades' the VPN traffic so it appears to be coming from the external (public) IP address, regardless of the private IP address behind the firewall. The only "gotcha" is that the private IP has to outlast the VPN session so the firewall knows how to route the incoming packets back to the IP address that started the session.

I would be glad to share whatever other information I might have that might be useful to you in setting this up. One thing I will mention is that your users will need to understand that unless "split tunneling" is implemented by the particular VPN product you're using, they will lose access to their local network during the time they are connected to the VPN session. That's been a big hurdle for some of our users who want to have simulaneous sessions open with their local LAN and a remote mainframe and aren't quite happy that we cannot support that in some cases.

paul

Paul is on target here. The tricky part of using VPN with a firewall is when you are using a NAT. You cannot use a PAT (port address translation) and a VPN. You can get around this by doing a static NAT for each client internal IP address and then opening ports or conduits for each NAT. Obviously this only makes sense if you only have a few clients that need the vpn connections.

This question was auto closed due to inactivity