[c-nsp] Overlapping NAT subnets and PPTP

Gert Doering gert at greenie.muc.de
Sat May 31 03:32:42 EDT 2008


Hi,

On Fri, May 30, 2008 at 05:32:12PM -0700, Andrew Gristina wrote:
> Two: PPTP and PAT don't really mix.  Read up on the PPTP protocol.  If
> not just try a whole bunch of PPTP clients behind a PAT.  

Cisco NAT/PAT can actually handle PPTP, if the IOS is recent enough
(12.3 or so).  The difficult thing is to remember which GRE packet belongs
to what control connection, and NAT those correctly.

> Three: IPSec can do double NAT or double PAT (disguise the same
> network at both ends)

IPSEC cannot do any of this :-) - IPSEC is just a transport, as is
PPTP.  Whether or not a given IPSEC implementation can also run NAT on
the IPSEC-Tunnel is not a question of "is the protocol superior?".

OTOH, on Cisco you might run a GRE tunnel over IPSEC, and use that to
do NAT to your heart's content.

Or just do away with NAT and get real IP addresses.  Which is the way to go.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
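
The bookkeeping mentioned above (working out which GRE packet belongs to which control connection), sketched as an added example that is not part of the original post and not Cisco's implementation: a PAT device rewrites the Call ID in each Outgoing-Call-Request leaving the inside and uses the Call ID in inbound PPTP GRE headers to find the inside host. Field offsets follow RFC 2637; the class and helper names, addresses and sample packets are constructed for illustration.

```python
import struct

PPTP_MAGIC, OCRQ, GRE_PPTP = 0x1A2B3C4D, 7, 0x880B  # RFC 2637 constants

class PptpPat:
    """Hypothetical PAT state: translated Call ID -> (inside IP, original Call ID)."""
    def __init__(self):
        self.next_id = 1
        self.calls = {}

    def outbound_control(self, inside_ip, msg):
        """Rewrite the Call ID of an Outgoing-Call-Request leaving the inside."""
        if len(msg) < 14:
            return msg
        _, mtype, magic, ctrl, _ = struct.unpack_from(">HHIHH", msg, 0)
        if (mtype, magic, ctrl) != (1, PPTP_MAGIC, OCRQ):
            return msg                      # other messages untouched in this sketch
        (orig_id,) = struct.unpack_from(">H", msg, 12)
        public_id, self.next_id = self.next_id, self.next_id + 1  # no wrap handling
        self.calls[public_id] = (inside_ip, orig_id)
        return msg[:12] + struct.pack(">H", public_id) + msg[14:]

    def inbound_gre(self, pkt):
        """Return (inside IP, packet with original Call ID), or None to drop."""
        if len(pkt) < 8:
            return None
        flags, proto, _, call_id = struct.unpack_from(">HHHH", pkt, 0)
        if proto != GRE_PPTP or (flags & 0x7) != 1:  # enhanced GRE is version 1
            return None
        if call_id not in self.calls:
            return None                     # no control connection announced this call
        inside_ip, orig_id = self.calls[call_id]
        return inside_ip, pkt[:6] + struct.pack(">H", orig_id) + pkt[8:]

def make_ocrq(call_id):
    """Constructed 168-byte Outgoing-Call-Request; fields after Call ID zeroed."""
    return struct.pack(">HHIHHH", 168, 1, PPTP_MAGIC, OCRQ, 0, call_id) + bytes(154)

def make_gre(call_id, payload):
    """Constructed enhanced GRE packet: K bit set, version 1, no seq/ack."""
    return struct.pack(">HHHH", 0x2001, GRE_PPTP, len(payload), call_id) + payload

if __name__ == "__main__":
    pat = PptpPat()
    # Two inside hosts pick the same Call ID, which PAT must make distinct.
    for ip in ("10.0.0.2", "10.0.0.3"):
        out = pat.outbound_control(ip, make_ocrq(1))
        print(ip, "-> public Call ID", int.from_bytes(out[12:14], "big"))
    print(pat.inbound_gre(make_gre(2, b"ppp")))
```

A full translator also has to restore the original value in the Peer's Call ID field of the Outgoing-Call-Reply coming back on the control connection, which this sketch leaves out.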