Anon | Re: When NAT becomes NOT
There is one other way to get a VPN to work with NAT - use dual-assignment.
While it's a little unorthodox, you can set up your NAT device, then set up a plain-jane router that is bridged ACROSS the NAT. In this scenario most internal machines use the private IP numbers and go through the NAT device. However, the few machines on the inside that must establish VPN connections to the outside (or vice versa) use public IP numbers that are routed through the plain-jane router. On the inside net you will be running 2 IP ranges; in fact, you can even set up the plain-jane router to route between these ranges, so the internal systems on the public IP range can reach other internal systems on the private range!
In this way you can get the benefit of the IP address conservation of private IP number usage through NAT, as well as run your VPN.
Also, one other thing to consider. In coming years the shortage of IPv4 numbers will reach far higher proportions than it is today. It is going to be more and more difficult for organizations and individuals to retain large blocks of legal IPv4 IP numbers when either NAT or Proxy is possible. It is also very unlikely that IPv6 will make much difference - in all likelihood organizations will merely implement NAT devices that not only translate between private and public IP numbers - but also translate between IPv4 and IPv6 numbers! So, even if your ISP delivers IPv6 to your organization's "doorstep", unless you are prepared to replace every single last internal device in your organization with upgraded devices that support IPv6, you're going to still be running IPv4 and using NAT.
What this all boils down to is that it's a very bad idea to roll out any TCP/IP solutions at this time that depend on hard-coding the IP number in the data portion of the TCP/IP packet payload. Fancy VPN solutions are best implemented from router-to-router, and don't involve the desktop computers.
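An added model of the dual-assignment setup described in this post (example code, not the poster's; the address ranges, the `DualAssignmentEdge` class and the `peer_accepts` check are constructed assumptions). It shows private-range hosts leaving through NAT with only the IP header rewritten, public-range inside hosts leaving through the plain router untranslated, the router bridging the two inside ranges, and why a protocol that copies its own address into the payload survives only the untranslated path.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed topology (assumed, not from the post): the private range leaves
# through the NAT device; the small public range is routed untranslated by the
# plain-jane router; both ranges sit on the same inside network.
PRIVATE_LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_LAN = ipaddress.ip_network("203.0.113.16/28")   # RFC 5737 documentation range
NAT_PUBLIC_IP = "203.0.113.1"                          # outside address of the NAT box


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    payload_ip: Optional[str] = None   # address the application copied into its data


@dataclass
class DualAssignmentEdge:
    """Models the NAT device and the plain router sitting side by side."""
    nat_table: dict = field(default_factory=dict)
    next_port: int = 40000

    def forward(self, pkt: Packet) -> tuple:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

        def inside(addr):
            return addr in PRIVATE_LAN or addr in PUBLIC_LAN

        if inside(src) and inside(dst):
            return "internal", pkt          # plain router bridges the two inside ranges
        if src in PRIVATE_LAN:
            # NAT rewrites only the IP header; whatever sits in the payload is untouched
            key = (pkt.src, pkt.sport)
            if key not in self.nat_table:
                self.nat_table[key] = self.next_port
                self.next_port += 1
            return "nat", Packet(NAT_PUBLIC_IP, pkt.dst, self.nat_table[key], pkt.payload_ip)
        if src in PUBLIC_LAN:
            return "plain-router", pkt      # public inside address, no translation at all
        raise ValueError(f"unexpected source {pkt.src}")


def peer_accepts(pkt: Packet) -> bool:
    """What a remote peer that compares the embedded address with the header sees."""
    return pkt.payload_ip is None or pkt.payload_ip == pkt.src
```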