[pptp-server] Thoughts and suggestions for a NAT situation

Cowles, Steve Steve at SteveCowles.com
Fri Sep 14 09:35:30 CDT 2001


> -----Original Message-----
> From: Chris j. Storer [mailto:cstorer at infinitisystems.com]
> Sent: Thursday, September 13, 2001 9:10 PM
> To: 'George Vieira '; 'pptp-server '
> Subject: RE: [pptp-server] Thoughts and suggestions for a NAT 
> situation
> 
> 
> That's exactly what I mean - 1 IP address that is NATing a 
> LAN - each client on the LAN maintains a PPTP connection,
> through NAT on a Win2k server, or a 3com "lanmodem".
> 
> I have main office in Cleveland with an as400 and a t1.  7 
> small, remote offices - 2 on dsl, the rest share dialup
> lines with 3com lanmodems, small analog NAT routers.  Each
> individual client at the 7 remote sites initiates a VPN
> session into Cleveland (1 Win2k VPN server, 1 WinNT VPN 
> server...don't ask), through NAT, and then telnet into the
> 400.  At one site I have 25 sessions running through one
> IP address.
> 
> MS PPTP, in this situation, works - I can have 20 separate 
> connections NATed from one IP.
> 
> PoPToP does not seem to handle this.  Once one client behind 
> the NAT has a PPTP connection, all other attempts to connect
> from behind the NAT fail.

As you've stated, you have multiple clients connecting to a single PPTP
server from behind a NAT'd firewall. The PPTP specification never accounted
for this scenario. In a perfect world (with regards to network design), you
should not have to create multiple PPTP connections (to the same server)
from behind a NAT'd firewall. 

With this in mind, you seem to have only two choices:

1) Continue using your MS PPTP server since it meets your current
requirements.

2) You touched on this option in your first post, but dismissed it due to
cost. Anyway, it might be time to "bite the bullet" and consider
implementing a LAN-to-LAN VPN solution for these remote offices. Then the
clients simply telnet into the AS400 without first creating a VPN.

I know, easier said than done. Option number two will be harder to
implement, plus you have additional security issues to deal with. But long
term, you're implementing a "sound" network design that is scalable on
down the road. Plus, from a client perspective, it's easier to use since they
no longer have to deal with "first" establishing a PPTP tunnel and then
telnetting into your AS400.

FWIW: I had a customer in a similar situation, i.e., cost was overriding
implementing a sound network design. So, we used old 486's (with
linux/ipsec) as endpoints between their offices. Check out:
http://jixen.tripod.com I would think the "Using a central IPSEC gateway as
a tunnel hub" option applies to your case. This could also be implemented
using PPTP.

Good luck
Steve Cowles
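An added illustration (not part of the thread, and not PoPToP or Microsoft code) of why the NAT in this setup matters: PPTP data travels in enhanced GRE (RFC 2637), which has no port numbers, only a 16-bit Call ID. A NAT that tracks GRE by IP pair alone can map only one tunnel per destination server, so the second client behind it collides; a NAT that keys on (server, Call ID), as a PPTP-aware router does, can carry several. Packets, addresses and the tiny flow table below are constructed for the demo.

```python
import struct

PPP_PROTO = 0x880B   # GRE protocol type carrying PPP (RFC 2637)
GRE_K, GRE_S, GRE_VER = 0x2000, 0x1000, 0x0007


def build_gre(call_id, payload_len=0, seq=None):
    """Constructed enhanced-GRE header: K bit set, version 1, optional S bit."""
    flags = GRE_K | 1
    if seq is not None:
        flags |= GRE_S
    hdr = struct.pack("!HHHH", flags, PPP_PROTO, payload_len, call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr


def parse_gre(pkt):
    """Return (call_id, seq) from an enhanced GRE header; reject anything else."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags, proto, _plen, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != PPP_PROTO or (flags & GRE_VER) != 1 or not flags & GRE_K:
        raise ValueError("not PPTP enhanced GRE")
    seq = struct.unpack("!I", pkt[8:12])[0] if flags & GRE_S else None
    return call_id, seq


class NatGreTable:
    """Minimal outbound GRE state table for a NAT with one public address."""

    def __init__(self, track_call_id):
        self.track_call_id = track_call_id
        self.mappings = {}  # key -> inside host that owns the tunnel

    def outbound(self, inside_host, server, pkt):
        """True if the NAT can still tell this tunnel's replies apart."""
        call_id, _ = parse_gre(pkt)
        # Without Call ID tracking the only demux key is the server address,
        # so a second inside host to the same server cannot be distinguished.
        key = (server, call_id) if self.track_call_id else server
        if key in self.mappings and self.mappings[key] != inside_host:
            return False  # collision (a full PPTP ALG would rewrite the Call ID)
        self.mappings[key] = inside_host
        return True
```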
