Question from Doug Van

Using PC Anywhere through VPN tunnel (IPSec) Firewall/NAT on both ends

I want to connect to a PC Anywhere host using a VPN client (currently a Cisco client). Unfortunately, it is not possible to do this with each end behind NAT. Apparently IPSec doesn't support VPN through NAT.

Pictorial diagram:

PCANYWHERE remote PC ---- NAT/FIREWALL ------- <INTERNET> ------ NAT/FIREWALL ---- PCANYWHERE host PC

How can I make a secure VPN-type connection this way?

We are starting off with one site as a proof of concept, but eventually we want to replace all the expensive telephone dial-up connections with Internet VPN connections. We require a "one technology fits all" solution (if possible). Can this be done? If so, what software is required?

I'm willing to offer more points depending on the detail and how soon an acceptable solution is given.

Thank you,
SDC
The--Captain replied:

"Apparently IPSec doesn't support VPN through NAT"

More correctly, the firewall or Cisco client does not support this config - I know this will work if both firewalls run Linux (and the Cisco client is not too anal [why does anyone use the Cisco client?!? - doesn't a generic IPSEC connection work as well?]), but I've not implemented this myself.

In any case, wouldn't a VPN between the two firewalls achieve the same result, without adding the additional security headache of allowing an internal PC a direct circuit (via the VPN) to another, presumably insecure, site?  I see no good reason (within this config) to make more than one local machine perform firewall duty...

Cheers,
-Jon
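The "IPSec doesn't support NAT" claim in the question and Jon's reply above both turn on the same mechanism, so here is an added example (not code from the original thread or from any product mentioned in it) of how IKE NAT-Traversal (RFC 3947 for IKEv1; RFC 7296 section 2.23 does the same with SHA-1 over the SPIs for IKEv2) discovers a NAT between two IPsec peers. Plain ESP cannot cross a port-translating NAT because it carries no port numbers to rewrite, and AH fails because its integrity check covers the source address the NAT changes; a NAT-T-capable client and gateway detect the NAT with the hash exchange below and then wrap ESP in UDP/4500. All cookie values, addresses and ports are constructed for the demo; the topology mirrors the diagram in the question.

```python
"""Added example (not code from the original thread): how IKE NAT-Traversal
(RFC 3947 for IKEv1, RFC 7296 section 2.23 for IKEv2) discovers whether a
NAT sits between two IPsec peers.

All cookies, addresses and ports below are constructed for the demo.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: HASH = HASH(CKY-I | CKY-R | IP | Port).

    The hash is the one negotiated for the ISAKMP SA; SHA-1 is used here.
    IP is the packed 4- or 16-byte address, Port is 2 bytes network order.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """What a peer puts in its NAT-D payloads, in the order RFC 3947 section 4
    prescribes: first the destination (the peer as the sender sees it), then
    its own source address as it believes it appears on the wire."""
    return {
        "destination": nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        "source": nat_d_hash(cky_i, cky_r, local_ip, local_port),
    }


def detect_nat(cky_i, cky_r, payloads, observed_src_ip, observed_src_port,
               my_ip, my_port):
    """Receiver side: recompute both hashes from the IP/UDP headers actually
    received and compare with what the sender claimed."""
    sender_nat = payloads["source"] != nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    receiver_nat = payloads["destination"] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    return {
        "sender_behind_nat": sender_nat,
        "receiver_behind_nat": receiver_nat,
        # Either case forces UDP encapsulation of ESP (RFC 3948) on port 4500.
        "use_udp_encapsulation": sender_nat or receiver_nat,
    }


# Constructed topology mirroring the question's diagram:
# remote PC 192.168.1.10 --NAT-- 203.0.113.5 ... 198.51.100.7 --port-forward-- host PC 10.0.0.20
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def run_scenario(remote_nat: bool, host_nat: bool):
    """Simulate the remote PC sending IKE to the host PC and return what the
    host PC's IKE daemon concludes. remote_nat/host_nat toggle the two NAT
    boxes in the diagram."""
    remote_ip, remote_port = "192.168.1.10", 500
    host_public_ip, host_private_ip = "198.51.100.7", "10.0.0.20"

    # The remote PC only knows its own private address and the host's public one.
    payloads = build_nat_d_payloads(CKY_I, CKY_R, remote_ip, remote_port,
                                    host_public_ip, 500)

    # What the host PC actually sees after each NAT box has done its work:
    # the remote NAT rewrites source IP and port, the host-side port-forward
    # rewrites the destination to the private address.
    seen_src_ip, seen_src_port = ("203.0.113.5", 1025) if remote_nat else (remote_ip, remote_port)
    my_ip = host_private_ip if host_nat else host_public_ip

    return detect_nat(CKY_I, CKY_R, payloads, seen_src_ip, seen_src_port, my_ip, 500)


if __name__ == "__main__":
    for remote_nat, host_nat in [(False, False), (True, False), (True, True)]:
        print(f"remote NAT={remote_nat!s:5} host NAT={host_nat!s:5} ->",
              run_scenario(remote_nat, host_nat))
```

The third scenario (both ends behind NAT, as in the diagram) comes out with both flags set, which is exactly the case a NAT-T-capable implementation handles by switching to UDP/4500 and the case an implementation without NAT-T cannot handle at all; the practical check on a real client is therefore whether the gateway and client negotiate the NAT-T vendor ID, not whether "IPsec" as such supports NAT.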

ASKER CERTIFIED SOLUTION by CodeNameWizard

[The accepted solution text is not available on this page (members only). CodeNameWizard's follow-up post is below.]
doh,

Forgot to tell you about setting up the client. Create a .pcf file with the new group name and password info and put it under the profiles directory. If you need a sample, you probably already have one listed under that directory, or go to cisco.com.


C:\Program Files\Cisco Systems VPN Client\Profiles

When you start the dialer, go to Options... Import Entry and point to the file you created.
Doug Van (asker) replied:

Thank you everyone for some good information.

Allow me to expand upon what I originally asked.

I have complete flexibility on one side of the Internet only. The other side represents a non-affiliated client, and often I cannot dictate what VPN and/or firewall technology they use.

The bottom line is that we need an alternative to telephone dial-up (as a means to save money); however, doing this through the Internet means I must find a secure and highly adaptable means of communication. As I previously stated, a "one technology fits all" solution.

Setting up a concentrator with a private subnet and in/outbound rules/filters is possible on my end, but it will be very difficult at the client's site.

Is it possible to achieve my goal with minimal changes at the client's site?


Thank you

OK, then - what technology do you have to work with on the "inflexible" end (what hardware, OS, software, etc)...?

If you can be flexible on the other end, it seems all that is needed is to conform to the requirements of the "inflexible" end.

Or if you have the exact same software and hardware as CodeNameWizard or don't mind wasting a ton of cash, you could go with that solution (sorry, couldn't resist).

I await your response.

Cheers,
-Jon

On my end, I'm considering the Cisco PIX 500 product as it appears to meet my criteria.

On the other end it could be anything! I cannot control the other end; however, I might be able to convince the customer to allow me access to their Internet connection (most likely NAT and some form of firewall).

Perhaps I can simply use PPTP or some commercial VPN product. I don't know. Again, I have no control over the other end except giving the customer IP ports to open, as long as I can guarantee security.

I'm trying to save LD charges by going Internet/VPN.

So is this thought of eliminating dial-up telephone connections a pipe-dream?
>So is this thought of eliminating dial-up telephone connections a pipe-dream?

No, but the requirement of arbitrary hardware and software on the remote end makes this much more difficult. When folks ask for a one-size-fits-all solution, I generally recommend some sort of Unix-based solution, since most of the open-source Unix/Linux distributions offer some form of compiler, and newly developed features/code can be quickly integrated (rather than having to shell out mucho $$ for yet another IOS upgrade).

As for the other end, if they want to do goofy stuff like running VPN clients behind NAT boxes, etc., then you shouldn't worry about it - it is up to them to make their own wacky configs work, since you seem to have no control over what they do on their end of the connection anyway. In any case, all you can do is set up your side in the most reasonable fashion (i.e., do not run your VPN server behind a firewall if possible - the VPN server should either be your firewall, or be similarly secure and externally connected).

Cheers,
-Jon

P.S. Some of the above advice contains certain generalizations to avoid overly confusing scenarios - if you can identify all the exceptions to the above generalizations, then you probably don't need my advice...

G'day, sconnell
There has not been any activity on this question in 110 days.
Do you still need assistance, need more information, or have you solved your problem?
Can you close out this question?
Thank you for everyone's help.