Multiple VPN connections from another NAT

Posted on 2006-05-24
Last Modified: 2011-10-03
I have some users out in a school district that need to VPN to our system. All of the internet access for all of these schools goes through one proxy for the whole city.

Currently I have an ISA server that they connect through via PPTP, but the issue is that not more than one person can connect at a time, as they are coming from the same public IP address and ISA does not seem to handle it.

I am looking for any solution for this situation. Can other VPN Appliances handle this type of connection?
We cannot put in a VPN device that all the users would connect through as they are at different physical locations in the city.

Thanks for the help
Question by:kpiller
    LVL 2

    Accepted Solution

    OK, let's get some more details; this is all very vague. What kind of system do they need access to? What are they connecting with: DSL? T1? Frame Relay? Why not just have VPN clients for each PC?

    Have a vpn concentrator in your main site and you are good to go. I have a WAN with 13 remote locations and about 10 users at each site; they come out with the same IP and all connect to my Cisco concentrator with no problem.
    LVL 44

    Expert Comment

    You might consider a router like the Linksys BEFSVP41. It can handle multiple VPN requests concurrently, and if you use IPSec rather than PPTP, it handles more connections. But check which routers can handle as many connections as you need; you might find that only the highest-end routers like Cisco can handle 100+ VPN connections at the same time.
    LVL 16

    Expert Comment

    >Have a vpn concentrator in your main site and you are good to go.

    Nope.  The problem is with multiple clients behind a NAT device - a concentrator would not help, IMO.

    I think the above posters are thinking about a situation in which your positions are reversed.


    might be what you want - multiple secure peer-to-peer VPN connections (using IPSEC), which functions behind most NAT.  Only the initial client connection is negotiated by the Hamachi server - no key exchanges or other encryption info is exchanged with the Hamachi server.

    LVL 4

    Expert Comment

    VPN connections through proxy devices (and you didn't say what that proxy device was) often need NAT traversal set up on the proxy device. For normal PAT (port address translation) type applications (many to one IP address), VPN connections fail because of the way the device doing the PAT keeps track of all the connections. NAT traversal allows the VPN connections to work on a UDP port (4500 is common, so is 10001).

    Check your proxy device (FW or router or whatever) and see if it supports NAT traversal. If so, that might be your problem.

    A good explanation of PAT (called NAPT here) and NAT Traversal is here at Nortel:
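
A simplified model of the PAT bookkeeping described in the comment above, added here as an illustration and not part of the original thread. It assumes a device that tracks port-bearing traffic by translated port and portless traffic (raw ESP, GRE) by remote address only, and that refuses a second client for the same remote; real devices vary, and all names and addresses are constructed.

```python
import itertools

PORT_BASED = {"tcp", "udp"}   # protocols that carry port numbers


class PatDevice:
    """Toy many-to-one NAT: every inside host shares one public address."""

    def __init__(self):
        self._next_port = itertools.count(40000)
        self.by_port = {}     # (proto, public_port) -> inside host
        self.by_remote = {}   # (proto, remote_ip)   -> inside host

    def outbound(self, inside_ip, proto, remote_ip):
        """Create a translation; return the key that replies are matched on."""
        if proto in PORT_BASED:
            # A fresh public source port makes each flow unique.
            key = (proto, next(self._next_port))
            self.by_port[key] = inside_ip
            return key
        # Portless protocol (ESP = IP proto 50, GRE = 47): only the remote
        # address is left to tell flows apart, so one inside host owns it.
        key = (proto, remote_ip)
        owner = self.by_remote.setdefault(key, inside_ip)
        if owner != inside_ip:
            raise LookupError(f"{proto} to {remote_ip} already mapped to {owner}")
        return key

    def inbound(self, key):
        """Return the inside host a reply matching this key is delivered to."""
        table = self.by_port if key[0] in PORT_BASED else self.by_remote
        return table[key]


def connect_all(clients, proto, remote_ip):
    """Return {client: 'ok' | 'blocked'} for clients dialing one VPN server."""
    nat, result = PatDevice(), {}
    for ip in clients:
        try:
            key = nat.outbound(ip, proto, remote_ip)
            result[ip] = "ok" if nat.inbound(key) == ip else "blocked"
        except LookupError:
            result[ip] = "blocked"
    return result


CLIENTS = ["10.1.0.11", "10.1.0.12", "10.1.0.13"]   # constructed inside hosts
VPN_SERVER = "198.51.100.5"                          # constructed VPN endpoint

if __name__ == "__main__":
    print("raw ESP          :", connect_all(CLIENTS, "esp", VPN_SERVER))
    print("ESP in UDP (NAT-T):", connect_all(CLIENTS, "udp", VPN_SERVER))
```

The `"udp"` case stands in for ESP encapsulated in UDP, which is what gives the PAT device a port to key on.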
    LVL 16

    Expert Comment

    Hamachi relies on (an albeit deprecated) RFC for arbitrary UDP port number generation that circumvents the above problem on most firewalls.  If you don't know what that means, don't worry about it - it means that it just works in situations that ordinarily require NAT traversal or other firewall adjustments.

    Duh - I completely forgot to mention, but the main reason I suggested Hamachi is because it can typically work even behind NAT (even with NAT on both sides), with multiple clients behind each NAT, with *no* adjustments to the firewall/NAT device.


    LVL 2

    Author Comment

    I ended up getting a Cisco concentrator and am using SSL WebVPN, which works well in this situation. I have the users working through a terminal services session once they get connected over the WebVPN.

    The county network that all my users are coming from would also not let IPSec with NAT traversal through; I tried that first, but they are blocking it in some way, as I could not get any connections through with L2TP/IPSec. They would not work with me on it; I am a very small piece in their large picture.

    I will award points to dually681 as he recommended the concentrator, but the real solution for us was using SSL WebVPN, which the concentrator supports.

    Thanks very much for the help

