Multiple VPN connections from another NAT

I have some users out in a school district that need to VPN to our system. All of the internet access for all of these schools goes through one proxy for the whole city.

Currently I have a ISA server that they connect through via PPTP but the issue is that not more then one person can connect at a time as they are coming from the same public IP address and ISA does not seem to handle it.

I am looking for any solution for this situation. Can other VPN Appliances handle this type of connection?
We cannot put in a VPN device that all the users would connect through as they are at different physical locations in the city.

Thanks for the help
Who is Participating?
dually681Connect With a Mentor Commented:
ok lets get some more details, this is all very vague. What kind of system do they need access to? what are they connecting with dsl?t1?framerelay? wy not just have vpn clients for each pc?

Have a vpn concentrator in your main site and you are good to go. I have a wan with 13 locations remotely and about 10 users at each site, they come out with the same ip and all connect to my cisco concentrator with no problem.
You might consider an router like the Linksys BEFSVP41.  It can handle multiple VPN requests concurrently, and if you use IPSec rather than PPTP, it handles more connections.  But check which routers can handle as many connections as you need, you might find that only the highest end routers like CIsco can handle 100+ VPN connections at the same time.
>Have a vpn concentrator in your main site and you are good to go.

Nope.  The problem is with multiple clients behind a NAT device - a concentrator would not help, IMO.

I think the above posters are thinking about a situation in which your positions are reversed.


might be what you want - multiple secure peer-to-peer VPN connections (using IPSEC), which functions behind most NAT.  Only the initial client connection is netgotiated by the Hamachi server - no key exchanges or other encryption info is exchanged with the Hamachi server.

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

VPN connections through proxy devices (and you didn't say what that proxy device was) often need NAT transversal set up on the proxy device. For normal PAT (port address translation) type applications (many to one IP address), VPN connections fail because of the way the device doing the PAT keeps track of all the connections. NAT transversal allows the VPN connections to work on a UDP port (4500 is common, so is 10001).

Check your proxy device (FW or router or whatever) and see if it supports NAT transversal. If so, that might be your problem.

A good explanation of PAT (called NAPT here) and NAT Transversal is here at Nortel:
Hamachi relies on (an abeit deprecated) RFC for arbitrary UDP port number generation that circumvents the above problem on most firewalls.  If you don't know what that means, don't worry about it - it means that it just works in situations that ordinarily require NAT traversal or other firewall adjustments.

Duh - I completely forgot to mention, but the main reason I suggested hamachi is because it can typically work even behind NAT (even with NAT on both sides), with multiple clients behind each NAT, with *no* adjustments to the firewall/NAT device.


kpillerAuthor Commented:
I ended up getting a Cisco concentrator and am using SSL WebVPN which work well in this situation. I have the users working through a terminal services session once they get connected over the WebVPN

The county network that all my users are coming from would also not let IPSec with NAT transversal through, I tried that first but they are blocking it in some way as I could not get any connections through with L2TP/IPSec. They would not work with me on it, I'm am a very small piece in their large picture.

I will award points to dually681 as he recomended the concentrator but the real solution for us was using SSL WebVPN which the concentrator supports.

Thanks very much for the help

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.