Double NAT with a VPN Server?
Hi Everyone,
I'm currently researching the setup of the Microsoft VPN server and RRAS, etc. In TechNet, I see the following topology (taken from TechNet) listed as being pretty normal.
So in this setup, we have the Firewall before the Microsoft VPN server with two NICs. I'm trying to figure out exactly how this works. In a preferred environment:
1. Is NAT enabled on the Firewall AND on the VPN server? If so, isn't a double NAT a bad thing? For example:
ISP Equipment ------> [wanIP]Firewall[172.16.y.z] ---------> [172.16.y.z]Microsoft VPN Server with NAT and 2 NICs[192.168.1.z] --------> Internal Network
2. OR is NAT only enabled only on the MS VPN server like this?
ISP Equipment ------> [wanIP]Firewall[wanIP] ---------> [wanIP]Microsoft VPN Server with NAT and 2 NICs[192.168.1.z] --------> Internal Network
3. In the picture above, would the web server have a WAN IP, or a private IP (172.16.y.z)?
Or maybe both methods are acceptable?
Thank you for your thoughts!
November 6th, 2012 7:31pm
Some firewalls do NAT, some don't. If the firewall was doing NAT, the firewall would need to forward the required protocols to the VPN server and the clients would need to connect to the firewall's public IP (and ditto for the web server and
http clients). If it is not doing NAT, the VPN and web servers have public IPs.
I have run double NAT configurations in test systems and the delay is not detectable. Not sure that I wold use it in a heavy traffic live setup.Bill
Free Windows Admin Tool Kit Click here and download it now
November 7th, 2012 11:36pm
Some firewalls do NAT, some don't. If the firewall was doing NAT, the firewall would need to forward the required protocols to the VPN server and the clients would need to connect to the firewall's public IP (and ditto for the web server and
http clients). If it is not doing NAT, the VPN and web servers have public IPs.
I have run double NAT configurations in test systems and the delay is not detectable. Not sure that I wold use it in a heavy traffic live setup.Bill
November 7th, 2012 11:36pm
Thank you Bill. This helps clear things up in terms of my options and what is both technically possible as well as responsible.
Free Windows Admin Tool Kit Click here and download it now
November 9th, 2012 7:48pm