INAT (Intelligent Address Translation); Special Considerations Regarding VPN Support - Proxim Orinoco AP-2500 User Manual


Network Parameters

INAT (Intelligent Address Translation)

The INAT table on the VPN/iNAT tab allows you to enable Intelligent Address Translation for transparent VPN access.
When IP addresses are configured in the INAT table, the AP performs real-time translation of all data packets being
communicated between the private and public address domains. The AP performs a defined mode of network address
translation based on packet type and protocol.
Follow these steps to configure iNAT entries:
Adding Entries to the iNAT Table
1. Click Add to add an entry to the INAT table.
2. Enter the IP Start Address and IP End Address to define an IP address or range of IP addresses (up to 50).
3. Click the Create button.
4. Click OK. The entry appears in the INAT table.
5. Reboot the AP for your changes to take effect.
Figure 4-21 INAT Add Entries

Special Considerations Regarding VPN Support

The most common VPN protocol is IPSec. When a subscriber who has a private IP address (assigned via NAT)
attempts to create a VPN session, the AP-2500 performs a mapping between the subscriber's private IP address and
the AP's public IP address. This is also known as IPSec Traversal. However, your subscribers may encounter a
problem establishing VPN sessions when using private IP addresses. Potential causes include:
- Customer uses an IPSec mode other than ESP: The AP-2500 supports only Encapsulating Security
  Payload (ESP) tunnel mode. This is the most common mode of establishing IPSec tunnels. In the rare case
  that a subscriber is using one of the other methods, that user must be given a
  public IP address. The other IPSec methods are Authentication Header (AH) transport and tunnel mode, and ESP
  transport mode.
- Two or more subscribers attempt to connect to the same VPN server: In general, most VPN servers
  support only a single IPSec session from a particular public IP address. However, when establishing a VPN
  session, all subscribers connected to a particular AP share the same originating IP address (that is, the
  AP's public IP address). When a VPN server sees multiple session requests from the same IP address, it
  typically drops all connections that originate from that address. Note that this is not a problem with the AP's
  NAT functionality; it is an issue with the VPN server, which will not support multiple connections from the same IP
  address. This behavior does not apply to all VPN servers. As of the release of this documentation, VPN
  servers from Cisco and Lucent do not support more than one IPSec session from the same IP address, but the
  VPN server from Nortel Networks does support multiple sessions.
NOTE: When supporting Virtual Private Network (VPN), we recommend that PPTD IP tagging or iNAT
functionality be configured.
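
The two causes listed above can be checked from subscriber flow records, as in this added example (not part of the Proxim manual). It assumes constructed flow tuples, RFC 1918 addressing for NATed subscribers, and a hypothetical function name, vpn_nat_findings.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51   # IANA IP protocol numbers
IKE_PORT = 500                                       # IKE key exchange over UDP
# Assumption: subscribers translated by the AP use RFC 1918 private addresses.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: (subscriber IP, destination IP, IP protocol, dst port)
SAMPLE_FLOWS = [
    ("10.0.0.11", "203.0.113.5", IPPROTO_UDP, 500),
    ("10.0.0.11", "203.0.113.5", IPPROTO_ESP, None),
    ("10.0.0.12", "203.0.113.5", IPPROTO_UDP, 500),   # second user, same server
    ("10.0.0.13", "198.51.100.7", IPPROTO_AH, None),  # AH is not supported via NAT
    ("10.0.0.14", "198.51.100.9", IPPROTO_UDP, 500),
    ("10.0.0.14", "192.0.2.80", 6, 443),              # ordinary HTTPS, ignored
    ("192.0.2.20", "203.0.113.5", IPPROTO_UDP, 500),  # public subscriber, not NATed
]

def behind_nat(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)

def is_ipsec(proto, dport):
    return proto in (IPPROTO_ESP, IPPROTO_AH) or (proto == IPPROTO_UDP and dport == IKE_PORT)

def vpn_nat_findings(flows):
    """Return (ah_subscribers, shared_servers) for NATed subscribers.

    ah_subscribers: private-address users sending AH, who need a public IP.
    shared_servers: VPN servers contacted by more than one NATed subscriber,
    which all appear to the server as the AP's single public address.
    ESP transport mode cannot be flagged here: the ESP Next Header field sits
    in the (normally encrypted) trailer, so the outer header looks the same.
    """
    ah_subscribers = set()
    peers = defaultdict(set)                  # VPN server -> NATed subscribers
    for src, dst, proto, dport in flows:
        if not behind_nat(src) or not is_ipsec(proto, dport):
            continue
        if proto == IPPROTO_AH:
            ah_subscribers.add(src)
        peers[dst].add(src)
    shared = {srv: sorted(subs) for srv, subs in peers.items() if len(subs) > 1}
    return sorted(ah_subscribers), shared

if __name__ == "__main__":
    print(vpn_nat_findings(SAMPLE_FLOWS))
```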