DistributedNetworks

Securing NAT Solution
Lesson 4: Enhancing NAT Security with VPN
Objective: Enhance NAT security with VPN connections

Enhancing NAT Security with VPN

As mentioned earlier, NAT cannot provide access control based on user or group membership. However, you can restrict network access with a Virtual Private Network (VPN), using access controls that are based on account information.
Although a VPN uses the Internet as a transit internetwork, the VPN tunnel is typically created between two VPN gateway servers located at the edges of the private networks. A VPN therefore does not help if you want account-based access control for general Internet resources.
VPNs authenticate users and encrypt data transferred across public networks. For example, you can use VPN connections in a NAT solution to secure connections between:

  1. Some of the remote users that need to access private network resources
  2. Users on the private network and resources within partner organizations
  3. Users on the private network and resources at other locations within the organization

The following points summarize the capabilities that VPN connections add to a NAT design and how they enhance its security.

Network Address Translation Security
  1. They support Point-to-Point Tunneling Protocol (PPTP) tunnels
  2. They provide user level authentication
  3. They support inbound and outbound connections

Design Options to Improve NAT Security
VPN tunnels that use Layer 2 Tunneling Protocol (L2TP) are not supported, because IPSec can encrypt the IP header, which prevents NAT from performing address translation. You must use PPTP if you wish to tunnel from behind a NAT. In the next lesson, you will learn the strategies used to enhance the availability and performance of NAT.
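As an added illustration (not part of the course material), the incompatibility described above modelled in Python: the IPsec protection of the IP header is represented as an AH-style integrity check value, and the check no longer verifies once a NAT rewrites the source address. The addresses, key and payload are constructed, and the packet model is simplified (no separate AH header, HMAC-SHA256 as the integrity algorithm).

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real IPsec SA would negotiate this with IKE.
KEY = b"constructed-demo-key"

def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Pack a 20-byte IPv4 header (no options) plus payload, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                                64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def ah_icv(key: bytes, packet: bytes) -> bytes:
    """AH-style integrity value: HMAC over header and payload, with the fields
    AH treats as mutable in transit (TTL, header checksum) zeroed. Source and
    destination addresses are covered, which is what a NAT must change."""
    hdr = bytearray(packet[:20])
    hdr[8] = 0
    hdr[10:12] = b"\0\0"
    return hmac.new(key, bytes(hdr) + packet[20:], hashlib.sha256).digest()

def nat_translate_src(packet: bytes, new_src: str) -> bytes:
    """What the NAT does on the way out: rewrite the source address, fix the checksum."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]

def receiver_accepts(key: bytes, packet: bytes, icv: bytes) -> bool:
    """The VPN gateway recomputes the ICV and drops the packet on mismatch."""
    return hmac.compare_digest(ah_icv(key, packet), icv)

def simulate(nat_in_path: bool) -> bool:
    """Host 192.168.0.10 (constructed) sends an IPsec-protected packet to the
    gateway 203.0.113.5; a NAT in the path translates the source to 198.51.100.1."""
    pkt = build_ipv4("192.168.0.10", "203.0.113.5", 51, b"L2TP control message")
    icv = ah_icv(KEY, pkt)  # computed by the sender before the NAT sees the packet
    if nat_in_path:
        pkt = nat_translate_src(pkt, "198.51.100.1")
    return receiver_accepts(KEY, pkt, icv)
```

Running `simulate(False)` accepts the packet, while `simulate(True)` rejects it: the NAT's address rewrite is indistinguishable from tampering to the IPsec receiver, which is why PPTP (whose tunnel does not protect the outer IP header) is the option this design supports behind NAT.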