Using VPNs with Network Address Translation (NAT)

VPNs and network address translation (NAT) have historically suffered from some conflicts when used together. NAT, described in RFC 3022, lets you use one set of IP addresses on your internal LAN and a second set of IP addresses for the Internet connection. A device (usually a router or firewall) stands between the two networks and provides NAT services, rewriting internal addresses to external addresses on the way out and reversing the rewrite on the way back. This allows companies to use large numbers of unregistered internal addresses while needing only a fraction of that number of registered addresses on the Internet, conserving public address space. It is similar to a company that may have hundreds of phones in a building but pays for only a small number of lines to the phone switch, because it is unlikely that every employee will pick up the phone at the exact same time.

NAT was created as a workaround to IP addressing issues. Because the Internet relies on the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol for communications, it also relies on the IPv4 addressing that is an integral part of the TCP/IP protocol suite. The explosive growth of the Internet threatened to exhaust the pool of IPv4 IP addresses. Without unique addresses, the Internet would be unable to successfully route TCP/IP traffic. This was clearly unacceptable because the Internet was fueling the explosive growth of many businesses. As a result, NAT was proposed and adopted widely as a way to conserve critical IPv4 addresses.

In the early days of the Internet, when IP addressing was created, developers believed the 32-bit addressing scheme (known as IPv4) to be adequate for any potential network growth. Theoretically 4,294,967,296 unique addresses were available using 32-bit addressing and, even discounting the reserved ranges, more than 3 billion addresses were possible. At the time, there were enough addresses to provide one for every person on the planet.

Unfortunately, the designers of the addressing scheme dramatically underestimated the explosive growth of the Internet, as well as the popularity of TCP/IP in business and home networks. There are no longer enough addresses to go around. IPv6 provides a dramatically larger pool of addresses, but because of the cost of switching, the move to IPv6 has been slow for many networks on the Internet today. NAT is a large part of the reason: by stretching the existing IPv4 pool, it removed much of the pressure to migrate, and many companies will not move to IPv6 until forced to do so. For some it is installed hardware and software that do not support the newer standard. For others it is the lack of skilled employees to make the necessary changes and to perform the training and testing. At the time of writing, IPv6 accounts for around 40 percent of business networks, and that share continues to increase. For more information on NAT, see RFC 3022 at http://tools.ietf.org/html/rfc3022.

Two main types of NAT are available:

  • Static NAT—This version of NAT maps an unregistered (private) IP address to a registered (public) IP address on a one-to-one basis, and is used when the translated device must be reachable from the public network. For example, a web server on your private network might have the unregistered address 10.10.10.10 but the NAT address 12.2.2.123. A user trying to reach that website enters 12.2.2.123; the router or firewall at the edge of the private network rewrites the destination to 10.10.10.10 as the packet enters, and rewrites the source back to 12.2.2.123 on the reply, so the outside user never sees the private address.
  • Dynamic NAT—This version of NAT maps an unregistered IP address to a registered IP address drawn from a pool of registered addresses, for the life of the connection. It is used when large numbers of internal devices need to reach the Internet and have no requirement for a fixed public address: the workstation's address is translated to the next available registered address when it initiates a connection to the public network. Because a pool of public addresses is still needed, most deployments instead overload a single public address by also rewriting the source port (NAPT, also called PAT or masquerading; RFC 3022 covers this form as well). That overloaded form is what most home and office networks actually run, and it is the one that gives IPSec the most trouble, because ESP and AH carry no port numbers for the device to rewrite.

The critical thing to remember about NAT is that IPSec was designed on the assumption that packet headers arrive unmodified, so it has trouble traversing a translated network. AH computes its integrity check over the IP header, including the source and destination addresses, so any address rewrite causes the check to fail at the receiver. ESP leaves the outer header unprotected but carries no port numbers, so a port-overloading NAT has no field with which to tell apart several inside hosts talking to the same peer. IKE, in turn, can identify a peer by its IP address, which the NAT has changed. VPN vendors addressed this with NAT traversal (NAT-T, standardized in RFC 3947 and RFC 3948): IKE detects the NAT, and ESP is then encapsulated in UDP on port 4500 so the NAT has ports to work with. It works, but the extra encapsulation layer makes packet captures and troubleshooting more challenging, and AH cannot be rescued this way at all. If possible, run your IPSec VPNs on untranslated addresses or deploy an SSL VPN. Because SSL/TLS runs above TCP, the NAT rewrites the TCP addresses and ports exactly as it does for any other connection and the VPN is unaffected. NAT traversal is the general term for techniques that establish and maintain TCP and/or UDP connections across NAT gateways.

For IPSec to work through NAT, configure the firewall to permit at least the following protocols and ports (note that ESP and AH are IP protocol numbers, not TCP or UDP ports, so a rule that opens "port 50" will not help):

  • Internet Key Exchange (IKE)—User Datagram Protocol (UDP) port 500
  • Encapsulating Security Payload (ESP)—IP protocol number 50
  • Authentication Header (AH)—IP protocol number 51
  • NAT traversal (NAT-T, UDP-encapsulated ESP and IKE)—UDP port 4500
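The following toy NAT device is an added example, not code from the book, and it is built on the page's own 12.2.2.123 / 10.10.10.10 addresses; the peer address 203.0.113.5, the key and the payloads are constructed for the demonstration. It models the two NAT types from the list above (one-to-one static NAT and port-overloading NAPT) together with simplified AH and ESP integrity checks, and shows in running code the four cases discussed in this section: AH failing behind even a static NAT, ESP surviving a static NAT, raw ESP being impossible for a port-overloading NAT to demultiplex, and NAT-T (ESP inside UDP 4500) giving the NAT the ports it needs.

```python
# Added example, not from the book: a toy NAT device showing why AH and ESP
# misbehave behind NAT and why NAT-T (UDP 4500) fixes the ESP case.
# Addresses (other than the page's 12.2.2.123/10.10.10.10), key and payloads
# are constructed for the demo.
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

ESP, AH, UDP = 50, 51, 17     # IP protocol numbers
NAT_T_PORT = 4500             # NAT-T carries ESP inside UDP 4500 (RFC 3948)
PUBLIC_IP = "12.2.2.123"      # the page's example public address
PEER = "203.0.113.5"          # assumed VPN peer (documentation address range)
KEY = b"constructed-demo-key" # assumed shared integrity key


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP and AH have no transport header, so no ports
    dport: Optional[int] = None
    spi: int = 0                  # Security Parameters Index for ESP/AH
    payload: bytes = b""
    icv: bytes = b""              # integrity check value carried by AH or ESP


class StaticNat:
    """One-to-one NAT: each private address maps to a fixed public address."""
    def __init__(self, mapping):
        self.mapping = mapping
        self.reverse = {pub: priv for priv, pub in mapping.items()}

    def outbound(self, pkt):
        return replace(pkt, src=self.mapping[pkt.src])

    def inbound(self, pkt):
        return replace(pkt, dst=self.reverse[pkt.dst])


class Napt:
    """Port-overloading NAT (NAPT in RFC 3022): many private hosts share one
    public address and are told apart only by the translated source port."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.out = {}   # (proto, private_ip, private_port) -> public_port
        self.back = {}  # (proto, public_port) -> (private_ip, private_port)

    def outbound(self, pkt):
        if pkt.sport is None:
            # Nothing to rewrite: replies from the peer could not be matched
            # back to a particular inside host, so plain NAPT cannot carry it.
            raise ValueError(f"IP protocol {pkt.proto} carries no port to translate")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        priv_ip, priv_port = self.back[(pkt.proto, pkt.dport)]
        return replace(pkt, dst=priv_ip, dport=priv_port)


def ah_icv(key, pkt):
    """AH authenticates the immutable IP header fields (both addresses) plus
    the AH header and payload, so any address rewrite changes the result."""
    data = f"{pkt.src}|{pkt.dst}|{pkt.spi}|".encode() + pkt.payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def esp_icv(key, pkt):
    """ESP authenticates only its own header and payload, not the outer IP
    header, so a one-to-one address rewrite leaves the check intact."""
    data = pkt.spi.to_bytes(4, "big") + pkt.payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def ah_survives_static_nat():
    pkt = Packet("10.10.10.10", PEER, AH, spi=0x1001, payload=b"inner datagram")
    pkt.icv = ah_icv(KEY, pkt)
    seen_by_peer = StaticNat({"10.10.10.10": PUBLIC_IP}).outbound(pkt)
    return hmac.compare_digest(ah_icv(KEY, seen_by_peer), seen_by_peer.icv)  # False


def esp_survives_static_nat():
    pkt = Packet("10.10.10.10", PEER, ESP, spi=0x1002, payload=b"encrypted blob")
    pkt.icv = esp_icv(KEY, pkt)
    seen_by_peer = StaticNat({"10.10.10.10": PUBLIC_IP}).outbound(pkt)
    return hmac.compare_digest(esp_icv(KEY, seen_by_peer), seen_by_peer.icv)  # True


def esp_survives_napt():
    """Raw ESP from inside hosts to one peer: NAPT has no field to key on."""
    napt = Napt(PUBLIC_IP)
    try:
        for host in ("10.10.10.10", "10.10.10.11"):
            napt.outbound(Packet(host, PEER, ESP, spi=0x1003, payload=b"encrypted blob"))
    except ValueError:
        return False
    return True


def nat_t_demuxes_two_hosts():
    """Same two hosts with ESP wrapped in UDP 4500 (NAT-T): NAPT hands out
    distinct public ports and routes each reply to the right inside host."""
    napt = Napt(PUBLIC_IP)
    hosts = ["10.10.10.10", "10.10.10.11"]
    esp_in_udp = b"\x00\x00\x10\x03" + b"encrypted blob"   # SPI followed by ESP body
    outbound = [napt.outbound(Packet(h, PEER, UDP, NAT_T_PORT, NAT_T_PORT,
                                     payload=esp_in_udp)) for h in hosts]
    replies = [napt.inbound(Packet(PEER, PUBLIC_IP, UDP, NAT_T_PORT, p.sport))
               for p in outbound]
    return len({p.sport for p in outbound}) == 2 and [r.dst for r in replies] == hosts


if __name__ == "__main__":
    print("AH through static NAT verifies:", ah_survives_static_nat())
    print("ESP through static NAT verifies:", esp_survives_static_nat())
    print("raw ESP from two hosts through NAPT:", esp_survives_napt())
    print("NAT-T ESP from two hosts through NAPT:", nat_t_demuxes_two_hosts())
```

The integrity checks are deliberately simplified (a truncated HMAC over the fields each protocol actually covers) rather than a real AH or ESP implementation; what matters for the argument is which fields are inside the check. The same property explains why the firewall rules above must permit UDP 4500 in addition to ESP and AH once NAT-T is in play.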