As mentioned earlier, NAT cannot provide access control based on user or group membership. However, you can restrict network access with a Virtual Private Network (VPN), using access controls that are based on account information.
While a VPN uses the Internet as a transit internetwork, the VPN tunnel is typically created between two VPN gateway servers.
These servers are located at the edges of private networks. The VPN solution will not work if you are interested in account-based access control for general Internet resources.
VPNs authenticate users and encrypt data transferred across public networks. For example, you can use VPN connections in a NAT solution to secure connections between:
Some of the remote users that need to access private network resources
Users on the private network and resources within partner organizations
Users on the private network and resources at other locations within the organization
The following MouseOver illustrates the solutions provided by VPN connections and describes how these solutions enhance the security of a NAT design.
Network Address Translation Security
They support Point-to-Point Tunneling Protocol tunnels (PPTP)
They provide user level authentication
They support inbound and outbound connections
Design Options to Improve Nat Security
VPN tunnels that use Layer 2 Tunneling Protocol (L2TP) are not supported because IPSec can encrypt the IP header and NAT cannot perform address
translation. You must use PPTP is you wish to tunnel from behind a NAT. In the next lesson, you will learn the strategies used to enhance the availability and performance of NAT.
