Most VPN implementations I've seen create encrypted tunnels between two
trusted hosts. The actual data is transferred between the registered IP
addresses on the exterior interface of the firewall (or host), but the VPN
appears to the interior network like another interface on the firewall (or
host) and can be assigned any IP address you choose (registered or private).
Some implementations (e.g., PPTP) will also allow you to assign other
protocols to the virtual interface as well.
You might view it like this. I have a truck full of cargo I want to
deliver to my office in Timbuck2, and the simplest path is the train
track (Internet). -- I could build my own road (a dedicated connection),
but it might take a while and it might be too expensive. -- Now my truck
works great on the local roads here and in Timbuck2, but unfortunately my
truck won't run on the train track because it doesn't have the correct
configuration (protocol and/or addressing). So instead I drive the
truck to the train station, load it (encapsulate it) onto the train
(the tunnel), and let the train deliver my truck to Timbuck2. I then
unload the truck (unencapsulate it) and drive it to the Timbuck2 office.
An IP tunnel works much the same way. It becomes the conduit between
two end points. It doesn't care what the packet protocol, addressing,
etc. is (except to determine if it goes across the tunnel); it treats
the entire packet as data and sends it using its normal delivery method.
NAT just translates addresses between interfaces so that data can be
transferred on the Internet using a registered address. Hope this
"Simplify - There is no value in complexity, it's too difficult to
Bill Stackpole, CISSP
Seitel Leeds & Associates Voice: 206.283.4355
2 Nickerson St. Suite 201 Email: bstackpole @
Seattle, Wa 98109
> -----Original Message-----
> From: Jose R. Ferreira [SMTP:jricardo @
> Sent: Thursday, July 24, 1997 11:42 AM
> To: firewalls @
> Subject: NAT x Tunneling
> Jose R. Ferreira @
> 24/07/97 15:42
> Hi All,
> To use the Internet for a VPN, the private network must be made
> with the IP protocol. The obvious way to do this is to use
> Internet addresses. But because most private networks use unofficial
> "private" IP addresses, there are some options for making these private
> networks compatible with the Internet:
> . convert to Internet addresses using NAT
> . install special IP gateways
> . employ tunneling techniques
> What is in your opinion the best one(s) option ?
> ASCEND is saying that NAT is a less ambitious approach to convert
> addresses, and that Tunneling is generally the best option for making
> private networks Internet-compatible.
> I didn't understand which really seems to be the best option.
> Performance ? Easy implementation ? Security ?
> Jose Ricardo
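The difference Bill describes above, worked out on raw IPv4 packets as an added example (this code is not from the thread, from ASCEND, or from any VPN product). It shows a VPN gateway doing the two jobs side by side: a packet bound for the far side's private network is encapsulated whole in an outer IP-in-IP packet (IP protocol 4) between the two registered addresses and comes out the other end byte-for-byte identical, private addresses included; a packet bound for the public Internet instead gets its source address rewritten by NAT, which changes the header and its checksum. The addresses (198.51.100.1, 203.0.113.1, 10.1.0.0/16, 10.2.0.0/16) and payloads are constructed for the example, the header builder handles no IP options, and the NAT function fixes up only the IP header checksum, not the TCP/UDP checksum a real NAT must also rewrite.

```python
"""Tunneling vs NAT on raw IPv4 packets (added example, not from the thread).

An IP-in-IP tunnel (RFC 2003, IP protocol 4) carries a private-addressed
packet unchanged inside an outer packet between two registered addresses;
NAT rewrites the packet's own header.  All addresses/payloads are constructed.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-in-IP encapsulation
IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over a header whose checksum field is zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ip_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields and verify the header checksum."""
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    header = packet[:ihl]
    if ip_checksum(header[:10] + b"\x00\x00" + header[12:]) != csum:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def tunnel_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """The truck on the train: the whole inner packet is opaque data to the tunnel."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner_packet)


def tunnel_decapsulate(outer_packet: bytes) -> bytes:
    """Unload the truck: return the inner packet exactly as it was sent."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return outer["payload"]


def nat_rewrite_src(packet: bytes, new_src: str) -> bytes:
    """Source NAT: overwrite the source address in place and recompute the
    header checksum.  Assumes a 20-byte header; a real NAT must also fix the
    TCP/UDP checksum, whose pseudo-header covers the addresses."""
    header = bytearray(packet[:20])
    header[12:16] = ipaddress.IPv4Address(new_src).packed
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header) + packet[20:]


def vpn_gateway_send(packet: bytes, local_public: str, remote_public: str,
                     remote_private_net: str) -> tuple:
    """Per-packet decision at the gateway: destined for the far side's private
    network -> tunnel it; anything else -> NAT it onto the registered address."""
    dst = ipaddress.IPv4Address(parse_ipv4(packet)["dst"])
    if dst in ipaddress.IPv4Network(remote_private_net):
        return "tunnel", tunnel_encapsulate(packet, local_public, remote_public)
    return "nat", nat_rewrite_src(packet, local_public)


if __name__ == "__main__":
    inner = build_ipv4("10.1.0.5", "10.2.0.9", IPPROTO_UDP, b"hello Timbuck2")
    kind, wire = vpn_gateway_send(inner, "198.51.100.1", "203.0.113.1", "10.2.0.0/16")
    print(kind, parse_ipv4(wire)["src"], "->", parse_ipv4(wire)["dst"])
    print("inner packet survived intact:", tunnel_decapsulate(wire) == inner)
    web = build_ipv4("10.1.0.5", "192.0.2.80", IPPROTO_UDP, b"dns?")
    kind, wire = vpn_gateway_send(web, "198.51.100.1", "203.0.113.1", "10.2.0.0/16")
    print(kind, parse_ipv4(wire)["src"], "->", parse_ipv4(wire)["dst"])
```

The security-relevant point is visible in the two paths: the tunnelled packet still carries 10.1.0.5 -> 10.2.0.9 when it arrives, so the far side sees the real interior host and address plan, while the NATed packet leaves with only the registered address. Encryption of the encapsulated packet (what makes the tunnel a VPN rather than just a tunnel) is deliberately left out here so the packet structure stays readable.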