Q: routing LAN to public ips and security ( No Answer,   4 Comments )
Question  
Subject: routing LAN to public ips and security
Category: Computers > Internet
Asked by: scotru2-ga
List Price: $35.00
Posted: 23 Jun 2006 15:20 PDT
Expires: 23 Jul 2006 15:20 PDT
Question ID: 740619
I have a client with 5 computers in a private LAN behind a DSL/Routing
box (ActionTec GT701-WG).  Each of these computers needs simultaneous
access to a VPN using Cisco's software VPN client.  There is no
problem when each machine connects independently, but I can't get more
than one to connect at once (since the other end of the VPN sees them
as coming from the same public IP).

So, I have purchased five public IPs from my ISP.  Now here's my
problem--the LAN needs to maintain security so I do not want to just
assign the five public IPs directly to the LAN PCs and route
everything straight to them.  Is there some way that I can shield the
LAN PCs behind my NATing router but still have the VPN connections
that originate from the LAN PCs appear to come from my five different
public IPs?

I can't afford a fancy managed router for this client, but the
ActionTec box does support static routing.  The problem is I don't
know how to configure what I want (or even what the terminology for
this is).  If the ActionTec box is inadequate for this task, I also
have a Linux box (running ClarkConnect) that I could add into their
network and have take over routing functionality.

As a side note--there is also a Windows 2000 server in this network
that handles local DHCP (rather than the ActionTec box), but I don't
want to use it for public routing--again because of security concerns.

Thanks for your help.  In composing your response, I am not a
networking expert (no Cisco certs, etc...), but do understand the
basics of NAT/DHCP/DNS/IP.

Thanks!

Clarification of Question by scotru2-ga on 29 Jun 2006 01:06 PDT
Anyone?
Answer  
There is no answer at this time.

Comments  
Subject: Re: routing LAN to public ips and security
From: reverend_jaj-ga on 28 Jun 2006 11:03 PDT
 
I am not familiar with your router, but you might look into something
called "proxy-arp".

Proxy-arp can be used to make a router "disappear" for selected IP
addresses--the router will answer ARP requests on one interface, and
pass those packets along to the destination host. Outgoing packets are
routed normally--the proxy-arped device does not need any special
settings. It's a nice way to get bridge-like features and still keep a
routed/firewalled environment.

I use proxy-arp on Linux with Shorewall in several locations, and it works great.

http://en.wikipedia.org/wiki/Proxy_ARP
http://www.shorewall.net/ProxyARP.htm
Subject: Re: routing LAN to public ips and security
From: scotru2-ga on 29 Jun 2006 01:53 PDT
 
This may be what I am looking for.  Am I correct in understanding that
the firewall rules still operate on traffic to the proxy-arped device?
That is, the machines behind the router are still protected?

Thanks!
Subject: Re: routing LAN to public ips and security
From: reverend_jaj-ga on 29 Jun 2006 10:02 PDT
 
Yes, that's right. Once the router has the packets (that's the tricky
bit) it's a normal forwarding operation, so you can firewall as you
would any other traffic. It's completely transparent otherwise, so
picky stuff like SIP (and a lot of VPNs) doesn't get broken like it
does with NAT.

It's by no means limited to Linux--Cisco routers actually proxy-arp
between interfaces by default, if you don't put "no ip proxy-arp" in
the interface configuration.

I hope proxy-arp does the trick for you. Goooooooo proxy-arp!
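
Added example, not part of the original thread or any poster's configuration: a dry-run generator for the setup discussed above, where a Linux router proxy-ARPs public addresses to inside hosts while a default-deny forward policy still filters their traffic. The interface names (eth0 outside, eth1 inside), the function name and the 203.0.113.x addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints the commands for proxy ARP plus stateful filtering.
# Nothing is executed here; review the plan, then pipe it to `sh` as root.
# Assumptions: eth0 faces the ISP, eth1 faces the LAN; the 203.0.113.x
# addresses are constructed placeholders from a documentation range.

proxy_arp_plan() {
    ext_if=$1; int_if=$2; shift 2

    # Validate every address first so a bad one never yields a partial plan.
    for ip in "$@"; do
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "invalid address: $ip" >&2
            return 1
        fi
    done

    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny forwarding; only replies to tracked connections come back in.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    for ip in "$@"; do
        # Host route: the public address is reached via the inside interface.
        echo "ip route add $ip/32 dev $int_if"
        # Answer ARP for that address on the outside interface.
        echo "ip neigh add proxy $ip dev $ext_if"
        # The host may open connections outward; no new inbound flow is allowed.
        echo "iptables -A FORWARD -i $int_if -o $ext_if -s $ip -j ACCEPT"
    done
}

# Constructed sample: two inside hosts holding public addresses.
proxy_arp_plan eth0 eth1 203.0.113.2 203.0.113.3
```

The inside hosts are configured with the public addresses themselves; because the plan contains no ACCEPT rule for new connections arriving on the outside interface, unsolicited inbound traffic to them is dropped by the FORWARD policy.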
Subject: Re: routing LAN to public ips and security
From: scotru2-ga on 15 Aug 2006 13:25 PDT
 
Multi-NAT with SpeedTouch 546?  I've replaced the ActionTec box with a
SpeedTouch 546 that supports "MultiNAT" functionality.  I need some
help configuring the router.  I have a /29 block from my ISP and five
computers on the 192.168.0.100-105 subnet that I want to appear to
come from these IPs.  Can anyone help?

Thanks!
