I work from home and am having trouble staying connected to my work VPN. The tech at work says Verizon might be using a practice known as Carrier Grade NAT (CGN) or Large Scale NAT (LSN). I was told to contact Verizon and ask if they use either of these and if so to have it disabled from my account. I waited on hold for over 2 hours for a VZ tech to answer but they never did! Does anyone know about either of these?
I have seen a number of people use VPNs and not have an issue.
Have never heard of these options being used.
The IP address your router gets is a public IP so no reason for Verizon to employ NAT.
That is a cool question. I'm sure others here already knew what Carrier Grade NAT (CGN aka Large Scale NAT [LSN]) was. I did not, so I looked that up. Then I Googled "How can I tell if my isp is using carrier grade NAT?" That led me to this post at RemoteRig.com and this post at SuperUser (aka StackOverflow).
As recommended by the RemoteRig post, I checked my IP using What's my IP and compared that to the external IP address assigned to my router. They match. While my IP address does change (slowly) over time, it's currently in the 108.44.x.x range. As recommended by the second post, I also ran a tracert (traceroute in my case - Linux firewall/router) to my current external IP address reported by What's my IP and got one hop. From those results, I believe that I am not behind CGN.
It dawned on me, though, that that doesn't necessarily mean you aren't behind CGN. Verizon may only be using it in selected areas where the IPv4 pool they have is overburdened. I live in northern VA outside of DC (and my pool of IPv4 addresses seems to come from a pool in Culpeper, VA), and my experience with Verizon in terms of speed consistency and reliability seems to be significantly different than those in the New York / New Jersey area. I suggest you try the same tests to see what results you get. If Verizon is playing by the rules and you are behind CGN, your router's external IP address should be in the 100.64.0.0/10 range. However, the IP address could also be another type of private network IP like 10.0.0.0/8 or 192.168.0.0/16.
My main reason for answering this question was to say that I don't have any issues using VPN to my company's development servers. I've been connected via VPN for days at a time. Not this weekend, thankfully, but there have been weekends during a crunch time where I connect via VPN on Friday night and stay connected until I pack up my laptop on Sunday night. Unless I shut down the laptop, I tend to stay connected the whole time. We have a fairly small, old Cisco ASA (I think it's a 5505, but I'm not sure.) and fairly old Cisco AnyConnect VPN software.
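The check described in the post above (compare the router's WAN address with the address a what's-my-IP service reports, then look at which range the WAN address falls in), as an added example that is not part of the original thread. The function name, result labels and sample addresses are constructed for illustration, and 172.16.0.0/12 is included as the third RFC 1918 range alongside the two the post names.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGN_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; a WAN address here also means NAT upstream.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def classify_wan(wan_ip, public_ip):
    """Classify a router's WAN address against the publicly observed address.

    wan_ip    -- address shown on the router's WAN/Internet status page
    public_ip -- address reported by an external what's-my-IP service
    """
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan in CGN_NET:
        return "cgn-shared-space"        # ISP follows RFC 6598: behind CGN
    if any(wan in net for net in PRIVATE_NETS):
        return "private-upstream-nat"    # private WAN address: NAT upstream
    if wan != pub:
        return "address-mismatch"        # public-looking WAN, still translated
    return "direct-public"               # WAN address is the public address


if __name__ == "__main__":
    # Constructed sample pairs (documentation/test addresses, not real hosts).
    samples = [
        ("203.0.113.10", "203.0.113.10"),
        ("100.72.14.9", "198.51.100.7"),
        ("10.20.30.40", "198.51.100.7"),
        ("203.0.113.10", "198.51.100.7"),
    ]
    for wan, pub in samples:
        print(f"WAN {wan:<15} public {pub:<15} -> {classify_wan(wan, pub)}")
```

Only "direct-public" matches the result the poster reports; any other label means at least one translation layer sits between the router and the internet.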