Multiple VPN Clients
I will start this by stating that I am by no means a Cisco expert, so bear with me while I completely use the wrong terminology. I just hope I get the point across.

We have a scenario whereby we want to establish a VPN connection to a PIX 501. The device is a PIX 501 running 6.3(4). The network that the clients come from is using a solid state NAT device. We are utilizing the Cisco VPN client version 4. We can always successfully establish the first VPN connection without issue. That part works just great. We can access the internal network behind the PIX. The problem is when I fire up the second workstation with a VPN client on it and try and connect. It immediately drops the first with an error 433 (reset by peer).

I did some reading and thought I stumbled upon needing to modify the config of the PIX to enable NAT-T (I think anyway). I did what I thought would work and now from the client side in the VPN connection statistics it reads "Transparent tunneling active" "Tunneling port 4500 UDP" or something similar. However, the problem still exists.

We have about 30 workstations behind our solid state device and of those only 3 or 4 need VPN access. That is why I had figured using the VPN software client should suffice. Will this ever work? Do I need to buy a device and put it in on the client side and establish the VPN from there? I would rather not as such a small percentage of the client side needs to access the VPN.

I will paste my PIX config to help matters. If anyone could help I would so appreciate it. I have REM'd out the sensitive parts of the pix config.

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ###########
passwd ########## encrypted
hostname fw
domain-name ###########
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
access-list source_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside ########### 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool sourcevpn 192.168.1.30-192.168.1.40
pdm location ########### 255.255.0.0 outside
pdm location ########### 255.255.0.0 outside
pdm location ########### 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.192 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 24.244.195.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http ########### 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
snmp-server location ###########
snmp-server contact ###########
snmp-server community ###########
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup source address-pool sourcevpn
vpngroup source dns-server ########### ###########
vpngroup source default-domain ###########
vpngroup source split-tunnel source_splitTunnelAcl
vpngroup source idle-time 1800
vpngroup source password ********
telnet timeout 5
ssh ########### 255.255.0.0 outside
ssh ########### 255.255.0.0 outside
ssh ########### 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.99 inside
dhcpd dns ########### ###########
dhcpd lease 432000
dhcpd ping_timeout 750
dhcpd domain ###########
dhcpd auto_config outside
dhcpd enable inside
username pasword password ########### encrypted privilege 15
username mtasker password ########### encrypted privilege 3
username domenic password ########### encrypted privilege 15
username keithm password ########### encrypted privilege 3
username bmercer password ########### encrypted privilege 3
terminal width 80
Cryptochecksum:c04f1aaa59ec1c8cc887b48e55f65639
: end
[OK]

Thank you so much for anyone that is willing to look at this for me.

Ed Russell
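The posted config can be checked mechanically for the addressing details that matter when several software clients connect at once. The script below is an added example, not part of the post or of the poster's setup: it runs over a constructed excerpt of the config above (the names and addresses come from the post; `parse_pix` and `review` are hypothetical helpers written here) and reports the pool size, whether the pool overlaps the inside subnet and the DHCP range, whether the nat 0 ACL covers the pool, and whether NAT-T is configured. It does not by itself establish the cause of the error 433.

```python
import ipaddress
# Constructed excerpt of the PIX 6.3(4) config posted above (other lines omitted).
PIX_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
ip local pool sourcevpn 192.168.1.30-192.168.1.40
nat (inside) 0 access-list inside_outbound_nat0_acl
isakmp nat-traversal 20
vpngroup source address-pool sourcevpn
dhcpd address 192.168.1.2-192.168.1.99 inside
"""

def _range(tok):
    # "a.b.c.d-a.b.c.e" -> (first, last) as address objects
    lo, hi = tok.split("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)

def parse_pix(cfg):
    """Collect the statements that govern client VPN addressing (hypothetical helper)."""
    f = {"acls": {}, "nat0_acl": None, "nat_t": False, "pools": {}}
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "inside"]:
            f["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            f["pools"][t[3]] = _range(t[4])
        elif t[:1] == ["access-list"] and len(t) > 5 and t[2] == "permit":
            # destination is the trailing address+mask pair, or the keyword any
            dst = "0.0.0.0/0" if t[-1] == "any" else f"{t[-2]}/{t[-1]}"
            f["acls"].setdefault(t[1], []).append(ipaddress.ip_network(dst, strict=False))
        elif t[:3] == ["nat", "(inside)", "0"]:
            f["nat0_acl"] = t[4]
        elif t[:2] == ["isakmp", "nat-traversal"]:
            f["nat_t"] = True
        elif t[:2] == ["dhcpd", "address"]:
            f["dhcp"] = _range(t[2])
        elif t[:1] == ["vpngroup"] and len(t) > 3 and t[2] == "address-pool":
            f["pool"] = f["pools"][t[3]]
    return f

def review(f):
    """Facts worth checking before blaming the client-side NAT for the drop."""
    lo, hi = f["pool"]
    nat0 = f["acls"].get(f["nat0_acl"], [])
    d_lo, d_hi = f.get("dhcp", (None, None))
    return {
        "pool_size": int(hi) - int(lo) + 1,
        "pool_in_inside_subnet": lo in f["inside"] or hi in f["inside"],
        "pool_overlaps_dhcp": d_lo is not None and not (hi < d_lo or lo > d_hi),
        "nat0_covers_pool": any(lo in n and hi in n for n in nat0),
        "nat_t_enabled": f["nat_t"],
    }
```

On the excerpt above, `review(parse_pix(PIX_CONFIG))` reports an 11-address pool that sits inside 192.168.1.0/24 and the DHCP range, a nat 0 ACL that only names 192.168.2.0/24, and NAT-T enabled.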