Velocity Reviews - Computer Hardware Reviews

Multiple VPN Clients Behind NAT Possible?

 
 
Rodney
      08-16-2004
I'm having a prob with my Cisco VPN setup used by many remote clients.
It works fine when one client is connected at any site, however as
soon as the second client at that same site connects, it kicks the
first connection off.

It seems as if I can't have more than one connection at a time using
NAT. I have reproduced this at other sites using various low-end
routers.

Is there any setting on the client and/or routers that I need to get
this working?

Thankful for any advice.

Thank you in advance
TG
 
Walter Roberson
      08-16-2004
Rodney wrote:
:I'm having a prob with my Cisco VPN setup used by many remote clients.
:It works fine when one client is connected at any site, however as
:soon as the second client at that same site connects, it kicks the
:first connection off.

You need to tell us what equipment and software releases you are
using.

If you are using the VPN client 3.5 or later, and your Cisco router
or Cisco PIX has new enough software (6.3 for the PIX), then you
should enable "nat traversal" (isakmp nat-traversal 20 on a PIX)
and that will take care of the problem for you, provided that
udp port 4500 is open between the two endpoints.

If you cannot use nat traversal for some reason, then with the PIX
especially you are going to see the effect you note unless you can
use 1-to-1 NAT rather than PAT.

The base problem is that the AH and ESP packets go out from the
VPN clients fine, but they have no inherent "port numbers" as
recognized by PAT (Port Address Translation.) So when the replies
come back, the PAT'ing device cannot tell -which- of the clients
the packet is intended for. It's an incompatibility between PAT
and IPSec, fixed by using the nat traversal feature of newer software
releases.
--
csh is bad drugs.
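
The behaviour described in the post above, as an added example (not part of the original post and not any vendor's code): a simplified Python model of a PAT table, assuming the device can key port-less ESP replies only on the remote peer address. The addresses, the public port pool and all class and function names are constructed for illustration.

```python
from itertools import count

ESP, UDP = 50, 17      # IP protocol numbers
NAT_T_PORT = 4500      # UDP port used by IPsec NAT traversal

class PatDevice:
    """Toy PAT router with a single public address (assumed model)."""

    def __init__(self):
        self._next_port = count(20000)  # constructed public port pool
        self._by_flow = {}  # (inside_ip, sport, peer, dport) -> public port
        self._udp_in = {}   # (public_port, peer, peer_port) -> inside_ip
        self._esp_in = {}   # peer -> inside_ip; ESP offers no port to key on

    def outbound(self, proto, inside_ip, peer, sport=None, dport=None):
        """Translate a packet leaving the site; return its public source port."""
        if proto == ESP:
            # The only usable key is the remote peer, so a second client
            # talking to the same gateway overwrites the first client's entry.
            self._esp_in[peer] = inside_ip
            return None
        flow = (inside_ip, sport, peer, dport)
        if flow not in self._by_flow:
            public = next(self._next_port)
            self._by_flow[flow] = public
            self._udp_in[(public, peer, dport)] = inside_ip
        return self._by_flow[flow]

    def inbound(self, proto, peer, sport=None, dport=None):
        """Return the inside host a reply is delivered to (None if unmapped)."""
        if proto == ESP:
            return self._esp_in.get(peer)
        return self._udp_in.get((dport, peer, sport))

def demo(nat_t):
    """Two clients at one site use the same gateway; return where replies land."""
    pat, gateway = PatDevice(), "203.0.113.1"
    clients = ["192.168.1.10", "192.168.1.11"]
    proto, port = (UDP, NAT_T_PORT) if nat_t else (ESP, None)
    public = [pat.outbound(proto, c, gateway, port, port) for c in clients]
    # One reply per client: gateway -> public address, destined to that port.
    return [pat.inbound(proto, gateway, port, p) for p in public]

if __name__ == "__main__":
    print("raw ESP :", demo(nat_t=False))  # both replies reach the last client
    print("NAT-T   :", demo(nat_t=True))   # each reply reaches its own client
```

With raw ESP the reply meant for the first client is delivered to the second, which matches the "second connection kicks the first off" symptom; with UDP encapsulation each client gets its own public source port.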
 
Rodney
      08-17-2004
>
> You need to tell us what equipment and software releases you are
> using.
>


Thanks for the reply Walter, I'm a little closer in understanding
this.

The clients are version 3.6.3 and the router itself is a 1700 series.
If I can turn on nat-traversal, would that be the recommended way of
doing it, or should I be looking at replacing the cheap routers with
something that can be permanently tunneled to the main site?

Thanks for your patience, I'm only learning
 
CISCORUBS
      08-17-2004
IPSec with NAT-Traversal is not always a stable solution. It sometimes
has issues with double NAT. IPSec over UDP or TCP is more stable.

I had this exact issue and the fix was IPSec over TCP port 10,000.

BTW were your users behind a Linksys? The other common thread here is
Linksys.

Rodney wrote:
> >
> > You need to tell us what equipment and software releases you are
> > using.
> >

>
> Thanks for the reply Walter, I'm a little closer in understanding
> this.
>
> The clients are version 3.6.3 and the router itself is a 1700 series.
> If I can turn on nat-traversal, would that be the recommended way of
> doing it, or should I be looking at replacing the cheap routers with
> something that can be permanently tunneled to the main site?
>
> Thanks for your patience, I'm only learning

 