Multiple VPN Clients Behind NAT Possible?

Discussion in 'Cisco' started by Rodney, Aug 16, 2004.

  1. Rodney

    Rodney Guest

    I'm having a prob with my Cisco VPN setup used by many remote clients.
    It works fine when one client is connected at any site, however as
    soon as the second client at that same site connects, it kicks the
    first connection off.

    It seems as if I can't have more than one connection at a time using
    NAT, I have reproduced this at other sites using various low end
    routers.

    Is there any setting on the client and/or routers that I need to get
    this working?

    Thankful for any advice.

    Thank you in advance
    TG
    Rodney, Aug 16, 2004
    #1

  2. Rodney wrote:
    :I'm having a prob with my Cisco VPN setup used by many remote clients.
    :It works fine when one client is connected at any site, however as
    :soon as the second client at that same site connects, it kicks the
    :first connection off.

    You need to tell us what equipment and software releases you are
    using.

    If you are using the VPN client 3.5 or later, and your Cisco router
    or Cisco PIX has new enough software (6.3 for the PIX), then you
    should enable "nat traversal" (isakmp nat-traversal 20 on a PIX)
    and that will take care of the problem for you, provided that
    udp port 4500 is open between the two endpoints.

    If you cannot use nat traversal for some reason, then with the PIX
    especially you are going to see the effect you note unless you can
    use 1-to-1 NAT rather than PAT.

    The base problem is that the AH and ESP packets go out from the
    VPN clients fine, but they have no inherent "port numbers" as
    recognized by PAT (Port Address Translation.) So when the replies
    come back, the PAT'ing device cannot tell -which- of the clients
    the packet is intended for. It's an incompatibility between PAT
    and IPSec, fixed by using the nat traversal feature of newer software
    releases.
    --
    csh is bad drugs.
    Walter Roberson, Aug 16, 2004
    #2
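
The PAT behaviour described in post #2, as an added example that is not part of the original thread: a toy translation table showing why a second raw-ESP client displaces the first, and why wrapping ESP in UDP 4500 (NAT traversal) keeps both mapped. The class, the sample addresses and the "last sender wins" rule for port-less protocols are assumptions made for illustration.

```python
# Added illustration: a toy PAT (port address translation) table.
# All addresses are constructed sample values, and "last sender wins" for
# port-less protocols is an assumed simplification of low-end router behaviour.
ESP, UDP = 50, 17  # IP protocol numbers

class PatDevice:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 20000
        self.by_port = {}   # (proto, public_port) -> inside host
        self.portless = {}  # (proto, remote_ip)   -> inside host

    def outbound(self, proto, inside_ip, remote_ip, src_port=None):
        """Translate an outgoing packet; return the public source port (or None)."""
        if src_port is None:
            # ESP/AH carry no port field, so the only available key is the
            # remote peer: a second client overwrites the first one's entry.
            self.portless[(proto, remote_ip)] = inside_ip
            return None
        public_port = self.next_port
        self.next_port += 1
        self.by_port[(proto, public_port)] = inside_ip
        return public_port

    def inbound(self, proto, remote_ip, dst_port=None):
        """Return the inside host a reply is forwarded to, or None if unmatched."""
        if dst_port is None:
            return self.portless.get((proto, remote_ip))
        return self.by_port.get((proto, dst_port))

GATEWAY = "198.51.100.1"  # VPN head end (sample address)
CLIENT_A, CLIENT_B = "192.168.1.10", "192.168.1.11"

def raw_esp_replies():
    """Where the gateway's ESP replies land before and after client B connects."""
    pat = PatDevice("203.0.113.5")
    pat.outbound(ESP, CLIENT_A, GATEWAY)
    before = pat.inbound(ESP, GATEWAY)
    pat.outbound(ESP, CLIENT_B, GATEWAY)
    return before, pat.inbound(ESP, GATEWAY)

def nat_t_replies():
    """Same two clients with ESP wrapped in UDP 4500: each keeps its own mapping."""
    pat = PatDevice("203.0.113.5")
    port_a = pat.outbound(UDP, CLIENT_A, GATEWAY, 4500)
    port_b = pat.outbound(UDP, CLIENT_B, GATEWAY, 4500)
    return pat.inbound(UDP, GATEWAY, port_a), pat.inbound(UDP, GATEWAY, port_b)
```
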

  3. Rodney

    Rodney Guest

    >
    > You need to tell us what equipment and software releases you are
    > using.
    >


    Thanks for the reply Walter, I'm a little closer in understanding
    this.

    The clients are version 3.6.3 and the router itself is a 1700 series.
    If I can turn on nat-traversal, would that be the recommended way of
    doing it, or should I be looking at replacing the cheap routers with
    something that can be permanently tunneled to the main site?

    Thanks for your patience, I'm only learning :)
    Rodney, Aug 17, 2004
    #3
  4. CISCORUBS

    CISCORUBS Guest

    IPSec with NAT-Traversal is not always a stable solution. It sometimes
    has issues with double NAT. IPSec over UDP or TCP is more stable.

    I had this exact issue and the fix was IPSec over TCP port 10,000.

    BTW were your users behind a Linksys? The other common thread here is
    Linksys.

    Rodney wrote:
    > >
    > > You need to tell us what equipment and software releases you are
    > > using.
    > >

    >
    > Thanks for the reply Walter, I'm a little closer in understanding
    > this.
    >
    > The clients are version 3.6.3 and the router itself is a 1700 series.
    > If I can turn on nat-traversal, would that be the recommended way of
    > doing it, or should I be looking at replacing the cheap routers with
    > something that can be permanently tunneled to the main site?
    >
    > Thanks for your patience, I'm only learning :)
    CISCORUBS, Aug 17, 2004
    #4