Multiple IPSEC Tunnels into common PIX 515e

Discussion in 'Cisco' started by Jim.Seedlenissip, Feb 21, 2007.

  1. Maybe someone can clear this up for me...
    Scenario: We have a temporary remote site with xDSL connection. We are
    using a DLINK DSL router to offer an internet connection to two staff
    with laptops. Each laptop needs to connect back to the business
    network using Cisco VPN IPSEC client and they both connect back in via
    a common 515e Pix on the edge of W.A.N.
    We have what appears to be a common issue, where only one IPSEC tunnel
    can operate through the Pix 515e at a time, so the first vpn
    connection is always kicked off by the second vpn connection.
    I have been looking for solutions and one would appear to be using a
    smarter DSL router at the remote site that can do multiple VPN
    pass-through. I get the impression though that even with such a router
    in place the Pix 515e may still see them as the same source IP address
    (due to NAT on remote router) and only allow one VPN connection at a
    time still anyway.

    Question 1: So if I purchase a multiple pass-through router for the
    remote site, do I need to sort out a NAT traversal solution at the PIX?

    Question 2: How is it that we have other users who travel together who
    manage to both VPN through to our PIX when using public Wi-Fi networks
    in airports or in a Starbucks etc... and they can connect back to our
    PIX at the same time quite happily? Surely those public networks would
    also use some form of NAT for firewalling? Does this indicate that
    these public networks commonly use multiple VPN pass-through routers?

    No... a site to site VPN is not really an option in this case due to $
    restrictions and the temporary nature of the remote office (3 months).

    Any assistance appreciated as we will likely have this scenario to
    deal with again later in the year.
    Jim.Seedlenissip, Feb 21, 2007

  2. This is the problem of your DLINK DSL router. I assume the DSL router does
    not NAT, otherwise the problem would not exist.
    Ack. This would help. Another solution is to set up a lan2lan-VPN between
    the DSL router and the PIX. In this case the clients do not need the VPN
    client anymore.
    This does not harm. It's a quite common scenario.
    NAT-Traversal is trivial to configure. OTOH check if there is NAT at all.
    Yes they can (modulo the airport's router).
    Depends on the wifi provider. But if they filter traffic they know the VPN
    No. In most cases these networks are not filtered at all.
    Setting up a VPN with DLINK is an issue of half an hour.
    Lutz Donnerhacke, Feb 21, 2007

  3. Add the command ISAKMP NAT-T to your PIX - it does not harm a thing to have
    it in.
    Check the CCVPN clients to use NAT-T

    Check if the d-link has an option in its cfg, that is called "ipsec
    passthrough" or some likely setting.
    It might just be a "checkbox marked" you need to do.

    Yes ipsec passthrough is a must, and widely used as default setting today.
    because they do not use d-link ...
    Martin Bilgrav, Feb 21, 2007
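Added illustration, not code from the thread or from Cisco: a toy model of the NAT behaviour Lutz and Martin describe, showing why raw ESP (IP protocol 50, no ports) from two laptops collides behind one consumer NAT while UDP-encapsulated NAT-T traffic (UDP 4500) does not. The NAT table logic is a simplification, and the addresses are constructed; the PIX 6.3 command Martin refers to is, to my recollection, `isakmp nat-traversal`, which the thread itself does not spell out.

```python
from dataclasses import dataclass, field
from typing import Optional

ESP = 50          # IP protocol number for ESP: carries no transport-layer ports
UDP = 17
UDP_NAT_T = 4500  # UDP port used by NAT-T to encapsulate ESP (RFC 3947/3948)


@dataclass
class Packet:
    src_ip: str
    proto: int
    src_port: Optional[int] = None   # None for raw ESP, which has no ports


@dataclass
class ConsumerNat:
    """Simplified port-address-translation table of a small DSL router."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # outside key -> inside host

    def translate(self, pkt: Packet) -> tuple:
        if pkt.proto == ESP:
            # Raw ESP has no ports, so the only outside key available is
            # (protocol, public IP). A second ESP client overwrites the first
            # mapping, the PIX stops seeing the first peer's traffic, and that
            # tunnel is the one that gets "kicked off".
            key = (ESP, self.public_ip)
        else:
            # UDP gets a fresh outside port per inside host, so the PIX can
            # tell the two peers apart by (public IP, port) even behind NAT.
            self.next_port += 1
            key = (pkt.proto, self.public_ip, self.next_port)
        self.table[key] = pkt.src_ip
        return key


def surviving_clients(inside_hosts, nat_t: bool) -> set:
    """Return the inside hosts whose tunnels still map after all have connected."""
    nat = ConsumerNat("203.0.113.7")  # constructed public address (TEST-NET-3)
    for host in inside_hosts:
        if nat_t:
            nat.translate(Packet(host, UDP, UDP_NAT_T))
        else:
            nat.translate(Packet(host, ESP))
    return set(nat.table.values())


if __name__ == "__main__":
    laptops = ["192.168.1.10", "192.168.1.11"]  # constructed remote-site hosts
    print("raw ESP  :", surviving_clients(laptops, nat_t=False))
    print("with NAT-T:", surviving_clients(laptops, nat_t=True))
```

A quick check on the PIX side is whether the client appears as a peer on UDP 4500 rather than as bare ESP; if the DSL router still shows only one working tunnel with NAT-T enabled on both ends, its own IPsec pass-through handling is the next thing to look at.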
