New Pix506e and VPN Client software help needed!!!

Discussion in 'Cisco' started by pickjunior, Dec 6, 2004.

  1. pickjunior

    pickjunior Guest

    Hello folks

    I've got a Pix 506e in my main office and have recently established a
    smaller office elsewhere. I have installed the vpn client software on
    the PC's (W2K Pro) and one pc at a time can connect fine. I'm having an
    issue with getting 2 connected at the same time. Is there a way to
    allow more than 1 pc to connect? I understand that the office is NAT'd
    so both pc's have the same outside IP address...

    I'd just like to be able to tell the firewall to allow more than one
    connection per IP addy. Is this possible?
     
    pickjunior, Dec 6, 2004
    #1

  2. :I've got a Pix 506e in my main office and have recently established a
    :smaller office elsewhere. I have installed the vpn client software on
    :the PC's (W2K Pro) and one pc at a time can connect fine. I'm having an
    :issue with getting 2 connected at the same time. Is there a way to
    :allow more than 1 pc to connect? I understand that the office is NAT'd
    :so both pc's have the same outside IP address...

    :I'd just like to be able to tell the firewall to allow more than one
    :connection per IP addy. Is this possible?

    To do that, you need PIX 6.3(1) or later, and you have to turn on
    isakmp nat-traversal, preferably on both PIXes.

    Without isakmp nat-traversal, you cannot do it. The VPN Client software
    uses IPSec, which relies in part on packets that use the IP protocol
    'ESP'. Not TCP or UDP -port-, but -protocol- (on the same level as
    TCP or UDP.) ESP has no concept of ports, so it is not possible to
    do PAT (Port Address Translation) on ESP packets in order to be able
    to figure out which of the internal systems the ESP reply should go
    back to.
     
    Walter Roberson, Dec 6, 2004
    #2
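The point in the answer above (ESP carries no ports, so a PAT gateway cannot tell two inside hosts apart, while NAT-T wraps ESP in UDP/4500 and gives PAT something to rewrite) modelled as a toy PAT table. This is an added illustration, not code from the thread or from Cisco; the addresses are constructed and the gateway is a deliberately minimal model of PAT, not of the PIX itself.

```python
from dataclasses import dataclass, replace
from typing import Optional

ESP = 50          # IP protocol number of IPsec ESP: no port field at all
UDP = 17
NAT_T_PORT = 4500 # UDP port used when isakmp nat-traversal is negotiated

@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None when the protocol has no ports
    dst_port: Optional[int] = None

class PatGateway:
    """Minimal PAT: every inside host shares one public address."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}  # (proto, public_port, peer_ip) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside->outside; None when PAT cannot keep the flow distinct."""
        if pkt.src_port is None:
            # Nothing to rewrite: the only key is (protocol, peer), so a second
            # inside host sending ESP to the same peer collides with the first.
            key = (pkt.proto, None, pkt.dst_ip)
            if key in self.table and self.table[key][0] != pkt.src_ip:
                return None
            self.table[key] = (pkt.src_ip, None)
            return replace(pkt, src_ip=self.public_ip)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub_port, pkt.dst_ip)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a reply from the peer to the inside host that owns the mapping."""
        inside = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip))
        return None if inside is None else replace(pkt, dst_ip=inside[0], dst_port=inside[1])

def demo(use_nat_t: bool) -> tuple:
    """Two inside PCs start IPsec to the same PIX; report whether each gets its replies."""
    gw, peer = PatGateway("203.0.113.10"), "198.51.100.1"   # constructed addresses
    hosts = ["192.168.1.10", "192.168.1.11"]
    results = []
    for h in hosts:
        pkt = Packet(UDP, h, peer, NAT_T_PORT, NAT_T_PORT) if use_nat_t else Packet(ESP, h, peer)
        out = gw.outbound(pkt)
        reply = out and Packet(out.proto, peer, out.src_ip, out.dst_port, out.src_port)
        back = gw.inbound(reply) if reply else None
        results.append(back is not None and back.dst_ip == h)
    return tuple(results)
```

Without NAT-T only the first PC's ESP flow survives the gateway; with NAT-T each PC gets its own public port and both are reachable.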

  3. John Smith

    John Smith Guest

    or you could configure a site-to-site vpn tunnel (instead of PC to site).
    this means no end user interaction once configured properly and it also
    means the tunnel is (nearly) always up.
    although you did not specifically state that you have an ipsec capable
    router/firewall at the new site. is this the case?
    otherwise you will have to use the aforementioned nat traversal command...
     
    John Smith, Dec 6, 2004
    #3
  4. pickjunior

    pickjunior Guest

    Thanks for the suggestions. I've ordered a Cisco 831 to go at the other
    end to facilitate the site-to-site vpn :)
     
    pickjunior, Dec 7, 2004
    #4
  5. pickjunior

    pickjunior Guest

    Will the Cisco 831 be ok with a NAT'd internal IP address, or does it
    need a static external IP address?
    I'm in a serviced office with a shared connection...
     
    pickjunior, Dec 8, 2004
    #5
  6. Terry

    Terry Guest

    I currently have a similar setup with the 506e, and am successfully using
    multiple clients logging in at the same time. What you do is set up a group
    name and ip pool for each login/user. They will then get their own assigned
    IP when they log in.
     
    Terry, Dec 8, 2004
    #6