01-25-2007 08:40 AM - edited 03-11-2019 02:24 AM
I just need some clarification on whether or not multiple users using the same internet connections can use the Cisco VPN client to connect to a PIX 515.
I have users in an office that are on a Linksys router and have individual local addresses but all use the same external IP address (NAT). Also, we have multiple people in the same hotel who all want to VPN in at the same time.
Can only 1 person VPN at a time, or is there a way to allow the PIX to create multiple tunnels with the same originating address?
Thanks.
01-25-2007 12:46 PM
Multiple people (VPN Clients) can connect at the same time to the PIX Firewall.
But the problem is that some NAT devices, for example the firewall in the hotel, may not support multiple simultaneous VPN connections.
So the problem is on the VPN Client side and not on the server side.
Sincerely
Patrick
01-25-2007 12:51 PM
I know that multiple people can connect. We usually have 20 - 30 people connected at any given time, but can they be sharing the same internet connection when they are trying to connect?
Thanks.
01-26-2007 08:04 AM
Hi Mate,
I agree with Patrick and I already have a live environment where multiple users using Cisco VPN Client are connecting from the same public IP address and it's working fine.
Make sure that they are not using the same username/password anyway (unless you allowed this in your config).
Cheers.
Salem.
01-25-2007 12:51 PM
Sorry, we posted at the same time.
01-26-2007 08:25 AM
I am not sure if Acomiskey posted about this as he removed his post or I read it, but do I need NAT-T (NAT traversal) configured in order for this to work?
Currently it does not work to have multiple users in the same office using the same ISP to VPN in at the same time.
If so, does anyone have an example of how I would do this?
Thanks.
01-26-2007 12:27 PM
I had a hard time figuring out exactly what you were saying at first. As long as remote devices (Linksys etc.) support NAT traversal you should be ok.
Try adding
isakmp nat-traversal
in your pix.
01-26-2007 12:41 PM
Thanks acomiskey.
I also found some info that your client needs to be set to IPSEC over TCP in order for multiple users to connect while on the same LAN.
Have to find out what I need to add to the PIX to support IPSEC over TCP. I think I have to somehow specify port 10000 to use.
Thanks for your help.
01-26-2007 12:46 PM
That is not necessarily the case. You could use ipsec over udp. I think this is your only option with pix anyway depending upon which version you're running. Ipsec over tcp is NOT nat-traversal. What vpn client are they using?
ipsec over tcp is on port tcp 10000
nat-t (ipsec over udp) is udp port 4500
01-26-2007 12:52 PM
Cisco Systems VPN Client Version 4.8.02.0010.
Guess I am doing too much reading and thinking the two were related.
What is better to do: nat-t or to set up the pix for ipsec over tcp? I can't find any Cisco example configs that deal with this issue.
Thanks.
01-26-2007 12:54 PM
They are related in the fact they are both tunneling protocols. You do not have to enable both in order to do what you want to do. One or the other will be fine. You'd better research whether your pix will do "ipsec over tcp" to begin with. I think you need at least ver. 7. Don't know much beyond that about the difference, I think UDP is faster. There is an option in the vpn client under the "Transport" tab to enable transparent tunneling and to specify ipsec over udp/tcp.
01-26-2007 01:34 PM
Linksys only allows one VPN connection at a time, although you can get a Linksys router to set up a LAN-to-LAN tunnel to the 515. Also look into transparent tunneling on the 515; this gets around the limitation of Linksys by encapsulating the IPsec in TCP/IP.
01-26-2007 01:42 PM
I believe linksys refers to it as ipsec-passthru.
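The difference the thread is circling, shown as an added example that is not part of any post above: a simplified model of a port-translating (PAT) router, comparing plain ESP with NAT-T (ESP inside UDP 4500) for several clients behind one public address. The `PatRouter` class, the addresses and the port numbering are constructed assumptions, not the behaviour of any specific Linksys or PIX release.

```python
# Simplified PAT model (constructed for illustration; real devices differ in detail).
ESP, UDP = 50, 17              # IP protocol numbers
PUBLIC_IP = "203.0.113.10"     # constructed: shared external address of the office/hotel
PIX_IP = "198.51.100.1"        # constructed: VPN headend address

class PatRouter:
    def __init__(self):
        self.udp_map = {}      # (inside_ip, inside_port) -> translated public source port
        self.esp_owner = {}    # remote peer -> the single inside host tracked for ESP
        self.next_port = 20000

    def outbound(self, proto, inside_ip, dst_ip, src_port=None):
        """Return the translated (public_ip, port) flow, or None if the router cannot map it."""
        if proto == UDP:
            # UDP carries ports, so every inside flow gets its own public source port.
            key = (inside_ip, src_port)
            if key not in self.udp_map:
                self.udp_map[key] = self.next_port
                self.next_port += 1
            return (PUBLIC_IP, self.udp_map[key])
        if proto == ESP:
            # ESP has no port field: return traffic from one peer can only be
            # steered to one inside host ("IPsec passthrough" for a single client).
            owner = self.esp_owner.setdefault(dst_ip, inside_ip)
            return (PUBLIC_IP, None) if owner == inside_ip else None
        return None

def connect_clients(clients, use_nat_t):
    """Map each inside client to its translated flow toward the same headend."""
    router = PatRouter()
    result = {}
    for ip in clients:
        if use_nat_t:
            result[ip] = router.outbound(UDP, ip, PIX_IP, src_port=4500)
        else:
            result[ip] = router.outbound(ESP, ip, PIX_IP)
    return result

if __name__ == "__main__":
    office = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]  # constructed inside hosts
    for nat_t in (False, True):
        label = "NAT-T (UDP 4500)" if nat_t else "plain ESP"
        for ip, flow in connect_clients(office, nat_t).items():
            print(f"{label:17} {ip} -> {flow if flow else 'no mapping, tunnel fails'}")
```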