Re: Multiple users VPNing with same internet connection

boschrexroth · ‎01-25-2007

I just need some clarification on whether or not multiple users using the same internet connections can use the Cisco VPN client to connect to a PIX 515.

I have users in an office that are on a Linksys router and have indivdual local address but all use the same external IP address (NAT). Also, we have multiple people in the same hotel who all want to VPN in at the same time.

Can only 1 person VPN at a time or is there a way to allow the PIX to create multiple tunnels with the same originating address.

Thanks.

Patrick Iseli · ‎01-25-2007

Multiple peoples (VPN Clients) can connect on the same time to the PIX Firewall.

But the problem is that some NAT devices for example the Firewall in the hotel may not support multiple simultanious VPN connections.

So the problem is on the VPN Client side and not on the server side.

sincerely

Patrick

boschrexroth · ‎01-25-2007

I know that multiple people can connect. We have usually 20 - 30 people connected at any given time but can they being sharing the same internet connection when they are trying to connect?

Thanks.

scheikhnajib · ‎01-26-2007

Hi Mate,

I agree with Patrick and I already have a live environment where multiple users using Cisco VPN Client are connecting from the same public IP address and it's working fine.

Make sure that they are not using the same username/password anyway (unless you allowed this in your config).

Cheers.

Salem.

acomiskey · ‎01-25-2007

Sorry, we posted at the same time.

boschrexroth · ‎01-26-2007

I am not sure if Acomiskey posted about this as he removed his post or I read it but do I need NAT-T (nat transversal) configured in order for this to work?

Currently it does not work to have multiple users in the same office using the same ISP to VPN in at the same time.

If so does anyone have an example of how I would do this.

Thanks.

acomiskey · ‎01-26-2007

I had a hard time figuring out exactly what you were saying at first. As long as remote devices (linksys etc.) support nat traversal you should be ok.

try adding

isakmp nat-traversal

in your pix.

boschrexroth · ‎01-26-2007

Thanks acomiskey.

I also found some info that your client need to be set to IPSEC over TCP in order for multiple users to connect while on the same LAN.

Have to find out what I need to add to the PIX to support IPSEC over TCP. I think I have to somehow specify port 10000 to use.

Thanks for your help.

acomiskey · ‎01-26-2007

That is not necessarily the case. You could use ipsec over udp. I think this is your only option with pix anyway depending upon which version your're running. Ipsec over tcp is NOT nat-traversal. What vpn client are they using?

ipsec over tcp is on port tcp 10000

nat-t (ipsec over udp) is upd port 4500

boschrexroth · ‎01-26-2007

Cisco Systems VPN Client Version 4.8.02.0010.

Guess I am doing to much reading and thinking the two were related.

What is better to do nat-t or to setup the pix for ipsec over tcp? I can't find any Cisco example configs that deal with this issue.

Thanks.

acomiskey · ‎01-26-2007

They are related in the fact they are both tunneling protocols. You do not have to enable both in order to do what you want to do. One or the other will be fine. You'd better research whether your pix will do "ipsec over tcp" to begin with. I think you need at least ver. 7. Don't know much beyond that about the difference, I think UDP is faster. There is an option in the vpn client under the "Transport" tab to enable transparent tunneling and to specify ipsec over udp/tcp.

dpmichaud · ‎01-26-2007

Linksys only allows once vpn connection at a time, although you can get a linksys router to setup a lan to lan tunnel to the 515. Also look into transparent tunneling on the 515 this gets around the limitation of Linksys by encapsulating the ipsec in Tcpip

acomiskey · ‎01-26-2007

I believe linksys refers to it as ipsec-passthru.