cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1877
Views
0
Helpful
8
Replies

Multiple VPN Client connections from outside offices using PAT and Linksys

sitedr
Level 1
Level 1

Hello,

I am having difficulty with several vendor/distributor offices that connect with our mainframe throughout the day. The distributors are using the VPN client, release 3.5.1.E. They connect to our PIX 525s running 6.1(1). The distributors that I am having the problem are running either Linksys or some other small access device, using PAT. It seems that if one person starts a connection, other people in the office cannot. I have other offices in which everyone can connect, but these offices NAT. Is it possible for multiple VPN clients to work via PAT, is there something I have missed on my (PIX) end, or could it be the Linksys and Netopia-style small routers not doing PAT properly? Any suggestions are greatly appreciated.

8 Replies 8

jeff
Level 1
Level 1

When you say the distributors are running PAT, do you mean that the Linksys routers are doing the PAT, or actually Port Forwarding?

They would have to set up the ports for EACH of the IP addresses of the PC's that want to connect. Might they only have the ports set up for 1 address?

jeff
Level 1
Level 1

I just remembered: I had a similar problem last year, and when I checked with Linksys, they said multiple VPN/PAT wasn't supported. You may want to check with them now to see if there's new software.

We use a linksys 4 port cable router for testng (with the latest rev as of last month), and yes, 1 connection is all that is able to go thru

The issue is NAT(PAT) IPSec traversal.

Cisco VPN 3000 concentrator supports NAT terversal.

PIX currently does not (It may in the future).

Hope this helps

For the router, you can confiure the esp pat.

The esp pat feature in the router will only allow one single ipsec connection through as you are mapping the entire protocol to that one address so further connections will not be able to be used. Typically you cannot connect the cvpn client 3.x to a router or a pix behind a PAT device. Linksys is one of the exceptions as they have a built in esp pat feature that allows only one vpn client to connect using PAT. IOS now has that esp PAT feature, but this still only allows one single connection. The difference before was you couldnt connect the client when using PAT from behind a ios router to a pix or router using ipsec and now you can, but just one.

Kurtis Durrett

ddippel
Level 1
Level 1

Hi,

Our standard for home office is the Linksys also, and I had the same problem

with multiple clients behind the Linksys trying to use the VPN simultaneously.

If you change to TCP instead of UDP it should work.

gregm
Level 1
Level 1

We've had success using the Netopia R910 router to support multiple ipsec pass-through session requirements. It supports multiple session to a single destination point or multiple destination points. Its the only SOHO device I've found that has this functionality.

Review Cisco Networking for a $25 gift card