Cisco Pix used with radius server question

jimhalliwell
Level 1

Hi Hope you can help me out here.

We have home workers that connect via BT IP Stream (ADSL) to our IT department. On power-up of the Draytek router (at the house) they are authenticated by our RADIUS server and are given a 10.180.*.* address; this works fine. Then we open a Cisco client on the PC, put in the passwords and are given a pool address from our 255 range from our Cisco PIX 525. The address is 192.168.168.14; this works fine and the user can use our network. The problem is when we connect 2 users at the same site (house) connecting to the same 4-port router. On the second PC I open the VPN Client, which cuts off the first user and gives the second user the same address as the first PC, 192.168.168.14. I don't understand, because we have a pool to give out 255 addresses! Any ideas?

Thanks Jim.

9 Replies

jmia
Level 7

Jim

Could you please post your ip local pool range from your PIX.

It should be something like:

ip local pool 192.168.1.1-192.168.1.254 mask 255.255.255.0

Jay

Problem sounds like the issue is with the IP on the outside interface of your user's router. More than likely they are being PAT translated out to the net. By default the VPN is going to use UDP 500 or UDP 4500 for IPSEC over nat. As soon as your second user connects this is causing the problem. You cannot have two sessions with the same IP and port. The internal IP address piece of the equation is irrelevant if you are dropping the first tunnel. So that is the first thing you need to check.

To fix this you need to use a non-standard port for your 2nd client. On the VPN 3000 you can specify multiple ports for VPN termination and in the client software you specify the TCP port you would like to use. Check to see if the PIX has this option as well.

Please rate any helpful posts

Thanks

Fred

Here is the doc for PIX 7.1. This section is for configuring IPsec over TCP. Set up a handful of TCP ports that you can use for situations like this.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008054c51f.html#wp1059912

Example:

client 1 connects to PIX IP on port TCP 14500

client 2 connects to PIX IP on port TCP 14501

You then would have two unique flows.

Please rate any helpful posts

Thanks

Fred
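An added illustration of the point made in the two replies above (not code from the thread or from Cisco): a toy model of a PAT router in front of two PCs and a PIX that keys its peer table on the outer IP:port it sees. With plain IKE on UDP 500 both PCs arrive as the same ip:port and the second replaces the first, which is exactly the "same pool address" symptom; with per-host outer ports (NAT-T on UDP 4500, or IPsec over TCP on distinct ports) the PIX sees two peers. All addresses and the pool are constructed, and the port-preserving behaviour of the router is a simplifying assumption.

```python
from dataclasses import dataclass, field

IKE_PORT = 500      # plain IKE: source and destination both UDP 500
NAT_T_PORT = 4500   # NAT-T (or IPsec over TCP): outer source port can differ per host


@dataclass
class PatRouter:
    """Simplified Draytek-style PAT: maps inner (ip, port) to (outside_ip, port)."""
    outside_ip: str
    next_port: int = 1024
    table: dict = field(default_factory=dict)

    def translate(self, inner_ip, src_port, preserve_port):
        key = (inner_ip, src_port)
        if key not in self.table:
            if preserve_port:
                outer_port = src_port        # plain IKE keeps UDP 500 on both ends
            else:
                outer_port = self.next_port  # PAT hands out a fresh port per inner host
                self.next_port += 1
            self.table[key] = (self.outside_ip, outer_port)
        return self.table[key]


@dataclass
class PixPeerTable:
    """Tunnels keyed on the outer (ip, port) the PIX actually sees, not the inner PC."""
    pool: list
    peers: dict = field(default_factory=dict)  # (outer_ip, outer_port) -> pool address

    def connect(self, outer):
        if outer in self.peers:
            # Same ip:port as an existing peer: the old tunnel is dropped and its
            # pool address returned, so the newcomer gets that very same address.
            self.pool.insert(0, self.peers.pop(outer))
        self.peers[outer] = self.pool.pop(0)
        return self.peers[outer]


def simulate(nat_traversal):
    """Two PCs in one house connect; returns per-PC (outer tuple, pool address) and peer count."""
    router = PatRouter("81.0.2.1")  # constructed outside IP of the house router
    pix = PixPeerTable(pool=[f"192.168.168.{i}" for i in range(14, 20)])  # constructed pool
    port = NAT_T_PORT if nat_traversal else IKE_PORT
    results = {}
    for inner in ("10.180.1.11", "10.180.1.12"):
        outer = router.translate(inner, port, preserve_port=not nat_traversal)
        results[inner] = (outer, pix.connect(outer))
    return results, len(pix.peers)
```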

Thanks for the advice guys

I'm in work in the morning; I'll take another look and let you know how I go on. Watch this space.

Jim

Jim,

I just thought of one more thing. I'm not sure, when you enable IPsec over TCP, if it uses the same port for source and destination like default UDP 500 does. I'm assuming it will, but if it doesn't then you might be able to get away with the single port, though a unique one. It won't hurt to set up multiple ports, but you might not have to manually change the VPN Client settings on the 2nd PC to be the second port. If you get around to implementing this, let me know if the 2nd port was required.

Thanks

Fred

Hi Fred

You've been spot on all the way. Our PIX is software 6.3, so I put in the command isakmp-net-traversal.

All works great now with no change to the client at all. Are there any problems doing this rather than the IPsec over TCP?

Cheers Jim

Nope, if that works for you then run with it. I mainly would use the IPsec over TCP to pass through firewalls where administrators block UDP 500 and UDP 4500. The advantage is you can use a well-known port so you can still get your tunnel through.

Glad that your issue is resolved.

Thanks

Fred

Just a quick follow-up question please. When one of the above people connects via the VPN Client we have no problem. When the second person connects, we also have no problem with either connection. But when the first person disconnects and tries to reconnect, they cannot without rebooting the Draytek router. Any ideas?

Jim
