2 different VPN client to PIX tunnels from the same IP address

mvandeberg
Level 1

I need to know if there is a way to allow 2 or more VPN clients to VPN into a PIX 501 from the same IP address if they are behind the same firewall with a single global address (NAT overload). As far as I know the PIX won't allow it. This has to be a common issue, but I can't find any documentation that addresses this problem.

Thanks in advance for any ideas,

Mike

8 Replies

mostiguy
Level 6

If you enable isakmp nat-traversal on the PIX, that might help. If it doesn't, it could be the firewall they are behind - what is it, and is it trying to do any ISAKMP proxying/IPsec forwarding stuff?

In this case, I am proposing a VPN solution for a customer. The small office only has 5 employees, and they will be traveling to remote customer sites, often with 2 employees at the same site. So this is a generalized question. I have seen something on NAT-T; is it something that was designed to overcome the multi-user behind the same IP address issue? I will look into NAT-T, but I need to find out exactly what I need to do before I propose this to the customer. I have only set up a couple of PIXs, so I'm kinda green here.

Thanks,

Mike

Just another note to keep this message on top for another day... Can I assume that I won't be able to do this? Thanks for your response mostiguy, but I can't do a proposal hoping that something "might work". I have called Cisco pre-sales, and got this response:

It would work outbound from the client to the headend PIX firewall... but inbound you will need a L3 device behind the PIX firewall at the remote in order to route between the clients in different VLANs...

This makes no sense to me.... Is there anyone out there that has ever needed to let 2 people create a client software to PIX VPN connection from behind the same IP address? If so, please respond with something that a non-CCNP can understand. And if it can't be done, please let me know.

Thanks,

Mike

What the response from Cisco pre-sales means is this: your clients can send the request to the corp. network over the VPN connection, but for the reply to reach the client, the remote network's (the site where your customers will be) routing path needs to be done properly so that each client will only see their own session, i.e., the NAT/PAT function is transparent to the internal routers.

The bottom line: you will be able to accomplish what is needed to allow multiple remote clients to connect to the corp. network via a VPN session through the PIX when each client has a separate address that gets NAT/PAT'ed to one before the VPN traffic gets received at the firewall.

The one caveat is that the remote network will need to allow those users to establish the VPN connection - regardless of NAT/PAT and what your PIX can do, it won't happen if the only outbound traffic the remote admins allow is TCP port 80.

Thanks Ed, I appreciate your response...

Mike

htj
Level 1

I have the same problem as you.

We want to access different customers from our LAN using the VPN client. Our router has only one public IP and our PCs are hide-NAT'ed. We have a few registered IPs, and if I make a NAT to one of these then it works fine, but then we would need to have a public IP for all my colleagues.

Did you find a solution?

br

Henrik

I haven't found a solution, but I think I have found the answer. Something has to be done on the remote end to give each client their own global, routable IP address for the PIX to allow a VPN connection into it. One more thing: I have found out that I will be setting up the PIX for the customer in question despite the single IP issue. Could someone please send me a sample config that has all the command line entries needed to set up a simple VPN server on the PIX? Not a LAN-to-LAN connection, just a simple VPN server that will allow Cisco VPN software clients to connect to the internal LAN, and also perform the normal firewall functions for the internal users at the PIX site. Or send me a link to the proper documentation that will show me how to do it?

Thanks all for the responses!

Mike
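Added example (not posted by anyone in this thread, and not a Cisco-supplied config): a minimal PIX 6.3 remote-access VPN fragment of the kind requested above, with the `isakmp nat-traversal` line from mostiguy's reply included so that several VPN clients behind one PAT address are distinguished by their UDP/4500 source port instead of colliding on a single ESP flow. All addresses, names and the group name are constructed placeholders; the pre-shared key is elided.

```cisco
! Constructed PIX 6.3 remote-access VPN fragment (placeholder addressing)
! Assumed: inside LAN 192.168.1.0/24, outside interface 203.0.113.2,
!          VPN client pool 192.168.100.0/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.100.1-192.168.100.20

! Exempt LAN-to-client traffic from PAT so replies are routed back into the tunnel
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! Normal outbound PAT for the internal users
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Phase 2: AES-256/SHA-1 transform applied through a dynamic map
! (clients have unknown, changing peer addresses)
crypto ipsec transform-set clientset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set clientset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap interface outside

! Phase 1: pre-shared key group authentication, AES-256, SHA-1, DH group 2
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! NAT-T: wrap ESP in UDP/4500 when a NAT is detected between client and PIX.
! Each client behind the same PAT address gets its own UDP source port, so
! the PIX can keep their SAs apart; 20 is the keepalive interval in seconds.
isakmp nat-traversal 20

! Client group: address pool, DNS and domain pushed to the Cisco VPN client
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.1.10
vpngroup remoteusers default-domain example.com
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-pre-shared-key-placeholder>
```

To check that NAT-T actually took effect when two clients connect from the same public address, `show isakmp sa` should list both peers as 203.0.113.x-style entries with distinct ports, and `show crypto ipsec sa` should show a separate SA per client with the UDP-encapsulated flag set. The remote site must still permit outbound UDP/500 and UDP/4500, as Ed pointed out above; a site that only allows TCP/80 outbound will block the exchange before NAT-T matters.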

I have it working now. But I need to NAT my internal IPs to external public known IPs.

I use the graphic interface, the VPN wizard.

I have examples in word.

I can send you those if you give me your email.

br

Henrik

htj@tt.dk