Dynamic VPN Connection Problems

mkoenig (Level 1)

Now I've read tons of documentation and I didn't find a solution for my problems:

We have 2 different kinds of dynamic VPN connections:

1.) The first one with 2 clients, each with Cisco VPN Client Version 4.0.1.

They basically connect to the internet through a DSL router with a dynamically assigned IP.

The connection works if one of the clients connects to our PIX (6.3.1) and has access to the requested server.

But the connection terminates if the second client establishes a connection to the PIX and to the server - and now only this connection works.

So only one client at a time can have access to the server - and I want everyone to be able to have this access at any time.

2.) The second connection is a bit different - but the result is the same.

I've configured two 836 routers to connect to the internet over an ISP which dynamically assigns an IP to the router.

Behind this router there is a terminal server connected.

If now one of the joined terminals wants to connect to our server, the router establishes a VPN connection to our PIX and then the connection from the terminal to our server is possible.

Again only until another router does this - from another location and with another assigned IP.

And as a remark - these two kinds (No. 1 + 2) of VPN connections are possible at the same time.

So - do I need to have more than one crypto dynamic-map configuration and/or more than one crypto map <name> configuration?

Thank you for your help - if more information is needed (PIX and router configuration) I can give it to you.

With Kind Regards

M. König

2 Replies

t1000 (Level 1)

I'm not sure that I understand the situation with the second problem, but I can tell you that you cannot have more than one VPN client connect from behind a DSL/cable connection with only one IP address, either static or dynamically assigned. You have two choices:

1. Get additional IPs assigned from your ISP - one for each client that will require simultaneous access, or

2. Get a PIX-501 for the remote office.

Hope that helps.

Regards,

Tim Thousand

Computer Concepts

Lafayette, LA

Hello Tim Thousand,

thank you for your reply.

For the first topic I thought the same way - and I made the proposal to get a firewall, gateway or something.

For the second problem I figured out that dynamic ACLs were made in this way:

Crypto Map "VPN" 50 ipsec-isakmp
Peer = 217.234.60.161
access-list dynacl107; 1 elements
access-list dynacl107 line 1 permit ip 192.168.1.0 255.255.255.0 172.29.192.0 255.255.255.0 (hitcnt=1)
dynamic (created from dynamic map dyn-vpn/10)
Current peer: 217.234.60.161
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ high-des, }

I think the interesting point is the access-list dynacl107 and the addresses 192.168.1.0 255.255.255.0 172.29.192.0 255.255.255.0

Because I've configured all the routers in this way:

access-list 101 permit ip 172.29.192.0 0.0.0.255 192.168.1.0 0.0.0.255

So I think the PIX can't see the difference between the 1st and the 2nd router (maybe possible by the peer address) for the tunnel.

So I try to have more clearly distinguishable addresses in this way:

(For the 1st router)

access-list 101 permit ip 172.29.192.110 0.0.0.255 192.168.1.0 0.0.0.255

(For the 2nd router)

access-list 101 permit ip 172.29.192.120 0.0.0.255 192.168.1.0 0.0.0.255

...

to get the dynacl:

Crypto Map "VPN" 50 ipsec-isakmp
Peer = 217.234.60.161
access-list dynacl107; 1 elements
access-list dynacl107 line 1 permit ip 192.168.1.0 255.255.255.0 172.29.192.110 255.255.255.0 (hitcnt=1)
dynamic (created from dynamic map dyn-vpn/10)
Current peer: 217.234.60.161
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ high-des, }

Crypto Map "VPN" 60 ipsec-isakmp
Peer = 217.234.60.172
access-list dynacl107; 1 elements
access-list dynacl107 line 1 permit ip 192.168.1.0 255.255.255.0 172.29.192.120 255.255.255.0 (hitcnt=1)
dynamic (created from dynamic map dyn-vpn/10)
Current peer: 217.234.60.172
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ high-des, }

...

Would you agree? (Because I've only one test account - and no second one to verify my thoughts.)

Thank you in advance

M. König
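As an added check, not code from the thread or from Cisco: a small Python script that normalises both the IOS wildcard-mask crypto ACLs and the PIX dynacl lines quoted in the post to network prefixes, then reports remote routers whose ACLs collapse to the same proxy identity (the subnet pair the PIX will install in its dynamic crypto map entry). The router names and sample lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input (not taken from a real device): the two IOS crypto
# ACLs proposed in the thread, one per remote router. Router names are hypothetical.
ROUTER_ACLS = {
    "router1": "access-list 101 permit ip 172.29.192.110 0.0.0.255 192.168.1.0 0.0.0.255",
    "router2": "access-list 101 permit ip 172.29.192.120 0.0.0.255 192.168.1.0 0.0.0.255",
}

# Matches both an IOS ACL line and a PIX 'show crypto map' dynacl line.
ACL_RE = re.compile(r"permit ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) "
                    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def to_network(addr, mask, wildcard):
    """Normalise address + mask to the network it actually selects.
    IOS ACLs carry a wildcard mask (0.0.0.255); PIX output shows a netmask
    (255.255.255.0). Host bits are dropped either way, which is why
    '172.29.192.110 0.0.0.255' still selects 172.29.192.0/24."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= 0xFFFFFFFF  # invert wildcard bits into a netmask
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(m))), strict=False)


def proxy_identity(line, wildcard):
    """Return the (source, destination) network pair a 'permit ip' line selects."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError(f"not a 'permit ip' line: {line!r}")
    return (to_network(m.group(1), m.group(2), wildcard),
            to_network(m.group(3), m.group(4), wildcard))


def find_collisions(acls, wildcard=True):
    """Group devices whose crypto ACLs reduce to the same proxy identity.
    Peers in one group present identical traffic selectors to the PIX, so their
    dynamic crypto map entries protect the same subnet pair and cannot be told
    apart by selector alone."""
    groups = {}
    for name, line in acls.items():
        groups.setdefault(proxy_identity(line, wildcard), []).append(name)
    return {ident: names for ident, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for ident, names in find_collisions(ROUTER_ACLS).items():
        print(f"{ident[0]} -> {ident[1]} is claimed by {', '.join(names)}")
```

Running it on the two proposed ACLs reports a collision, because the 0.0.0.255 wildcard discards the .110 and .120 host bits; host entries (wildcard 0.0.0.0) give each router a distinct identity.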