Easy VPN server on PIX, only allow 1 remote user

k-vo
Level 1

Hi everyone,

I set up a PIX firewall 515E as an easy VPN server to secure remote VPN client connections over the Internet, and it does appear that only one user can establish a VPN session with the VPN server at any single time. Does anyone know how to make this code work with multiple VPN client connections? Thank you for your help.

sysopt connection permit-ipsec
ip local pool Vendor x.x.x.1-x.x.x.254
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map Vendor 1 set transform-set myset
crypto map ExternalUsers 1 ipsec-isakmp dynamic Vendor
crypto map ExternalUsers interface outside
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup External-grp address-pool Vendor
vpngroup External-grp idle-time 1800
vpngroup External-grp password ********

2 Replies

gfullage
Cisco Employee

There's nothing in the PIX config sample you've provided that would limit only one VPN connection at a time. To be honest I don't even know how you'd do that, other than only have one IP address in your pool, which you haven't got.

Are you trying to connect more than one client with both of the clients being behind a device doing NAT/PAT? You might find this is the problem, in that the device is PAT'ing them incorrectly (IPSec and PAT don't mix well), and so when the second client connects it disconnects the first, simply because the PAT device can't separate the two.

Try connecting two devices from different places, and see if that works better. If that works, then you'll need to check out the manufacturer's web site of whatever device both clients are behind to see if they support PAT'ing IPSec traffic.
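
Added example, not part of the reply above or of any Cisco code: a simplified Python model of why two IPSec clients behind one PAT device can knock each other off. It assumes a PAT box that keys return traffic on protocol, peer and translated port, and it goes beyond the thread by contrasting raw ESP with ESP carried in UDP port 4500 (NAT traversal); `PatDevice`, `Packet`, `reachable_clients` and all addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # raw ESP has no port fields


class PatDevice:
    """Toy PAT box: rewrites source ports and remembers who owns each return flow."""

    def __init__(self) -> None:
        self.next_port = 20000
        self.return_flows = {}  # return-traffic key -> inside client IP

    def outbound(self, pkt: Packet) -> None:
        if pkt.src_port is None:
            # Nothing to rewrite: the return key is only (protocol, peer),
            # so a second client overwrites the first client's entry.
            key = (pkt.proto, pkt.dst_ip)
        else:
            # One packet per client in this model, so each gets a fresh port.
            key = (pkt.proto, pkt.dst_ip, self.next_port)
            self.next_port += 1
        self.return_flows[key] = pkt.src_ip


def reachable_clients(udp_encapsulated: bool) -> list:
    """Return the inside clients whose return traffic the PAT box can still deliver."""
    pat = PatDevice()
    server = "198.51.100.1"  # constructed VPN server address
    for client in ("192.168.1.10", "192.168.1.11"):  # constructed inside hosts
        if udp_encapsulated:
            pat.outbound(Packet(UDP, client, server, src_port=4500))
        else:
            pat.outbound(Packet(ESP, client, server))
    return sorted(set(pat.return_flows.values()))


if __name__ == "__main__":
    print("raw ESP:        ", reachable_clients(False))
    print("ESP in UDP/4500:", reachable_clients(True))
```

Real PAT devices differ in how they track ESP, so treat the model as an explanation of the symptom rather than a description of any particular product.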

alleyslair
Level 1

Did you resolve this problem? If so, how? Thanks.