IPSec and NAT problem?

chan-kuen.hui
Level 1

Dear All,

One remote site has a router doing PAT. Workstations at the remote site are on 192.168.1.x/24 and are PATed to the router's WAN public IP. Workstations at the remote site will use the Cisco VPN client to connect to the PIX at the main site.

Can multiple VPN clients at the remote site connect to the PIX 515E at the main site at the same time? And how can it be done?

Thanks.

C.K.

2 Replies

jmia
Level 7

Yes, you should be OK with this – the only thing to remember here is that if your remote users are connecting back to your central site PIX from behind a PAT device, then you’ll require NAT-Traversal applied on your central site PIX.

Here’s an example that should do the trick…

access-list nonat permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128
access-list 100 permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128
ip local pool RASPool 10.0.2.1-10.0.2.100
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set vpn_users esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpn_users
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnras address-pool RASPool
vpngroup vpnras dns-server
vpngroup vpnras wins-server
vpngroup vpnras default-domain
vpngroup vpnras idle-time 1800
vpngroup vpnras password
vpngroup vpnras split-tunnel 100

The above crypto access-list mask (255.255.255.128) will provide 100 IP addresses for the VPN users; you can increase this to suit your needs.

Hope this helps and let me know how you get on.

Jay

jmia
Level 7

Sorry, a slight typo in my previous post. The RAS IP pool range should be: ip local pool RASPool 10.0.6.1-10.0.6.100

and NOT ip local pool RASPool 10.0.2.1-10.0.2.100

Jay
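The two replies above illustrate the two things that make this setup work: `isakmp nat-traversal` must be present for clients behind PAT, and the address pool handed to the VPN clients must fall inside the network that the `nat (inside) 0` exemption list references, which is exactly the typo Jay corrected. The following is an added example (not code from the thread or from Cisco) that parses a PIX-style config and checks both conditions; the sample config is constructed from the posted lines, with the original, uncorrected pool range.

```python
import ipaddress
import re

# Constructed sample: the posted config, reduced to the lines the checks use,
# with the pool range as originally posted (10.0.2.x is outside 10.0.6.0/25).
PIX_CONFIG_ORIGINAL = """\
access-list nonat permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128
access-list 100 permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128
ip local pool RASPool 10.0.2.1-10.0.2.100
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp nat-traversal
vpngroup vpnras address-pool RASPool
vpngroup vpnras split-tunnel 100
"""

def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} for each 'ip local pool' line."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                            ipaddress.ip_address(m.group(3)))
    return pools

def parse_acl_destinations(config, acl_name):
    """Return the destination networks of the 'permit ip' entries in acl_name."""
    pat = rf"^access-list {re.escape(acl_name)} permit ip \S+ \S+ (\S+) (\S+)"
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in re.finditer(pat, config, re.M)]

def check_ras_config(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not re.search(r"^isakmp nat-traversal", config, re.M):
        findings.append("isakmp nat-traversal missing: clients behind PAT will fail")
    nonat = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    exempt = parse_acl_destinations(config, nonat.group(1)) if nonat else []
    pools = parse_pools(config)
    for group, name in re.findall(r"^vpngroup (\S+) address-pool (\S+)", config, re.M):
        if name not in pools:
            findings.append(f"vpngroup {group}: pool {name} is not defined")
            continue
        first, last = pools[name]
        # Every pool address must sit inside a network the nat 0 list exempts,
        # otherwise inside hosts get PATed when replying to VPN clients.
        if not any(first in net and last in net for net in exempt):
            findings.append(f"pool {name} {first}-{last} is not covered by the nat 0 exemption")
    return findings
```

Running `check_ras_config(PIX_CONFIG_ORIGINAL)` flags the 10.0.2.x pool; swapping in the corrected 10.0.6.1-10.0.6.100 range returns no findings.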