12-08-2005 10:15 AM - edited 02-21-2020 02:08 PM
Hi there,
I have a client who is trying to connect multiple clients through the same shared cable NAT'ed internet connection - when the 2nd client connects, the 1st is kicked out.
Can someone tell me if this is 'normal' and suggest a way of working around the issue?
The VPN clients are connecting to an IOS router (1710) using 3DES IPsec.
Thanks,
Peter.
12-08-2005 03:25 PM
Please post the entire config with the public IP masked.
With PIX, there is a command to permit NAT-T; whereas the IOS router has no such command, as it supports it by default.
12-12-2005 04:56 AM
Thanks for the response. Here it is:
Current configuration : 4592 bytes
!
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname abz-r
!
aaa new-model
!
!
aaa authentication login ruser local
aaa authorization network rgroup local
aaa session-id common
enable secret xxxx
enable password ****
!
username ****** password *******
username ****** privilege 15 password ******
memory-size iomem 20
ip subnet-zero
!
!
ip domain name rgroup.com
!
ip inspect name Firewall-in tcp
ip inspect name Firewall-in ftp
ip inspect name Firewall-in smtp
ip inspect name Firewall-in http
ip inspect name Firewall-in udp
ip inspect name Firewall-in tftp
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 12
!
crypto isakmp client configuration group rclient
key ********
dns 10.10.10.1
wins 10.10.10.1
domain rgroup.com
pool ippool
!
!
crypto ipsec transform-set lanTolan ah-sha-hmac esp-des
crypto ipsec transform-set clientset esp-des esp-md5-hmac
!
crypto dynamic-map dynamap 10
set transform-set clientset
!
!
crypto map LANmap local-address Ethernet0
crypto map LANmap client authentication list ruser
crypto map LANmap isakmp authorization list rgroup
crypto map LANmap client configuration address respond
crypto map LANmap 10 ipsec-isakmp dynamic dynamap
!
!
!
!
interface Ethernet0
description **Internet Side -
ip address *************
ip access-group 105 in
ip nat outside
ip inspect Firewall-in out
no ip mroute-cache
half-duplex
no cdp enable
crypto map LANmap
!
interface FastEthernet0
description **Ethernet private network**
ip address 10.10.10.254 255.255.255.0
ip nat inside
ip route-cache flow
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
!
ip local pool ippool 193.168.1.1 193.168.1.10
ip nat inside source route-map ipsecrm interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 **********
no ip http server
ip pim bidir-enable
!
!
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended timeout
ip access-list extended wins-servers
!
access-list 105 permit tcp any any eq smtp
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 10.10.10.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 traceroute
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 unreachable
access-list 105 permit gre any any
access-list 105 permit esp any any
access-list 105 permit udp any eq isakmp any
access-list 105 permit udp any eq isakmp any eq isakmp
access-list 105 permit ahp any any
access-list 105 permit udp any eq 10000 any eq 10000
access-list 105 permit ip 193.168.1.0 0.0.0.255 any
!
access-list 115 deny ip 192.168.1.0 0.0.0.255 193.168.1.0 0.0.0.15
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 10.10.10.0 0.0.0.255 193.168.1.0 0.0.0.15
access-list 115 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
!
route-map ipsecrm permit 10
match ip address 115
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password *****
!
end
Will be changing to RADIUS authentication for clients via a win2000/2003 box.
cheers,
Peter.
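To see which IPsec-related flows the posted inbound ACL 105 actually permits, here is an added example (not code from this thread or from Cisco): a small first-match evaluator in Python over the IPsec entries of that ACL. It models protocol and ports only, not addresses, and the sample flows and their source ports are constructed.

```python
import re
# Constructed excerpt: the IPsec-related entries of ACL 105 from the posted
# config, in original order. Only protocol and ports are evaluated below;
# address fields are consumed but ignored (these entries all use "any").
ACL_105 = """
access-list 105 permit esp any any
access-list 105 permit udp any eq isakmp any
access-list 105 permit udp any eq isakmp any eq isakmp
access-list 105 permit ahp any any
access-list 105 permit udp any eq 10000 any eq 10000
"""
NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}  # only the names needed here
def _take_addr(toks):  # consume 'any' | 'host A' | 'A wildcard'
    return toks[1:] if toks[0] == "any" else toks[2:]
def _take_port(toks):  # consume optional 'eq <port>'; None means any port
    if toks and toks[0] == "eq":
        return (int(toks[1]) if toks[1].isdigit() else NAMED_PORTS[toks[1]]), toks[2:]
    return None, toks

def parse_ace(line):
    """Return (action, proto, src_port, dst_port) for an extended ACE, else None."""
    m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.*)", line.strip())
    if not m:
        return None
    action, proto, rest = m.groups()
    src_port, toks = _take_port(_take_addr(rest.split()))
    dst_port, _ = _take_port(_take_addr(toks))
    return action, proto, src_port, dst_port

def evaluate_acl(acl_text, proto, src_port, dst_port):
    """First-match evaluation of one flow; implicit deny if nothing matches."""
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        action, a_proto, a_src, a_dst = ace
        if a_proto in (proto, "ip") and a_src in (None, src_port) and a_dst in (None, dst_port):
            return action
    return "deny"

# Constructed flows an IPsec client may send to the outside interface; a NAT
# between client and router may rewrite the source port.
FLOWS = [("IKE, source port 500 preserved", "udp", 500, 500),
         ("IKE, source port rewritten by NAT", "udp", 31337, 500),
         ("NAT-T (UDP 4500)", "udp", 4500, 4500),
         ("Cisco IPsec over UDP 10000", "udp", 10000, 10000),
         ("ESP (IP protocol 50)", "esp", None, None)]

if __name__ == "__main__":
    for name, proto, sp, dp in FLOWS:
        print(f"{name:36s} -> {evaluate_acl(ACL_105, proto, sp, dp)}")
```

As posted, ACL 105 has no entry for UDP 4500, and its IKE entries only match packets whose source port is still 500; whether either matters for these clients depends on what the client and router negotiate, which the thread does not show.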
12-28-2005 01:47 PM
Here is a link that may help:
Configuring Multiple VPN Clients to a Cisco VPN 3000 Concentrator Using NAT-Traversal
09-19-2007 07:15 AM
I have the exact same issue. Were you able to come up with a good configuration on your 1710? Please advise. Thanks.