Problems connecting to a customer VPN

onlinegamer
Level 1

We have developers here that need access to a VPN, but it will only allow one connection. If someone else tries to connect from this network, the other user that is currently connected will be kicked off. The admin responsible for the Cisco VPN says it is not a problem on his end but ours. We have a WatchGuard firewall, and IPsec is set to allow all traffic in and out. Now, if I give a developer an external IP, he can connect to the VPN without kicking the other user off. So I think there is an issue with everyone here connecting to this VPN using the same username and it coming from one IP address, which is our firewall. I don't want to give everyone here an external IP to solve this problem, and the admin of the VPN is positive it is a problem with our network config and not his. I have been trying to solve this problem for weeks now, so any help would be appreciated. Thank you.

5 Replies

mhussein
Level 4

Hi,

Usually this problem is solved by implementing "NAT Transparency" or "NAT Traversal". This feature allows multiple VPN clients behind a NAT/PAT device (the WatchGuard firewall in this case) to connect to the VPN gateway using one PAT'd IP address.

I guess you can ask the VPN admin if this feature is supported or enabled on their side.

The documents below describe NAT-T configurations on different VPN gateways:

PIX firewall

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1057446

VPN3000 Concentrator

http://www.cisco.com/warp/public/471/cvpn_3k_nat.html

Router

http://www.cisco.com/warp/public/707/ios-ipsec-nat-vpnclient.html

VPN Client

http://www.cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client

HTH,

Mustafa

Thank you for responding, mhussein, that is some useful info. The clients are set up for NAT/PAT, so do we have to enable NAT transparency and NAT traversal on the router that is hosting the VPN? Or do we have to have this enabled on both ends for it to work?

The NAT-T feature is supported and automatically enabled on recent router IOS versions. There is no special setup required on the router other than the optional "crypto isakmp nat keepalive".

So the requirements are:

1. The VPN client has to be configured for "IPSec over UDP (NAT/PAT)".

2. The router has to be upgraded to an IOS version that supports "IPSec Transparency" feature - IOS ver 12.3(13) for most router platforms.
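The following is an added example, not code from the thread or from Cisco, that models the mechanism behind this answer: a PAT firewall can only keep one raw-ESP (IP protocol 50) session per destination gateway because ESP has no port field to rewrite, so the second client toward the same gateway displaces the first, which is exactly the "other user gets kicked off" symptom. With NAT-T the IKE peers detect the NAT with RFC 3947 NAT-D hashes and then carry ESP inside UDP/4500 (RFC 3948), which the PAT device can multiplex like any other UDP traffic. The Cisco client's "IPSec over UDP" option rests on the same idea of putting ESP inside UDP. All addresses, ports, and IKE cookies here are constructed sample values, and the PAT behaviour is a simplified model of a firewall without special ESP multiplexing.

```python
"""
Added example, not from the thread: a small model of a PAT firewall that
shows why two IPsec clients behind one public address cannot both keep a
raw-ESP tunnel to the same gateway, and why NAT-T (RFC 3947/3948: NAT-D
detection in IKE, then ESP in UDP/4500) lets them coexist.
Addresses, ports and IKE cookies are constructed sample values.
"""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ESP = 50   # IP protocol number for ESP: the header carries SPIs, not ports
UDP = 17


@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: int
    src_port: Optional[int]    # None for ESP
    dst_ip: str
    dst_port: Optional[int]    # None for ESP


@dataclass
class PatDevice:
    """Firewall that hides every inside host behind one public address."""
    public_ip: str
    next_port: int = 40000
    # (proto, public port or None, dst_ip) -> inside flow that owns the slot
    table: Dict[tuple, Flow] = field(default_factory=dict)

    def translate(self, f: Flow) -> Tuple[Flow, Optional[Flow]]:
        """Return (outside flow, inside flow evicted by this one or None)."""
        if f.proto == ESP:
            # No port to rewrite. The only thing a plain PAT box can key on
            # is the destination gateway, so a second inside host toward the
            # same gateway takes over the single mapping.
            key = (ESP, None, f.dst_ip)
            evicted = self.table.get(key)
            if evicted == f:
                evicted = None
            self.table[key] = f
            return Flow(self.public_ip, ESP, None, f.dst_ip, None), evicted
        # UDP (or TCP): every inside socket gets its own public port, so
        # replies can be demultiplexed back to the right inside host.
        for key, inside in self.table.items():
            if inside == f:
                return Flow(self.public_ip, f.proto, key[1], f.dst_ip, f.dst_port), None
        port = self.next_port
        self.next_port += 1
        self.table[(f.proto, port, f.dst_ip)] = f
        return Flow(self.public_ip, f.proto, port, f.dst_ip, f.dst_port), None


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), SHA-1 here."""
    ip_bytes = bytes(int(o) for o in ip.split("."))
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_between(cky_i: bytes, cky_r: bytes,
                sender_view: Tuple[str, int], receiver_view: Tuple[str, int]) -> bool:
    """The receiver recomputes NAT-D over the source address and port it
    actually saw on the wire; a mismatch means something rewrote them."""
    return nat_d(cky_i, cky_r, *sender_view) != nat_d(cky_i, cky_r, *receiver_view)


def connect_clients(nat_t: bool, clients=("10.0.0.11", "10.0.0.12"),
                    gateway="203.0.113.10", public_ip="198.51.100.1") -> Dict[str, object]:
    """Bring up each client behind the PAT device in turn and report which
    inside hosts still own a data-plane mapping to the gateway afterwards."""
    pat = PatDevice(public_ip)
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8     # constructed IKE cookies
    evictions: List[Tuple[str, str]] = []
    for c in clients:
        # IKE phase 1 on UDP/500; the gateway only ever sees the PAT'd source.
        ike_out, _ = pat.translate(Flow(c, UDP, 500, gateway, 500))
        detected = nat_between(cky_i, cky_r, (c, 500), (ike_out.src_ip, ike_out.src_port))
        assert detected                      # every client here sits behind the PAT
        if nat_t:
            data = Flow(c, UDP, 4500, gateway, 4500)   # ESP encapsulated in UDP/4500
        else:
            data = Flow(c, ESP, None, gateway, None)   # raw ESP, IP protocol 50
        _, evicted = pat.translate(data)
        if evicted is not None:
            evictions.append((evicted.src_ip, c))
    active = sorted({inside.src_ip for inside in pat.table.values()
                     if inside.proto == ESP or inside.src_port == 4500})
    return {"active": active, "evictions": evictions}


if __name__ == "__main__":
    print("raw ESP:", connect_clients(nat_t=False))
    print("NAT-T  :", connect_clients(nat_t=True))
```

Running it shows the second client evicting the first in the raw-ESP case and both clients holding distinct UDP/4500 mappings with NAT-T. The same check the thread suggests applies in practice: if the gateway does not offer NAT-T (or the client is not set to encapsulate in UDP), the data plane falls back to raw ESP and the PAT device is back to one tunnel per gateway.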

I passed this on to the admin who is out of town right now so hopefully he will get back to me soon. So what happens if he comes back and says this is enabled? Can you think of anything else that would cause this problem?

I can't think of anything else; as long as the clients' outbound traffic is allowed on all ports, NAT-T usually works.