2 vpn clients on Home LAN

I have two employees (a married couple) that recently started working from home. The problem is that only one PC can run the vpn client from home at a time.

I'm running a pix 515 v.6.1. They are running ADSL with one dynamic public IP. Internally they have a 2WIRE 1800HG modem/router. Both are using win xp sp2.

Can someone give me some tips on how I can allow both systems to connect to the home office at the same time?

THANKS!

Reply to
Som

This is an issue with NAT. Since your employee's home router has one public IP address, two traditional IPSec (ESP & AH) VPN sessions can't occur at the same time. You will have to implement IPSec NAT Traversal (IPSec over UDP) on the PIX, and in the client your employees are using.

In the PIX, use the global command

isakmp nat-traversal

Reply to
Mark Williams

"Mark Williams" wrote in news: snipped-for-privacy@i39g2000cwa.googlegroups.com:

Excuse my ignorance, but will this change the connection settings for all of the other existing clients or will it only affect the 2 in question/anyone else with this problem?

Thanks for your patience.

Reply to
Som

NAT traversal is negotiated for clients that support it. If a client and the PIX both support NAT traversal (IPSec over UDP), it will be chosen as the preferred method for the connection. If a client does not support it, you can still use traditional IPSec.

In other words, using the isakmp nat-traversal command *allows* the PIX to use IPSec NAT traversal, but doesn't force all connections to use it. I think!

Keep in mind that the maximum number of traditional IPSec connections your PIX can support is set by the number of globally routable addresses available at the outside interface. If you have a pool of, say, 13 routable addresses assigned at the outside interface, you can support a max of 13 traditional IPSec sessions. If you enable nat traversal, you would be able to support many more connections.

Reply to
Mark Williams

Not quite -- if both ends support (and have enabled) NAT-T, then the protocol will probe to determine which directions are NAT'd, and only encapsulates into UDP where necessary. For example, it is in theory capable of encapsulating AH packets (which cannot survive any form of NAT) but having ESP packets (which can survive 1-to-1 NAT but not PAT) go unencapsulated for the same tunnel.

Encapsulation is not used unless it is necessary, because the encapsulation process lowers the effective MTU and is thus less efficient.

Not as phrased.

The PIX does not know how to play games with SPI (System Parameter Index) to "identify" an ESP session [as some manufacturers have implemented apparently], so Yes, each ESP session which *passes through* the PIX requires a unique outside IP. {Global routability is not a strict criterion, by the way, since the other end of the link is not necessarily reached through public IP space.}

My "Not as phrased" comment was because your phrasing did not make clear that the limit was on pass-through traffic. If the IPSec connections terminate -at- the PIX, then the number of outside addresses available does not matter: the PIX uses its own IP address for all tunnels that terminate -at- the PIX.

Reply to
Walter Roberson
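To make concrete what Mark and Walter describe above (plain ESP has no port numbers, so a gateway that does not demultiplex on the SPI sees every ESP peer behind one PAT address as a single session, while NAT-T carries ESP inside UDP/4500 and the PAT-rewritten source port keeps the peers apart), here is a small added illustration. It is example code written for this thread, not anything posted by the participants or shipped with the PIX. The packet records, the 203.0.113.5 address and the SPI values are constructed; the UDP/4500 demultiplexing rules (four-byte zero non-ESP marker for IKE, one 0xFF byte for keepalives, otherwise ESP) are those of RFC 3948, and the "key on outer IP only" behaviour models the PIX as Walter describes it.

```python
import struct
from collections import defaultdict

# RFC 3948: inside UDP/4500, IKE is prefixed with a zero "non-ESP marker",
# a NAT keepalive is a single 0xFF byte, and anything else is an ESP packet
# (whose first four bytes, the SPI, are never zero).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def classify_natt_payload(payload: bytes) -> str:
    """Classify a UDP/4500 payload the way a NAT-T peer demultiplexes it."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:
        return "esp"
    return "unknown"


def parse_esp_header(payload: bytes):
    """Return (SPI, sequence number) from the fixed 8-byte ESP header (RFC 4303)."""
    if len(payload) < 8:
        raise ValueError("ESP header needs at least 8 bytes")
    return struct.unpack("!II", payload[:8])


def esp_sessions(packets, demux_on_spi=False):
    """Group ESP traffic into the sessions a gateway would see.

    Plain ESP (IP protocol 50) carries no ports, so a gateway that does not
    key on the SPI can only tell peers apart by outer source IP.  NAT-T ESP
    (UDP/4500) also carries the source port that the home router's PAT
    rewrote per inside host.  Returns {session_key: set of SPIs under it}.
    """
    sessions = defaultdict(set)
    for pkt in packets:
        if pkt["proto"] == 50:                       # raw ESP
            spi, _ = parse_esp_header(pkt["payload"])
            key = (pkt["src_ip"], spi) if demux_on_spi else (pkt["src_ip"],)
        elif pkt["proto"] == 17 and pkt["dst_port"] == 4500:   # NAT-T
            if classify_natt_payload(pkt["payload"]) != "esp":
                continue                             # IKE / keepalive: no SA
            spi, _ = parse_esp_header(pkt["payload"])
            key = (pkt["src_ip"], pkt["src_port"])
        else:
            continue
        sessions[key].add(spi)
    return dict(sessions)


def colliding_keys(sessions):
    """Session keys under which more than one SPI (more than one peer) landed."""
    return sorted(k for k, spis in sessions.items() if len(spis) > 1)


# --- constructed sample traffic: two home PCs behind one ADSL address ------
def build_esp(spi, seq, body=b"\x00" * 16):
    return struct.pack("!II", spi, seq) + body


PUBLIC_IP = "203.0.113.5"   # constructed: the couple's single public IP
PC_A_SPI, PC_B_SPI = 0x1111AAAA, 0x2222BBBB   # constructed SPIs

# Without NAT-T both PCs arrive as protocol 50 from the same address.
PLAIN_ESP_PACKETS = [
    {"proto": 50, "src_ip": PUBLIC_IP, "payload": build_esp(PC_A_SPI, 1)},
    {"proto": 50, "src_ip": PUBLIC_IP, "payload": build_esp(PC_B_SPI, 1)},
]

# With NAT-T the router's PAT gives each PC its own outer source port.
NATT_PACKETS = [
    {"proto": 17, "src_ip": PUBLIC_IP, "src_port": 4500, "dst_port": 4500,
     "payload": build_esp(PC_A_SPI, 1)},
    {"proto": 17, "src_ip": PUBLIC_IP, "src_port": 1025, "dst_port": 4500,
     "payload": build_esp(PC_B_SPI, 1)},
    {"proto": 17, "src_ip": PUBLIC_IP, "src_port": 1025, "dst_port": 4500,
     "payload": NON_ESP_MARKER + b"\x00" * 28},   # IKE inside UDP/4500
    {"proto": 17, "src_ip": PUBLIC_IP, "src_port": 1025, "dst_port": 4500,
     "payload": NAT_KEEPALIVE},
]

if __name__ == "__main__":
    plain = esp_sessions(PLAIN_ESP_PACKETS)
    print("plain ESP, keyed on IP only:", plain, "collisions:", colliding_keys(plain))
    print("plain ESP, keyed on IP+SPI:", esp_sessions(PLAIN_ESP_PACKETS, demux_on_spi=True))
    natt = esp_sessions(NATT_PACKETS)
    print("NAT-T ESP, keyed on IP+port:", natt, "collisions:", colliding_keys(natt))
```

Run as-is, the plain-ESP case shows both SPIs stacked under the single key ("203.0.113.5",), which is the "one PC at a time" symptom from the first post; keying on the SPI as well, or switching to NAT-T where the key becomes (IP, port), yields two distinct sessions. On a capture from the outside interface the same classifier can confirm whether a client actually negotiated NAT-T (ESP arriving on UDP/4500) or fell back to raw protocol 50, which is the first thing to check when one of the two PCs still cannot connect.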

For IPSec tunnel mode I believe, but does the same hold true for transport mode?

I've seen non-NATed transport mode connections to a PIX fail because the outside address pool was exhausted.

Reply to
Mark Williams

Good question. I have never used transport mode (never really seen the point), but thinking about the documentation of it, you might be correct.

Reply to
Walter Roberson

Upgrade to 6.3 at once! And issue the cmd isakmp nat-t. Use the Cisco VPN client for IPSEC ver 4.x

np MARTIN

8)
Reply to
Martin Bilgrav
