Multiple VPN Connections Outbound from Behind PIX

We have recently discovered a wonderful "feature" in the PIX at my office. Here's the scenario...

One person on our LAN connects from their laptop through our PIX and to a customer site using the Cisco VPN client.

Another person on our LAN tries to connect from their laptop through our PIX and to the same or different customer site using the Cisco VPN client. This second person is unable to connect.

Once the first person has disconnected for 10 minutes (the xlate cache?) then the next person can connect to the customer site.

Maybe it's something simple, or a limitation on the PIX, or a configuration change that needs to be made, but it drives us crazy here.

We have a PIX 515R with 6.3.4 running on it.

Any thoughts?

-- Jim


In article , Jim wrote:
:We have recently discovered a wonderful "feature" in the PIX at my
:office.

It's a "feature" that is documented.

:Another person on our LAN tries to connect from their laptop through
:our PIX and to the same or different customer site using the Cisco VPN
:client. This second person is unable to connect.

:We have a PIX 515R with 6.3.4 running on it.

Turning on isakmp nat-traversal 20 might solve the problem (though really the change should be made to the PIX at the other end.)

The problem is inherent in the way IPSec works. IPSec uses *protocol* 50 (ESP) [not *port* 50]. If you are using PAT (Port Address Translation) then because ESP has no equivalent to a port number, there is no way for the PIX to figure out which inside client to forward returning ESP packets to. nat-traversal encapsulates ESP packets inside of UDP packets and so avoids the problem.

If you cannot use NAT-T then you either have to stick with one client at a time, or else you have to use one-to-one NAT instead of PAT. You don't necessarily need to static map your addresses: a 'global' listing an IP range does just as well [but keep in mind that such ranges will always be used before PAT, so other hosts will tend to grab the global IPs first...]

-- Walter Roberson
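To make the two options in the reply above concrete, here is an added PIX 6.3 configuration example; it is not from the thread or from Cisco, and the addresses (inside LAN 192.168.1.0/24, public block 203.0.113.0/24, the nat_id 1) are assumptions chosen for illustration. The first part is what the office PIX that the clients sit behind would carry to give each VPN client its own global address; the second part is the single NAT-T line that belongs on the customer's PIX acting as the VPN headend, since the office PIX is only a NAT device in the path and is not the IPSec peer.

```cisco
! ---- Office PIX 515 (6.3.4): NAT device in front of the VPN clients ----
! Assumed addressing: inside LAN 192.168.1.0/24, public block 203.0.113.0/24.
!
! Dynamic one-to-one pool. An inside host that initiates outbound traffic
! claims one global address from this range for itself, so a returning ESP
! packet (IP protocol 50, no port to demultiplex on) is steered to the right
! client by its destination IP alone. One entry per concurrent VPN user.
global (outside) 1 203.0.113.10-203.0.113.19 netmask 255.255.255.0
!
! PAT address used only once the pool is exhausted. The PIX hands out range
! addresses before falling back to PAT, so ordinary web/mail hosts will also
! consume pool entries; size the range with that in mind, or put the VPN
! users in their own nat/global pair.
global (outside) 1 203.0.113.20 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
!
! After changing nat/global, existing translations keep their old form:
!   show xlate        - confirm each VPN client holds its own global IP
!   clear xlate       - flush stale PAT entries (drops current sessions)

! ---- Customer PIX (6.3) acting as the VPN headend ----
! NAT traversal: when a NAT/PAT device is detected between client and
! headend, ESP is carried inside UDP/4500, so PAT has a source port to key
! each client's translation on and the one-to-one pool above is not needed.
! "20" is the NAT-T keepalive interval in seconds.
isakmp nat-traversal 20
```

Only one of the two parts is required: if the far end enables NAT-T (and the Cisco VPN client has transparent tunneling / IPSec over UDP enabled), the office PIX can keep plain PAT; if the far end cannot be changed, the global range on the office PIX is the workaround, limited to as many simultaneous tunnels as there are addresses in the pool.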

I will look into that... thank you very much for your help!

-- Jim


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.