
help with 2 simultaneous internal users trying to VPN (Cisco s/w) to extern

tammyheal
Level 1

Hello all,

We are a small office running Small Business Server 2003 - which means we're running the ISA 2004 firewall.

An external company has provided us with Cisco VPN software (ver403a) to access their network/secure web site.

A single user has been able to successfully connect to the company's network for quite some time. This was working just fine until two users tried to connect at the same time, using the same VPN user ID. We were told by the company that this should work, but it simply isn't, so we requested a second VPN user ID to test with.

Now what happens is that User A will connect successfully and User B can connect successfully at the same time; however, even though User B is connected, and you even see an IP assigned to the VPN adaptor, the user cannot ping the company's web site and then of course can't access it. Very strange indeed!

I went back to the company and told them about our dilemma and we were told that it's nothing at their end but a routing/NAT issue at our end. So here I am now seeking some assistance from hopefully some Cisco experts. :-)

Appropriate ports have been opened in ISA and again both users will get connected to the VPN just fine; it is just that the second user can't go any further.

It's been suggested to me that perhaps it's not a routing issue but that the company's Cisco VPN server/box is rejecting the second connection because it's coming from the same IP address, which would be the IP address of our ISA server's external network card.

If anyone has any suggestions as to how to fix this I would be so grateful!

Thank you very much.

Tammy

2 Accepted Solutions

4 Replies

tstanik
Level 5

Configuring multiple VPN tunnels to the same device (same public IP address) is not possible since it is not possible to have more than one IPsec Security Association (SA) for the same peer. However, it is possible to configure multiple VPN tunnels to multiple devices. In your case, if your client PCs are using public IP addresses they both can simultaneously connect to the remote end VPN server. However, if you are using a single public IP address then it is not possible to have multiple VPN connections. If you have only one IP from your ISP then it would have to do PAT and you won't be able to have both VPN clients connect at the same time.

Thank you very much for the info...it looks like we will have to set up a site-to-site VPN tunnel after all...just waiting to get the info from their end to proceed.

No biggy...this should be short term anyhow as they'll eventually be setting up secure access via a web site soon.

Thanks again for taking the time to reply! :-)

Tammy

guibarati
Level 4

They have to enable NAT-T on their device; you don't need any change.

Thank you very much for your input....for now we're just going to have to set up a VPN tunnel....until their secure web site is ready.

Thanks again!

Tammy :-)
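
The behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of a PAT device with one public address, comparing raw ESP (IP protocol 50, which has no ports) with NAT-T (ESP carried in UDP port 4500). The addresses and the PAT policy of keying raw ESP by remote peer only are assumptions; real NAT devices differ in how they handle ESP.

```python
"""Constructed model: two inside VPN clients behind one PAT address."""
ESP, UDP = 50, 17
PUBLIC_IP = "203.0.113.10"   # constructed: the office's single public address
VPN_PEER = "198.51.100.20"   # constructed: the remote VPN device


class PatDevice:
    def __init__(self):
        self.next_port = 40000
        self.udp_out = {}   # (inside_ip, inside_port, remote_ip) -> public port
        self.udp_in = {}    # (public_port, remote_ip) -> (inside_ip, inside_port)
        self.esp_in = {}    # remote_ip -> inside_ip (ESP has no ports to key on)

    def outbound(self, proto, inside_ip, remote_ip, sport=None):
        """Translate an outbound packet; return the source the peer sees."""
        if proto == UDP:
            key = (inside_ip, sport, remote_ip)
            if key not in self.udp_out:
                self.udp_out[key] = self.next_port
                self.udp_in[(self.next_port, remote_ip)] = (inside_ip, sport)
                self.next_port += 1
            return (PUBLIC_IP, self.udp_out[key])
        # Raw ESP (assumed policy): first inside host to reach a peer owns it.
        self.esp_in.setdefault(remote_ip, inside_ip)
        return (PUBLIC_IP, None)

    def inbound(self, proto, remote_ip, dport=None):
        """Return the inside host a reply is delivered to, or None if dropped."""
        if proto == UDP:
            hit = self.udp_in.get((dport, remote_ip))
            return hit[0] if hit else None
        return self.esp_in.get(remote_ip)


def replies_reach(nat_t):
    """Send tunnel traffic from two inside clients and report which inside
    host receives the peer's reply to each of them."""
    pat, result = PatDevice(), {}
    for client in ("192.168.16.11", "192.168.16.12"):  # constructed hosts
        if nat_t:   # ESP wrapped in UDP 4500, so PAT can rewrite the port
            _, pub_port = pat.outbound(UDP, client, VPN_PEER, sport=4500)
            result[client] = pat.inbound(UDP, VPN_PEER, dport=pub_port)
        else:       # raw ESP: only the peer address identifies the flow
            pat.outbound(ESP, client, VPN_PEER)
            result[client] = pat.inbound(ESP, VPN_PEER)
    return result
```

Without NAT-T the second client's return traffic is delivered to the first client, which matches a tunnel that shows as connected but passes no data; with NAT-T each client gets its own translated UDP port and receives its own replies.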