01-29-2003 04:54 AM - edited 02-21-2020 12:19 PM
Hi,
I want to access the VPN through a firewall/proxy on the client side (VPN Client).
I've installed the VPN gateway as a PIX 515 firewall using Microsoft CA IKE SA.
I want to establish a VPN tunnel from my VPN client through a proxy/firewall.
I've tried at some VPN client sites where the firewall is a Linux box with IPsec and ESP NAT functionality enabled. It's working perfectly, but only for one concurrent VPN client. Also, the first VPN tunnel disconnects when the second user tries to connect, unaware of the first established tunnel.
I heard that we can work around this issue using "NAT Traversal" mode, which comes in PIX IOS 6.3, like the Cisco 3000 Concentrator.
I want to know how NAT Traversal can solve my issue: more than one concurrent user without ESP NAT support in a firewall/proxy setup, or only one concurrent user without ESP NAT support in a firewall/proxy setup.
Thanks,
Karthikeyan V
01-29-2003 09:22 PM
The VPN client is able to detect that it has gone through a NAT/PAT device on the way to the concentrator/PIX, and then if both ends support it, they'll automatically start NAT-T and encapsulate the IPSec packets into UDP port 4500 packets. These are then able to be NAT'd properly and you won't get the disconnections or the problems you're currently seeing.
The reason you see only one client being able to connect and clients being disconnected when another connects is that your PAT device cannot handle the ISAKMP and IPSec packets properly. This is a fairly common symptom.
PIX v6.3 code will support NAT-T, should be available in March sometime.
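The two mechanisms this reply describes, the client detecting that a NAT/PAT device rewrote its addresses and the switch to UDP port 4500 encapsulation, as an added Python example (not code from the thread or from Cisco): the RFC 3947 NAT-D hash check a peer runs during IKE phase 1, and the RFC 3948 demultiplexing of UDP/4500 traffic into keepalive, IKE and ESP. The cookies, addresses and ports are constructed sample values, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import ipaddress

# Constructed sample values (not from the thread): IKE cookies, a client behind
# a PAT device, and the PIX/gateway on a public address.
CKY_I = bytes.fromhex("0011223344556677")   # initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")   # responder cookie
CLIENT_PRIVATE = ("192.168.1.10", 500)      # address the client believes it has
CLIENT_AS_SEEN = ("203.0.113.5", 1025)      # address/port the gateway sees after PAT
GATEWAY = ("198.51.100.1", 500)


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), IP and port in
    network byte order. The hash is the one negotiated in phase 1 (assumed SHA-1)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.new(hash_name, data).digest()


def check_nat_d(cky_i, cky_r, payloads, my_addr, observed_peer_addr, hash_name="sha1"):
    """Receiver side of NAT detection. The sender puts the hash of the peer's
    (destination) address first and one hash per local (source) address after it.
    Returns (peer_behind_nat, self_behind_nat)."""
    my_hash = nat_d_hash(cky_i, cky_r, *my_addr, hash_name)
    seen_hash = nat_d_hash(cky_i, cky_r, *observed_peer_addr, hash_name)
    self_behind_nat = payloads[0] != my_hash          # peer hashed an address that is not ours
    peer_behind_nat = seen_hash not in payloads[1:]   # no peer source address matches what we see
    return peer_behind_nat, self_behind_nat


def classify_udp4500(payload):
    """RFC 3948 demultiplexing of one UDP/4500 datagram once NAT-T is active."""
    if payload == b"\xff":
        return "nat-keepalive"            # single 0xFF byte keeps the PAT mapping alive
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                      # non-ESP marker: an IKE message follows
    if len(payload) >= 8:
        spi = int.from_bytes(payload[:4], "big")   # ESP header; an SPI of zero is reserved
        seq = int.from_bytes(payload[4:8], "big")
        return f"esp spi=0x{spi:08x} seq={seq}"
    return "malformed"


def demo():
    # NAT-D payloads the client sends: gateway address first, then its own private address.
    client_payloads = [nat_d_hash(CKY_I, CKY_R, *GATEWAY), nat_d_hash(CKY_I, CKY_R, *CLIENT_PRIVATE)]
    peer_nat, self_nat = check_nat_d(CKY_I, CKY_R, client_payloads, GATEWAY, CLIENT_AS_SEEN)
    return {"client_behind_nat": peer_nat, "gateway_behind_nat": self_nat}


if __name__ == "__main__":
    print(demo())  # {'client_behind_nat': True, 'gateway_behind_nat': False}
```

Because the gateway recomputes the hash over the translated source address it actually observes, the mismatch is what tells both ends to move to UDP/4500, where the PAT device can track each client by its own source port instead of by the single ESP/ISAKMP flow it cannot distinguish.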
01-30-2003 03:58 AM
Please acknowledge my reply, whether it's correct or not.
From your valuable explanations I found that PIX IOS 6.3 supports NAT-T and that it supports multiple concurrent users through a NAT/PAT device like Linux.
01-30-2003 05:30 PM
Yes, PIX v6.3 will support NAT-T, and if you use the VPN client, which also supports NAT-T, then they'll be able to connect through Linux devices.
v6.3 should be available in March.