
Multiple VPN Clients connecting from the same NAT'ed Connection (IOS)

Unanswered Question

Hi there,

I have a client who is trying to connect multiple clients through the same shared cable NAT'ed internet connection - when the 2nd client connects, the 1st is kicked out.

Can someone tell me if this is 'normal' and suggest a way of working around the issue?

The VPN clients are connecting to an IOS router (1710) using 3DES IPsec.

Thanks,

Peter.

jackko Thu, 12/08/2005 - 15:25

Please post the entire config with the public IP masked.

With PIX there is a command to permit NAT-T, whereas an IOS router has no such command as it supports it by default.

Thanks for the response:-

here:-

Current configuration : 4592 bytes
!
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname abz-r
!
aaa new-model
!
!
aaa authentication login ruser local
aaa authorization network rgroup local
aaa session-id common
enable secret xxxx
enable password ****
!
username ****** password *******
username ****** privilege 15 password ******
memory-size iomem 20
ip subnet-zero
!
!
ip domain name rgroup.com
!
ip inspect name Firewall-in tcp
ip inspect name Firewall-in ftp
ip inspect name Firewall-in smtp
ip inspect name Firewall-in http
ip inspect name Firewall-in udp
ip inspect name Firewall-in tftp
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 12
!
crypto isakmp client configuration group rclient
 key ********
 dns 10.10.10.1
 wins 10.10.10.1
 domain rgroup.com
 pool ippool
!
!
crypto ipsec transform-set lanTolan ah-sha-hmac esp-des
crypto ipsec transform-set clientset esp-des esp-md5-hmac
!
crypto dynamic-map dynamap 10
 set transform-set clientset
!
!
crypto map LANmap local-address Ethernet0
crypto map LANmap client authentication list ruser
crypto map LANmap isakmp authorization list rgroup
crypto map LANmap client configuration address respond
crypto map LANmap 10 ipsec-isakmp dynamic dynamap
!
!
!
!
interface Ethernet0
 description **Internet Side -
 ip address *************
 ip access-group 105 in
 ip nat outside
 ip inspect Firewall-in out
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map LANmap
!
interface FastEthernet0
 description **Ethernet private network**
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable
!
!
ip local pool ippool 193.168.1.1 193.168.1.10
ip nat inside source route-map ipsecrm interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 **********
no ip http server
ip pim bidir-enable
!
!
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended timeout
ip access-list extended wins-servers
!
access-list 105 permit tcp any any eq smtp
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 10.10.10.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 traceroute
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 unreachable
access-list 105 permit gre any any
access-list 105 permit esp any any
access-list 105 permit udp any eq isakmp any
access-list 105 permit udp any eq isakmp any eq isakmp
access-list 105 permit ahp any any
access-list 105 permit udp any eq 10000 any eq 10000
access-list 105 permit ip 193.168.1.0 0.0.0.255 any
!
access-list 115 deny ip 192.168.1.0 0.0.0.255 193.168.1.0 0.0.0.15
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 10.10.10.0 0.0.0.255 193.168.1.0 0.0.0.15
access-list 115 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
!
route-map ipsecrm permit 10
 match ip address 115
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password *****
!
end

Will be changing to RADIUS authentication for clients via a win2000/2003 box.

cheers,

Peter.
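An added check for the configuration posted above (example code written for this thread, not the poster's or Cisco's): it parses the numbered extended ACL applied inbound on the interface that carries the crypto map and reports whether IKE (UDP/500), ESP and NAT-T (UDP/4500, the IOS ACL keyword `non500-isakmp`) are permitted in a way that still matches after a port-overloading NAT device rewrites the client's source port, which such a device must do once a second client behind it uses the same public address. `POSTED_CONFIG` is a constructed, trimmed copy of the relevant lines from the config above; `FIXED_CONFIG` is an assumed corrected ACL that matches on the destination port only, not something the thread itself proposes. On the posted ACL the check reports IKE as source-port-pinned and NAT-T as missing; on the corrected ACL all three flows are ok.

```python
"""Audit the inbound ACL on an IOS crypto interface for the traffic an
IPsec remote-access client needs: IKE (UDP/500), ESP, and NAT-T (UDP/4500).
Added example for this thread; not the poster's or Cisco's code."""

# Constructed excerpt in the shape of the config posted in the thread
# (only the lines the check needs; public addresses were masked in the original).
POSTED_CONFIG = """\
interface Ethernet0
 ip access-group 105 in
 ip nat outside
 crypto map LANmap
!
interface FastEthernet0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
access-list 105 permit tcp any any eq smtp
access-list 105 deny ip host 255.255.255.255 any
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 unreachable
access-list 105 permit esp any any
access-list 105 permit udp any eq isakmp any
access-list 105 permit udp any eq isakmp any eq isakmp
access-list 105 permit ahp any any
access-list 105 permit udp any eq 10000 any eq 10000
"""

# Assumed corrected ACL (not from the thread): match on the destination port only,
# so an IKE or NAT-T packet whose source port was rewritten by the client's NAT
# device is still admitted. "non500-isakmp" is the IOS keyword for UDP 4500.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "access-list 105 permit udp any eq isakmp any\n"
    "access-list 105 permit udp any eq isakmp any eq isakmp\n",
    "access-list 105 permit udp any any eq isakmp\n"
    "access-list 105 permit udp any any eq non500-isakmp\n",
)

# Flows the crypto endpoint must accept: (ip protocol, acceptable destination ports).
# Port 10000 in the posted ACL is Cisco's proprietary IPsec-over-UDP port, not NAT-T,
# so it is deliberately not counted here.
REQUIRED = {
    "ike":   ("udp", {"isakmp", "500"}),
    "esp":   ("esp", None),
    "nat-t": ("udp", {"non500-isakmp", "4500"}),
}


def parse_ace(line):
    """Parse one numbered extended ACE; return None for any other line.
    Ports are strings, '*' meaning the ACE does not constrain that port."""
    toks = line.split()
    if len(toks) < 5 or toks[0] != "access-list":
        return None

    def take_addr(rest):
        if rest[0] == "any":
            return "any", rest[1:]
        if rest[0] == "host":
            return rest[1], rest[2:]
        return f"{rest[0]}/{rest[1]}", rest[2:]   # address + wildcard mask

    def take_port(rest):
        if rest and rest[0] == "eq":
            return rest[1], rest[2:]
        return "*", rest

    num, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]
    try:
        src, rest = take_addr(rest)
        sport, rest = take_port(rest)
        dst, rest = take_addr(rest)
        dport, rest = take_port(rest)
    except IndexError:          # truncated or non-extended ACE
        return None
    return {"acl": num, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def classify(aces, proto, dports):
    """'ok' if a permit ACE admits proto to one of dports (or any port) without
    pinning the source port; 'source-port-pinned' if only ACEs that fix the source
    port match (a NAT that has to translate that port produces packets no such ACE
    matches); 'missing' otherwise. Only permits are considered, so ACE order and
    earlier narrower denies are ignored."""
    status = "missing"
    for a in aces:
        if a["action"] != "permit" or a["proto"] != proto:
            continue
        if dports and a["dport"] != "*" and a["dport"] not in dports:
            continue
        if a["sport"] == "*":
            return "ok"
        if dports and a["sport"] in dports:   # pinned to the protocol's own port
            status = "source-port-pinned"
    return status


def crypto_interfaces(config):
    """Map each interface carrying a crypto map to the ACL applied inbound (or None)."""
    current, acl_in, crypto = None, {}, []
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            current = s.split()[1]
        elif s == "!":
            current = None
        elif current and s.startswith("ip access-group ") and s.endswith(" in"):
            acl_in[current] = s.split()[2]
        elif current and s.startswith("crypto map "):
            crypto.append(current)
    return {i: acl_in.get(i) for i in crypto}


def check_ipsec_ingress(config):
    """For every crypto-map interface, report the status of each REQUIRED flow
    against the ACL applied inbound; with no inbound ACL everything is 'ok'."""
    aces = [a for a in map(parse_ace, config.splitlines()) if a]
    report = {}
    for iface, acl in crypto_interfaces(config).items():
        if acl is None:
            report[iface] = {name: "ok" for name in REQUIRED}
            continue
        mine = [a for a in aces if a["acl"] == acl]
        report[iface] = {name: classify(mine, proto, ports)
                         for name, (proto, ports) in REQUIRED.items()}
    return report


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_ipsec_ingress(cfg))
```

Running it prints the report for both ACLs. The check looks only at the inbound ACL: the `ip inspect Firewall-in out` on Ethernet0 opens return traffic for sessions the LAN initiates, not IKE or NAT-T sessions that remote clients initiate towards the router, so those must be permitted statically.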
