Multiple VPN Clients connecting from the same NAT'ed Connection (IOS)

peter.rowe
Level 1

Hi there,

I have a client who is trying to connect multiple clients through the same shared, NAT'ed cable internet connection. When the 2nd client connects, the 1st is kicked out.

Can someone tell me if this is 'normal' and suggest a way of working around the issue?

The VPN clients are connecting to an IOS router (1710) using 3DES IPsec.

Thanks,

Peter.

4 Replies

jackko
Level 7

Please post the entire config with the public IP masked.

With PIX, there is a command to permit NAT-T, whereas an IOS router has no such command, as it supports it by default.
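How the router and the client find out that a NAT sits between them, as an added example that is not part of this thread or of any Cisco code: IKEv1 NAT-Traversal (RFC 3947) has each side send NAT-D payloads, hashes of the IKE cookies together with the destination and source address/port it sees, and the receiver recomputes them from the IP/UDP header that actually arrived. A mismatch on the peer's hash means the peer's address was rewritten on the way, and both ends then float IKE and ESP to UDP 4500 (RFC 3948), which is what gives each client behind the NAT a port of its own. The cookies and addresses below are constructed, and SHA-1 is assumed as the negotiated IKE hash (pass hash_name="md5" for an MD5 policy).

```python
"""IKEv1 NAT-D (RFC 3947) detection worked through for clients behind one PAT.
Added example; cookies, addresses and ports are constructed for illustration."""
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    IP is the 4-byte address and Port the 2-byte UDP port, network byte order."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def build_nat_d(cky_i, cky_r, local, remote, hash_name="sha1"):
    """Payloads the sender attaches: the first covers the remote (destination)
    address, the rest cover the sender's own view of its local (source) address."""
    return [nat_d_hash(cky_i, cky_r, *remote, hash_name=hash_name),
            nat_d_hash(cky_i, cky_r, *local, hash_name=hash_name)]


def detect_nat(cky_i, cky_r, received, my_addr, peer_addr_seen, hash_name="sha1"):
    """Receiver side: recompute with the addresses from the packet headers.
    A mismatch means a NAT rewrote that address somewhere on the path."""
    local_behind_nat = nat_d_hash(cky_i, cky_r, *my_addr, hash_name=hash_name) != received[0]
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *peer_addr_seen,
                                 hash_name=hash_name) not in received[1:]
    return {"local_behind_nat": local_behind_nat,
            "peer_behind_nat": peer_behind_nat,
            "float_to_udp_4500": local_behind_nat or peer_behind_nat}


def client_to_gateway(client_private, as_seen_by_gateway, gateway, hash_name="sha1"):
    """One client's NAT-D exchange. The PAT rewrites the outer IP/UDP header to
    as_seen_by_gateway; it cannot rewrite the hashes carried inside ISAKMP."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    payloads = build_nat_d(cky_i, cky_r, local=client_private, remote=gateway,
                           hash_name=hash_name)
    return detect_nat(cky_i, cky_r, payloads, my_addr=gateway,
                      peer_addr_seen=as_seen_by_gateway, hash_name=hash_name)


GATEWAY = ("198.51.100.1", 500)    # router outside address, constructed
NAT_PUBLIC = "203.0.113.9"         # the shared cable connection, constructed

if __name__ == "__main__":
    # Two clients behind the same PAT: the first usually keeps port 500,
    # the second gets a translated port such as 1025.
    print("client-A", client_to_gateway(("192.168.0.11", 500), (NAT_PUBLIC, 500), GATEWAY))
    print("client-B", client_to_gateway(("192.168.0.12", 500), (NAT_PUBLIC, 1025), GATEWAY))
    # A client with a public address of its own: hashes agree, no float.
    print("direct  ", client_to_gateway((NAT_PUBLIC, 500), (NAT_PUBLIC, 500), GATEWAY))
```

Without NAT-T the data phase is raw ESP, which carries no port numbers, so the NAT and the router both see the second client as the same peer as the first; after the float to UDP 4500 each client keeps its own translated source port (500 and 1025 in the run above) and the router can hold two separate SAs behind one public address. A real implementation takes the cookies from the ISAKMP header and sends one NAT-D per candidate local address.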

Thanks for the response. Here it is:

Current configuration : 4592 bytes
!
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname abz-r
!
aaa new-model
!
!
aaa authentication login ruser local
aaa authorization network rgroup local
aaa session-id common
enable secret xxxx
enable password ****
!
username ****** password *******
username ****** privilege 15 password ******
memory-size iomem 20
ip subnet-zero
!
!
ip domain name rgroup.com
!
ip inspect name Firewall-in tcp
ip inspect name Firewall-in ftp
ip inspect name Firewall-in smtp
ip inspect name Firewall-in http
ip inspect name Firewall-in udp
ip inspect name Firewall-in tftp
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 12
!
crypto isakmp client configuration group rclient
 key ********
 dns 10.10.10.1
 wins 10.10.10.1
 domain rgroup.com
 pool ippool
!
!
crypto ipsec transform-set lanTolan ah-sha-hmac esp-des
crypto ipsec transform-set clientset esp-des esp-md5-hmac
!
crypto dynamic-map dynamap 10
 set transform-set clientset
!
!
crypto map LANmap local-address Ethernet0
crypto map LANmap client authentication list ruser
crypto map LANmap isakmp authorization list rgroup
crypto map LANmap client configuration address respond
crypto map LANmap 10 ipsec-isakmp dynamic dynamap
!
!
!
!
interface Ethernet0
 description **Internet Side -
 ip address *************
 ip access-group 105 in
 ip nat outside
 ip inspect Firewall-in out
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map LANmap
!
interface FastEthernet0
 description **Ethernet private network**
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable
!
!
ip local pool ippool 193.168.1.1 193.168.1.10
ip nat inside source route-map ipsecrm interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 **********
no ip http server
ip pim bidir-enable
!
!
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended timeout
ip access-list extended wins-servers
!
access-list 105 permit tcp any any eq smtp
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 10.10.10.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 traceroute
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 unreachable
access-list 105 permit gre any any
access-list 105 permit esp any any
access-list 105 permit udp any eq isakmp any
access-list 105 permit udp any eq isakmp any eq isakmp
access-list 105 permit ahp any any
access-list 105 permit udp any eq 10000 any eq 10000
access-list 105 permit ip 193.168.1.0 0.0.0.255 any
!
access-list 115 deny ip 192.168.1.0 0.0.0.255 193.168.1.0 0.0.0.15
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 10.10.10.0 0.0.0.255 193.168.1.0 0.0.0.15
access-list 115 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
!
route-map ipsecrm permit 10
 match ip address 115
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password *****
!
end

Will be changing to RADIUS authentication for clients via a win2000/2003 box.

cheers,

Peter.
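The inbound ACL on Ethernet0 is worth checking before anything else. Both `udp ... eq isakmp` entries in access-list 105 require a source port of 500, so a client whose source port the shared NAT has rewritten is dropped by the ACL before IKE even starts, and no entry covers UDP 4500, the port the router and client would float to for NAT-T (Cisco's own IPsec-over-UDP port 10000 is permitted, UDP 4500 is not). The `ip inspect` on the same interface only opens holes for return traffic of sessions the inside started, so it does not help clients that initiate from outside. The script below is an added example, not code from this thread or from Cisco: it parses the `access-list 105` lines copied from the posted config and evaluates constructed sample packets against them, with 203.0.113.9 as the client's public (NAT) address, 198.51.100.1 as the router, and source port 1025 standing in for a port rewritten by PAT.

```python
"""Audit an IOS inbound ACL for what NAT'ed IPsec clients need to get through.
Added example; handles the subset of IOS ACL syntax used in the posted config
(any / host / wildcard addresses, optional "eq" ports), first match wins."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords IOS prints in ACLs; assumption: only these names occur here.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "smtp": 25, "domain": 53,
              "www": 80, "ftp": 21, "tftp": 69}

# access-list 105 exactly as it appears in the posted configuration.
POSTED_CONFIG = """\
access-list 105 permit tcp any any eq smtp
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 10.10.10.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 traceroute
access-list 105 permit icmp any 10.10.10.0 0.0.0.255 unreachable
access-list 105 permit gre any any
access-list 105 permit esp any any
access-list 105 permit udp any eq isakmp any
access-list 105 permit udp any eq isakmp any eq isakmp
access-list 105 permit ahp any any
access-list 105 permit udp any eq 10000 any eq 10000
access-list 105 permit ip 193.168.1.0 0.0.0.255 any
"""

Addr = Tuple[int, int]   # (network as int, match mask as int)


@dataclass
class Entry:
    action: str
    proto: str
    src: Addr
    src_port: Optional[int]   # None means any port
    dst: Addr
    dst_port: Optional[int]


def _ip(s: str) -> int:
    return struct.unpack("!I", socket.inet_aton(s))[0]


def _addr(tok, i) -> Tuple[Addr, int]:
    if tok[i] == "any":
        return (0, 0), i + 1                         # mask 0 matches everything
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    net, wildcard = _ip(tok[i]), _ip(tok[i + 1])     # IOS wildcard: 1 bits are don't-care
    return (net, ~wildcard & 0xFFFFFFFF), i + 2


def _port(tok, i) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(config: str, number: int):
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)                     # trailing icmp type keywords are ignored
        entries.append(Entry(tok[2], tok[3], src, sport, dst, dport))
    return entries


def permitted(entries, proto, src_ip, dst_ip, src_port=None, dst_port=None) -> bool:
    s, d = _ip(src_ip), _ip(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):             # "ip" entries match every protocol
            continue
        if (s & e.src[1]) != (e.src[0] & e.src[1]) or (d & e.dst[1]) != (e.dst[0] & e.dst[1]):
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action == "permit"
    return False                                     # implicit deny at the end


def audit_vpn_client_access(config=POSTED_CONFIG, acl_number=105,
                            client="203.0.113.9", router="198.51.100.1"):
    """Each check is a packet the client would send inbound on Ethernet0."""
    acl = parse_acl(config, acl_number)

    def ok(proto, sport=None, dport=None):
        return permitted(acl, proto, client, router, sport, dport)

    return {
        "ike_udp500_from_source_port_500": ok("udp", 500, 500),
        "ike_udp500_from_translated_source_port": ok("udp", 1025, 500),
        "natt_udp4500_from_translated_source_port": ok("udp", 1025, 4500),
        "esp": ok("esp"),
        "ah": ok("ahp"),
        "cisco_ipsec_over_udp_10000": ok("udp", 10000, 10000),
        "nat_traversal_explicitly_configured": "crypto isakmp nat-traversal" in config,
    }


if __name__ == "__main__":
    for check, result in audit_vpn_client_access().items():
        print(("ok   " if result else "FAIL ") + check)
```

Run against the posted ACL, the two translated-port checks fail and the NAT-T check fails, while plain IKE from source port 500, ESP, AH and UDP 10000 pass; that pattern matches "the first client works, the second does not". The same parser can be pointed at any other numbered extended ACL by passing the config text and ACL number.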

anthonyhoar
Level 1

Here is a link that may help:

Configuring Multiple VPN Clients to a Cisco VPN 3000 Concentrator Using NAT-Traversal

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml

rparra
Level 1

I have the exact same issue. Were you able to come up with a good configuration on your 1710? Please advise. Thanks.