Simultaneous Cisco VPN client connections behind a PIX 501 using PAT

Unanswered Question
Oct 24th, 2006
User Badges:

Hi,


I was wondering if it is possible to establish multiple simultaneous Cisco VPN Client connections behind a Cisco PIX 501 Firewall that is configured to use PAT. I haven't figured out how for one of our clients if it is possible.


When one pc starts a Cisco VPN client connection, another one can't. If that pc disconnects it can reconnect right away again. If that pc disconnects, a different pc has to wait about 15 minutes before it can establish a Cisco VPN client.


Before the PIX 501 they were using a Linksys Firewall and they could use multiple simultaneous Cisco VPN client connections behind it.


The error I see in the log on the PIX when a second connection is attempted is a portmap translation error with udp port 500. I have even tried using IPSEC over tcp for the transport on port 10000 for the second connection and it doesn't work (I don't see any error in the log on the PIX for the IPSEC over tcp). Either transport works fine for the Cisco VPN client connection if it is the first connection.


I read an article that stated this can only be accomplished if the Cisco PIX 501 is using NAT instead of PAT. But, that means my client would need multiple public IP addresses, right?


Please help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cpembleton Tue, 10/24/2006 - 11:45
User Badges:
  • Silver, 250 points or more

VPN's behind NAT/PAT devices can cause problems. The best protocol to use for this is NAT-T if your end device supports it.


Yes, you could use NAT which requires an ip for each ip.


What kind of device are your vpn clients connecting to?


If your using a cisco device like a pix or vpn concentrotr your best bet is to use NAT-T. See article below.

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K45735446


csuser Tue, 10/24/2006 - 12:23
User Badges:

Thanks for the quick response.


Unfortunately, the client doesn't have control of what they connect to. They don't even know what they connect to. They just know that multiple simultaneous connections worked fine before the Cisco PIX 501.


So, is the only option for them to use NAT if they only have control on their end?

cpembleton Tue, 10/24/2006 - 14:19
User Badges:
  • Silver, 250 points or more

I meant what is the VPN end point the clients are connecting to. Is it a pix, vpn concentrator, ASA or something else? If they are connecting to differnt vpn endpoints all out of there control then NAT is the only option.


There are three methods to setup NAT trasparent mode if you control the vpn end point.

IPSec over TCP

IPSec over NAT-T

IPSec over UDP


NAT Transparent mode setup on a VPN Concentrator

http://www.cisco.com/warp/public/471/nat_trans.html

csuser Wed, 10/25/2006 - 04:56
User Badges:

Hi,


I'm sorry I wasn't more clear on my last response. What I meant was that I don't know what the VPN end point is that the Cisco VPN client software is connecting to. This company called me in after they tried to setup their PIX 501 themselves. I have fixed all of their issues except for this. They are a small consultant company that is doing development for another company. That other company is hosting the VPN end points and their network people have control over those VPN end points. I don't.


Anyway, the small development consultant company have three different Cisco VPN connection entries they use from each pc. One of those connections is to my company. I changed our PIX 515e to use NAT-T like you requested and it works great. They now can have multiple simultaneous Cisco VPN client connections to us. So, now I just need to work with them on the other two connection end points.


One last question. The small consultant company said that they always had to wait for about 15 minutes after one pc ended a Cisco VPN connection before a different pc could get in. Do you know if that is a configurable timeout period that could be changed on their PIX 501 or within the properties of their Cisco VPN client connections?


Thanks for all of your help.

cpembleton Wed, 10/25/2006 - 05:58
User Badges:
  • Silver, 250 points or more

Glad to here your side is working.


If I'm not mistaken (maybe someone else has some insight) I believe the xlate timeout is what is causing them to have to wait 15mins. When a vpn connection goes through a pix running pat the translation (xlate) for the esp gets assigned to port 0 since esp doesn't have one assigned.


If you do a show xlate you should see the translation. Clear the xlate to see if you can use the vpn.

clear xlate local ipaddress-of-localhost


If it's using ipsec over tcp or udp those timeouts could be the issue. Show conn to see the connections.


Do a show run and look at your timeout values.


Hope this helps.

Thanks,

Chad

Leonlei Wed, 11/08/2006 - 14:20
User Badges:

I have the same issue here. Some travellers are stting behind of my IOS router and trying to VPN back to VPN concentrator at their office. Actually they have configured NAT-T, but the problem is still with Phase ISKAMP.


When router receiving ISAKMP request from VPN cleint, it will try to keep the original UDP 500 for PAT. Everythig works fine for first client, but when the router trying to process the second request, it has to perform PAT with different source UDP port other than 500 as it is being used. This will cause ISAKMP failed at VPN concentrator.


I tried to configure "ip nat service list 150 IKE preserve-port" on router and it fixed the issue. Router will not change the source UDP port for second ISAKMP request.




unicmd Wed, 11/08/2006 - 15:08
User Badges:

Hi,


what about letting the pix501 terminate all the vpn connections, if its possible ?

(if the users on your lan are using the same vpn-setup)


Martin

DK

Actions

This Discussion