New Member

Concentrator 3030 ver 3.6 + Client 3.6.1 using VCA

Hi Guys,

We are running a couple of Concentrator 3030 ver 3.6 + Client 3.6.1 using VCA for client load balancing. The concentrators are behind a PIX 525 running 6.2.2.

It all works fine when clients connect via PSTN/ISDN or are directly attached to the LAN on the public interface of the concentrators. But it fails when connecting via xDSL or cable modem.

I disabled proxy ARP on the PIX internal interface and changed the MTU on the VPN client, but no luck.

I looked at the VPN Client logging, but it does not seem to provide any meaningful info.

Any clues??

Cheers

Gonzalo

2 REPLIES
New Member

Re: Concentrator 3030 ver 3.6 + Client 3.6.1 using VCA

I wonder if it has to do with the fact that xDSL or Cable is using NAT or PAT? The concentrator should be placed in parallel with the PIX from the installation guides I see on Cisco's site. I wonder if that might be a better option for you. You could then use NAT transparency mode and fix the xDSL/Cable modem issue.

New Member

Re: Concentrator 3030 ver 3.6 + Client 3.6.1 using VCA

Almost definitely the problem will be because the DSL router is doing NAT/PAT.

Using NAT transparency mode you can still leave the concentrator behind the firewall and create a static NAT entry to it.

On the client ensure that you have NAT transparency enabled using the TCP option. This needs to match the similar config on the concentrator.

I have this exact scenario running fine in a couple of customer accounts. I have found that I need to use VPN Client 3.6.1 to get it to work reliably.

As the concentrator is not a firewall product itself, I am not convinced about ever installing it on a dirty network. By doing this, you create a route into your network which doesn't need to transit the firewall - not good design IMHO.

Regards, Barry
