09-11-2002 01:03 AM - edited 03-09-2019 12:15 AM
Hi Guys,
We are running a couple of Concentrator 3030s ver 3.6 + Client 3.6.1 using VCA for client load balancing. The concentrators are behind a Pix 525 running 6.2.2.
It all works fine when clients connect via PSTN/ISDN or are directly attached to the LAN on the public interface of the concentrators. But it fails when connecting via xDSL or cable modem???
I disabled proxy ARP on the Pix internal interface and changed the MTU on the VPN client, but no luck.
I looked at the VPN Client logging, but it does not seem to provide any meaningful info.
Any clues??
Cheers
Gonzalo
09-18-2002 09:01 AM
I wonder if it has to do with the fact that xDSL or Cable is using NAT or PAT? The concentrator should be placed in parallel with the PIX from the installation guides I see on Cisco's site. I wonder if that might be a better option for you. You could then use NAT transparency mode and fix the xDSL/Cable modem issue.
09-18-2002 10:00 AM
Almost definitely the problem will be because the DSL router is doing NAT/PAT.
Using NAT transparency mode you can still leave the concentrator behind the firewall and create a static NAT entry to it.
On the client ensure that you have NAT transparency enabled using the TCP option. This needs to match the similar config on the concentrator.
I have this exact scenario running fine in a couple of customer accounts. I have found that I need to use VPN Client 3.6.1 to get it to work reliably.
As the concentrator is not a firewall product itself, I am not convinced about ever installing it on a dirty network. By doing this, you create a route into your network which doesn't need to transit the firewall - not good design IMHO.
Regards, Barry