Cisco Support Community
New Member

multiple pptp clients behind firewall/nat device to vpn3015

Hi

I am trying the following:

Win2k PCs behind a 3com Lan modem (doing nat) trying to make a pptp connection to our vpn concentrator. One client will always make a connection but subsequent clients will fail. The vpn concentrator will have the following message:

815 10/21/2002 19:55:49.870 SEV=4 PPTP/33 RPT=20 x.x.x.x

PPTP tunnel for peer x.x.x.x denied - already established

We have also tried this at another site which is behind a firewall and the same thing happens.

Is such an arrangement at all possible to support using the vpn 3015 concentrator?

Will this work if I use the ipsec client (cisco or win2k)?

thanks

Norman

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: multiple pptp clients behind firewall/nat device to vpn3015

I suspect that you really have a PAT environment (Port Address Translation, or many on the inside to one address on the outside). If this is the case, PPTP will fail because it uses GRE, which is IP (protocol 47, I believe) as well as TCP port 1723. Since GRE doesn't have a port associated with it like TCP or UDP does, most implementations will either fail completely or, as in your case, allow only one concurrent connection.

If you go to IPSec using the Cisco Unity client, you can get around this by implementing IPSec over UDP, which will transport it over UDP, thereby allowing ports to be associated with different connections.
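
A simplified model of the PAT behaviour described in the answer above, added here as an illustration (it is not code from the thread or from any vendor's NAT implementation). It assumes a PAT device with no PPTP-specific handling; the class and function names, addresses, port pool, and the UDP port are constructed for the example.

```python
from itertools import count

GRE, TCP, UDP = 47, 6, 17  # IP protocol numbers

class PatTable:
    """Simplified many-to-one NAT (PAT) with no PPTP-specific handling."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = count(40000)   # constructed outside-port pool
        self.inbound = {}            # return-traffic key -> (inside_ip, inside_port)

    def outbound(self, proto, inside_ip, inside_port, remote_ip, remote_port):
        """Map an outbound flow; return its inbound key, or None when return
        traffic could not be told apart from another host's existing flow."""
        if proto in (TCP, UDP):
            # Ports exist, so every flow gets its own outside port.
            key = (proto, next(self._ports), remote_ip, remote_port)
        else:
            # GRE has no port: only protocol and remote address identify the flow.
            key = (proto, None, remote_ip, None)
            owner = self.inbound.get(key)
            if owner is not None and owner[0] != inside_ip:
                return None          # second client collides with the first
        self.inbound[key] = (inside_ip, inside_port)
        return key

def connect_pptp(nat, client, concentrator):
    ctrl = nat.outbound(TCP, client, 1025, concentrator, 1723)  # control channel
    data = nat.outbound(GRE, client, None, concentrator, None)  # tunnelled data
    return ctrl is not None and data is not None

def connect_ipsec_over_udp(nat, client, concentrator, port=10000):
    # port is a constructed sample value, not taken from the thread
    return nat.outbound(UDP, client, port, concentrator, port) is not None

def simulate():
    clients = ["192.168.1.10", "192.168.1.11"]  # constructed inside hosts
    vpn = "203.0.113.5"                          # constructed concentrator address
    pptp_nat, ipsec_nat = PatTable("198.51.100.1"), PatTable("198.51.100.1")
    return ([connect_pptp(pptp_nat, c, vpn) for c in clients],
            [connect_ipsec_over_udp(ipsec_nat, c, vpn) for c in clients])

if __name__ == "__main__":
    print(simulate())
```

In this model the first PPTP client connects and the second is refused at the GRE mapping, while both IPSec-over-UDP clients receive distinct outside ports.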

2 REPLIES
New Member

Re: multiple pptp clients behind firewall/nat device to vpn3015

Thanks for the response. We had some conflicting information on whether it would work so we tried it out. We could have multiple connections to the vpn 3000 with the cisco client with ipsec over udp enabled.

thanks
