Multiple VPN clients behind PIX

Multiple users in our company have to establish a VPN client connection to a VPN gateway on the Internet. Those connections have to go through our PIX. I already enabled the fixup protocol for esp-ike and this allows one user to go out. When the next user tries to set up a VPN connection to the VPN gateway on the Internet, the following syslog error appears:

%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.0.102/500 dst outside:1x5.x17.x54.x10/500

It seems to me that the PIX only supports one outgoing VPN client connection at a time. Is this true?

When I perform a clear xlate, the first user gets disconnected, but a new user is able to set up a VPN connection.

Regards,

Tom

1 ACCEPTED SOLUTION

New Member

Re: Multiple VPN clients behind PIX

This is true, Tom - in the release notes for 6.3(1), the PAT for ESP section states "PIX Firewall version 6.3 provides the ability to PAT IP protocol 50 to support single IPSec user outbound access."

If you have sufficient public IP addresses and the remote VPN gateway supports PPTP, then one way to achieve multiple outbound VPN connections would be to set up a separate NAT pool for users who require outbound access and assign the internal IP addresses of those users to use those addresses.

Having just had a quick look around, if PPTP is an option, then the PPTP PAT support in 6.3 may help.

New Member

Re: Multiple VPN clients behind PIX

If your client is a Cisco client going to a Cisco VPN concentrator, you could also use the IPSEC-over-TCP option. We have used this successfully for multiple users behind a firewall. I believe the NAT traversal options using a PIX as a headend would also work.
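As an added example (not part of the original thread): a small Python script that scans PIX syslog for the 305006 message quoted in the question, keeps only the IKE failures (UDP 500 to UDP 500), and lists per remote gateway which inside hosts were refused a translation. Those hosts are the candidates for the separate NAT pool suggested above. The sample log lines and the function name `blocked_ike_clients` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (documentation addresses, not from the thread).
SAMPLE_LOG = """\
Jan 10 09:01:12 pix %PIX-3-305006: portmap translation creation failed for udp src inside:192.168.0.102/500 dst outside:203.0.113.10/500
Jan 10 09:01:15 pix %PIX-3-305006: portmap translation creation failed for udp src inside:192.168.0.102/500 dst outside:203.0.113.10/500
Jan 10 09:03:40 pix %PIX-3-305006: portmap translation creation failed for udp src inside:192.168.0.117/500 dst outside:203.0.113.10/500
Jan 10 09:04:02 pix %PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.0.50/1044 dst outside:198.51.100.7/80
"""

# Field layout follows the 305006 line quoted in the question:
#   <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>
# Addresses are matched loosely so masked values such as 1x5.x17.x54.x10 still parse.
PAT_FAIL = re.compile(
    r"%PIX-3-305006: portmap translation creation failed for "
    r"(?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)"
)


def blocked_ike_clients(log_text):
    """Return {gateway_ip: {inside_ip: failure_count}} for IKE PAT failures.

    Only udp/500 -> udp/500 failures are counted; other 305006 events
    (for example ordinary TCP PAT exhaustion) are ignored.
    """
    result = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = PAT_FAIL.search(line)
        if not m:
            continue
        is_ike = (m["proto"].lower() == "udp"
                  and m["src_port"] == "500" and m["dst_port"] == "500")
        if is_ike:
            result[m["dst_ip"]][m["src_ip"]] += 1
    return {gw: dict(hosts) for gw, hosts in result.items()}


if __name__ == "__main__":
    for gateway, hosts in blocked_ike_clients(SAMPLE_LOG).items():
        print(f"VPN gateway {gateway}: {len(hosts)} inside host(s) refused")
        for host, count in sorted(hosts.items()):
            print(f"  {host}  failures={count}")
```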
