Thanks for the quick response.

Unfortunately, the client doesn't have control of what they connect to. They don't even know what they connect to. They just know that multiple simultaneous connections worked fine before the Cisco PIX 501.

So, is the only option for them to use NAT if they only have control on their end?

I meant what is the VPN end point the clients are connecting to. Is it a pix, vpn concentrator, ASA or something else? If they are connecting to differnt vpn endpoints all out of there control then NAT is the only option.

There are three methods to setup NAT trasparent mode if you control the vpn end point.

IPSec over TCP

IPSec over NAT-T

IPSec over UDP

NAT Transparent mode setup on a VPN Concentrator

http://www.cisco.com/warp/public/471/nat_trans.html

Hi,

I'm sorry I wasn't more clear on my last response. What I meant was that I don't know what the VPN end point is that the Cisco VPN client software is connecting to. This company called me in after they tried to setup their PIX 501 themselves. I have fixed all of their issues except for this. They are a small consultant company that is doing development for another company. That other company is hosting the VPN end points and their network people have control over those VPN end points. I don't.

Anyway, the small development consultant company have three different Cisco VPN connection entries they use from each pc. One of those connections is to my company. I changed our PIX 515e to use NAT-T like you requested and it works great. They now can have multiple simultaneous Cisco VPN client connections to us. So, now I just need to work with them on the other two connection end points.

One last question. The small consultant company said that they always had to wait for about 15 minutes after one pc ended a Cisco VPN connection before a different pc could get in. Do you know if that is a configurable timeout period that could be changed on their PIX 501 or within the properties of their Cisco VPN client connections?

Thanks for all of your help.

Glad to here your side is working.

If I'm not mistaken (maybe someone else has some insight) I believe the xlate timeout is what is causing them to have to wait 15mins. When a vpn connection goes through a pix running pat the translation (xlate) for the esp gets assigned to port 0 since esp doesn't have one assigned.

If you do a show xlate you should see the translation. Clear the xlate to see if you can use the vpn.

clear xlate local ipaddress-of-localhost

If it's using ipsec over tcp or udp those timeouts could be the issue. Show conn to see the connections.

Do a show run and look at your timeout values.

Hope this helps.

Thanks,

Chad

I have the same issue here. Some travellers are stting behind of my IOS router and trying to VPN back to VPN concentrator at their office. Actually they have configured NAT-T, but the problem is still with Phase ISKAMP.

When router receiving ISAKMP request from VPN cleint, it will try to keep the original UDP 500 for PAT. Everythig works fine for first client, but when the router trying to process the second request, it has to perform PAT with different source UDP port other than 500 as it is being used. This will cause ISAKMP failed at VPN concentrator.

I tried to configure "ip nat service list 150 IKE preserve-port" on router and it fixed the issue. Router will not change the source UDP port for second ISAKMP request.

Hi,

what about letting the pix501 terminate all the vpn connections, if its possible ?

(if the users on your lan are using the same vpn-setup)

Martin

DK