Cisco Support Community

New Member

VPN 3005 concentrator & Client connectivity

Need to understand the connectivity of VPN 3005 box with Cisco 1720 router running FW feature set

I will have 1720 router running FW feature set on it. Have one public IP address on WAN interface and that is Now I would like to add VPN 3005 Concentrator box so mobile user can access company's network.

We are using on LAN. So I mean can I have on router's ethernet interface connected directly to VPN box which can be and other interface of VPN box can have connected to switch where all the users are connected?

I mean would this configuration allow people inside network to go out and browse web and also will this allow mobile user to connect to corporate network via VPN and access network resources?

Can someone explain to me how the traffic will flow from VPN client machine all the way up to the network and which IP address we need to configure at VPN client machines?

Can client machines have one authentication from Windows domain controller so they don't log on with different passwords. Can they be authenticated with single password with above mentioned config. Can someone explain how the authentication will work and how we can set up. Step by step.

New Member

Re: VPN 3005 concentrator & Client connectivity


In response to your question, please note that the scenario as presented in your question is, in essence, workable; however, this is dependent on the number of users tunneling through your network, as well as the security policy in place.

Following is an overview of how to configure the Cisco VPN 3000 Client to the VPN 3000 Concentrator with Microsoft Windows NT Domain Authentication.

This scenario demonstrates how to configure the Cisco VPN 3000 Concentrator to authenticate Cisco VPN 3000 clients to an external Microsoft Windows NT Domain server. If multiple NT Domain servers are specified, the first server listed is the primary server; the rest are backup servers in the event the primary server is inoperative after a configurable number of retries (0-10) and seconds (1-30). To have authentication to multiple NT domains, set up a trust relationship in NT, with one NT Domain server listed in the VPN 3000. All requests go to the single NT Domain server, which forwards the request to the appropriate trusted PDC in the specified domain.

If only one NT Domain server (FOO=netbios name, domain=ANYWHERE) is listed in the VPN 3000 Concentrator, but a trust relationship is set up in Windows NT, requests go to (FOO), which services user requests itself or forwards requests for other users to (PDCAPPS).

Configure the VPN 3000 Concentrator to Authenticate Clients to an External Windows NT Server

Tasks Performed

Test with local authentication.

Add the Windows NT domain server to concentrator.

Test concentrator to Windows NT domain server.

Change the group to point to Windows NT domain server.

Test the VPN 3000 Client to the VPN 3000 Concentrator with Windows NT.


Test to be sure that VPN 3000 client authentication and encryption to the internal VPN 3000 database works before adding authentication to a Windows NT domain server.

Add the NT domain server to the VPN 3000 Concentrator authentication server list. For a trust relationship, you may need to increase the timeout (the default is a 4 second timeout and 2 retries).

Test the NT domain server authentication from the VPN 3000 Concentrator. For example, we formed an NT trust relationship between and with one server listed. The authentication was tested by entering:

(user on

User Name: vpnuser

Password: *******

User Name: ANYWHERE\vpnuser

Password: *******

(user on

User Name: APPS\appsuser

Password: *******

Configure the VPN 3000 group to point to the NT domain for authentication.

Test the VPN 3000 client to the VPN 3000 Concentrator. The VPN 3000 client should be able to connect to the VPN 3000 Concentrator at this point. If there are problems, see Debug the Configuration and Bad Debug - VPN 3000 Concentrator to NT.

Debug the Configuration

Turn on VPN 3000 Concentrator debugging by selecting:

Configuration > System > Events > Classes > Add


Severity to Log = 1-9

Severity to Console = 1-3

In Windows NT, enable the audit facility:

Examine the VPN 3000 Concentrator debug by selecting:

Monitoring > Event Log
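
As an added illustration (not part of the original post and not Cisco code), this Python model walks an authentication server list as the reply describes it: primary first, backups only when a server is inoperative, with the 0-10 retry and 1-30 second timeout limits. It also shows why a trust-forwarded request can need a longer timeout than the default. Assumptions: the server data, passwords and delay figures are constructed, a reject is treated as final, and "retries" is counted as extra attempts after the first.

```python
from dataclasses import dataclass

@dataclass
class AuthServer:
    name: str            # constructed label for the listed NT domain server
    domain: str          # domain the server answers for directly
    up: bool             # False models an inoperative server
    latency: float       # seconds to answer for its own domain
    trust_delay: float   # extra seconds when forwarding to a trusted PDC
    accounts: dict       # "DOMAIN\\USER" -> password (constructed test data)

def qualify(username, default_domain):
    """Treat a bare 'vpnuser' as default_domain\\vpnuser (assumption)."""
    domain, sep, user = username.rpartition("\\")
    return f"{domain if sep else default_domain}\\{user}".upper()

def authenticate(servers, username, password, retries=2, timeout=4):
    """Try servers in list order; move to a backup only after the current
    server stays silent for every attempt. A reject is final (assumption)."""
    if not 0 <= retries <= 10 or not 1 <= timeout <= 30:
        raise ValueError("retries must be 0-10, timeout 1-30 seconds")
    waited = 0.0
    for srv in servers:
        key = qualify(username, srv.domain)
        forwarded = not key.startswith(srv.domain.upper() + "\\")
        delay = srv.latency + (srv.trust_delay if forwarded else 0)
        for _ in range(retries + 1):   # first try plus `retries` more (assumption)
            if srv.up and delay <= timeout:
                ok = srv.accounts.get(key) == password
                return ("accept" if ok else "reject", srv.name, waited + delay)
            waited += timeout
    return ("no-server", None, waited)

# Constructed data: one server FOO in ANYWHERE, trusting domain APPS.
FOO = AuthServer("FOO", "ANYWHERE", True, 0.5, 5.0,
                 {"ANYWHERE\\VPNUSER": "pw1", "APPS\\APPSUSER": "pw2"})
DOWN = AuthServer("OLDPDC", "ANYWHERE", False, 0.5, 5.0, {})

if __name__ == "__main__":
    print(authenticate([FOO], "vpnuser", "pw1"))                   # local domain
    print(authenticate([FOO], "APPS\\appsuser", "pw2"))            # default timeout
    print(authenticate([FOO], "APPS\\appsuser", "pw2", timeout=10))
    print(authenticate([DOWN, FOO], "vpnuser", "pw1"))             # backup used
```

The third element of each result is the total time the client waited, which makes the cost of a dead primary or a too-short timeout visible before changing the group to NT domain authentication.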
