Cisco Support Community

VPN clients behind a firewall

Hi, All

Now all our PCs are behind a firewall, and we need to use the Cisco VPN client to connect to a Cisco PIX 506E firewall outside the local network. We are using IPSec. The problem is that only one person can connect to the Cisco firewall at one time; if a second person tries to connect, it will break the first person's connection.

I want to know what I should do to let multiple users connect to the Cisco firewall simultaneously, what options I need to configure on the local firewall, and what I should do to the VPN server (Cisco PIX 506E).

Thanks a lot!

Regards,

Leo

4 REPLIES

Re: VPN clients behind a firewall

I think the behaviour is rather dependent on the PIX version.

What user authentication is the remote PIX using? I tried this with PIX 6.3 and VPN Client 4.6 and found that the Cisco client from two PCs behind the same source IP does work unless both are using the same username from AD, in which case the first one is OK and the second one gets error 413 due to "simultaneous logins exceeded" from the DC (not reported to the user; it looks to the user like a password failure).

Results were different for VPN Client 3.6: the Cisco client from two PCs behind the same source IP did not work to the PIX or VPN Concentrator; the second connection kicked the first one off.


Re: VPN clients behind a firewall

Currently the version is Cisco PIX Firewall Version 6.3(5), and I am using Cisco VPN Client 4.6.00.0045.

The authentication on PIX is group authentication.

Now we have to static NAT the local machines outside the local firewall to have simultaneous access; it works, but not that well. I still wonder what I should do to the local firewall and the VPN server (PIX).


Re: VPN clients behind a firewall

Leo

Can you post your configuration - take out any sensitive info.

Jay


Re: VPN clients behind a firewall

This is an easy one.

Just make sure that on the PIX-506E you are connecting to, you have the command "isakmp nat-t".

Then make sure that the firewall behind which your VPN clients are is allowing the following:

1. Protocol ESP

2. UDP/500

3. UDP/4500

That's it.
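
As an added illustration (not part of the original replies): a simplified Python model of why a many-to-one NAT firewall can keep only one native ESP tunnel alive per remote peer, and why wrapping ESP in UDP/4500 avoids that. The addresses, class and function names are constructed for the example, and the model assumes a PAT device that tracks ESP only by protocol and peer address.

```python
# Simplified model of a port-address translator (PAT) on one public IP.
# All addresses are constructed sample values, not taken from the thread.
ESP, UDP = 50, 17


class Pat:
    def __init__(self):
        self.table = {}          # inbound lookup key -> inside host
        self.next_port = 20000   # next free public source port

    def outbound(self, inside, proto, peer):
        """Record an outbound flow and return the key used for return traffic."""
        if proto == UDP:
            # UDP carries ports, so each inside flow gets its own public port.
            key = (UDP, peer, self.next_port)
            self.next_port += 1
        else:
            # ESP has no ports: protocol + peer is all this PAT can key on,
            # so a second client overwrites the first client's entry.
            key = (ESP, peer)
        self.table[key] = inside
        return key

    def inbound(self, key):
        """Return the inside host that return traffic for this key reaches."""
        return self.table.get(key)


def simulate(nat_t):
    """Map each client to the inside host that receives its return traffic."""
    pat = Pat()
    peer = "203.0.113.10"                      # stands in for the remote PIX
    clients = ["192.168.1.11", "192.168.1.12"]
    # With NAT-T the ESP payload travels inside UDP/4500; without it, raw ESP.
    proto = UDP if nat_t else ESP
    keys = {c: pat.outbound(c, proto, peer) for c in clients}
    return {c: pat.inbound(keys[c]) for c in clients}


if __name__ == "__main__":
    print("native ESP:", simulate(nat_t=False))
    print("NAT-T     :", simulate(nat_t=True))
```

In the native ESP case both clients resolve to the second client's address, which matches the "second connection kicks the first one off" symptom; with UDP encapsulation each client keeps its own mapping.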
