
VPN clients behind a firewall

llei
Level 1

Hi, All

Now all our PCs are behind a firewall, and we need to use the Cisco VPN client to connect to a Cisco PIX 506E firewall outside the local network. We are using IPSec. The problem is that only one person can connect to the Cisco firewall at a time; if a second person tries to connect, it breaks the first person's connection.

I want to know what I should do to let multiple users connect to the Cisco firewall simultaneously: what options I need to configure on the local firewall, and what I should do to the VPN server (Cisco PIX 506E).

Thanks a lot!

Regards,

Leo

4 Replies

grant.maynard
Level 4

I think the behaviour is rather dependent on PIX version.

What user authentication is the remote PIX using? I tried this with PIX 6.3 and VPN Client 4.6 and found that the Cisco client from two PCs behind the same source IP does work unless both are using the same username from AD, in which case the first one is OK and the second one gets error 413 due to "simultaneous logins exceeded" from the DC (not reported to the user; it looks to the user like a password failure).

Results were different for VPN Client 3.6: the Cisco client from two PCs behind the same source IP did not work to PIX or VPN Concentrator - the second connection kicked the first one off.

Currently the version is Cisco PIX Firewall Version 6.3(5), and I am using Cisco VPN Client 4.6.00.0045.

The authentication on PIX is group authentication.

Now we have to static NAT the local machines outside the local firewall to have simultaneous access; it works, but not that well. I still wonder what I should do to the local firewall and VPN server (PIX).

Leo

Can you post your configuration - take out any sensitive info.

Jay

pkapoor
Level 3

This is an easy one.

Just make sure that on the PIX-506E you are connecting to, you have the command "isakmp nat-t".

Then make sure that the firewall behind which your VPN clients are is allowing the following:

1. Protocol ESP

2. UDP/500

3. UDP/4500

That's it.
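Why the second client knocks the first one off, and why wrapping ESP in UDP/4500 avoids it, as an added example that is not part of the original thread. It uses a simplified model of a many-to-one PAT firewall (an assumption, not the behaviour of any specific product); the class, function names and all IP addresses are constructed for illustration.

```python
# Simplified model of a many-to-one PAT firewall (assumption for illustration,
# not any specific product). All IP addresses below are constructed.
PIX_IP = "198.51.100.1"                  # remote PIX outside address
CLIENTS = ("10.0.0.11", "10.0.0.12")     # two VPN clients behind the firewall


class PatFirewall:
    def __init__(self):
        self.next_port = 20000
        self.udp_map = {}   # public source port -> (inside ip, inside port)
        self.esp_map = {}   # remote peer ip -> inside ip

    def outbound(self, src_ip, proto, dst_ip, sport=None):
        """Translate an outbound packet; return the public port (None for ESP)."""
        if proto == "udp":
            for pub, inside in self.udp_map.items():
                if inside == (src_ip, sport):
                    return pub           # existing translation
            pub, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[pub] = (src_ip, sport)
            return pub
        # ESP (IP protocol 50) carries no ports, so this model can key state
        # only on the peer: a second client replaces the first client's entry.
        self.esp_map[dst_ip] = src_ip
        return None

    def inbound(self, proto, src_ip, dport=None):
        """Return the inside host that a reply from src_ip is forwarded to."""
        if proto == "udp":
            entry = self.udp_map.get(dport)
            return entry[0] if entry else None
        return self.esp_map.get(src_ip)


def run(nat_t):
    """Both clients connect to the PIX; map each client to who gets its replies."""
    fw = PatFirewall()
    proto = "udp" if nat_t else "esp"    # NAT-T wraps ESP in UDP/4500
    ports = {c: fw.outbound(c, proto, PIX_IP, sport=4500 if nat_t else None)
             for c in CLIENTS}
    return {c: fw.inbound(proto, PIX_IP, dport=ports[c]) for c in CLIENTS}


if __name__ == "__main__":
    print("native ESP:", run(nat_t=False))
    print("NAT-T     :", run(nat_t=True))
```

With native ESP the first client's return traffic is delivered to the second client, which matches the symptom in the question; with UDP encapsulation each client keeps its own translation entry.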