Network Security Firewalls

RE: 1 VPN client only through PIX

Subject: RE: 1 VPN client only through PIX
Date: Fri, 17 Sep 2004 11:42:30 +0100
Have you used ipsec nat translation on the concentrator?

You need to tell the terminating device traffic may have been natted.
You also need a fairly new version of IOS on both ends. Sorry to be
vague but I don't have my notes with me.

Andy

-----Original Message-----
From: Wozny, Scott (US - New York) [mailto:swozny@deloitte.com] 
Sent: 16 September 2004 15:42
To: Chris Tyler; firewalls@securityfocus.com
Subject: RE: 1 VPN client only through PIX

You can set up the concentrator to terminate IPSec tunnels encapsulated
in another PATable protocol but the key is to make sure the client
station is originating tunnels in that protocol too.  If I were in your
shoes the first thing I'd do is get a trace of the client attempting to
make a connection to make sure it really was IPSec inside UDP it was
using to make the requests.  

Alternatively, I'm not sure if the 506E is capable of it, but in a
situation like this I'd be tempted to set up a site to site tunnel to
avoid dealing with the headache of client software (unless you're in an
insecure operating environment like wireless or shared infrastructure).

Good luck,

Scott

-----Original Message-----
From: Chris Tyler [mailto:chris.tyler@inatpower.com] 
Sent: Wednesday, September 15, 2004 9:33 AM
To: firewalls@securityfocus.com
Subject: 1 VPN client only through PIX


We have remote Cisco VPN clients 4.0.2, connecting through a PIX 506E
which is doing PAT, attaching to Cisco VPN concentrator. The first
client can connect fine but no other users can then connect and no
traffic is seen at the concentrator. I cannot access the remote PIX but
from what I have seen if you disconnect the client and wait for the
translate to clear another client can then connect. My assumption was/is
that this is an IPSec and PAT problem on the PIX. I therefore enabled
both IPsec over UDP and IPSec with NAT-T on the concentrator and had the
relevant ports on the PIX opened up however this does not appear to have
solved the problem.

Any ideas gratefully received.

Chris

Chris Tyler
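The trace check Scott recommends, as an added example that is not part of the thread and not Cisco's or anyone's tooling: a small Python script that reads tcpdump-style summary lines and sorts each inside client's traffic into raw ESP (IP protocol 50), IKE on UDP/500, NAT-T on UDP/4500, or Cisco-style IPsec over UDP on UDP/10000. Raw ESP carries an SPI but no port fields, so a PAT device has nothing per-client to rewrite once the first translation exists; that is the condition the script flags. The trace lines, the concentrator address 203.0.113.9 and the client addresses are all constructed for the example, and the UDP/10000 port is only the usual default for IPsec over UDP, so treat it as an assumption.

```python
"""Classify a tcpdump-style capture by IPsec transport (added example).

Answers the question from the thread: is the VPN client really sending
IPsec inside UDP, or raw ESP that a PAT device cannot multiplex?
"""
import re
from collections import defaultdict

# Constructed sample in tcpdump's summary format. All addresses are
# hypothetical; the concentrator is 203.0.113.9 and the PAT device's
# inside hosts are 10.1.1.x.
GATEWAY = "203.0.113.9"
SAMPLE_TRACE = """\
10:01:02.100 IP 10.1.1.5.500 > 203.0.113.9.500: isakmp: phase 1 I ident
10:01:02.150 IP 203.0.113.9.500 > 10.1.1.5.500: isakmp: phase 1 R ident
10:01:03.000 IP 10.1.1.5 > 203.0.113.9: ESP(spi=0x1a2b3c4d,seq=0x1)
10:01:03.200 IP 10.1.1.5 > 203.0.113.9: ESP(spi=0x1a2b3c4d,seq=0x2)
10:02:10.000 IP 10.1.1.6.500 > 203.0.113.9.500: isakmp: phase 1 I ident
10:02:11.000 IP 10.1.1.6 > 203.0.113.9: ESP(spi=0x5e6f7a8b,seq=0x1)
10:03:00.000 IP 10.1.1.7.500 > 203.0.113.9.500: isakmp: phase 1 I ident
10:03:01.000 IP 10.1.1.7.4500 > 203.0.113.9.4500: NONESP-encap: ESP(spi=0x9a8b7c6d,seq=0x1)
10:04:00.000 IP 10.1.1.8.500 > 203.0.113.9.500: isakmp: phase 1 I ident
10:04:01.000 IP 10.1.1.8.10000 > 203.0.113.9.10000: UDP, length 132
10:05:00.000 IP 10.1.1.9.51234 > 203.0.113.50.80: Flags [S], seq 1, win 64240, length 0
10:05:01.000 ARP, Request who-has 10.1.1.1 tell 10.1.1.9, length 28
"""

# Matches "<ts> IP src[.sport] > dst[.dport]: rest"; ESP lines have no ports.
LINE_RE = re.compile(
    r"^\S+\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

IKE_PORT = 500           # ISAKMP/IKE
NAT_T_PORT = 4500        # RFC 3947/3948 UDP encapsulation (NAT-T)
CISCO_UDP_PORT = 10000   # assumed default for "IPsec over UDP"


def classify(line):
    """Return (src, dst, transport) or None for lines that are not IPsec/IKE.

    transport is one of 'ike', 'esp-raw', 'nat-t', 'ipsec-over-udp'.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = (
        m.group(k) for k in ("src", "sport", "dst", "dport", "rest")
    )
    # No port fields at all and an ESP decode: native ESP, IP protocol 50.
    if sport is None and rest.startswith("ESP("):
        return src, dst, "esp-raw"
    if sport is not None and dport is not None:
        port = int(dport)
        if port == IKE_PORT and "isakmp" in rest:
            return src, dst, "ike"
        if port == NAT_T_PORT:
            return src, dst, "nat-t"
        if port == CISCO_UDP_PORT:
            return src, dst, "ipsec-over-udp"
    return None


def summarize(trace, gateway):
    """Map each inside client to the set of transports it sends to gateway.

    Only client-to-gateway lines count, so the concentrator's own replies
    do not show up as a 'client'.
    """
    per_client = defaultdict(set)
    for line in trace.splitlines():
        hit = classify(line)
        if hit and hit[1] == gateway:
            per_client[hit[0]].add(hit[2])
    return dict(per_client)


def raw_esp_clients(summary):
    """Clients whose data traffic is raw ESP, sorted. Two or more of these
    behind one PAT address cannot be told apart by port, which matches the
    one-client-at-a-time symptom described in the thread."""
    return sorted(ip for ip, transports in summary.items() if "esp-raw" in transports)


if __name__ == "__main__":
    summary = summarize(SAMPLE_TRACE, GATEWAY)
    for ip, transports in sorted(summary.items()):
        print(f"{ip}: {', '.join(sorted(transports))}")
    raw = raw_esp_clients(summary)
    if len(raw) > 1:
        print("raw ESP from several inside hosts (PAT cannot separate them):", ", ".join(raw))
```

Run against the constructed sample it reports 10.1.1.5 and 10.1.1.6 as raw-ESP senders, while 10.1.1.7 (NAT-T) and 10.1.1.8 (IPsec over UDP) carry their ESP inside UDP, where PAT has a source port per client to rewrite. On a real capture (for instance tcpdump -n on the inside interface during a failed connection attempt) the interesting case is exactly the one in the thread: the concentrator is configured for UDP encapsulation, yet the second client still shows up as raw ESP, which points at the client profile rather than the concentrator or the PIX.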

