Cisco PIX multiple Vpn connection!!!

Dec 3, 2002
Hi everyone out there, I desperately need help on this; I can't seem to figure it out.
I have a Cisco PIX firewall with VPN configured at the main office. When I am at a remote site (this site has a cable Internet connection) I can connect to the main office from my PC with the Cisco VPN client. But whenever I have another PC try to connect to the main office at the same time, it also works fine for about 10 minutes and then it seems to disconnect itself, even though the VPN client still shows that it is connected to the remote site; you cannot browse the network or access anything. The other PC is still connected and works fine. Then sometimes I get this message when I try to connect another PC to the main office while one PC is already connected: "the remote peer is no longer responding"....
Would someone out there help me? I would greatly appreciate it....

Thanx!
 
HI.

Please describe in more details the Internet connection, devices, and ip addressing at the remote site.

Is the cable modem doing NAT?
What is the ip address on the remote PC (registered or private)?
Can the remote VPN clients ping the pix outside interface, before initiating the VPN connection?
Try also "ping -t" and check the results.
Is there a transparent proxy in the way (ask the ISP)?
Go to this web site:
Do you get the same ip address as with winipcfg/ipconfig on the client?
What is the pix version?
What are the client OS, and the client VPN version?


Your problem is probably related to the network devices, configuration, or quality on the remote (client) side.

Possible solutions:
* Install a pix firewall at the remote side or use existing firewall/router at the remote side to configure a site to site VPN.
* Purchase a Cisco VPN server like the 3005 that can do "Transparent Tunneling" - IPSec over TCP/UDP.
* Purchase a Cisco hardware VPN client (3002) and install it at the remote site. This device can act as a proxy for VPN connections, so only a single tunnel will be created.

Yes, I know that all of those solutions are not for free, but I don't know of a way to solve it using existing devices.

You should try to contact the cable company about this, maybe their premier support can help you.

Try to use "debug" commands and syslog messages at the pix, and the "log viewer" at the VPN clients to look for more info.

Bye
Yizhar Hurwitz
 
HI Yizhar!
All my remote client PCs are behind NAT, going through a cable router with a public IP on the outside interface of the cable router provided by the ISP. All the client IPs are private IPs. Can these PCs establish VPN tunnels to the remote site?....
Thanx!
 
Hi YIZHAR
All my remote client PCs are behind NAT, going through a cable router with a public IP on the outside interface of the cable router provided by the ISP. All the client IPs are private IPs. Can these PCs establish VPN tunnels to the remote site?....
I mean all the PCs are NATed, and when they try to establish a VPN tunnel to the remote site, they have to go through the ISP-registered IP to get to the remote site. Can these PCs establish multiple VPN tunnels through the one public IP address which the ISP provided, or can only one tunnel be established at a time? Can you help me clarify this....

Thanx!
 
HI.

With the current configuration I don't think that it can work, and you have seen that in the field.

See the possible solutions I've posted before, and there are more alternate options, like:

* Install a Terminal Server at the main office, and allow access to it at the pix only from the ip of the cable modem.
This combined with strong passwords and OS can give you acceptable protection - but you should note that all other cable users that share the same registered ip are also able to connect to it.

I think that the best option for you is the most expensive one - purchase a Cisco VPN Concentrator 3005 for the main office, to overcome this problem with transparent tunneling, and give you more options to manage and control VPN access to your company network.

Bye
Yizhar Hurwitz
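The following is an added illustration of the point made in the two posts above (several VPN clients behind one shared public IP, and why "transparent tunneling", i.e. IPsec over UDP/TCP, gets around it). It is not code from this thread or from Cisco. It models a cable router doing port address translation (PAT) with no IPsec passthrough: inbound UDP can be matched on its destination port, but plain ESP (IP protocol 50) has no ports, so the gateway has nothing to tell two clients' tunnels apart and the second client's mapping overwrites the first. All addresses, SPIs and the port-allocation scheme are constructed for the example; the NAT-T port (UDP 4500) is the standard one.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50           # IP protocol number for ESP; ESP carries no transport ports
UDP = 17
NAT_T_PORT = 4500  # UDP port used for UDP-encapsulated ESP (NAT-T)

PIX_PUBLIC_IP = "203.0.113.1"      # constructed: main-office PIX outside address
ROUTER_PUBLIC_IP = "198.51.100.7"  # constructed: cable router's ISP-assigned IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for plain ESP (no ports)
    dport: Optional[int] = None
    spi: int = 0                 # ESP SPI, chosen by the packet's receiver


class PatGateway:
    """Simplified PAT gateway with no IPsec passthrough (an assumption about
    the cable router). Inbound UDP is matched on destination port; inbound
    ESP can only be matched on (protocol, peer) because it has no ports."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP:
            port = self.next_port
            self.next_port += 1
            self.table[(UDP, port)] = (pkt.src, pkt.sport)
            return Packet(self.public_ip, pkt.dst, UDP, port, pkt.dport, pkt.spi)
        # Plain ESP: the only key available is (ESP, peer). A second client
        # talking to the same peer overwrites the first client's entry.
        self.table[(ESP, pkt.dst)] = (pkt.src, None)
        return Packet(self.public_ip, pkt.dst, ESP, spi=pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (UDP, pkt.dport) if pkt.proto == UDP else (ESP, pkt.src)
        entry = self.table.get(key)
        if entry is None:
            return None  # no mapping: the gateway drops the packet
        priv_ip, priv_port = entry
        return Packet(pkt.src, priv_ip, pkt.proto, pkt.sport, priv_port, pkt.spi)


def simulate(udp_encapsulated: bool) -> Dict[int, Optional[str]]:
    """Two clients behind one PAT gateway each bring up a tunnel to the PIX;
    the PIX then replies to each with the SPI that client expects. Returns,
    per SPI, the private address the reply actually reached (None = dropped)."""
    gw = PatGateway(ROUTER_PUBLIC_IP)
    clients = {0x1111: "192.168.1.10", 0x2222: "192.168.1.11"}  # constructed
    translated: Dict[int, Packet] = {}
    delivered: Dict[int, Optional[str]] = {}
    # Phase 1: both clients send their first tunnel packet outbound.
    for spi, priv_ip in clients.items():
        if udp_encapsulated:
            pkt = Packet(priv_ip, PIX_PUBLIC_IP, UDP, NAT_T_PORT, NAT_T_PORT, spi)
        else:
            pkt = Packet(priv_ip, PIX_PUBLIC_IP, ESP, spi=spi)
        translated[spi] = gw.outbound(pkt)
    # Phase 2: the PIX answers each client at the address/port it saw.
    for spi, seen in translated.items():
        reply = Packet(PIX_PUBLIC_IP, seen.src, seen.proto, seen.dport, seen.sport, spi)
        inside = gw.inbound(reply)
        delivered[spi] = inside.dst if inside else None
    return delivered


if __name__ == "__main__":
    print("plain ESP:       ", simulate(udp_encapsulated=False))
    print("UDP-encapsulated:", simulate(udp_encapsulated=True))
```

With plain ESP both replies land on the client that connected last, so the first client's tunnel silently stops passing traffic while its VPN client still believes it is connected, which matches the symptom described at the top of the thread. With UDP encapsulation each tunnel has its own translated source port and both replies reach the right PC. Real cable routers differ (some track ESP by SPI as "IPsec passthrough"), so the failure mode should be confirmed with the PIX syslog and the client log viewer as suggested above rather than assumed.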
 
Thanx Yizhar! you are always there when we need you, much appreciated, Happy New Year to you and your family....
 
If you use Terminal Server, you can only gain access to it from any client with the TS client installed (unless the users are particularly clever!).

What ports do you need to enable on the Pix to get the remote computer to access the TS behind the Pix?
 