VPN Clients with One outside IP Address


userice (Technical User, US), Oct 24, 2002
Hi,
My company has three locations. Two locations have a site-to-site VPN set up. The third location has two workstations, and we are currently using VPN clients. Both PCs are behind a D-Link firewall. The problem is, I can't have both PCs connect to the main office's PIX. I guess the problem is that there is only one outside IP address. Does that mean I have to set up a site-to-site VPN? Is there a better way to avoid getting another PIX?

Thank you
 
If I'm understanding you correctly, that is not your problem. The PIX can accept multiple VPN connections from outside addresses. Can you share the error message you're getting, and post your config(s)? (remove passwords, etc.)
 
PIX(A) at location 1 (IOS 6.22)
PIX(B) at location 2 (IOS 6.22)

My PIX (A) can receive multiple VPN connections (I think).
PIX(A) and PIX(B) have a site-to-site VPN, and it works.
My 3rd location does not have a PIX. We have a D-Link FW/router, and we have two computers that need to connect to a server at location 1 via VPN. It only allows one PC to connect to PIX(A). If we connect both PCs to the PIX, one will get disconnected. There are no error messages...
 
HI.

> I guess the problem was because there was only one outside IP
Yes, the D-Link router does PAT, and this is the cause of the problem. The D-Link probably has an IPSec passthrough option, but it is limited to a single IPSec tunnel for technical reasons.

> Is there a better way to avoid getting another PIX
You can choose one of several solutions; here are some:

* Purchasing a PIX 501 and creating an additional site-to-site tunnel is a good solution because it makes your network more "unified", and a site-to-site solution helps the sysadmin at the main office support the remote clients using remote control applications, because site-to-site is bidirectional.

* Maybe you can establish site-to-site with the D-Link. Have you checked that option?

* If you upgrade the main office PIX A to OS version 6.3(1), then you can use the new "NAT traversal" option.
With that option enabled, you may be able to overcome the shared IP and PAT problem.
However, this is a new feature of the PIX that has not yet proven stable.
(If someone reading this post has field experience with NAT-Traversal and PIX 6.3x, please share your comments.)

* You can do without VPN by using access lists. Install a terminal server or similar remote control solution at the main office, and open the required ports for the source IP address of the remote clients (if they have a fixed IP).

* There are other possible solutions, but I'm out of additional ideas for now.


Yizhar Hurwitz
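The "technical reason" behind the single-tunnel limit is that ESP (IP protocol 50) carries no transport-layer ports, so a PAT router has nothing to distinguish two inside hosts' return traffic from the same peer; NAT-T (RFC 3948) wraps ESP in UDP/4500, which PAT can translate per host. The following is an added illustration, not code from this thread or from Cisco or D-Link: it is a constructed toy model of a PAT router with a naive "last sender wins" ESP passthrough, run once with plain ESP and once with UDP-encapsulated ESP. All addresses, the port-allocation scheme and the passthrough behaviour are assumptions of the model, not a description of any real D-Link firmware.

```python
"""Toy model: why PAT passes only one plain-ESP tunnel, and how NAT-T avoids it.

Constructed example. Addresses and the router's internal tables are invented
for illustration; real NAT devices differ (some track the ESP SPI).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50           # IP protocol number for ESP: no ports to translate
UDP = 17
NAT_T_PORT = 4500  # UDP port used for NAT-T encapsulated ESP (RFC 3948)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP, which has no ports
    dport: Optional[int] = None
    payload: str = ""


class PatRouter:
    """Simplified PAT device with a one-host ESP passthrough (assumed behaviour)."""

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.next_port = 40000
        self.port_table: Dict[int, Tuple[str, int]] = {}        # outside port -> (inside ip, port)
        self.inside_to_port: Dict[Tuple[str, int], int] = {}    # (inside ip, port) -> outside port
        self.esp_table: Dict[str, str] = {}                     # peer ip -> inside ip (last sender)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            # No ports to rewrite: only the source IP changes, and the router can
            # only remember one inside host per outside peer for the return path.
            self.esp_table[pkt.dst] = pkt.src
            return Packet(self.outside_ip, pkt.dst, ESP, payload=pkt.payload)
        # UDP: give every inside (ip, port) pair its own outside port.
        inside = (pkt.src, pkt.sport)
        tport = self.inside_to_port.get(inside)
        if tport is None:
            tport = self.next_port
            self.next_port += 1
            self.inside_to_port[inside] = tport
            self.port_table[tport] = inside
        return Packet(self.outside_ip, pkt.dst, UDP, tport, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == ESP:
            inside_ip = self.esp_table.get(pkt.src)
            if inside_ip is None:
                return None
            return Packet(pkt.src, inside_ip, ESP, payload=pkt.payload)
        inside = self.port_table.get(pkt.dport)
        if inside is None:
            return None
        inside_ip, inside_port = inside
        return Packet(pkt.src, inside_ip, UDP, pkt.sport, inside_port, pkt.payload)


def simulate(use_nat_t: bool) -> Dict[str, Optional[str]]:
    """Two PCs behind one PAT address talk to a PIX; return intended -> actual recipient
    of the PIX's reply for each PC."""
    router = PatRouter("198.51.100.7")          # the single outside address (constructed)
    pix = "203.0.113.1"                         # main office PIX (constructed)
    pcs = ["192.168.0.10", "192.168.0.11"]
    on_wire: Dict[str, Packet] = {}
    for pc in pcs:
        if use_nat_t:
            pkt = Packet(pc, pix, UDP, NAT_T_PORT, NAT_T_PORT, payload=f"hello from {pc}")
        else:
            pkt = Packet(pc, pix, ESP, payload=f"hello from {pc}")
        on_wire[pc] = router.outbound(pkt)
    result: Dict[str, Optional[str]] = {}
    for pc, wire in on_wire.items():
        # The PIX answers to whatever source address/port it saw on the wire.
        reply = Packet(pix, wire.src, wire.proto, wire.dport, wire.sport, payload=f"reply for {pc}")
        delivered = router.inbound(reply)
        result[pc] = delivered.dst if delivered else None
    return result


if __name__ == "__main__":
    print("plain ESP :", simulate(use_nat_t=False))   # both replies land on the last PC
    print("NAT-T UDP :", simulate(use_nat_t=True))    # each PC gets its own reply
```

With plain ESP both replies are handed to the PC that sent most recently, which is exactly the "one will get disconnected" symptom in the thread; with UDP encapsulation the PAT table keys on the translated port and each PC's tunnel survives. On the PIX side, the option the post refers to is enabled in 6.3 with `isakmp nat-traversal` (with an optional keepalive interval in seconds), and the VPN client must also support NAT-T for the UDP encapsulation to be negotiated.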
 