RE: VPN3000 Client through NAT/PAT Problem

From: Sheahan, John (John.Sheahan@priceline.com)
Date: Mon Apr 25 2005 - 13:32:37 GMT-3


I ran into this exact same problem recently.
I was forced to configure the client to use IPSec over UDP or TCP,
depending upon whether the other end was allowing it or not. I tried both and
got one to work, since I had no way of knowing what the other end was
running and I had no contact info. Cisco told me to allow both IPSec
over TCP and UDP on my concentrator as well, to solve connectivity
problems stemming from clients using PAT or overload pools.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason T. Rohm
Sent: Monday, April 25, 2005 11:44 AM
To: ccielab@groupstudy.com
Subject: VPN3000 Client through NAT/PAT Problem

I am having a weird problem that I just can't seem to wrap my brain
around today.
 
I have a customer using the Cisco VPN3000 client in a conventional IPSec
configuration. (Not IPSec over TCP or UDP). The endpoint is unknown, but
it is not a VPN3000 concentrator. I suspect it is a PIX.
 
The customer was having problems opening multiple sessions from behind his
router. I suspected that it was related to doing PAT, so I configured a
large pool of addresses so he could do conventional NAT. This did NOT
fix the problem.
 
I have confirmed that this is a router configuration problem by having
the customer dial out and opening multiple sessions.
 
The router in question is a Cisco 831 running 12.3(8)T6, IP Plus IPSec
3DES.
 
The NAT pool was larger than the total internal systems, and was not
configured with the "overload" option.
 
The first attempt to open a connection always succeeds. However,
attempts to open a second or third session to the same end-point (from other
machines) always fail.
 
Anyone have some ideas and/or a reference URL?
 
Thanks
 
Jason
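The mechanism behind the PAT advice in the reply above, as an added illustration that is not code from this thread or from Cisco: a toy NAT table that translates UDP by port and plain ESP by nothing better than the peer address, because ESP carries no ports and the SPI the peer will use on the return path is negotiated inside encrypted IKE. Two inside hosts open tunnels to the same peer; with plain ESP only the first host gets its return traffic, and with ESP wrapped in UDP ("IPSec over UDP", NAT-T on port 4500) both do. Addresses, ports and SPIs are constructed, the PAT model is simplified and does not reproduce the IOS NAT code, and it does not account for the non-overloaded pool case Jason reports.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"    # constructed: the router's outside (PAT) address
PEER = "198.51.100.10"       # constructed: the remote IPsec gateway


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "esp"
    src: str
    dst: str
    sport: int = 0      # UDP only
    dport: int = 0      # UDP only
    spi: int = 0        # ESP only (the SPI chosen by the receiver of the packet)


@dataclass
class PatTable:
    """Many inside hosts share PUBLIC_IP ('overload' / PAT)."""
    next_port: int = 40000
    udp_out: dict = field(default_factory=dict)    # (src, sport, dst, dport) -> public port
    udp_in: dict = field(default_factory=dict)     # public port -> (inside src, sport)
    esp_owner: dict = field(default_factory=dict)  # peer address -> inside host

    def outbound(self, p: Packet) -> Packet:
        if p.proto == "udp":
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.udp_out:
                self.udp_out[key] = self.next_port
                self.udp_in[self.next_port] = (p.src, p.sport)
                self.next_port += 1
            return Packet("udp", PUBLIC_IP, p.dst, self.udp_out[key], p.dport)
        # ESP carries no ports. The SPI on an outbound packet was chosen by the
        # peer; the SPI the peer will use on the way back was chosen by the
        # inside host inside encrypted IKE, so this simple PAT can only bind
        # "this peer <-> the first inside host that talked to it".
        self.esp_owner.setdefault(p.dst, p.src)
        return Packet("esp", PUBLIC_IP, p.dst, spi=p.spi)

    def inbound(self, p: Packet):
        """Return the un-translated packet, or None if it must be dropped."""
        if p.proto == "udp":
            owner = self.udp_in.get(p.dport)
            if owner is None:
                return None
            src, sport = owner
            return Packet("udp", p.src, src, p.sport, sport)
        host = self.esp_owner.get(p.src)
        if host is None:
            return None
        return Packet("esp", p.src, host, spi=p.spi)


def simulate_two_clients(encapsulate: bool) -> dict:
    """Two inside hosts open IPsec tunnels to the same PEER through one PAT.

    encapsulate=True models 'IPSec over UDP' (ESP wrapped in UDP/4500).
    Returns {inside host: whether its return traffic reached it}.
    """
    nat = PatTable()
    # constructed: (inbound SPI the client chose, outbound SPI the peer assigned)
    clients = {"192.168.1.10": (0x1001, 0x9001), "192.168.1.11": (0x1002, 0x9002)}
    delivered = {}
    for host, (my_spi, peer_spi) in clients.items():
        if encapsulate:
            out = nat.outbound(Packet("udp", host, PEER, 4500, 4500))
            # the peer answers to whatever public port it saw
            reply = Packet("udp", PEER, PUBLIC_IP, 4500, out.sport)
        else:
            nat.outbound(Packet("esp", host, PEER, spi=peer_spi))
            # the peer answers with the SPI this client chose, to the public address
            reply = Packet("esp", PEER, PUBLIC_IP, spi=my_spi)
        back = nat.inbound(reply)
        delivered[host] = back is not None and back.dst == host
    return delivered


if __name__ == "__main__":
    print("plain ESP through PAT:", simulate_two_clients(encapsulate=False))
    print("ESP in UDP/4500 through PAT:", simulate_two_clients(encapsulate=True))
```

The UDP table has a distinct public port per inside host, so the peer's replies can be demultiplexed; the ESP table has only the peer address to key on, which is why the second client to the same end-point silently loses its return traffic rather than failing at connection time.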



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:08 GMT-3