
Enabling more than one VPN connection per IP

I have several users at a remote site using SBC DSL. They VPN into my network via the Cisco VPN client. I use a Cisco 3000 VPN Concentrator here on the network. When a user VPNs into the network, the concentrator kicks the currently VPN'd user off the connection. I can see from the Concentrator's event log that all the users come into the Concentrator with the same IP, which is the gateway for the SBC DSL connection. Is there any way to enable more than one connection per IP on the concentrator? I desperately need all the users to be able to VPN in at will.
Asked: cheesebugah

119support commented:
Why not just put another firewall on that remote site and set up an IPSEC tunnel between the two locations? This way, there is a constant secure connection between both offices.

cheesebugah (Author) commented:
Yeah, that's nice, but what does that do for the problem on the Cisco VPN Concentrator? I have DHCP enabled on the concentrator, pointing to our DHCP server, thinking it would acquire inside addresses from our DHCP server, but it's not. Are you talking about bypassing the concentrator and going straight through our PIX firewall? I'm not sure I understand what that would do to solve the single (gateway) IP the DSL ISP is translating to, which shows up on my Concentrator.

cheesebugah (Author) commented:
OKAY!!!!!! I can see no one gives a sh** about this one.

After researching the configurations on the Concentrator, it appears that I can set up a LAN-to-LAN connection with an IPSec/VPN device on the remote site. I suppose I'll purchase a PIX 501 and attempt to implement it. Is there any feedback at all on this solution? Maybe some pointers on the configurations would be helpful.

Thanks,
Cheese

cheesebugah (Author) commented:
A colleague of mine suggested I enable NAT Traversal on the client and the concentrator. That did the trick. Thanks, I think?
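The NAT Traversal fix above works for a reason worth seeing rather than taking on faith: plain ESP (IP protocol 50) carries no transport ports, so a port-translating NAT such as the SBC DSL router has nothing but the destination address and protocol to key a mapping on, and every client at the site collides on that one entry. NAT-T wraps ESP in UDP on port 4500, which gives the NAT a distinct source port per client. The simulation below is an added example, not code from the thread, from Cisco or from SBC; the addresses are constructed, and the NAT is a deliberately simplified port-translating model that does not attempt SPI-based ESP tracking (which some gateways do implement as "IPsec passthrough").

```python
"""Simulate one site's NAT carrying several IPsec clients to one concentrator,
with and without NAT-T (UDP encapsulation of ESP, RFC 3948)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONCENTRATOR_IP = "198.51.100.5"   # constructed: the VPN 3000's public address
GATEWAY_IP = "203.0.113.10"        # constructed: the SBC DSL router's public address
IPPROTO_ESP = 50
IPPROTO_UDP = 17
NAT_T_PORT = 4500                  # UDP port used by NAT-T


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # None for ESP, which has no transport header
    dst_port: Optional[int] = None


class PortNat:
    """Minimal port-translating NAT keyed on what it can see in the packet.
    Simplified model: no SPI tracking for ESP, no mapping timeouts."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        # outside-side key -> (inside ip, inside port)
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and record the mapping."""
        if pkt.src_port is None:
            # No ports: the only key available is (dst_ip, proto), so every
            # client talking to the same concentrator shares one slot and the
            # newest client's mapping silently replaces the previous one.
            key = (pkt.dst_ip, pkt.proto)
            self.table[key] = (pkt.src_ip, None)
            return Packet(self.public_ip, pkt.dst_ip, pkt.proto)
        # With ports the NAT can allocate a fresh outside port per client.
        port = self._next_port
        self._next_port += 1
        key = (pkt.dst_ip, pkt.proto, port)
        self.table[key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pkt.dst_ip, pkt.proto, port, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside reply; None if no mapping exists."""
        if pkt.dst_port is None:
            key = (pkt.src_ip, pkt.proto)
        else:
            key = (pkt.src_ip, pkt.proto, pkt.dst_port)
        inside = self.table.get(key)
        if inside is None:
            return None
        ip, port = inside
        return Packet(pkt.src_ip, ip, pkt.proto, pkt.src_port, port)


def connect_clients(inside_ips: List[str], nat_t: bool) -> List[str]:
    """Bring up one tunnel per client and return which clients the
    concentrator's replies can still reach afterwards."""
    nat = PortNat(GATEWAY_IP)
    outside_pkts = []
    for ip in inside_ips:
        if nat_t:
            pkt = Packet(ip, CONCENTRATOR_IP, IPPROTO_UDP, NAT_T_PORT, NAT_T_PORT)
        else:
            pkt = Packet(ip, CONCENTRATOR_IP, IPPROTO_ESP)
        outside_pkts.append(nat.outbound(pkt))

    reachable: List[str] = []
    for out in outside_pkts:
        # The concentrator answers to whatever it saw: swap src/dst (and ports).
        reply = Packet(out.dst_ip, out.src_ip, out.proto, out.dst_port, out.src_port)
        delivered = nat.inbound(reply)
        if delivered is not None and delivered.dst_ip not in reachable:
            reachable.append(delivered.dst_ip)
    return reachable


if __name__ == "__main__":
    site = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]  # constructed LAN hosts
    print("plain ESP :", connect_clients(site, nat_t=False))   # only the last client
    print("with NAT-T:", connect_clients(site, nat_t=True))    # all three clients
```

Without NAT-T the third client's mapping overwrites the first two and only it stays reachable, which is the "kicked off" behaviour the question describes; with NAT-T each client keeps its own port mapping. The concentrator still sees one public source address either way, so the fix is on the transport, not on the address, which is why the thread's first instinct (per-IP limits on the concentrator) did not lead anywhere.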
 
119support commented:
"After researching the configurations on the Concentrator, it appears that I can set up a LAN-to-LAN connection with an IPSec/VPN device on the remote site.  I suppose I'll purchase a PIX 501 and attempt to implement it. "

That's what I said... and that would have fixed your problem, and done a much better job than using client connections.

A rule of thumb that I like to use: VPN client connections are for mobile computers only. If you are doing site-to-site, create a constant IPsec tunnel between gateways.


cheesebugah (Author) commented:
119support,

When I get the PIX firewall set up, will leaving the NAT-T in place affect anything?

Thanks,
Cheese

119support commented:
Your config is internet -> SBC Router (doing NAT) -> Cisco VPN concentrator

Is that right?

It shouldn't, but just in case it does, we will need to look at what your SBC router is doing. Is your SBC configured to port-forward VPN traffic to the Cisco, or is the Cisco sitting in a DMZ behind the router?


cheesebugah (Author) commented:
The Concentrator is here in the main office behind our main office gateway router. The remote site will be Internet -> SBC Router -> 501 PIX Firewall -> Clients. The SBC router is currently doing NAT and DHCP. However, I can do both of those through the 501 PIX, I think, and disable them on the SBC router. It will simply act as a gateway. I believe that is how it will work anyway.

119support commented:
Yes, that is how it should work.

The SBC router shouldn't do anything but act as a gateway.  We call it "bridge" mode.


119support commented:
Well, to clarify, bridge mode is when the SBC router acts just like a modem and passes the signal to the 501. We do this a lot with DSL. Gateway would mean that the SBC router has both a public WAN address and then the first address in your block of statics on its LAN side.


cheesebugah (Author) commented:
Gotcha!

Thanks