RE: VPN3000 Client through NAT/PAT Problem

From: Jason T. Rohm (jtrohm@rohmtech.com)
Date: Mon Apr 25 2005 - 15:43:27 GMT-3


That is correct in the case of PAT, but in the case of NAT you would have an actual public address for each internal client, so the ESP translation issue would be eliminated. This problem seems to occur even when using NAT, not just PAT. That is why I suspect there is a different cause, or maybe a quirk in the way the NAT pools work that is just escaping me right now.
 
Jason
 

        -----Original Message-----
        From: Sheahan, John [mailto:John.Sheahan@priceline.com]
        Sent: Mon 4/25/2005 1:29 PM
        To: Jason T. Rohm; ccielab@groupstudy.com
        Cc:
        Subject: RE: VPN3000 Client through NAT/PAT Problem
        
        

        My understanding is that the first connection works because ESP will
        work once through the first PAT address but not more than once. If you
        use IPSEC over TCP/UDP, it removes ESP from the equation and will work
        with PAT and NAT pools.
        
        -----Original Message-----
        From: Jason T. Rohm [mailto:jtrohm@rohmtech.com]
        Sent: Monday, April 25, 2005 2:22 PM
        To: Sheahan, John; ccielab@groupstudy.com
        Subject: RE: VPN3000 Client through NAT/PAT Problem
        
        Thanks. Unfortunately that doesn't fix my problem. I do not control the
        remote end and cannot use the UDP/TCP option.
        
        The part that I am having a really hard time with, is this: "Why does
        the first connection work?". If it is a matter of unique addresses,
        then why doesn't the NAT pool fix it?
        
        Jason
        
        
        -----Original Message-----
        From: Sheahan, John [mailto:John.Sheahan@priceline.com]
        Sent: Mon 4/25/2005 11:32 AM
        To: Jason T. Rohm; ccielab@groupstudy.com
        Cc:
        Subject: RE: VPN3000 Client through NAT/PAT Problem
        
        
        
                I ran into this exact same problem recently.
                I was forced to configure the client to use IPSec over UDP or TCP
                depending upon if the other end was allowing it or not. I tried both and
                got one to work since I had no way of knowing what the other end was
                running and I had no contact info. Cisco told me to allow both IPSec
                over tcp and udp on my concentrator as well to solve connectivity
                problems stemming from clients using PAT or overload pools.
               
                -----Original Message-----
                From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
                Jason T. Rohm
                Sent: Monday, April 25, 2005 11:44 AM
                To: ccielab@groupstudy.com
                Subject: VPN3000 Client through NAT/PAT Problem
               
                I am having a weird problem that I just can't seem to wrap my brain
                around today.
               
                I have a customer using the Cisco VPN3000 client in a conventional IPSec
                configuration. (Not IPSec over TCP or UDP). The endpoint is unknown, but
                it is not a VPN3000 concentrator. I suspect it is a PIX.
               
                The customer was having problems opening multiple sessions from behind his
                router. I suspected that it was related to doing PAT, so I configured a
                large pool of addresses so he could do conventional NAT. This did NOT
                fix the problem.
               
                I have confirmed that this is a router configuration problem by having
                the customer dial out and opening multiple sessions.
               
                The router in question is a Cisco831 running 12.3(8)T6, IP Plus IPSec
                3DES.
               
                The NAT pool was larger than the total internal systems, and was not
                configured with the "overload" option.
               
                The first attempt to open a connection always succeeds. However,
                attempts to open a second or third to the same end-point (from other
                machines) always fail.
               
                Anyone have some ideas and/or a reference URL?
               
                Thanks
               
                Jason
               
               
        _______________________________________________________________________
                Subscription information may be found at:
                http://www.groupstudy.com/list/CCIELab.html
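The thread turns on why raw ESP multiplexes badly through an overloaded (PAT) address while IPsec over UDP/TCP and a one-to-one NAT pool should not have that problem. The following toy model is an added example and is not code from the thread or from Cisco; the addresses, the `Translator` class and the `simulate()` helper are all constructed for illustration. It tracks outbound sessions the way a simple translator would: TCP/UDP flows are keyed on a translated port, but ESP (IP protocol 50) carries no port, so once one ESP session to a peer exists behind a PAT address the router has no way to tell a second client's return traffic apart. The model succeeds for the non-overloaded pool case, which matches the posters' expectation but does not reproduce the failure Jason saw on the 831 with a 1:1 pool; that is exactly the part of the thread left unexplained.

```python
"""Toy model of a NAT/PAT translator carrying IPsec client traffic.

Added example (not from the mailing-list thread). All IPs are
documentation-range addresses constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ESP = 50           # IP protocol number for ESP: no transport ports
UDP = 17
NAT_T_PORT = 4500  # UDP port used by IPsec over UDP (NAT-T)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None means the protocol has no ports (ESP)
    dport: Optional[int] = None


class Translator:
    """Outbound NAT for one outside pool; overload=True models PAT."""

    def __init__(self, pool: List[str], overload: bool) -> None:
        self.free = list(pool)
        self.overload = overload
        self.addr_map: Dict[str, str] = {}   # inside ip -> outside ip
        self.next_port = 1024
        # Keys the router can demultiplex return traffic on.
        self.sessions: Set[Tuple[int, str, str, Optional[int]]] = set()

    def outside_addr(self, inside: str) -> Optional[str]:
        """Pick (or reuse) the outside address for an inside host."""
        if inside in self.addr_map:
            return self.addr_map[inside]
        if self.overload:
            out = self.free[0]          # every host shares one overloaded address
        elif self.free:
            out = self.free.pop(0)      # 1:1 pool: each host gets its own address
        else:
            return None                 # pool exhausted
        self.addr_map[inside] = out
        return out

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if the session can't be tracked."""
        out = self.outside_addr(pkt.src)
        if out is None:
            return None
        if pkt.sport is None:
            # Portless protocol: the only return-path key is (proto, outside, peer).
            key = (pkt.proto, out, pkt.dst, None)
            if key in self.sessions:
                return None             # second ESP session to the same peer: ambiguous
            self.sessions.add(key)
            return Packet(pkt.proto, out, pkt.dst)
        port = pkt.sport
        if self.overload:
            port = self.next_port       # PAT rewrites the source port, so flows stay distinct
            self.next_port += 1
        self.sessions.add((pkt.proto, out, pkt.dst, port))
        return Packet(pkt.proto, out, pkt.dst, port, pkt.dport)


def simulate(clients: List[str], peer: str, pool: List[str],
             overload: bool, encapsulate: bool) -> Dict[str, bool]:
    """Open one tunnel per client to the same peer; True means it was translated."""
    nat = Translator(pool, overload)
    results: Dict[str, bool] = {}
    for client in clients:
        if encapsulate:
            pkt = Packet(UDP, client, peer, NAT_T_PORT, NAT_T_PORT)  # IPsec over UDP
        else:
            pkt = Packet(ESP, client, peer)                          # conventional ESP
        results[client] = nat.translate(pkt) is not None
    return results


if __name__ == "__main__":
    clients = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # constructed inside hosts
    peer = "203.0.113.5"                                 # constructed VPN endpoint
    print("ESP via PAT:      ", simulate(clients, peer, ["198.51.100.1"], True, False))
    print("ESP via 1:1 pool: ", simulate(clients, peer,
          ["198.51.100.1", "198.51.100.2", "198.51.100.3"], False, False))
    print("NAT-T via PAT:    ", simulate(clients, peer, ["198.51.100.1"], True, True))
```

Running it shows only the first ESP client succeeding through PAT, all three succeeding through the 1:1 pool, and all three succeeding through PAT once the traffic is UDP-encapsulated. Real IOS with IPsec pass-through keeps more state than this model (for instance tracking ESP by SPI), so it is the explanation in the thread, not a reproduction of the 831's behaviour.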



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:08 GMT-3