Multiple VPN connections from same site 1

[nogarap]

Hi,
First time I've used the PIX forum. Hope some PIX expert can help us clarify the situation. At our main office, we have a PIX-515. We have 2 users at a branch office. They have a DSL line there, and connect to the main office through VPN, using the built in XP VPN client. At the branch office, they're using a Netgear DG834, and NATted IP addresses. Only 1 user can connect through VPN at the same time, but they're hoping to increase the number of remote users at this branch office to 4.
Originally, I thought the 1 user limitation was due to the Netgear router, but after looking at the Netgear site, I think the router is capable, but we need to have NAT traversal detection enabled on the VPN gateway (ie the PIX) See

http://kbserver.netgear.com/kb_web_files/n101581.asp

I did a bit more googling and what things seem to suggest is that the PIX-515 does support it, but for some reason Cisco haven't enabled it out of the box. (See

http://osdir.com/ml/security.vpn/2005-11/msg00022.html

)
What I'd like to know is if anybody has any experience of making this change? From what I've read, it's a matter of running "isakmp nat-traversal" , and possibly/probably opening UDP port 4500, which doesn't sound that difficult.
Many thanks in advance
Gaz

 

[garnetbobcat]

Yup, that's all you need to do.

As you say, you need to make sure that UDP 4500 is open between the clients and the PIX. You don't need to open UDP 4500 on the PIX unless the clients are connecting to something behind the PIX.

Matt
CCIE Security

http://www.wr-mem.com

 

[nogarap]

Nice one Matt, thanks for the speedy reply

 

[nogarap]

Matt aka garnetbobcat,
I looked at your website, and saw you completed your lab test last week. Congrats on that, you must be happy and very tired!

 

[garnetbobcat]

Yup! That pretty much sums it up.

Matt
CCIE Security

http://www.wr-mem.com