VPN - VPN users behind a firewall

srp336@getcoactive.com

2005-01-05, 5:45 pm

I've got two users trying to hit our VPN concentrator (Cisco 3005) from
behind some sort of firewall. I'm not sure yet of the details of the
firewall, but I'm trying to find that out.

These two users cannot be connected at the same time.

They're both making PPTP connections to us with the built-in W2K
client. It looks like from the logs, the first one succeeds and the
second one gets a "denied -- already established" message. Both users
behind the firewall have the same external IP. Is this what's causing
the second connection to be denied?

What's the simplest way to allow both these users to connect at the
same time?

Thanks!

Woody

2005-01-05, 5:45 pm

No two users can have the same IP address. Get a second IP.


<srp336@getcoactive.com> wrote in message
news:1104960769.560560.54360@f14g2000cwb.googlegroups.com...
> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?
>
> Thanks!
>



Leythos

2005-01-05, 5:45 pm

In article <1104960769.560560.54360@f14g2000cwb.googlegroups.com>,
srp336@getcoactive.com says...
> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?


It would be about impossible for two users behind a router using the
same public IP address to make a PPTP connection to the same server at
the same time.

In addition to that, many of the cheap routers only support one PPTP
pass through connection at a time.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Mike Drechsler - SPAM PROTECTED EMAIL

2005-01-05, 5:45 pm

srp336@getcoactive.com wrote:
> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?
>
> Thanks!
>


Many routers only allow a single PPTP connection to be active to the
same VPN endpoint at a time. It's also hard to find out which routers
have an application level gateway that supports multiple connections to
the same VPN endpoint but they are out there. Also they may be able to
upgrade the firmware on their router to support this ability if the
vendor has an upgrade available.

But the problem, it would seem, is not really yours; just tell them that
the remote firewall is the problem and let the owner of that device deal
with it.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Kirk Goins

2005-01-05, 8:45 pm

If these users are constantly needing access then maybe a site-to-site
connection is needed. Maybe add a PIX501 (or your pick of many others)
at their end.

Woody wrote:

> No two users can have the same IP address. Get a second IP.
>
>
> <srp336@getcoactive.com> wrote in message
> news:1104960769.560560.54360@f14g2000cwb.googlegroups.com...

Michael J. Pelletier

2005-01-05, 8:45 pm

Are you using NAT?

srp336@getcoactive.com wrote:

> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?
>
> Thanks!


Michael J. Pelletier

2005-01-05, 8:45 pm

You might want to get around this by checking out VPN tunneling. Instead of
each user having their own VPN connection, make a site-to-site VPN
tunnel...

Michael

srp336@getcoactive.com wrote:

> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?
>
> Thanks!


John C. Ring, Jr.

2005-01-06, 5:45 pm

In article <MPG.1c46315c7d10b02e989dff@news-server.columbus.rr.com>, Leythos <void@nowhere.lan> wrote:
>In article <1104960769.560560.54360@f14g2000cwb.googlegroups.com>,
>srp336@getcoactive.com says...
>
>It would be about impossible for two users behind a router using the
>same public IP address to make a PPTP connection to the same server at
>the same time.


Or stop using PPTP and change to IPsec and enable NAT-T.
Leythos

2005-01-06, 5:45 pm

In article <crjju8$nc3$1@usenet.switch.com>, jcring@switch.com says...
> In article <MPG.1c46315c7d10b02e989dff@news-server.columbus.rr.com>, Leythos <void@nowhere.lan> wrote:
>
> Or stop using PPTP and change to IPsec and enable NAT-T.


I bet that won't help when the same two users are behind the same
router. Most of the SOHO units have an IPSec & PPTP pass-through option,
but it can't handle more than one session at a time. Some of the newer
(higher end) units can handle two sessions.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Mike Drechsler - SPAM PROTECTED EMAIL

2005-01-06, 5:45 pm

Leythos wrote:
> In article <crjju8$nc3$1@usenet.switch.com>, jcring@switch.com says...
>
>
>
> I bet that won't help when the same two users are behind the same
> router. Most of the SOHO units have a IPSec & PPTP pass-through option,
> but it can't handle more than one session at a time. Some of the newer
> (higher end) units can handle two sessions.


I believe that when he said NAT-T he is implying NAT Traversal mode. If
the VPN server supports NAT Traversal then each connection gets assigned
a different port number so that NAT routers can easily do the address
translation for multiple users. This means that the NAT router does not
need an application level gateway for IPSEC to function with multiple
users. This mode is not part of standard IPSec so to use it you must
have a VPN server and client that can interoperate in this mode.

And it's not a function of only higher end units to handle two sessions.
There are cheap routers that can handle multiple PPTP sessions to the
same endpoint. I have a Netopia R3386-ENT that can handle multiple
sessions to the same endpoint. It cost only $100, and has its own
built-in IPSEC and PPTP VPN server capability. Hardly a high
end device but it works well. It all depends on the firmware and
support from the manufacturer. I bet there are high end devices that
won't pass multiple PPTP sessions to the same endpoint.


--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
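The NAT behaviour that Leythos and Mike describe above (a plain router passing only one PPTP session to a given endpoint, while an application level gateway or NAT-T lets several users through), as an added Python model that is not part of the thread or of any vendor's code. It relies on two facts the thread does not spell out: PPTP carries its tunnel data in GRE, which has no port numbers, only a call ID in the GRE header; and NAT-T wraps IPsec ESP in UDP (port 4500), which a NAT can multiplex by source port like any other UDP flow. The `Nat` and `Flow` classes, the host and endpoint addresses (RFC 5737 documentation ranges) and the choice of call IDs are all constructed for the example.

```python
"""Toy NAT model: why two PPTP clients behind one public IP collide,
while a PPTP ALG or NAT-T (ESP-in-UDP) lets both connect.
Constructed example; not the thread's or any vendor's code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CONCENTRATOR = "198.51.100.5"   # constructed: the office VPN endpoint
PUBLIC_IP = "203.0.113.7"       # constructed: the remote firewall's one public IP
HOSTS = ("192.168.1.10", "192.168.1.11")  # constructed: the two inside users


@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp", "udp" or "gre"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # TCP/UDP only
    dst_port: Optional[int] = None
    call_id: Optional[int] = None   # PPTP GRE only


class Nat:
    """Outbound NAT keeping a table of outside-facing keys -> inside flows."""

    def __init__(self, public_ip: str, pptp_alg: bool = False):
        self.public_ip = public_ip
        self.pptp_alg = pptp_alg
        self.next_port = 40000        # next free public source port
        self.next_call_id = 1         # next call ID the ALG hands out
        self.table: Dict[Tuple, Flow] = {}

    def translate(self, flow: Flow) -> Tuple:
        """Return the outside-facing key for this flow, or raise if it cannot
        be distinguished from a flow already in the table."""
        if flow.proto == "gre":
            if self.pptp_alg:
                # ALG rewrites the PPTP call ID, so each inside host is unique outside
                key = ("gre", self.public_ip, flow.dst_ip, self.next_call_id)
                self.next_call_id += 1
            else:
                # Plain NAT: GRE has no ports, so only the address pair is visible
                key = ("gre", self.public_ip, flow.dst_ip)
                existing = self.table.get(key)
                if existing is not None and existing.src_ip != flow.src_ip:
                    raise RuntimeError(
                        f"GRE to {flow.dst_ip} already mapped for {existing.src_ip}")
        else:
            # TCP/UDP: allocate a fresh public source port per inside flow
            key = (flow.proto, self.public_ip, self.next_port, flow.dst_ip, flow.dst_port)
            self.next_port += 1
        self.table[key] = flow
        return key


def pptp_sessions(nat: Nat, hosts) -> Dict[str, str]:
    """Each host opens the PPTP control channel (TCP 1723) then its GRE tunnel."""
    outcome = {}
    for i, host in enumerate(hosts):
        nat.translate(Flow("tcp", host, CONCENTRATOR, src_port=50000 + i, dst_port=1723))
        try:
            # Both Windows clients may well pick the same call ID (constructed: 1)
            nat.translate(Flow("gre", host, CONCENTRATOR, call_id=1))
            outcome[host] = "connected"
        except RuntimeError as err:
            outcome[host] = f"denied: {err}"
    return outcome


def natt_sessions(nat: Nat, hosts) -> Dict[str, str]:
    """Each host negotiates IKE (UDP 500) then sends ESP in UDP 4500 (NAT-T)."""
    outcome = {}
    for host in hosts:
        nat.translate(Flow("udp", host, CONCENTRATOR, src_port=500, dst_port=500))
        key = nat.translate(Flow("udp", host, CONCENTRATOR, src_port=4500, dst_port=4500))
        outcome[host] = f"connected via public port {key[2]}"
    return outcome


if __name__ == "__main__":
    print("plain NAT, PPTP:", pptp_sessions(Nat(PUBLIC_IP), HOSTS))
    print("NAT + PPTP ALG :", pptp_sessions(Nat(PUBLIC_IP, pptp_alg=True), HOSTS))
    print("plain NAT, NAT-T:", natt_sessions(Nat(PUBLIC_IP), HOSTS))
```

The second PPTP user fails only in the plain-NAT case, which matches the "already established" denial in the original post; the ALG and NAT-T cases both succeed, the latter because every ESP-in-UDP flow leaves the firewall with its own public source port and needs no protocol-specific help from the router.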
Leythos

2005-01-06, 5:45 pm

In article <TGgDd.290213$lR6.49876@news.easynews.com>, mike-newsgroup@-
DELETETHISPART-.upcraft.com says...
> And it's not a function of only higher end units to handle two sessions.
> There are cheap routers that can handle multiple PPTP sessions to the
> same endpoint. I have a Netopia R3386-ENT that can handle multiple
> sessions to the same endpoint. It cost only $100, and has its own
> built-in IPSEC and PPTP VPN server capability. Hardly a high
> end device but it works well. It all depends on the firmware and
> support from the manufacturer. I bet there are high end devices that
> won't pass multiple PPTP sessions to the same endpoint.


Yeah, I was thinking of the Linksys and D-Link units in the sub-$100
market. There is a Linksys BEFVP41 unit that will do it, and can
function as an IPSec end-point also, but most of the ones people
purchase are the cheap units ($50) and almost all of those won't do it.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
John C. Ring, Jr.

2005-01-06, 5:45 pm

In article <TGgDd.290213$lR6.49876@news.easynews.com>, Mike Drechsler - SPAM PROTECTED EMAIL <mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote:
>Leythos wrote:
> <void@nowhere.lan> wrote:
>
>I believe that when he said NAT-T he is implying NAT Traversal mode. If
>the VPN server supports NAT Traversal then each connection gets assigned
>a different port number so that NAT routers can easily do the address
>translation for multiple users. This means that the NAT router does not
>need an application level gateway for IPSEC to function with multiple
>users. This mode is not part of standard IPSec so to use it you must
>have a VPN server and client that can interoperate in this mode.


The original poster indicated he has a Cisco C3005 device. That device is
NAT-T capable. Also, I'm fairly certain that the Cisco VPN client, which
supports NAT-T, is no extra charge if the original poster's C3005 device is
under a support contract. The poster would, of course, need to contact Cisco
to verify that and gain access to download the client.

Copyright 2003 - 2008 webservertalk.com