VPN users behind a firewall

    VPN users behind a firewall  
srp336@getcoactive.com




 
01-05-05 10:45 PM

I've got two users trying to hit our VPN concentrator (Cisco 3005) from
behind some sort of firewall. I'm not sure yet of the details of the
firewall, but I'm trying to find that out.

These two users cannot be connected at the same time.

They're both making PPTP connections to us with the built-in W2K
client. It looks like from the logs, the first one succeeds and the
second one gets a "denied -- already established" message. Both users
behind the firewall have the same external IP. Is this what's causing
the second connection to be denied?

What's the simplest way to allow both these users to connect at the
same time?

Thanks!









    Re: VPN users behind a firewall  
Woody




 
01-05-05 10:45 PM

No two users can have the same IP address. Get a second IP.


<srp336@getcoactive.com> wrote in message
news:1104960769.560560.54360@f14g2000cwb.googlegroups.com...
> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?
>
> Thanks!
>










    Re: VPN users behind a firewall  
Leythos




 
01-05-05 10:45 PM

In article <1104960769.560560.54360@f14g2000cwb.googlegroups.com>,
srp336@getcoactive.com says...
> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?

It would be about impossible for two users behind a router using the
same public IP address to make a PPTP connection to the same server at
the same time.

In addition to that, many of the cheap routers only support one PPTP
pass through connection at a time.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)








    Re: VPN users behind a firewall  
Mike Drechsler - SPAM PROTECTED EMAIL




 
01-05-05 10:45 PM

srp336@getcoactive.com wrote:
> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?
>
> Thanks!
>

Many routers only allow a single PPTP connection to be active to the
same VPN endpoint at a time.  It's also hard to find out which routers
have an application level gateway that supports multiple connections to
the same VPN endpoint but they are out there.  Also they may be able to
upgrade the firmware on their router to support this ability if the
vendor has an upgrade available.

But the problem it would seem is not really yours, just tell them that
the remote firewall is the problem and let the owner of that device deal
with it.

--
WARNING!  Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)








    Re: VPN users behind a firewall  
Kirk Goins




 
01-06-05 01:45 AM

If these users are constantly needing access then maybe a site to site
connection is needed. Maybe add a PIX501 ( or your pick of many others )
at their end.

Woody wrote:

> No two users can have the same IP address. Get a second IP.
>
>
> <srp336@getcoactive.com> wrote in message
> news:1104960769.560560.54360@f14g2000cwb.googlegroups.com...
> 
>
>
>








    Re: VPN users behind a firewall  
Michael J. Pelletier




 
01-06-05 01:45 AM

Are you using NAT?

srp336@getcoactive.com wrote:

> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?
>
> Thanks!









    Re: VPN users behind a firewall  
Michael J. Pelletier




 
01-06-05 01:45 AM

You might want to get around this by checking out VPN tunneling. Instead of
each user having their own VPN connection, make a site-to-site VPN
tunnel...

Michael

srp336@getcoactive.com wrote:

> I've got two users trying to hit our VPN concentrator (Cisco 3005) from
> behind some sort of firewall. I'm not sure yet of the details of the
> firewall, but I'm trying to find that out.
>
> These two users cannot be connected at the same time.
>
> They're both making PPTP connections to us with the built-in W2K
> client. It looks like from the logs, the first one succeeds and the
> second one gets a "denied -- already established" message. Both users
> behind the firewall have the same external IP. Is this what's causing
> the second connection to be denied?
>
> What's the simplest way to allow both these users to connect at the
> same time?
>
> Thanks!









    Re: VPN users behind a firewall  
John C. Ring, Jr.




 
01-06-05 10:45 PM

In article <MPG.1c46315c7d10b02e989dff@news-server.columbus.rr.com>, Leythos <void@nowhere.lan> wrote:
>In article <1104960769.560560.54360@f14g2000cwb.googlegroups.com>,
>srp336@getcoactive.com says... 
>
>It would be about impossible for two users behind a router using the
>same public IP address to make a PPTP connection to the same server at
>the same time.

Or stop using PPTP and change to IPsec and enable NAT-T.








    Re: VPN users behind a firewall  
Leythos




 
01-06-05 10:45 PM

In article <crjju8$nc3$1@usenet.switch.com>, jcring@switch.com says...
> In article <MPG.1c46315c7d10b02e989dff@news-server.columbus.rr.com>, Leythos <void@nowhere.lan> wrote:
>
> Or stop using PPTP and change to IPsec and enable NAT-T.

I bet that won't help when the same two users are behind the same
router. Most of the SOHO units have an IPSec & PPTP pass-through option,
but it can't handle more than one session at a time. Some of the newer
(higher end) units can handle two sessions.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)








    Re: VPN users behind a firewall  
Mike Drechsler - SPAM PROTECTED EMAIL




 
01-06-05 10:45 PM

Leythos wrote:
> In article <crjju8$nc3$1@usenet.switch.com>, jcring@switch.com says...
> 
>
>
> I bet that won't help when the same two users are behind the same
> router. Most of the SOHO units have an IPSec & PPTP pass-through option,
> but it can't handle more than one session at a time. Some of the newer
> (higher end) units can handle two sessions.

I believe that when he said NAT-T he is implying NAT Traversal mode.  If
the VPN server supports NAT Traversal then each connection gets assigned
a different port number so that NAT routers can easily do the address
translation for multiple users.  This means that the NAT router does not
need an application level gateway for IPSEC to function with multiple
users.  This mode is not part of standard IPSec so to use it you must
have a VPN server and client that can interoperate in this mode.

And it's not a function of only higher end units to handle two sessions.
There are cheap routers that can handle multiple PPTP sessions to the
same endpoint.  I have a Netopia R3386-ENT that can handle multiple
sessions to the same endpoint.  It cost only $100, and has its own
built in IPSEC and PPTP VPN server capability built in.  Hardly a high
end device but it works well.  It all depends on the firmware and
support from the manufacturer.  I bet there are high end devices that
won't pass multiple PPTP sessions to the same endpoint.


--
WARNING!  Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
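
The NAT behaviour discussed in this thread, as an added example that is not part of any poster's message: a toy model of why a port-translating router can map only one raw GRE or ESP flow per remote endpoint, and why a Call ID-aware gateway or UDP-encapsulated NAT-T removes the clash. The `Nat` class, the mode names and all addresses are constructed for illustration and do not reproduce any vendor's logic.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy port-address-translating router with one public IP (a model, not vendor logic)."""
    pptp_alg: bool = False      # True: gateway tracks the PPTP Call ID carried in the GRE header
    next_id: int = 40000        # next free public source port / Call ID
    table: dict = field(default_factory=dict)   # reply-matching key -> inside host

    def outbound(self, proto, inside_ip, server_ip, dst_port=None):
        """Map one outbound flow; return the key replies are matched on, or None on a clash."""
        if proto in ("tcp", "udp") or (proto == "gre" and self.pptp_alg):
            # A rewritable per-flow field exists: give this flow a unique public value.
            key = (proto, server_ip, dst_port, self.next_id)
            self.next_id += 1
        else:
            # Raw GRE (IP protocol 47) or ESP (50): no port to rewrite, so replies
            # can only be matched on protocol + remote address.
            key = (proto, server_ip)
        owner = self.table.setdefault(key, inside_ip)
        return key if owner == inside_ip else None

# Flows each VPN mode needs through the NAT (simplified).
FLOWS = {
    "pptp": [("tcp", 1723), ("gre", None)],        # control channel + GRE data channel
    "ipsec-esp": [("udp", 500), ("esp", None)],    # IKE + raw ESP
    "ipsec-nat-t": [("udp", 4500)],                # after NAT detection: IKE and ESP inside UDP 4500
}

def connect(nat, mode, inside_ip, server_ip):
    """True if every flow the VPN mode needs got its own NAT mapping."""
    return all(nat.outbound(p, inside_ip, server_ip, port) is not None
               for p, port in FLOWS[mode])

def simulate(mode, pptp_alg=False):
    """Two constructed inside hosts dial the same constructed VPN endpoint."""
    nat = Nat(pptp_alg=pptp_alg)
    users = ("192.168.1.10", "192.168.1.11")
    return [connect(nat, mode, u, "203.0.113.5") for u in users]

if __name__ == "__main__":
    for mode, alg in [("pptp", False), ("pptp", True),
                      ("ipsec-esp", False), ("ipsec-nat-t", False)]:
        print(f"{mode:12} alg={alg!s:5} -> {simulate(mode, alg)}")
```

Each list holds the result for the first and second user; a `False` in second position is the case where the router has nothing left to tell the two inside hosts apart.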







