   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,349 messages   


   Message 1,421 of 2,349   
   John C. Ring, Jr. to Mike Drechsler - SPAM PROTECTED EMA   
   Re: VPN users behind a firewall   
   06 Jan 05 20:26:09   
   
   XPost: comp.security.firewalls   
   From: jcring@switch.com   
      
   In article , Mike Drechsler - SPAM   
   PROTECTED EMAIL  wrote:   
   >Leythos wrote:   
   >> In article , jcring@switch.com says...   
   >>   
   >>>In article , Leythos   
   >  wrote:   
   >>>   
   >>>>In article <1104960769.560560.54360@f14g2000cwb.googlegroups.com>,   
   >>>>srp336@getcoactive.com says...   
   >>>>   
   >>>>>I've got two users trying to hit our VPN concentrator (Cisco 3005) from   
   >>>>>behind some sort of firewall. I'm not sure yet of the details of the   
   >>>>>firewall, but I'm trying to find that out.   
   >>>>>   
   >>>>>These two users cannot be connected at the same time.   
   >>>>>   
   >>>>>They're both making PPTP connections to us with the built-in W2K   
   >>>>>client.  [...]   
   >>>>>   
   >>>>>What's the simplest way to allow both these users to connect at the   
   >>>>>same time?   
   >>>>   
   >>>>It would be about impossible for two users behind a router using the   
   >>>>same public IP address to make a PPTP connection to the same server at   
   >>>>the same time.   
   >>>   
   >>>Or stop using PPTP and change to IPsec and enable NAT-T.   
   >>   
   >>   
   >> I bet that won't help when the same two users are behind the same   
   >> router. Most of the SOHO units have an IPSec & PPTP pass-through option,   
   >> but it can't handle more than one session at a time. Some of the newer   
   >> (higher end) units can handle two sessions.   
   >   
   >I believe that when he said NAT-T he is implying NAT Traversal mode.  If   
   >the VPN server supports NAT Traversal then each connection gets assigned   
   >a different port number so that NAT routers can easily do the address   
   >translation for multiple users.  This means that the NAT router does not   
   >need an application level gateway for IPSEC to function with multiple   
   >users.  This mode is not part of standard IPSec so to use it you must   
   >have a VPN server and client that can interoperate in this mode.   
      
   The original poster indicated he has a Cisco C3005 device.  That device is   
   NAT-T capable.  Also, I'm fairly certain that the Cisco VPN client, which   
   supports NAT-T, is no extra charge if the original poster's C3005 device is   
   under a support contract.  The poster would, of course, need to contact Cisco   
   to verify that and gain access to download the client.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
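
The port argument made in this thread, as an added example that is not part of any poster's message: a toy NAT table showing why port-less tunnel traffic (GRE for PPTP, ESP for plain IPsec) from two inside hosts to one server collides, while NAT-T's UDP encapsulation on port 4500 does not. It assumes a NAT with no PPTP/IPsec pass-through helper; the class, function names and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

PORTLESS = {"gre", "esp"}  # IP protocols 47 and 50: no TCP/UDP port to rewrite


@dataclass
class SimpleNat:
    """Port-rewriting NAT with no VPN pass-through helper (assumption)."""
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # inbound key -> inside host

    def outbound(self, inside_ip, proto, server_ip, dst_port=None):
        """Map an outbound flow. Returns the inbound lookup key, or None when
        return traffic could not be told apart from an existing mapping."""
        if proto in PORTLESS:
            key = (proto, server_ip)  # nothing else to demultiplex on
        else:
            key = (proto, server_ip, dst_port, self.next_port)
            self.next_port += 1       # unique translated source port per flow
        owner = self.table.setdefault(key, inside_ip)
        return key if owner == inside_ip else None

    def inbound(self, key):
        """Which inside host receives return traffic matching this key."""
        return self.table.get(key)


def simulate(mode, clients=("192.168.1.10", "192.168.1.11"),
             server="203.0.113.5"):
    """Return the inside hosts whose tunnel data path works through the NAT."""
    nat = SimpleNat()
    working = []
    for ip in clients:
        if mode == "pptp":
            nat.outbound(ip, "tcp", server, 1723)   # control channel maps fine
            key = nat.outbound(ip, "gre", server)   # data channel has no port
        elif mode == "ipsec":
            nat.outbound(ip, "udp", server, 500)    # IKE maps fine
            key = nat.outbound(ip, "esp", server)   # ESP has no port
        elif mode == "ipsec-nat-t":
            key = nat.outbound(ip, "udp", server, 4500)  # ESP inside UDP
        else:
            raise ValueError(f"unknown mode: {mode}")
        if key is not None and nat.inbound(key) == ip:
            working.append(ip)
    return working


if __name__ == "__main__":
    for mode in ("pptp", "ipsec", "ipsec-nat-t"):
        print(mode, simulate(mode))
```
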



(c) 1994,  bbs@darkrealms.ca