PAT and VPN
Hello
I have a question. Currently I have 10 servers configured with PAT against one public IP (x.x.x.x) on the ASA. Now I need to configure a few VPN tunnels with customers, and I want the tunnel encryption domain to be the public IP x.x.x.x, against which these 10 IPs are NATted. Is this possible? If so, how?
Traffic going out through the tunnels to external clients would come from any one of these 10 servers.
Thank you
Pawan
I mean that you usually have to NAT the traffic that goes through the tunnel because you don't need these addresses to be public.
If you have a reason you need NAT/PAT, then you can set it up like that.
Here is an example:
Site A: local network: 10.1.1.0/24
Site A: PAT address: 200.1.1.1
Site B: local network: 10.2.2.0/24
Site B: public IP address: 200.2.2.1
So, normally, you avoid NATing the VPN traffic between the sites, from 10.1.1.0/24 to 10.2.2.0/24.
In this case if you want to PAT the traffic, then you do the following:
Site A:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
access-list VPN permit ip host 200.1.1.1 10.2.2.0 255.255.255.0 --> this is the crypto ACL
You must make sure that there is no nat 0 for that traffic.
In this case, when traffic goes from 10.1.1.0/24 to 10.2.2.0/24, the traffic will get PATed, encrypted and sent through the tunnel.
Only Site A may initiate the VPN tunnel.
Federico.
Tags: Cisco Security
Similar Questions
-
remote VPN and vpn site to site vpn remote users unable to access the local network
As per the config below, with remote VPN and site-to-site VPN, remote VPN users are unable to access the local network. Please suggest the required config.
Remote VPN connectivity works fine, but VPN users are not able to ping the local server IP 192.168.215.4 or the local network.
ASA Version 8.2(2)
!
hostname
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-LAN
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set RIGHT
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set RIGHT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password * store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool VPN_Users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#
Hello
Looking at the configuration, there is an access list for NAT exemption:
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
But it is not applied in the nat statements.
Enter the following command to apply the NAT exemption:
nat (inside) 0 access-list sheep
Kind regards
Dinesh Moudgil
P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community
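The check described in this answer can be automated. The following is an added example, not part of the original thread or any Cisco tool: a small Python audit that reports whether each VPN address pool is covered by an ACL that is actually applied with "nat (inside) 0 access-list". The sample config is constructed from the lines discussed above, and only the "network mask" ACL form of ASA 8.2 syntax is parsed.

```python
import ipaddress
import re

# Constructed sample in ASA 8.2 syntax, modelled on the situation in this thread:
# the exemption ACL "sheep" exists, but no "nat (inside) 0 access-list" line uses it.
SAMPLE_CONFIG = """\
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)\s*-\s*([\d.]+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse(config):
    """Collect permit-ip ACL destinations, VPN address pools and nat 0 references."""
    acl_dests, pools, applied = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, _src, _smask, dst, dmask = m.groups()
            try:
                net = ipaddress.ip_network(f"{dst}/{dmask}")
            except ValueError:
                continue  # entry not in "network mask" form; out of scope here
            acl_dests.setdefault(name, []).append(net)
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            applied.add(m.group(1))
    return acl_dests, pools, applied


def audit_nat_exemption(config):
    """Return {pool: (status, acl)}; status is 'exempt', 'unapplied' or 'missing'."""
    acl_dests, pools, applied = parse(config)
    report = {}
    for pool, (first, last) in pools.items():
        # An ACL covers the pool when one destination network holds the whole range.
        covering = [name for name, nets in acl_dests.items()
                    if any(first in n and last in n for n in nets)]
        live = [name for name in covering if name in applied]
        if live:
            report[pool] = ("exempt", live[0])
        elif covering:
            report[pool] = ("unapplied", covering[0])  # the state seen in this thread
        else:
            report[pool] = ("missing", None)
    return report


if __name__ == "__main__":
    print(audit_nat_exemption(SAMPLE_CONFIG))
    print(audit_nat_exemption(SAMPLE_CONFIG + "nat (inside) 0 access-list sheep\n"))
```

The audit only compares ACL destination networks with the pool range; it does not verify that the ACL source matches the inside network.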
-
Wireless and VPN RV042 router WRT54G
Respected member, please help if you can! I have an ADSL with dynamic connected with the wrt54g router, I recently bought RV042 and want to connect the wire coming from wireless with ports. so, basically, I want to use RV042VPN for help after the router, is there a way I can use vpn behind with port using RV042 router wireless
I can't be able to connect to the vpn as he seeks is not an ip or WAN/LAN.
It may be possible if you're lucky. But I highly recommend not connecting the RV042 behind the WRT. A VPN server must always have a public IP address. Running a VPN server behind a NAT router (such as the WRT) makes it extremely difficult, and often it won't work at all. Connect the RV042 directly to your modem and configure it for your internet connection. In this way the RV042 has the public IP and VPN should become much easier. Then set up the WRT as a simple access point in your network by changing its LAN IP address from 192.168.1.1 to 192.168.1.2, disabling the DHCP server, and connecting a LAN port of the WRT to a LAN port on the RV042.
-
Any java API to delete profile wifi and vpn
Hi, I am looking for an API to delete the wifi and vpn profile. After searching around and reading the API documentation, I found nothing. I think that there is no such API. Could someone give a confirmation on that? Thank you very much.
never heard of an API for that
-
WRVS4400N with AG300 and VPN connections
I bought a WRVS4400N router hoping to add wireless and VPN capability to a remote office LAN. I want to be able to establish a VPN connection from my PC at the central office to the WRVS4400N at the remote office, to access and administer systems at the remote office. Systems at the remote office do not need access to systems at the central office.
Before deploying the WRVS4400N to the remote office, I'm setting it up and configuring it at our central office.
Our central office is a router Linksys AG300 and ADSL service for Internet connection. It works well and I don't want to change it.
I have connected the WRVS4400N to our central office LAN and it has an IP address on its WAN port assigned by the DHCP server on the AG300.
What I do not understand is how to establish a VPN connection from a system on the Internet to the WRVS4400N on the local network. I have a laptop with the QuickVPN software installed. If I connect my laptop to the AG300 (i.e. the same switch as the WAN port on the WRVS4400N) I can establish a VPN connection to the WRVS4400N, but if I connect my laptop to the Internet (via my ADSL service at home), I am unable to set up the VPN. I don't know how to configure the AG300 so that the VPN from my laptop reaches the WRVS4400N.
I have IPsec passthrough enabled on the AG300, but this does not seem to make the VPN work with the WRVS4400N.
Can someone tell me what I need to do?
Is there some other DSL modem I could use that facilitates the connection? There is another DSL modem (I won't know the make/model until I visit the site) used at the remote office, but I could replace it if I knew that the replacement would work.
Update: I got it to work. See https://supportforums.cisco.com/thread/2108785 for the advice that has been most useful.
The essential steps were forwarding the ports indicated in that post (and UDP 500) to the WRVS4400N, and I lowered the MTU a bit (I do not know if this was really necessary). Now I can establish a QuickVPN connection, except when the Windows Firewall interferes.
Hello
Thank you for posting. On the AG300, forward the following ports to the IP address of the WRVS4400N's WAN port: 443, 500, 4500, 60443. This allows you to establish a QuickVPN connection to the WRVS4400N using the WAN IP of the AG300.
-
Can QuickVPN and Cisco VPN coexist (WRVS4400N)
I am looking to buy a WRVS4400N to take care of my home network. While I am out on the road I want to VPN into my home network from my laptop (on which I have installed the Cisco VPN client for mobile access to my corporate network). With that in mind, I have three questions:
1. Will the Cisco VPN client on my laptop be able to establish a VPN connection to the WRVS4400N unit? I suspect not, and instead I will have to use QuickVPN.
2. I understand there are problems with coexistence of VPN clients from different vendors (when I tried before with a Netgear router, the Netgear VPN client broke the Cisco VPN client). Can the Linksys QuickVPN client coexist with the Cisco VPN client without any problems?
3. As a last resort, if the Cisco and Linksys VPN clients cannot coexist, would installing the Linksys QuickVPN client inside a VMware image work (while the Cisco VPN client is still installed in the host operating system)?
Thanks much for any help.
(1) Correct. For the WRVS4400N, QVPN.
(2) I run the Cisco VPN client and QuickVPN on my laptop and it seems fine.
-
TACACS+ for unified management of ASA and VPN auth
Hello, I have an ASA 5540 and ACS 4.2 (AD backend), and I want unified authentication for management and VPN access.
For example, I have two groups in ACS (mapped to AD): Admins, VPN access.
I want Admins to have full access (shell, VPN) and "VPN access" to have only VPN, without shell of any kind.
I understand how to do it with RADIUS (use 'Service-type' and a network access profile), but how do I do it with TACACS+?
There is something
I explained almost the same scenario in a post from 2008:
https://Cisco-support.hosted.Jivesoftware.com/message/853751#853751
To achieve this, you should have the same ASA added as both a TACACS+ and a RADIUS AAA client.
Since you want the admin group to have FULL access, don't change anything on this group.
Now the vpnaccess group on ACS must have only access to the VPN, so here you need to implement an IP-based NAR.
Go into the group setup > IP-based NAR
I hope this helps.
Rgds, jousset
Note the useful posts ~
-
Problem with EzVPN and site-to-site VPN
Hello
I want to set up EzVPN and a site-to-site VPN together, but the problem is that only the EzVPN works; the site-to-site does not work at all.
I have set up one crypto map for the two VPNs with different sequence tags.
I have excluded the traffic from being NATted, and when I remove the EzVPN the site-to-site works well.
crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10000
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 123456 address (deleted)
crypto isakmp client configuration group easyvpn
 key easyvpn
 domain ezvpn
 pool easyvpn
 acl easyvpn
 save-password
 split-dns cme
 max-users 9
 netmask 255.255.255.0
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
crypto dynamic-map easyvpn 10
 set transform-set dmvpn
 reverse-route
!
!
crypto map easyvpn local-address Dialer1
crypto map easyvpn client authentication list easyvpn
crypto map easyvpn isakmp authorization list easyvpn
crypto map easyvpn client configuration address respond
crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
crypto map easyvpn 1000 ipsec-isakmp
 set peer (deleted)
 set transform-set vpn
 match address site
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin pap
 ppp chap hostname
 ppp chap password
 ppp pap sent-username
 crypto map easyvpn
ip access-list extended DSL_ACCESSLIST
 deny ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255
 deny ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
 permit ip 100.0.0.0 0.0.0.255 any
 deny ip any any
ip access-list extended easyvpn
 permit ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
ip access-list extended site
 permit ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255
Best regards
The crypto map sequence for the static crypto map (site-to-site VPN) should have higher priority (i.e. the sequence number must be lower) than the EzVPN one (dynamic crypto map).
In your case, you must configure as follows:
crypto map easyvpn 10 ipsec-isakmp
 set peer (deleted)
 set transform-set vpn
 match address site
crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn
Hope that solves this problem.
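The ordering rule given in this answer can be checked mechanically. The following is an added example, not code from the thread: a Python check that lists, per crypto map, every static entry whose sequence number is higher than that of a dynamic entry in the same map. The two sample layouts are constructed from the sequence numbers quoted in the question and in the answer.

```python
import re

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")

# Constructed from the two layouts quoted in the thread (entry headers only).
BEFORE = """\
crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
crypto map easyvpn 1000 ipsec-isakmp
"""
AFTER = """\
crypto map easyvpn 10 ipsec-isakmp
crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn
"""


def crypto_map_entries(config):
    """Return {map_name: [(seq, dynamic_template_or_None), ...]} sorted by seq."""
    maps = {}
    for raw in config.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            name, seq, template = m.groups()
            maps.setdefault(name, []).append((int(seq), template))
    return {name: sorted(entries, key=lambda e: e[0]) for name, entries in maps.items()}


def evaluation_order(config, map_name):
    """Entries of one map in the order the sequence numbers place them."""
    return [(seq, "dynamic" if template else "static")
            for seq, template in crypto_map_entries(config).get(map_name, [])]


def shadowed_static_entries(config):
    """List (map, static_seq, dynamic_seq) where a static entry follows a dynamic one."""
    findings = []
    for name, entries in crypto_map_entries(config).items():
        dynamic_seqs = [seq for seq, template in entries if template]
        if not dynamic_seqs:
            continue
        first_dynamic = min(dynamic_seqs)
        for seq, template in entries:
            if template is None and seq > first_dynamic:
                findings.append((name, seq, first_dynamic))
    return findings


if __name__ == "__main__":
    print("before:", shadowed_static_entries(BEFORE))
    print("after: ", shadowed_static_entries(AFTER))
```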
-
Router vpn site to site PIX and vpn client
I have two VPN connections terminating on one interface of the PIX: a client VPN and a site-to-site VPN. Both have passed phase one and two and decrypt and encrypt packets. However, as in another post, I cannot ping through the L2L VPN. I checked that this isn't a NAT problem, and the NAT 0 on the PIX and the NAT access lists on the router work correctly.
RTR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
66.x.x.x        89.x.x.x        QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 66.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23583, #pkts encrypt: 23583, #pkts digest: 23583
    #pkts decaps: 18236, #pkts decrypt: 18236, #pkts verify: 18236
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 40, #recv errors 0

     local crypto endpt.: 89.x.x.x, remote crypto endpt.: 66.x.x.x
     path mtu 1380, ip mtu 1380, ip mtu idb Dialer0
     current outbound spi: 0xC4BAC5E(206285918)

     inbound esp sas:
      spi: 0xD7848FB(225986811)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: PIX_MAP
        sa timing: remaining key lifetime (k/sec): (4573083/78319)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC4BAC5E(206285918)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: PIX_MAP
        sa timing: remaining key lifetime (k/sec): (4572001/78319)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Extended IP access list NAT
    10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
    20 permit ip 192.168.2.0 0.0.0.255 any (362 matches)
Extended IP access list VPN_ACCESS
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

I looked on the internet, and it points to a routing error when packets are being encrypted and decrypted but you can't ping across the link. However, when I test the connection I have not entered any static routes, as the networks are directly connected on each side of the PIX and the router. Any help would be appreciated, as I think maybe something is blocking the ping from reaching the internal network at the PIX end, such as a configured access list.
Is ping the only thing failing across the site-to-site VPN? I am assuming that all other traffic works fine, since it decrypts and encrypts the packets.
If it's just ping, then please enable the following on the PIX:
If it is version 6.3 and below: fixup protocol icmp
If it is version 7.0 and higher: add "inspect icmp" under your global policy-map.
The complete config from both ends could help determine whether it's a configuration problem or another problem.
-
How to configure NAT for Hyper-V on laptop with wifi, wired and vpn connectivity
Me, as I suspect a lot of people, I have a laptop with WiFi connection, cable connection and VPN connection (Cisco AnyConnect), which
also uses a virtual adapter (activated when active). I searched for some time a way to be able to move to
Hyper-V in VirtualBox. Blocker full for me is the need for a lot of my virtual machines to be able to connect to the
Internet through 'the connection active' in the way that VirtualBox and VMWare Workstation/Player through their NAT feature.
I'm not a networking wait, but after looking around, can't seem to find something that is simple enough for me to configure,
with a minimum of resources, which allows me to connect a Hyper-V virtual network via a simple NAT device adapter
all three potential network connections - most seem to not assume that one connection out of the machine, which of course does not
me what I want.
Three questions:
1. is there a Windows application available that an adapter (like loopback) internal which acts as a real NAT device to one of the surfaces
external access via the active network connections and through the Windows Firewall and any other antivirus, components etc. for
the road to (i.e. behaves like a "normal app" inside Windows for internet access)? It would be the best option, because it would be
"always there" when I run virtual machines
2. display of my lack of knowledge around this feature, don't RRAS (and I know that this is not an option "minimum contact") allow you to
Connect an internal network adapter to several external network adapters?
3. on the Linux/OpenBSD various base/NAT routers, are everything that allow several external adapters and who are
relatively easy to set up (by an independent expert of the network)?
Really, we could do with this feature for Hyper-V on the desktop, but willing to work around him, if there is a way to at least the
use virtual machines, once it is easy to install.
Hello
The question is more suited in the TechNet forums. So I would say you mention the link and send the request in this forum for better support.
http://social.technet.Microsoft.com/forums/en-us/w8itpronetworking/threads
For any information related to Windows, feel free to get back to us. We will be happy to help you.
-
VMware Fusion 5 with Windows 8 and VPN
Hi, I'm new to VMware. I am connected to my company via wifi VPN. I configured the VMware to connect through NAT. VPN seems to work fine on OSX, but in windows (VM) it says "no internet access. Internet works fine when I'm not on the VPN, but as soon as I connect to the VPN connection is lost. I tried to reload the OSX and Windows number of times. I tried ipconfig/release, ipconfig / renew on windows as suggested by other posts.
Please let me know if you have any ideas to get this to work.
In addition, the VPN was working fine until recently on another Terminal Wifi. I'm traveling now and I am facing this problem with wifi again. Not sure if there is wifi problem. Although I doubt that because the internet seems to work fine without a VPN and VPN seems to work fine under OSX. It's just VPN on VM that has a problem.
I agree to what Akotsur said. Probably, you might consider configuring VPN Windows separately keeping in bridged mode.
-
We have a location from which we want to set up a VPN tunnel to our headquarters.
At this location there is a router that does PAT (NAT overloading), and then a few hops further on there is a firewall that does NAT.
Could this pose a problem for the VPN tunnel?
Here's a "diagram" of what the connection looks like.
Client --> PAT router --> NAT firewall --> Internet --> CVPN3005
I hope you can provide me with an answer.
The VPN tunnel will not work in your scenario. The second NAT changes the address and the ports you want to use for the VPN tunnel. So port 500 will be translated to a high port and will be rejected at HQ.
-
PIX, VPN, PAT and static
I want to enable incoming and outgoing VPN on a PIX configured with PAT. I have enabled ESP and UDP/500 on the appropriate access lists, but I must provide a static for inbound traffic. I already use a static for incoming SMTP traffic, and I can see how to do the same thing for udp/500, but how do I do it for ESP traffic?
Any suggestions gratefully received.
If you are referring to a static port, you can create one for ESP since a static port can only be created for TCP/UDP and ESP sits directly on top of IP; it is NOT a TCP/UDP protocol. You will need to create a one-to-one static for this internal VPN server and have your clients connect to this address. This will chew up another global IP address, sorry.
-
PAT/NAT and VPN through a PIX
"PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE" - this is an excerpt from a PIX config guide for version 6.2 and below.
1. How has this problem been fixed in 6.3? Is GRE encapsulated in UDP or TCP so that ports can be used to track the connection?
2. Does "fixup protocol esp-ike" use the same technology - the source port created by the IKE protocol? ISAKMP cannot be enabled when you use this command.
3. What is "isakmp nat-traversal"? How is this different from "fixup protocol esp-ike"?
Thank you
RJ
1. When the PIX sees outgoing PPTP (TCP port 1723) packets, it now opens holes for them to return, as well as opening a hole for the GRE packets; it never did this before. The PPTP TCP packets can be PATed fine because they are TCP packets. GRE packets, I believe, are tracked only by the tunnel ID field in the packet.
2. We use the source port of the ISAKMP packet for the ESP packets as well. The current limitation is that if you have this option enabled, you cannot use the PIX to terminate IPSec sessions, so you cannot turn on ISAKMP on any interface. You can also have only a single internal IPSec client using this feature.
3. NAT-T is a new standard that lets IPSec peers work through a NAT device, because they detect address changes during the tunnel negotiation and automatically encapsulate packets in UDP 4500. This command allows the PIX and the other device (if it supports it) to automatically detect a NAT/PAT device between them. This differs from "fixup protocol esp-ike" in that the PIX does not actually terminate the IPSec tunnel with esp-ike, but it is the endpoint with NAT-T.
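The address-change detection mentioned in point 3 works through NAT-D payloads (RFC 3947): each peer hashes the IKE cookies together with the address and port it believes each end has, and the receiver recomputes the hashes from what it sees in the arriving packet. The following Python sketch is an added example, not code from the thread or from any Cisco product; the cookies and addresses are constructed sample values, and SHA-1 stands in for whichever hash the peers negotiated.

```python
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00" * 4  # prefixed to IKE messages once on UDP 4500 (RFC 3948)


def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D value: HASH(CKY-I | CKY-R | IP | Port), port in network byte order."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """Payload pair a peer sends: hash of the remote end first, then its own end."""
    return nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)


def detect_nat(cky_i, cky_r, received, seen_src, seen_dst):
    """Compare the peer's NAT-D hashes with the addresses on the packet as it arrived."""
    dst_hash, src_hash = received
    return {
        "peer_behind_nat": src_hash != nat_d_hash(cky_i, cky_r, *seen_src),
        "local_behind_nat": dst_hash != nat_d_hash(cky_i, cky_r, *seen_dst),
    }


def ike_port_after_detection(result):
    """Peers float from UDP 500 to UDP 4500 when either end is behind NAT."""
    return 4500 if any(result.values()) else 500


def frame_ike(message, port):
    """On UDP 4500, IKE is told apart from UDP-encapsulated ESP by the marker."""
    return NON_ESP_MARKER + message if port == 4500 else message


# Constructed sample values (not taken from the page).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
CLIENT = ("192.168.1.10", 500)      # private address behind the PAT device
PAT_OUTSIDE = ("203.0.113.5", 1027)  # what the gateway sees after translation
GATEWAY = ("198.51.100.1", 500)

if __name__ == "__main__":
    payloads = build_nat_d(CKY_I, CKY_R, local=CLIENT, remote=GATEWAY)
    seen = detect_nat(CKY_I, CKY_R, payloads, seen_src=PAT_OUTSIDE, seen_dst=GATEWAY)
    print(seen, "-> IKE continues on UDP", ike_port_after_detection(seen))
```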
-
PIX 506E and VPN client - multiple connections
I have a PIX 506E (6.2) with a 3DES license and the 3.6.3 VPN client software. I'm only using a group user name and password to authenticate. The first user login works fine. When the second user connects, the first is terminated and the second works very well. The product information states I should be able to have 25 simultaneous connections, either site-to-site or client.
Any help will be greatly appreciated, Kyle
Are these two users at the same site, behind a device that does PAT? If so, then this device is causing the problem, not the PIX. The device is unable to correctly translate the IPsec packets. Unfortunately there is nothing you can do about it on the PIX, although the next version of the software (6.3, scheduled for March) will have NAT-T support (which the client currently supports). Once both ends support NAT-T, they'll be able to tell that there's a PAT device between the two, and they will automatically encapsulate everything in UDP packets, which your PAT device will be able to translate correctly.