justsoso
Premium
join:2013-08-19
united state

Cisco ASA 5505

Is it possible to have multiple vpn connections FROM the same ip (NAT) to the cisco?
When I have multiple connections now, only the first person to make the vpn connection can get to the devices connected to the cisco. I need 3 people from the same IP (NAT) to be able to vpn to the cisco.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Short answer, it is doable with the proper setup.

I wonder why there are three people coming from the same NAT-ed IP address establishing VPN to the same VPN concentrator. Why can't all of these people use a dedicated VPN client that is shared among them?

justsoso
Premium
join:2013-08-19
united state
The client is software based on each computer

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to justsoso
Agree with aryoba that THEORETICALLY it's doable. Lemme guess, all 3 computers belong to 3 WFHers from the same house sitting behind the same ISP / NAT router?

It'd be instructive to get the config of the ASA in question -- minus passwords and other sensitive information -- and for you to clarify if you're using IPSec or SSL based VPN.

Regards

Network Guy
Premium
join:2000-08-25
New York
kudos:2
reply to justsoso
said by justsoso:

The client is software based on each computer

Do you know if the license on the ASA is only allowing one active connection at a time?

justsoso
Premium
join:2013-08-19
united state
reply to justsoso
I'm not the Cisco expert or even amateur. I'm learning by force, not choice. I need access to the equipment on the VPN side; because of that I must learn how to get this connection to work. I told them I needed a hardware based VPN client (thanks aryoba) and was handed a Cisco PIX 501. So if you are up for a little teaching, I'm up for a little learning.

Network Guy
Premium
join:2000-08-25
New York
kudos:2
I have a Cisco PIX 501 sitting at home unplugged, but I don't remember much from it other than knowing it only supported ten concurrent client connections to the Internet.

I probably won't have time to fire it up until the weekend. Hopefully someone helps you before then.

justsoso
Premium
join:2013-08-19
united state
reply to Network Guy
said by Network Guy:

Do you know if the license on the ASA is only allowing one active connection at a time?

No

justsoso
Premium
join:2013-08-19
united state
reply to HELLFIRE
said by HELLFIRE:

if you're using IPSec or SSL based VPN.

Ipsec and IKE are being used

justsoso
Premium
join:2013-08-19
united state
reply to Network Guy
said by Network Guy:

I have a Cisco PIX 501 sitting at home unplugged, but I don't remember much from it other than knowing it only supported ten concurrent client connections to the Internet.

10 connections would be more than plenty, so no problems there.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to justsoso
said by soso:

I'm not the cisco expert or even amateur. I'm learning by force not choice.

At some point we all have been there

said by soso:

So if you are up for a little teaching, I'm up for a little learning.

We have helpful people hang around this forum. I'm sure you will get the learning

said by justsoso:

said by HELLFIRE:

if you're using IPSec or SSL based VPN.

IPSec and IKE are being used

said by soso:

I need access to the equipment on the vpn side, because of that I must learn how to get this connection to work. I told them I needed a hardware based vpn client (thanks aryoba) and was handed a cisco pix 501.

Let me clarify. You now have a (working) Cisco PIX 501 firewall. The objective is to set up a site-to-site IPSec VPN between this PIX 501 and the Cisco ASA 5505 at the remote site. This VPN will then provide connectivity to the remote site as needed.

Am I correct so far?

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to justsoso
Okay, I'm somewhat confused now... you started the thread mentioning an ASA5505, now you're talking about a PIX501.

Again, I'm requesting confirmation of the following:

said by HELLFIRE:

all 3 computers belong to 3 WFHers from the same house sitting behind the same ISP / NAT router?

but now instead of "NAT router," we're looking at the aforementioned PIX501 due to your requirement for a "hardware based VPN client," and you being handed the PIX. Also, the VPN type is going to be / is IPSec. Is my understanding correct so far justsoso?

If so, then please get a console cable, plug into the PIX, and with a terminal program (e.g. HyperTerminal in Windows) @ 9600-8-n-1 supply us the PIX's config, minus the passwords and any other sensitive information.

_IF_ what you're trying to do is what I think you're trying to do, a better design would be to set up the PIX501 with a site to site tunnel to wherever these 3 users need to go....but, and I've enough time in tech support in IT to back this up, if I don't have the correct information / understanding of the situation, this just ends up going in a whole lot of nowhere.

Regards

justsoso
Premium
join:2013-08-19
united state
reply to aryoba
said by aryoba:

Am I correct so far

That's exactly it.

justsoso
Premium
join:2013-08-19
united state

reply to HELLFIRE
said by HELLFIRE:

all 3 computers belong to 3 WFHers from the same house sitting behind the same ISP / NAT router?

Something like that... 3 people (from the same location behind NAT) need to connect to the 5505 (through VPN) to access the equipment that is attached to it.

PIX 501 - I had no idea of the password, so I found out how to remove the password and have successfully done so (no thanks to Windows 7). I can tell you it is running 6.3 while the 5505 is running 7.2 with ASDM 5.2.

justsoso
Premium
join:2013-08-19
united state
reply to HELLFIRE
said by HELLFIRE:

_IF_ what you're trying to do is what I think you're trying to do, a better design would be to set up the PIX501 with a site to site tunnel to wherever these 3 users need to go

Yes I believe that is what I need to do. Right now we are all using software to vpn into the 5505. One user logs in and the other user gets locked out - Not good.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to justsoso
Okay, thanks for clarifying our understanding of things justsoso.

said by justsoso:

I can tell you it is running 6.3 while the 5505 is running 7.2 with ASDM of 5.2

PIX6.x code is long EOL EOS, but you can find some site to site VPN guides here for ASA 7.x and higher code.

said by justsoso:

One user logs in and the other user gets locked out - Not good.

Indeed, so any possibility of getting the config from the PIX at this time? Do you also have access to the ASA5505 and its config as well? I can't see why the ASA'd kick a 2nd person off, unless the 3 users were using the same local ID on the ASA.

Other than that, generally speaking, so long as you know the public IP addresses from both ends, and know what you want for phase1 and phase2 settings on the PIX and ASA, you should be in business.

Regards

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to justsoso
A site-to-site IPSec VPN between a PIX 501 running OS version 6.3 and an ASA 5505 running OS version 7.2 is not a complicated one to set up. However, the following must be in place to move forward.

* Your site (where the 3 people sit) must have ISP connectivity that supports an IPSec VPN tunnel. Something like Cable Internet with a Business account and a static IP address should do.
* Both the PIX 501 and the ASA 5505 must have the proper license to support all Internet and VPN traffic flow.
* I assume a split tunnel is needed so that the 3 people can go out to the Internet without going through the secure tunnel.

As mentioned by HELLFIRE, the existing configurations and show version output of both the PIX and the ASA are needed so we can suggest what improvement is needed.

justsoso
Premium
join:2013-08-19
united state
I'm working on the config for the PIX (feels like I'm learning a new language). I've got it copied now, just need to make it forum safe; that's going to be a pain in the butt.

aryoba
Premium,MVM
join:2002-08-22
kudos:4

In addition, you also need to work with the network admin of the remote site (who manages the Cisco ASA 5505) to retrieve the following.

* What IP address are they expecting you to come from? Your NAT-ed (single) IP address or something else?
* What IP addresses do your three users need to access?
* What is the remote site's ASA 5505 VPN termination IP address?
* What is the PIX 501 VPN termination IP address?
* What are the Phase 1 and Phase 2 settings?
* What is the pre-shared key (assuming you use one)?

justsoso
Premium
join:2013-08-19
united state

reply to aryoba
removed

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Can you post the config directly to this thread instead? It is a preferable method compared to downloading from some website.

justsoso
Premium
join:2013-08-19
united state
: Saved
: Written by enable_15 at 01:38:10.062 UTC Fri Jan 1 1993
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname -name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list chracl permit ip 192.168.15.0 255.255.255.0 host
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 255.255.255.192
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 10.12.20.0 255.255.255.0 0 0
static (inside,outside) 192.168.15.25 10.12.20.25 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.40 10.12.20.40 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.55 10.12.20.55 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.67 10.12.20.67 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.80 10.12.20.80 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.81 10.12.20.81 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.83 10.12.20.83 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.84 10.12.20.84 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0
route inside 10.12.20.0 255.255.255.0 192.168.5.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chrsolutions esp-aes-256 esp-sha-hmac
crypto map chr 1 ipsec-isakmp
crypto map chr 1 match address chracl
crypto map chr 1 set peer
crypto map chr 1 set transform-set chrsolutions
crypto map chr interface outside
isakmp enable outside
isakmp key address netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:: end

justsoso
Premium
join:2013-08-19
united state
This config was for a different purpose and was pulled from use.

aryoba
Premium,MVM
join:2002-08-22
kudos:4

reply to justsoso
Some suggestions:

* Remove the conduit commands since those are unnecessary.
* Remove the ssh 0.0.0.0 0.0.0.0 commands to avoid anyone logging into the firewall and starting to mess around.
* I imagine you will need to remove the static commands at some point, since most likely your three people are just users (clients) and do not necessarily run servers.
* The route commands and any command with IP addresses will need adjustment at some point.
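The four points above can be checked mechanically before a config is pasted back into the device. The script below is an added example (not code from the thread or from Cisco): it scans PIX 6.x-style configuration text for the items aryoba flags (conduit rules, SSH open to 0.0.0.0 0.0.0.0, one-to-one static translations, and route statements that carry site-specific addresses) and reports each line with the reason. The sample configuration embedded in it is a constructed subset of the config posted earlier in the thread, with the poster's sanitized values left blank as given.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the PIX 6.3(5) config posted in this thread.
# Lines are reproduced as posted; nothing sensitive has been filled in.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 1 10.12.20.0 255.255.255.0 0 0
static (inside,outside) 192.168.15.25 10.12.20.25 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.40 10.12.20.40 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0
route inside 10.12.20.0 255.255.255.0 192.168.5.2 1
sysopt connection permit-ipsec
crypto map chr interface outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
"""

# (check name, line pattern, rationale taken from the suggestions in the thread)
CHECKS = [
    ("conduit", re.compile(r"^conduit\s"),
     "legacy conduit rule; unnecessary here and should be removed"),
    ("ssh-any", re.compile(r"^ssh\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+"),
     "SSH management reachable from every address on this interface; "
     "restrict it to the admin subnet or remove it"),
    ("static", re.compile(r"^static\s*\("),
     "one-to-one static translation exposing an inside host; "
     "client workstations do not need it"),
    ("route", re.compile(r"^route\s"),
     "route carries addresses from the old deployment; "
     "must be revisited when the PIX is redeployed"),
]

Finding = Tuple[str, int, str, str]  # (check, line number, line, rationale)


def audit_pix_config(config_text: str) -> List[Finding]:
    """Return one finding per configuration line that matches a check."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for name, pattern, why in CHECKS:
            if pattern.match(line):
                findings.append((name, lineno, line, why))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check name."""
    counts: Dict[str, int] = {}
    for name, _lineno, _line, _why in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_pix_config(SAMPLE_CONFIG)
    for name, lineno, line, why in results:
        print(f"[{name}] line {lineno}: {line}\n    -> {why}")
    print("summary:", summarize(results))
```

Run it against the full sanitized config and hand the output back with the cleaned-up version; `ssh timeout 5` is deliberately not flagged, since only the `0.0.0.0 0.0.0.0` source is the problem, not SSH itself.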

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to justsoso
On a side note, what is your Internet connection like? Do you have an external modem or router that the PIX 501 firewall will connect to?

justsoso
Premium
join:2013-08-19
united state
router with static ip

aryoba
Premium,MVM
join:2002-08-22
kudos:4
I imagine you already know that the PIX 501 WAN port goes to the router and the LAN ports connect to the three users.

Once you have the following info from the ASA 5505 network admin, you can start configuring the PIX.

* What IP address are they expecting you to come from? Your NAT-ed (single) IP address or something else?
* What IP addresses do your three users need to access?
* What is the remote site's ASA 5505 VPN termination IP address?
* What is the PIX 501 VPN termination IP address?
* What are the Phase 1 and Phase 2 settings?
* What is the pre-shared key (assuming you use one)?

YDC

join:2007-11-13
Hewlett, NY
reply to justsoso
The reason you can only make one IPsec connection is due to the limitations of the NAT router you are behind. Most NAT routers will only support one pass-through connection. If you try this from two different outside locations you will probably find that the IPsec comes up for both. If not, then you may have a license issue on the 5505. I believe two licenses are bundled if licensed and validated. I could be wrong there though. Check your license via the GUI (ASDM launcher) as it will show what is allowed.
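The "one pass-through connection" limit comes from how a NAT device keys its translation table. UDP and TCP carry port numbers, so the NAT can rewrite the source port and give every inside host its own outside 5-tuple; plain ESP (IP protocol 50) carries no ports, so a simple NAT has nothing to rewrite and can only hold one ESP mapping per outside peer. The model below is an added example (not from the thread or any vendor): three inside hosts behind one NAT all try to bring up a tunnel to the same peer, first with plain ESP and then with NAT traversal (RFC 3948, ESP wrapped in UDP port 4500), which both the PIX 6.3 and ASA 7.x code trains support. All addresses are constructed placeholders, and the NAT behaviour is the simple per-peer slot YDC describes, not any particular router's implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ESP_PROTO = 50      # IP protocol number for ESP; the ESP header has no ports
UDP_PROTO = 17
NAT_T_PORT = 4500   # IPsec NAT traversal: ESP encapsulated in UDP/4500

# Constructed placeholder addresses (not the thread's).
PEER_ASA = "203.0.113.10"          # the VPN concentrator outside the NAT
NAT_PUBLIC_IP = "198.51.100.1"     # the single public address of the NAT
INSIDE_HOSTS = ["192.168.1.11", "192.168.1.12", "192.168.1.13"]


@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ESP: nothing to key on
    dst_port: Optional[int] = None


@dataclass
class SimpleNat:
    """A port-rewriting NAT. For UDP it allocates a distinct public source
    port per inside (ip, port) pair. For ESP the only outside-visible key is
    (protocol, public_ip, peer_ip), so it can track one inside host per peer;
    a second host to the same peer collides and is dropped."""
    public_ip: str
    next_port: int = 40000
    udp_map: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    esp_owner: Dict[str, str] = field(default_factory=dict)   # peer -> inside host

    def translate_outbound(self, f: Flow) -> Optional[Flow]:
        if f.proto == UDP_PROTO:
            key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
            if key not in self.udp_map:
                self.udp_map[key] = self.next_port
                self.next_port += 1
            return Flow(UDP_PROTO, self.public_ip, f.dst_ip,
                        self.udp_map[key], f.dst_port)
        if f.proto == ESP_PROTO:
            owner = self.esp_owner.setdefault(f.dst_ip, f.src_ip)
            if owner != f.src_ip:
                return None   # slot for this peer already belongs to another host
            return Flow(ESP_PROTO, self.public_ip, f.dst_ip)
        raise ValueError(f"unsupported protocol {f.proto}")


def bring_up_tunnels(nat_t_enabled: bool) -> Dict[str, bool]:
    """Return {inside_host: True if its tunnel traffic got through the NAT}."""
    nat = SimpleNat(NAT_PUBLIC_IP)
    outcome: Dict[str, bool] = {}
    for host in INSIDE_HOSTS:
        if nat_t_enabled:
            flow = Flow(UDP_PROTO, host, PEER_ASA, NAT_T_PORT, NAT_T_PORT)
        else:
            flow = Flow(ESP_PROTO, host, PEER_ASA)
        outcome[host] = nat.translate_outbound(flow) is not None
    return outcome


if __name__ == "__main__":
    for label, enabled in (("plain ESP", False), ("NAT-T UDP/4500", True)):
        print(f"{label:15s} {bring_up_tunnels(enabled)}")
```

With plain ESP only the first host's tunnel works, which matches the "first person in wins" behaviour the thread opened with; with NAT-T every host gets its own public port and all three come up. Some NAT implementations track ESP SPIs and do better than this model, which is why YDC says "most", but it is not something to rely on. The design the rest of the thread converges on sidesteps the question entirely: one site-to-site tunnel from the PIX means the NAT only ever sees a single IPsec flow.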

aryoba
Premium,MVM
join:2002-08-22
kudos:4
said by YDC:

Check your license via the GUI (ASDM launcher) as it will show what is allowed.

The output of the show version command will reveal that as well.

YDC

join:2007-11-13
Hewlett, NY
We're assuming they know how to use the CLI.