PIX 515E: VPN (PPTP) and DMZ to INSIDE rules

Hi,

It has been a long time since I last posted here; it's time again to ask you Cisco experts for help.

I set up a PIX 515E (relevant parts of the configuration follow) with three Ethernet interfaces (outside, inside and DMZ) and a VPN tunnel.

The VPN works with the PPTP Windows client, but it only works for one client at a time. All clients (at once) can authenticate if no client has authenticated for *some minutes*; if a client tries to connect while there's another session active, I see the PIX building up a second tunnel and session, but the client hangs on the authentication window; looking at the sessions on the PIX I see user unknown (no packet with: debug ppp authentication).

Here is the VPN part of the configuration:

    access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    ip local pool pptp-pool 192.168.2.2-192.168.2.254 mask 255.255.255.0
    nat (inside) 0 access-list 110
    sysopt connection permit-pptp
    vpdn group VPN-TEST accept dialin pptp
    vpdn group VPN-TEST ppp authentication pap
    vpdn group VPN-TEST ppp authentication chap
    vpdn group VPN-TEST ppp authentication mschap
    vpdn group VPN-TEST ppp encryption mppe 40
    vpdn group VPN-TEST client configuration address local pptp-pool
    vpdn group VPN-TEST pptp echo 60
    vpdn group VPN-TEST client authentication local
    vpdn username testing password ********
    vpdn enable outside

Is there a limit of one active VPN session, or what? This PIX has an unrestricted license and SW ver 6.3(4), PDM 3.0(2).

Other situation:

I have WEBSERVER in the DMZ and two application servers on the inside (AS1 and AS2).

The WEBSERVER accepts http/https connections from the Internet and then needs to request data from the inside network; how do I add a rule to the following configuration to let WEBSERVER use an ajp13 balanced worker on port 8009 that accesses two Tomcat servers on AS1 and AS2?

    WEBSERVER: 35.35.35.35
    AS1: 192.168.1.100
    AS2: 192.168.1.101

Relevant part of the configuration:

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    enable password XXXXXXXXXXX encrypted
    object-group service WebServer tcp
      port-object eq www
      port-object eq https
    access-list outside_access_in permit tcp any host 88.88.88.19 object-group WebServer log 7
    access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    ip address outside 88.88.88.18 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip address DMZ 35.35.35.1 255.255.255.0
    global (outside) 1 interface
    global (DMZ) 1 35.35.35.5-35.35.35.20
    nat (inside) 0 access-list 110
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (DMZ,outside) 88.8.88.19 WebServer netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 88.88.88.17 1

Hope I made myself clear.

Thanks in advance,

Marco.

P.S. Please answer also to my e-mail because I'm not a frequent reader of the newsgroup.
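One way to express the DMZ-to-inside rule asked about above, as an added example that is not part of the original post. It assumes the interface names and addresses Marco listed (DMZ 35.35.35.0/24, inside 192.168.1.0/24, WEBSERVER 35.35.35.35, AS1/AS2 on 192.168.1.100/.101 listening on TCP 8009) and PIX 6.3 syntax; the list name DMZ_access_in is an assumed name.

```cisco
! Identity statics: make AS1 and AS2 reachable from the DMZ under their real
! addresses. Without a static (or nat 0) the lower-security DMZ cannot
! initiate to the inside at all, whatever the ACL says.
static (inside,DMZ) 192.168.1.100 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.101 192.168.1.101 netmask 255.255.255.255 0 0
!
! Least privilege: only WEBSERVER, only TCP 8009 (AJP13), only the two
! Tomcat hosts. Everything else from the DMZ toward the inside stays denied
! by the implicit deny at the end of the list; log it like the outside ACL.
access-list DMZ_access_in permit tcp host 35.35.35.35 host 192.168.1.100 eq 8009 log 7
access-list DMZ_access_in permit tcp host 35.35.35.35 host 192.168.1.101 eq 8009 log 7
!
! Bind the list to traffic entering the DMZ interface.
access-group DMZ_access_in in interface DMZ
```

Once an access-group is bound to the DMZ interface, the PIX no longer applies its default permit for DMZ-initiated traffic toward lower-security interfaces, so any outbound flows WEBSERVER needs toward the outside (DNS, updates) must also be permitted explicitly in DMZ_access_in.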

