It has been a long time since I last posted here; it's time again to ask you Cisco experts for help.
I set up a PIX 515E (relevant parts of the configuration follow) with three Ethernet interfaces (outside, inside and DMZ) and a VPN tunnel.
The VPN works with the PPTP Windows client, but it only works for one client at a time. All clients (at once) can authenticate if no client has authenticated for *some minutes*; if a client tries to connect while there's another session active, I see the PIX building up a second tunnel and session, but the client hangs on the authentication window; looking at the sessions on the PIX, I see user unknown (no packets with: debug ppp authentication).
Here is the VPN part of the configuration:
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.025184.108.40.206
ip local pool pptp-pool 192.168.2.2-192.168.2.254 mask 255.255.255.0
nat (inside) 0 access-list 110
sysopt connection permit-pptp
vpdn group VPN-TEST accept dialin pptp
vpdn group VPN-TEST ppp authentication pap
vpdn group VPN-TEST ppp authentication chap
vpdn group VPN-TEST ppp authentication mschap
vpdn group VPN-TEST ppp encryption mppe 40
vpdn group VPN-TEST client configuration address local pptp-pool
vpdn group VPN-TEST pptp echo 60
vpdn group VPN-TEST client authentication local
vpdn username testing password ********
vpdn enable outside
Is there a limit of one active VPN session, or what? This PIX has an unrestricted license and SW ver 6.3(4), PDM 3.0(2).
I have WEBSERVER in the DMZ and two application servers on the inside (AS1 and AS2).
The WEBSERVER accepts http/https connections from the Internet and then needs to ask the inside network for data; how do I add a rule to the following configuration to let WEBSERVER use an ajp13 balanced worker on port 8009 that accesses two Tomcat servers on AS1 and AS2?
WEBSERVER: 220.127.116.11
AS1: 192.168.1.100
AS2: 192.168.1.101
Relevant part of configuration:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password XXXXXXXXXXX encrypted
object-group service WebServer tcp
  port-object eq www
  port-object eq https
access-list outside_access_in permit tcp any host 18.104.22.168 object-group WebServer log 7
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.02522.214.171.124
ip address outside 126.96.36.199 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address DMZ 188.8.131.52 255.255.255.0
global (outside) 1 interface
global (DMZ) 1 184.108.40.206-220.127.116.11
nat (inside) 0 access-list 110
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (DMZ,outside) 18.104.22.168 WebServer netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 22.214.171.124 1
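An added example (not from the original post) of how such a rule is typically expressed on PIX 6.x: identity statics so the DMZ can reach the two inside hosts without address translation, plus an inbound ACL on the DMZ interface that permits only TCP/8009 from the web server to AS1 and AS2. The ACL name DMZ_access_in is an assumption, and WebServer is assumed to be the PIX "name" for the web server's real DMZ address, as used in the static (DMZ,outside) line.

```text
: Added example, not part of the original configuration. Assumes the name
: WebServer resolves to the web server's real DMZ address and that nothing
: else in the DMZ needs to initiate connections to the inside.
:
: Identity statics: a lower-security (DMZ) host can only initiate to a
: higher-security (inside) address that has a static translation, so map
: AS1 and AS2 to themselves toward the DMZ. Statics take precedence over
: the nat (inside) 1 / global (DMZ) 1 pool for these two hosts.
static (inside,DMZ) 192.168.1.100 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.101 192.168.1.101 netmask 255.255.255.255 0 0
:
: Least privilege: only the web server, only TCP/8009, only the two Tomcat
: hosts. Anything else from the DMZ toward the inside hits the implicit
: deny at the end of the list, and log 7 records each permitted build-up.
access-list DMZ_access_in permit tcp host WebServer host 192.168.1.100 eq 8009 log 7
access-list DMZ_access_in permit tcp host WebServer host 192.168.1.101 eq 8009 log 7
:
: Binding an access-group to the DMZ interface removes that interface's
: implicit "permit toward lower security" behaviour: add explicit permits
: here for anything the web server legitimately needs outbound (DNS, NTP,
: updates), or it will be denied as well.
access-group DMZ_access_in in interface DMZ
```

After applying it, `show access-list DMZ_access_in` shows hit counts per entry, and a connection attempt from WebServer to 192.168.1.100 on a port other than 8009 should appear as a deny in the log rather than succeed.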
Hope I made myself clear.
Thanks in advance,
P.S. Please answer also to my e-mail because I'm not a frequent reader of the newsgroup.