PIX 515E: VPN (PPTP) and DMZ to INSIDE rules


It has been a long time since I last posted here; it's time again to ask you Cisco experts for help.

I set up a PIX 515E (relevant parts of the configuration follow) with three Ethernet interfaces (outside, inside and DMZ) and a VPN tunnel.

The VPN works with the PPTP Windows client, but it only works for one client at a time. All clients (at once) can authenticate if no client has authenticated for *some minutes*; if a client tries to connect while there's another session active, I see the PIX building up a second tunnel and session, but the client hangs on the authentication window; looking at the sessions on the PIX I see user unknown (no packet with: debug ppp authentication).

Here is the VPN part of the configuration:

access-list 110 permit ip
ip local pool pptp-pool mask
nat (inside) 0 access-list 110
sysopt connection permit-pptp
vpdn group VPN-TEST accept dialin pptp
vpdn group VPN-TEST ppp authentication pap
vpdn group VPN-TEST ppp authentication chap
vpdn group VPN-TEST ppp authentication mschap
vpdn group VPN-TEST ppp encryption mppe 40
vpdn group VPN-TEST client configuration address local pptp-pool
vpdn group VPN-TEST pptp echo 60
vpdn group VPN-TEST client authentication local
vpdn username testing password ********
vpdn enable outside

Is there a limit of one active VPN session, or what? This PIX has an unrestricted license and SW ver 6.3(4), PDM 3.0(2).

Other situation:

I have WEBSERVER in the DMZ and two application servers on the inside (AS1 and AS2).

The WEBSERVER accepts http/https connections from the Internet and then needs to ask the inside network for data; how do I add a rule to the following configuration to let WEBSERVER use an ajp13 balanced worker on port 8009 that accesses two Tomcat servers on AS1 and AS2?


Relevant part of configuration:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password XXXXXXXXXXX encrypted
object-group service WebServer tcp
  port-object eq www
  port-object eq https
access-list outside_access_in permit tcp any host object-group WebServer log 7
access-list 110 permit ip
ip address outside
ip address inside
ip address DMZ
global (outside) 1 interface
global (DMZ) 1
nat (inside) 0 access-list 110
nat (inside) 1 0 0
static (DMZ,outside) WebServer netmask 0 0
access-group outside_access_in in interface outside
route outside 1

Hope I made myself clear.

Thanks in advance,


P.S. Please answer also to my e-mail because I'm not a frequent reader of the newsgroup.
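For the DMZ-to-inside question above, the following PIX 6.3 fragment is an added example, not part of the original post: it uses identity statics so AS1 and AS2 keep their real addresses when seen from the lower-security DMZ, then permits only WEBSERVER to reach tcp/8009 on those two hosts. The addresses (192.168.2.10 for WEBSERVER, 10.0.0.11 for AS1, 10.0.0.12 for AS2) and the ACL name DMZ_access_in are constructed placeholders.

```text
! Added example; addresses and ACL name are constructed placeholders.
! Identity statics: PIX 6.3 needs a translation entry before a host on a
! lower-security interface (DMZ) can open a connection to a higher one (inside).
static (inside,DMZ) 10.0.0.11 10.0.0.11 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.0.0.12 10.0.0.12 netmask 255.255.255.255 0 0
! Least privilege: only the web server, only the two AJP13 workers, only tcp/8009.
access-list DMZ_access_in permit tcp host 192.168.2.10 host 10.0.0.11 eq 8009
access-list DMZ_access_in permit tcp host 192.168.2.10 host 10.0.0.12 eq 8009
! Explicit logged deny so unexpected DMZ-originated traffic shows up in syslog.
access-list DMZ_access_in deny ip any any log
access-group DMZ_access_in in interface DMZ
```

Once an access-group is bound to the DMZ interface it governs all traffic entering from the DMZ, so anything else the web server must originate (DNS, NTP, updates toward the outside) needs its own permit line above the deny.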
