Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > PIX 515E: VPN (PPTP) and DMZ to INSIDE rules

Thread Tools

PIX 515E: VPN (PPTP) and DMZ to INSIDE rules
Posts: n/a

it has been a long time since I last posted here, it's time again to
ask you Cisco experts for help;

I set up a PIX 515E (relevant parts of configuration follows) with
three ethernet interfaces (outside, inside and DMZ) and a VPN tunnel.

The VPN works with PPTP Windows client but it only works for one client
at a time.
All clients (at once) can authenticate if no client has authenticated
for *some minutes*;
if a client try to connect while there's another session active I see
the PIX building up second tunnel and session but the client hanging on
the authentication window; looking at the sessions on the PIX I see
user unknown (no packet with: debug ppp authentication).

Here is the VPN part of the configuration:

access-list 110 permit ip
ip local pool pptp-pool mask
nat (inside) 0 access-list 110
sysopt connection permit-pptp
vpdn group VPN-TEST accept dialin pptp
vpdn group VPN-TEST ppp authentication pap
vpdn group VPN-TEST ppp authentication chap
vpdn group VPN-TEST ppp authentication mschap
vpdn group VPN-TEST ppp encryption mppe 40
vpdn group VPN-TEST client configuration address local pptp-pool
vpdn group VPN-TEST pptp echo 60
vpdn group VPN-TEST client authentication local
vpdn username testing password ********
vpdn enable outside

Is there a limit of one vpn active session or what? This PIX has
unrestricted license and
SW ver 6.3(4), PDM 3.0(2).

Other situation:

I have WEBSERVER in the DMZ and two application server in the inside
(AS1 and AS2).

The WEBSERVER accept http/https connection from the Internet and than
need to ask for data to the inside network; how to add this rule in the
following configuration to let WEBSERVER use a ajp13 balanced worker at
port 8009 that access two tomcat server in AS1 and AS2?


Relevant part of configuration:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password XXXXXXXXXXX encrypted
object-group service WebServer tcp
port-object eq www
port-object eq https
access-list outside_access_in permit tcp any host
object-group WebServer log 7
access-list 110 permit ip
ip address outside
ip address inside
ip address DMZ
global (outside) 1 interface
global (DMZ) 1
nat (inside) 0 access-list 110
nat (inside) 1 0 0
static (DMZ,outside) WebServer netmask 0 0
access-group outside_access_in in interface outside
route outside 1

Hope I made myself clear.

Thanks in advance,


Please answer also to my e-mail because I'm not a frequent reader of
the newsgroup.

Reply With Quote

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
help with pix inside->outside + dmz->outside + inside->outside->dmz Jack Cisco 0 09-19-2007 01:57 AM
Allow smtp traffic from DMZ to Inside, without DMZ loosing Internet connection? morten Cisco 4 09-04-2007 01:48 PM
PIX VPN to both DMZ and INSIDE segments Tiffany Cisco 3 10-19-2005 04:13 AM
Cisco PIX DMZ to DMZ Access Network-Guy Cisco 7 09-25-2005 08:28 PM
VPN from Inside to DMZ of 525 PIX JammyKat Cisco 1 10-20-2003 10:58 PM