PIX 515E: VPN (PPTP) and DMZ to INSIDE rules

Discussion in 'Cisco' started by mfoolb@gmail.com, Dec 2, 2005.

  1. Guest

    Ciao,

    it has been a long time since I last posted here, it's time again to
    ask you Cisco experts for help;

    I set up a PIX 515E (relevant parts of configuration follows) with
    three ethernet interfaces (outside, inside and DMZ) and a VPN tunnel.

    The VPN works with PPTP Windows client but it only works for one client
    at a time.
    All clients (at once) can authenticate if no client has authenticated
    for *some minutes*;
    if a client tries to connect while there's another session active I see
    the PIX building up a second tunnel and session but the client hanging on
    the authentication window; looking at the sessions on the PIX I see
    user unknown (no packet with: debug ppp authentication).

    Here is the VPN part of the configuration:

    access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    ip local pool pptp-pool 192.168.2.2-192.168.2.254 mask 255.255.255.0
    nat (inside) 0 access-list 110
    sysopt connection permit-pptp
    vpdn group VPN-TEST accept dialin pptp
    vpdn group VPN-TEST ppp authentication pap
    vpdn group VPN-TEST ppp authentication chap
    vpdn group VPN-TEST ppp authentication mschap
    vpdn group VPN-TEST ppp encryption mppe 40
    vpdn group VPN-TEST client configuration address local pptp-pool
    vpdn group VPN-TEST pptp echo 60
    vpdn group VPN-TEST client authentication local
    vpdn username testing password ********
    vpdn enable outside

    Is there a limit of one active VPN session or what? This PIX has an
    unrestricted license and SW ver 6.3(4), PDM 3.0(2).

    Other situation:

    I have WEBSERVER in the DMZ and two application servers on the inside
    (AS1 and AS2).

    The WEBSERVER accepts http/https connections from the Internet and then
    needs to ask for data from the inside network; how do I add a rule to the
    following configuration to let WEBSERVER use an ajp13 balanced worker on
    port 8009 that accesses two tomcat servers on AS1 and AS2?

    WEBSERVER: 35.35.35.35
    AS1: 192.168.1.100
    AS2: 192.168.1.101

    Relevant part of configuration:

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    enable password XXXXXXXXXXX encrypted
    object-group service WebServer tcp
    port-object eq www
    port-object eq https
    access-list outside_access_in permit tcp any host 88.88.88.19 object-group WebServer log 7
    access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    ip address outside 88.88.88.18 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip address DMZ 35.35.35.1 255.255.255.0
    global (outside) 1 interface
    global (DMZ) 1 35.35.35.5-35.35.35.20
    nat (inside) 0 access-list 110
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (DMZ,outside) 88.8.88.19 WebServer netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 88.88.88.17 1

    Hope I made myself clear.

    Thanks in advance,

    Marco.

    P.S.
    Please answer also to my e-mail because I'm not a frequent reader of
    the newsgroup.
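The DMZ-to-inside question above comes down to two PIX 6.x rules: traffic from a lower-security interface (DMZ, security4) to a higher one (inside, security100) is denied unless an ACL bound to the lower interface permits it and a translation (a static, or a nat 0 exemption) exists for the inside host. The script below is an added example, not code from the post or from Cisco: it parses the posted lines (wrapped lines joined) into a small model and checks a requested flow against those two rules, and it also cross-checks the `host` addresses in an inbound ACL against the global addresses of the statics on that interface, which surfaces the `88.8.88.19` static versus `88.88.88.19` ACL mismatch visible in the posted config. The `name 35.35.35.35 WebServer` line is assumed (the post uses WebServer as a host name without showing the `name` command), and the `HARDENED_DMZ_LINES` are my own least-privilege suggestion for AS1/AS2 on port 8009, not the poster's configuration. ACL semantics are deliberately simplified to exact `permit tcp host A host B eq P` matches.

```python
"""Offline policy checks for a PIX 6.x configuration (added example, not from the post)."""
import re

# Constructed sample: the posted configuration with wrapped lines joined, plus one
# assumed `name` line so the static's WebServer reference resolves to an address.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
name 35.35.35.35 WebServer
access-list outside_access_in permit tcp any host 88.88.88.19 object-group WebServer log 7
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
global (DMZ) 1 35.35.35.5-35.35.35.20
nat (inside) 0 access-list 110
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (DMZ,outside) 88.8.88.19 WebServer netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Assumed least-privilege additions: only the web server, only the two app servers, only 8009.
HARDENED_DMZ_LINES = """\
access-list DMZ_access_in permit tcp host 35.35.35.35 host 192.168.1.100 eq 8009
access-list DMZ_access_in permit tcp host 35.35.35.35 host 192.168.1.101 eq 8009
static (inside,DMZ) 192.168.1.100 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.101 192.168.1.101 netmask 255.255.255.255 0 0
access-group DMZ_access_in in interface DMZ
"""


def parse(config):
    """Build a minimal model: security levels, name map, ACL entries, bindings, statics."""
    model = {"security": {}, "names": {}, "acls": {}, "access_groups": {}, "statics": []}
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameif":                      # nameif <hw> <name> security<N>
            model["security"][parts[2]] = int(parts[3][len("security"):])
        elif parts[0] == "name":                      # name <ip> <alias>
            model["names"][parts[2]] = parts[1]
        elif parts[0] == "access-list":               # access-list <acl> <entry tokens...>
            model["acls"].setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "access-group":              # access-group <acl> in interface <if>
            model["access_groups"][parts[4]] = parts[1]
        elif parts[0] == "static":                    # static (<high>,<low>) <global> <local> ...
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            high, low, global_ip, local = m.groups()
            model["statics"].append({"high": high, "low": low, "global": global_ip,
                                     "local": model["names"].get(local, local)})
    return model


def lower_to_higher_block_reason(model, src_if, dst_if, src_ip, dst_ip, port):
    """Why a TCP flow from src_if to dst_if would be blocked, or None if policy allows it.

    Only exact 'permit tcp host A host B eq P' entries are recognised; ranges, object-groups,
    ACL ordering and nat 0 exemptions are out of scope for this simplified check."""
    sec = model["security"]
    if sec[src_if] >= sec[dst_if]:
        return None  # higher-to-lower is permitted by default on PIX 6.x (given a translation)
    acl_name = model["access_groups"].get(src_if)
    if acl_name is None:
        return f"no access-group bound to {src_if}; lower-to-higher traffic is denied by default"
    wanted = ["permit", "tcp", "host", src_ip, "host", dst_ip, "eq", str(port)]
    if wanted not in model["acls"].get(acl_name, []):
        return f"{acl_name} has no entry permitting {src_ip} -> {dst_ip}:{port}"
    if not any(s["low"] == src_if and s["high"] == dst_if for s in model["statics"]):
        return f"no static ({dst_if},{src_if}) translation exposing {dst_ip} to {src_if}"
    return None


def static_acl_mismatches(model):
    """Destination 'host' addresses in an inbound ACL that no static on that interface translates."""
    findings = set()
    by_low = {}
    for st in model["statics"]:
        by_low.setdefault(st["low"], set()).add(st["global"])
    for low_if, translated in by_low.items():
        acl_name = model["access_groups"].get(low_if)
        for entry in model["acls"].get(acl_name, []):
            hosts = [entry[i + 1] for i, tok in enumerate(entry) if tok == "host"]
            if hosts and hosts[-1] not in translated:  # last 'host' token is the destination
                findings.add((acl_name, hosts[-1]))
    return sorted(findings)


if __name__ == "__main__":
    posted = parse(SAMPLE_CONFIG)
    print(lower_to_higher_block_reason(posted, "DMZ", "inside", "35.35.35.35", "192.168.1.100", 8009))
    print(static_acl_mismatches(posted))
    hardened = parse(SAMPLE_CONFIG + HARDENED_DMZ_LINES)
    print(lower_to_higher_block_reason(hardened, "DMZ", "inside", "35.35.35.35", "192.168.1.100", 8009))
```

Run against the posted lines the flow check reports that nothing is bound to the DMZ interface, and the static cross-check reports `88.88.88.19` as a host the outside ACL permits but no static translates; with the assumed DMZ lines appended the 8009 flow to AS1 passes. The checker is a sanity aid for reading a config offline, not a substitute for `show access-list` hit counts and `debug` output on the box itself.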
