PIX 515E: VPN (PPTP) and DMZ to INSIDE rules

Discussion in 'Cisco' started by mfoolb, Dec 2, 2005.

  mfoolb (Guest)


    It has been a long time since I last posted here; it's time again to
    ask you Cisco experts for help.

    I set up a PIX 515E (relevant parts of configuration follows) with
    three ethernet interfaces (outside, inside and DMZ) and a VPN tunnel.

    The VPN works with the PPTP Windows client, but it only works for one client
    at a time.
    All clients (at once) can authenticate if no client has authenticated
    for *some minutes*;
    if a client tries to connect while there's another session active, I see
    the PIX building up a second tunnel and session, but the client hangs at
    the authentication window; looking at the sessions on the PIX I see
    user unknown (no packet with: debug ppp authentication).

    Here is the VPN part of the configuration:

    access-list 110 permit ip
    ip local pool pptp-pool mask
    nat (inside) 0 access-list 110
    sysopt connection permit-pptp
    vpdn group VPN-TEST accept dialin pptp
    vpdn group VPN-TEST ppp authentication pap
    vpdn group VPN-TEST ppp authentication chap
    vpdn group VPN-TEST ppp authentication mschap
    vpdn group VPN-TEST ppp encryption mppe 40
    vpdn group VPN-TEST client configuration address local pptp-pool
    vpdn group VPN-TEST pptp echo 60
    vpdn group VPN-TEST client authentication local
    vpdn username testing password ********
    vpdn enable outside

    Is there a limit of one active VPN session, or what? This PIX has an
    unrestricted license and
    SW ver 6.3(4), PDM 3.0(2).

    Other situation:

    I have a WEBSERVER in the DMZ and two application servers on the inside
    (AS1 and AS2).

    The WEBSERVER accepts http/https connections from the Internet and then
    needs to ask for data from the inside network; how do I add a rule to the
    following configuration to let WEBSERVER use an ajp13 balanced worker at
    port 8009 that accesses two Tomcat servers on AS1 and AS2?


    Relevant part of configuration:

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    enable password XXXXXXXXXXX encrypted
    object-group service WebServer tcp
    port-object eq www
    port-object eq https
    access-list outside_access_in permit tcp any host object-group WebServer log 7
    access-list 110 permit ip
    ip address outside
    ip address inside
    ip address DMZ
    global (outside) 1 interface
    global (DMZ) 1
    nat (inside) 0 access-list 110
    nat (inside) 1 0 0
    static (DMZ,outside) WebServer netmask 0 0
    access-group outside_access_in in interface outside
    route outside 1

    Hope I made myself clear.

    Thanks in advance,


    Please also reply to my e-mail, because I'm not a frequent reader of
    the newsgroup.
    mfoolb, Dec 2, 2005
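An added example, not from the original post or from Cisco documentation, of how the DMZ-to-inside rule asked about above could be written on a PIX 6.3 following least privilege: only TCP 8009 from WEBSERVER to AS1 and AS2 is permitted, and everything else initiated from the DMZ is denied and logged. The addresses (192.168.4.10 for WEBSERVER on the DMZ, 10.0.0.11 and 10.0.0.12 for AS1 and AS2, 10.0.0.0/24 as the inside network), the object-group name AppServers and the ACL name DMZ_access_in are constructed placeholders, since the post elides the real values.

```cisco
! Constructed addresses (not from the original post):
!   WEBSERVER on the DMZ = 192.168.4.10
!   AS1 = 10.0.0.11, AS2 = 10.0.0.12 (inside network 10.0.0.0/24)
!
! 1. On PIX 6.3 a connection from a lower-security interface (DMZ,
!    security4) to a higher one (inside, security100) needs a translation
!    entry. An identity static presents the inside addresses unchanged to
!    the DMZ; it takes precedence over "nat (inside) 1" / "global (DMZ) 1",
!    so inside hosts are no longer PAT'd when they talk to the DMZ.
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! 2. Group the two Tomcat hosts so the rule stays readable and a third
!    app server later means one extra network-object, not a new ACL line.
object-group network AppServers
  network-object host 10.0.0.11
  network-object host 10.0.0.12
!
! 3. Permit only ajp13 (tcp/8009) from WEBSERVER to the app servers.
!    The ACL already ends in an implicit deny; the explicit "deny ... log"
!    is there so that anything else the web server tries towards the inside
!    shows up in the syslog. If the web server also needs outbound access
!    (DNS, updates), add explicit permits for those above the deny.
access-list DMZ_access_in permit tcp host 192.168.4.10 object-group AppServers eq 8009
access-list DMZ_access_in deny ip any any log
!
! 4. Apply the list inbound on the DMZ interface; without an access-group
!    the static alone does not open the path.
access-group DMZ_access_in in interface DMZ
```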
