506, VPN and external access

Unanswered Question
Feb 5th, 2007

I have been trying to setup a 506 to serve as a firewall for a small local church. I have been banging my head against this and finally need to reach out for some assistance. I have read through too many different configurations and tried most of them without success.

Here is what I am trying to achieve in a nutshell.

A 506 connected to a cable provider with a Dynamic DNS service. From this 506 I want to:

1) Protect the internal network

2) Provide access through the PIX to a web/mail server inside the network.

3) allow remote access VPN connections with RADIUS authorization.

I have been able to do the following combinations:

1 and 2 working together without problem. I can access the Net from the inside network without problems and get traffic in to the web server and the mail server.

1 and 3 working together. Protection and access for internal network is working fine with VPN access for remote clients.

What I have not been able to get working is having the VPN working and allowing access to the web/mail server at the same time.

I am certain that I have missed something simple in the configuration, unless this is just not possible.

Thank you,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2 (7 ratings)

Hello Russ,

What your asking for is certainly possible, can you please attach the configuration from the PIX - change any sensitive information before attaching. Also, do you have any PIX logs when you initiate the connection to your inside web/mail servers whilst having the VPN connection open?

How many public IP addresses do you have? Just the one or more?

Let us know and I am sure either myself or someone here will be able to help.


Russ_Jacobs Tue, 02/06/2007 - 06:26


Thank you for your quick response. I do not have any log files to speak of. I do not have any logging configured yet on this unit.

The problem is not getting inside the firewall to the web/mail while a connection is open, but once I configure VPN (using PDM) I lose my ability to get to the Web/Mail server at all.

I will only have the one public facing address.

I have attached 2 files. One is Base_Web-Clean and the other is Base_Web_VPN-clean.

As I mentioned I am new to this and have been trying countless examples found out on the net, so I am sure that what I have is probably not the best implementation, just what I found that works (to a point).

Thank you very much,


kbingeman Tue, 02/06/2007 - 13:21

I noticed you have DHCP setup on the outside interface. Do you have a static IP from your ISP? In order to provide reliable service to your website and email you'll need a static IP.

I'd recommend getting a static IP and assigning this to the outside interface. Then you should be able to access all your services as you have them defined.

Once that is done, then I would move on to the VPN piece.

What radius server OS are you using? Windows 2003?

Russ_Jacobs Tue, 02/06/2007 - 13:40

I have no choice in having DHCP running on the outside interface. I cannot get DSL and Cable is the only other option. The cable provider does provide Dynamic DNS so they will manage the domain name requests and route the traffic to the IP assigned to the outside port.

The Radius Server is IAS on Windows Server 2003. It is working, although I am not getting much data in the database. I created a MSSQL database with all of the data elements in it and the stored procedure to parse the XML file and extract all of the data elements and load them into the table. This is working, although I would like to refine this and include more detailed information from the clients when they authorize, but I am trying to move one step at a time and the authorization piece is functional at this point.

Thank you for your time and response. Any assistance that I can get is greatly appreciated.


Russ_Jacobs Sun, 02/11/2007 - 18:37

I am posting this message in hopes that I will get a response to my original query. Other than the initial response telling me that what I wanted to do was possible and requesting configuration information, I have not gotten any additional feedback that would assist me at all.

If I need to post any additional information, or have not been clear in what I am attempting to accomplish, please let me know and I will be happy to provide any additional details or information.

Thank you,


Russ_Jacobs Thu, 02/15/2007 - 11:37

Can anyone point me to another forum where I might be able to post my query and get some feedback? It has been 2 weeks since my original post and follow up with my configurations and the only person that is writing anything on this thread is me asking for some type of assistance or feedback.

Sorry if I came to the wrong place, but I figured that the Forums at Cisco were the place to post my types of queries.

Thank you,


acomiskey Thu, 02/15/2007 - 11:58

Just to clarify, what are you saying exactly?

1). You are saying that you cannot access web/mail server while you are connected to the vpn?

2). Or you cannot access web/mail server while the configuration is in the pix for the vpn clients?

OH, and it would probably be helpful to use a different subnet for your vpn client pool (different than your inside subnet).

Russ_Jacobs Thu, 02/15/2007 - 13:38

Thank you for your quick response. Your second point is the issue that I am having. As soon as I configure the VPN access, then my ability to access the internal web/mail server ceases.

I can access the web/mail server, or have VPN access, but not both.

I can change the IP pool for the VPN access. I will make this change, but would this have had an impact on the issue of access that I am having?

I have tried many different configurations that I have seen posted, but none seem to get me to where I need to be (and I am certain that the 506 can handle this, as long as I tell it what I need it to do and in the right way and order).

Thank you again!


acomiskey Thu, 02/15/2007 - 13:49

If you connect to the vpn can you connect to mail/web server?

I would definitely start with the vpn pool subnet change and go from there.

Russ_Jacobs Thu, 02/15/2007 - 13:54

The VPN does work fine, although, once I configure the VPN, I can no longer get to the web/mail server. This is a total loss of access, not dependent on having an active VPN session.

I will change the VPN pool and see if that has any impact on the access.

Are there any other issues that you can see in the configuration(s) that should be done differently?

Thank you again for your assistance!


kaachary Fri, 02/16/2007 - 06:56


You have got to change the pool to some other n/w and also remove this statement from the config :

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20



Russ_Jacobs Sat, 02/17/2007 - 19:17


I did make the change to the outside pool. The VPN still works fine after doing this, but there was no change in my ability to get to the web/mail server from the outside after making this change.

I also removed the crypto line as you suggested. This did not make any difference in being able to get to the inside servers, but did cause the VPN connection to stop working.

The crypto line was put in by the PDM when I created the VPN configuration, and removing it caused the VPN to cease working.

At this point I am about beside myself. As soon as I remove the VPN from the configuration, the access to the internal web/mail server works. With the VPN configuration in place, this access no longer functions, but the VPN works just fine. Any other suggestions would be greatly appreciated.

Thank you,


Russ_Jacobs Wed, 03/07/2007 - 05:58

Can anyone please point me to a forum that might be able to provide me with some assistance? After a month of not getting any solid answers from this forum, I am calling it quits here.

I assumed that coming to a Cisco forum might be the best place to get some guidance, especially on a Cisco product, but I can see that I was mistaken.

I apologize for taking up disk space and bandwidth with a problem that either cannot be solved, or that is not worthy of anyones time.


kaachary Wed, 03/07/2007 - 06:01


I would recommend you to open a TAC case if its not going anywhere.


acomiskey Wed, 03/07/2007 - 06:16

Sorry you feel that way. Usually people put some effort into solving their own problem, posting configs, updates, posting LOGS etc.

Nobody here is getting paid for helping you, so you may want to ask nicely next time. Good luck.

Russ_Jacobs Wed, 03/07/2007 - 06:55

Excuse me? Check the thread here and you will see that I did post configs and asked for assistance and guidance. I was initially told that it would be no problem to do what I was trying, but then nothing. I tried many times to generate some help, but it did not happen.

After getting nothing that helped at all, I have become frustrated. Sorry if you cannot understand that. It is funny that I receive no helpful replies to any posts here unless I mark the previous replies as being not helpful, then I get responses within minutes...

kbingeman Wed, 03/07/2007 - 07:11

I too get frustrated but at the end of the day it is your issue to resolve not ours. Speaking for myself (and I think others may agree) that if you post to a group such as this - you get...what you get. There's no guarantee.

What is guarantee is opening a TAC case and getting help from the paid professionals. We all have our own systems to manage and problems to solve too you know.

Good Luck to you. I think you'll find that opening a TAC case will get this issue resolved much faster.


This Discussion