Access PDM on a PIX 501 over VPN

Unanswered Question
Apr 21st, 2010

Hi,

Question: I want to access the PDM web page of my PIX 501 when the VPN connection is open.

I can already reach it locally, so http server enable is already configured. I also have the command: http 172.16.251.1 255.255.255.255 outside

(I think it sees the VPN as outside) and I configured the command: pdm location 172.16.251.1 255.255.255.255 outside

I still cannot reach it when the VPN is connected.

What do i need to do?

Thanks

p.mcgowan Wed, 04/21/2010 - 08:42

Is 172.16.251.1 the IP of the VPN device?

What IP are you trying to reach PDM on, inside or outside?

kennis1977 Wed, 04/21/2010 - 09:44

Hi,

172.16.251.1 is the IP address I get from the PIX when I set up a VPN connection.

The device is 172.16.250.253.

And I don't know: when I'm connected by VPN and I want to access the PDM website, is that inside traffic or still outside?

Thanks again.

kennis1977 Thu, 04/22/2010 - 01:33

pdm location 172.16.251.1 255.255.255.255 inside doesn't work.

Still nothing.

scott-goodwin Thu, 04/22/2010 - 02:56

Hi,

Have you tried adding the http inside command?

The PIX may not be treating them as being outside, as you can have the clients appear on a DMZ or on the inside when it comes to implementing access control.

Hope this helps

Scott

kennis1977 Thu, 04/22/2010 - 06:53

http 172.16.251.1 255.255.255.255 inside is also already in the config, but it does not help.

Somehow the PIX is still seeing this subnet/IP address as not trusted, because this command is working only from the inside network 172.16.250.0.

Federico Coto F... Thu, 04/22/2010 - 11:22

Can you ping the inside IP of the ASA through the VPN tunnel?

To be able to access the internal IP of the ASA through VPN, you need the management-access inside command.

Besides being able to ping the IP, to enable PDM access you must enable HTTP access for the IP of the VPN pool for the clients.

This should work.

Federico.

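The fix Federico describes, collected into one PIX 6.3-style configuration (the PDM-era OS) as an added example; this is not configuration from the original posts or from a Cisco document. It reuses the thread's addresses (inside interface 172.16.250.253/24, VPN clients in 172.16.251.0/24) and assumes the rest: the pool range and name (vpnpool), the group name (remoteusers), the crypto parameters, and a placeholder pre-shared key.

```cisco
! Added example (PIX 6.3 syntax). Addresses from the thread; pool range,
! names, crypto settings and the key are assumed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 172.16.250.253 255.255.255.0
ip address outside dhcp setroute          ! assumed; use a static address if you have one

! Address pool handed to remote-access (Cisco VPN Client) users
ip local pool vpnpool 172.16.251.1-172.16.251.50   ! assumed range

! Let decrypted IPsec traffic bypass interface ACLs, and keep LAN<->pool
! traffic out of NAT so replies go back through the tunnel.
sysopt connection permit-ipsec
access-list NONAT permit ip 172.16.250.0 255.255.255.0 172.16.251.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Minimal IKE/IPsec for the VPN clients (assumed parameters)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password CHANGE-ME-PRESHARED-KEY   ! placeholder

! The line the thread was missing: allow traffic arriving through the
! tunnel to terminate on the inside interface address (172.16.250.253).
management-access inside

! PDM over HTTPS: serve it, and allow both the LAN and the VPN pool.
! Client packets are decrypted on the outside interface, so the pool is
! listed against "outside"; the LAN stays against "inside".
http server enable
http 172.16.250.0 255.255.255.0 inside
http 172.16.251.0 255.255.255.0 outside
pdm location 172.16.251.0 255.255.255.0 outside
```

To check it, connect a client, ping 172.16.250.253, then browse to https://172.16.250.253/. Keep the http entries as tight as the pool allows: management-access inside exposes the firewall's management plane to every address that can reach the tunnel, so the http lines are the only thing narrowing who may log in to PDM.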
kennis1977 Fri, 04/23/2010 - 07:11

Great! This works. The command management-access inside did the trick. Thanks.

Perhaps another question: when I'm trying to get a connection from my business (which also has an ASA), I get a connection but I cannot ping or access anything. Only when I'm using an Internet connection without an ASA is it working.

I get a debug message saying: 305006: regular translation creation failed for protocol 50 src INSIDE

Can I fix this on my PIX, or is this a config issue on the ASA at my work?

Thanks!

Federico Coto F... Fri, 04/23/2010 - 07:49

The error means that IP protocol 50 (which is ESP) does not match any translation rule.

This is not necessarily a problem.

Could you provide more details about the problem that you're having now?

Federico.

kennis1977 Fri, 04/23/2010 - 08:09

OK, hmm.

The problem is: I can get a connection to the PIX and have an IP address from the VPN pool, but I cannot reach anything.

And this is only when I'm connecting from our ASA here.

Federico Coto F... Fri, 04/23/2010 - 08:27

When you say connecting from your ASA, you mean there's a Site-to-Site VPN tunnel established?

I don't think so, because you say that you get an IP from the VPN pool (so, it's a remote VPN client connection I assume).

Correct me if I'm wrong...

The problem is when establishing a VPN client connection going through your ASA.

If this is the case, is your ASA performing PAT for your Internet connection?

Do you have NAT-T enabled on the VPN headend ASA?

Federico.

kennis1977 Fri, 04/23/2010 - 10:54

Yeah, that's right. No site-to-site connection, just through another ASA to the outside world.

Ehh, NAT-T? I'm just beginning with the PIX.

I don't think it's enabled. How do I configure this?

Thanks

Federico Coto F... Fri, 04/23/2010 - 10:59

You say the VPN connection does not work when going through your ASA.

If you connect from another site (without going through the ASA), it works correctly?

Then most likely, your ASA is blocking either UDP 500 or ESP (IP protocol 50).

Also check if you have "crypto isakmp nat-traversal" enabled on the ASA that terminates the VPN tunnel.

Let me know if this is the case.

Federico.

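The 305006 message and the NAT-T point Federico raises, worked through as an added example (not configuration from the original posts): the headend side in PIX 6.3 syntax, with the later PIX/ASA 7.x form noted, and the corporate ASA side in ASA 7.x/8.x syntax. The access-list name OUTBOUND is assumed, and that list is only needed if the corporate ASA already applies an outbound ACL to its inside interface.

```cisco
! --- Why ESP dies behind the corporate ASA ---
! %PIX-3-305006: regular translation creation failed for protocol 50 src INSIDE:...
! ESP (IP protocol 50) carries no port numbers, so a PAT (overload) rule has
! nothing to translate and the ASA drops it after logging 305006. IKE itself
! (UDP 500) does get through, which is why the client reports "connected"
! but no data flows. NAT-T fixes this: both peers detect the NAT during IKE
! and wrap ESP in UDP 4500, which PAT can translate.

! === PIX 501 VPN headend (PIX 6.3 syntax) ===
isakmp enable outside
isakmp nat-traversal 20          ! enable NAT-T; send NAT keepalives every 20 s
! On PIX/ASA 7.x and later the same setting is written as:
!   crypto isakmp nat-traversal 20
! Verify after a client connects from behind the corporate ASA:
!   show isakmp sa          -> an SA with the corporate ASA's public address
!   show crypto ipsec sa    -> the "in use settings" line reports UDP
!                              encapsulation when NAT-T was negotiated

! === Corporate ASA the client sits behind (ASA 7.x/8.x syntax) ===
! By default the ASA allows connections from inside to outside, so nothing
! is needed unless an outbound ACL is applied to "inside". If there is one,
! it must permit IKE and the NAT-T port; ESP cannot be PAT'ed, so there is
! no point adding a "permit esp" line for a client behind PAT.
access-list OUTBOUND extended permit udp any any eq isakmp        ! UDP 500
access-list OUTBOUND extended permit udp any any eq 4500          ! NAT-T
access-group OUTBOUND in interface inside
```

On the client, the Cisco VPN Client's Transport tab must also have "Enable Transparent Tunneling" with "IPSec over UDP (NAT/PAT)" selected, which is its default; if the corporate ASA blocks UDP 4500 as well, the remaining option is IPsec over TCP, which has to be enabled on the headend and is not available on the PIX 6.3 software the PDM commands in this thread imply.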