Access pdm pix501 with vpn

Apr 21st, 2010

I want to access the PDM webpage of my PIX501 when the VPN connection is open.

I can already reach it locally, so http server enable is already configured. I also have the command: http outside

(I think it sees the VPN as outside) and I configured the command: pdm location outside

Still cannot reach it when the VPN is connected..

What do I need to do?


p.mcgowan Wed, 04/21/2010 - 08:42

is the IP of the VPN device?

What IP are you trying to PDM, inside or outside?

kennis1977 Wed, 04/21/2010 - 09:44

Hi, is the IP address I get from the PIX when I set up a VPN connection..

the device is

and.. I don't know.. when I'm connected by VPN and I want to access the PDM website.. is that then inside traffic or still outside??

thanks again...

p.mcgowan Thu, 04/22/2010 - 01:23

You should try and PDM to the inside interface

kennis1977 Thu, 04/22/2010 - 01:33

pdm location inside doesn't work..

still nothing...

scott-goodwin Thu, 04/22/2010 - 02:56

Have you tried adding the

http inside ??

The Pix may not be treating them as being outside as you can have the clients appear on a dmz or on the inside when it comes to implementing access control.

Hope this helps


kennis1977 Thu, 04/22/2010 - 06:53

Http inside

is also already in the config... but does not help...

Somehow the PIX is still seeing this subnet/IP address as not trusted... because this command is working just from the inside network

Federico Coto F... Thu, 04/22/2010 - 11:22

Can you PING the inside IP of the ASA through the VPN tunnel?

To be able to access the internal IP of the ASA through VPN, you need the management access-inside command.

Besides being able to PING the IP, to enable PDM access, you must enable HTTP access for the IP of the VPN pool for the clients.

This should work.


kennis1977 Fri, 04/23/2010 - 07:11

Great!!! This works... the command Management-access inside did the trick.... thanks

Perhaps some other question... when I'm trying to get a connection from my business (with also an ASA) I get a connection but.. I cannot ping or access anything... (only when I'm using an internet connection without an ASA) it is working.

I get some debug message saying: 305006: regular translation creation failed for protocol 50 src INSIDE

Can I fix this on my PIX? Or is this some config issue on the ASA at my work?


Federico Coto F... Fri, 04/23/2010 - 07:49

The error means that IP protocol 50 (which is ESP) does not match any translation rule.

This is not necessarily a problem.

Could you provide more details about the problem that you're having now?


kennis1977 Fri, 04/23/2010 - 08:09

Ok.... hmm

The problem is... I can get a connection to the PIX... and have an IP address from the VPN pool.. but cannot reach anything....

And this is only when I'm connecting from our ASA here...

Federico Coto F... Fri, 04/23/2010 - 08:27

When you say connecting from your ASA, you mean there's a Site-to-Site VPN tunnel established?

I don't think so, because you say that you get an IP from the VPN pool (so, it's a remote VPN client connection I assume).

Correct me if I'm wrong...

The problem is when establishing a VPN client connection going through your ASA.

If this is the case, is your ASA performing PAT for your Internet connection?

Do you have NAT-T enabled on the VPN headend ASA?


kennis1977 Fri, 04/23/2010 - 10:54

Yeah that's right.. no site to site connection... just through another ASA to the outside world...

Ehh NAT-T? Just beginning with the PIX...

I don't think it's enabled... how to configure this?


Federico Coto F... Fri, 04/23/2010 - 10:59

You say the VPN connection does not work when going through your ASA.

If you connect from another site (without going through ASA) it works correct?

Then most likely, your ASA is blocking either UDP 500 or ESP (IP protocol 50).

Also check if you have "crypto isakmp nat-traversal" enabled on the ASA that terminates the VPN tunnel.

Let me know if this is the case.


