04-21-2010 07:46 AM - edited 03-11-2019 10:35 AM
Hi,
Question: I want to access the PDM web page of my PIX 501 when the VPN connection is open.
I can already reach it locally, so http server enable is already configured. I also have the command: http 172.16.251.1 255.255.255.255 outside
(I think it sees the VPN as outside) and I configured the command: pdm location 172.16.251.1 255.255.255.255 outside
Still cannot reach it when the VPN is connected.
What do I need to do?
Thanks
04-21-2010 08:42 AM
Is 172.16.251.1 the IP of the VPN device?
What IP are you trying to PDM, inside or outside?
04-21-2010 09:44 AM
Hi,
172.16.251.1 is the IP address I get from the PIX when I set up a VPN connection.
The device is 172.16.250.253
And I don't know: when I'm connected by VPN and I want to access the PDM website, is that then inside traffic or still outside?
Thanks again...
04-22-2010 01:23 AM
You should try and PDM to the inside interface.
04-22-2010 01:33 AM
pdm location 172.16.251.1 255.255.255.255 inside doesn't work.
Still nothing...
04-22-2010 02:56 AM
Hi,
Have you tried adding the
http
The Pix may not be treating them as being outside as you can have the clients appear on a dmz or on the inside when it comes to implementing access control.
Hope this helps
Scott
04-22-2010 06:53 AM
http 172.16.251.1 255.255.255.255 inside
is also already in the config, but it does not help.
Somehow the PIX is still seeing this subnet/IP address as not trusted, because this command is working just from the inside network 172.16.250.0
04-22-2010 11:22 AM
Can you PING the inside IP of the ASA through the VPN tunnel?
To be able to access the internal IP of the ASA through VPN, you need the management access-inside command.
Besides being able to PING the IP, to enable PDM access, you must enable HTTP access for the IP of the VPN pool for the clients.
This should work.
Federico.
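As an added example (not part of the thread and not Cisco code), a small Python check for the two conditions this answer names: a management-access interface, and an http permit for the VPN pool address on that same interface. The sample config is constructed from the commands quoted in the thread; the function name and finding labels are hypothetical, and the REVIEW finding rests on the assumption that a permit on a non-management interface is a leftover from troubleshooting.

```python
import ipaddress
import re

# Constructed sample config: the commands quoted in the thread plus the fix.
SAMPLE_CONFIG = """\
http server enable
http 172.16.251.1 255.255.255.255 outside
http 172.16.251.1 255.255.255.255 inside
pdm location 172.16.251.1 255.255.255.255 outside
management-access inside
"""

HTTP_RE = re.compile(r"http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")
MGMT_RE = re.compile(r"management-access (\S+)")


def audit_pdm_over_vpn(config, client_ip):
    """Return findings that would stop a VPN client from reaching PDM."""
    client = ipaddress.ip_address(client_ip)
    lines = [line.strip().lower() for line in config.splitlines()]
    findings = []
    if "http server enable" not in lines:
        findings.append("HTTP_DISABLED: 'http server enable' is missing")
    mgmt = [m[1] for m in map(MGMT_RE.fullmatch, lines) if m]
    if not mgmt:
        findings.append("NO_MGMT_ACCESS: no 'management-access <interface>' line")
    allowed = {}  # interface name -> networks permitted to use HTTP/PDM
    for m in filter(None, map(HTTP_RE.fullmatch, lines)):
        net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        allowed.setdefault(m[3], []).append(net)
    for ifc in mgmt:
        if not any(client in net for net in allowed.get(ifc, [])):
            findings.append(f"NO_HTTP_PERMIT: {client} not permitted on '{ifc}'")
    for ifc, nets in allowed.items():
        # Assumption: a permit for the pool address on a non-management
        # interface is a troubleshooting leftover worth reviewing.
        if mgmt and ifc not in mgmt and any(client in net for net in nets):
            findings.append(f"REVIEW: permit for {client} on '{ifc}' may be unneeded")
    return findings


if __name__ == "__main__":
    for finding in audit_pdm_over_vpn(SAMPLE_CONFIG, "172.16.251.1"):
        print(finding)
```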
04-23-2010 07:11 AM
Great!!! This works... the command Management-access inside did the trick.... thanks
Perhaps some other question... when I'm trying to get a connection from my business (with also an ASA)
I get a connection but I cannot ping or access anything... (only when I'm using an internet connection
without an ASA) it is working.
I get some debug message saying: 305006: regular translation creation failed for protocol 50 src INSIDE
Can I fix this on my PIX? Or is this some config issue on the ASA at my work?
Thankssssssssss
04-23-2010 07:49 AM
The error means that IP protocol 50 (which is ESP) does not match any translation rule.
This is not necessarily a problem.
Could you provide more details about the problem that you're having now?
Federico.
04-23-2010 08:09 AM
Ok.... hmm
The problem is... I can get a connection to the PIX and have an IP address from the VPN pool, but cannot reach anything....
And this is only when I'm connecting from our ASA here...
04-23-2010 08:27 AM
When you say connecting from your ASA, you mean there's a Site-to-Site VPN tunnel established?
I don't think so, because you say that you get an IP from the VPN pool (so, it's a remote VPN client connection I assume).
Correct me if I'm wrong...
The problem is when establishing a VPN client connection going through your ASA.
If this is the case, is your ASA performing PAT for your Internet connection?
Do you have NAT-T enabled on the VPN headend ASA?
Federico.
04-23-2010 10:54 AM
Yeah, that's right.. no site-to-site connection... just through another ASA to the outside world...
Ehh, NAT-T? Just beginning with the PIX...
I don't think it's enabled... how to configure this?
Thanks
04-23-2010 10:59 AM
You say the VPN connection does not work when going through your ASA.
If you connect from another site (without going through ASA) it works, correct?
Then most likely, your ASA is blocking either UDP 500 or ESP (IP protocol 50).
Also check if you have "crypto isakmp nat-traversal" enabled on the ASA that terminates the VPN tunnel.
Let me know if this is the case.
Federico.