Cannot get web interface

bhughesiii
Level 1

The problem I have is that I have a client using Cisco's VPN client. He connects to another server and is going through a PIX 515. The VPN authenticates, but when we try to pull up the web interface for an IBM AS400 it will not go through. Could this be a misconfiguration on my PIX, or is it an issue with the server being authenticated to?

4 Replies

micah
Level 1

Can the client connect to other services through the tunnel? Can he ping the AS400?

Here is the deal, and I just found this out today. If you dial up to the internet and use the Cisco VPN client from a public address, it works fine. It is having trouble going through the PIX on a private address. We haven't tried pinging the AS400 yet; I think ICMP is turned off. But we are going to try that, and if this other info helps then I will appreciate anything else you can tell me.

Correct. If you are behind a 1-to-many (PAT/NAPT) NAT situation then it will not work. You have to have a 1-to-1 NAT translation for IOS or the firewall at this time. If you have a concentrator you can use IPSec over TCP. The problem lies with the fact that the port information is encrypted, so port address translation doesn't work. In addition to this, for a firewall on a PAT/NAPT setup you need to enable ESP inbound on the public address in your firewall rules.

Thank you much. I will make the necessary changes and see how it works.
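The PAT explanation in the thread above, as an added example that is not part of any poster's reply: a simplified model of a many-to-one translator keyed on source ports, showing why the IKE exchange (UDP 500) can be mapped while ESP (IP protocol 50) cannot, and why a one-to-one static mapping does not have that problem. All addresses, the port pool and the class and function names are constructed for illustration; this is not PIX code.

```python
import socket
import struct

ESP, TCP, UDP = 50, 6, 17  # IANA IP protocol numbers

def ipv4(proto, src, dst, payload):
    """Build a minimal 20-byte IPv4 header (checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def flow_key(pkt):
    """Return (proto, src_ip, src_port) if PAT can key on it, else None."""
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    if proto in (TCP, UDP):
        (sport,) = struct.unpack("!H", pkt[ihl:ihl + 2])
        return (proto, src, sport)
    return None  # ESP carries SPI + sequence number, then ciphertext: no port

class Pat:
    """Many-to-one translation: every inside flow shares one public address."""
    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 20000

    def outbound(self, pkt):
        key = flow_key(pkt)
        if key is None:
            return None  # no port to multiplex on, so no translation entry
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.table[key])

def static_nat(pkt, mapping):
    """One-to-one translation: only the source address is rewritten."""
    return mapping.get(socket.inet_ntoa(pkt[12:16]))

# Constructed sample packets from a VPN client on a private address.
CLIENT, PEER = "192.168.1.10", "198.51.100.5"
ike = ipv4(UDP, CLIENT, PEER, struct.pack("!HHHH", 500, 500, 8, 0))
esp = ipv4(ESP, CLIENT, PEER, struct.pack("!II", 0x1001, 1) + b"\x00" * 16)

if __name__ == "__main__":
    pat = Pat("203.0.113.1")
    print("IKE via PAT:       ", pat.outbound(ike))
    print("ESP via PAT:       ", pat.outbound(esp))
    print("ESP via static NAT:", static_nat(esp, {CLIENT: "203.0.113.10"}))
```

In this model the IKE packet gets a PAT entry and the ESP packet does not, which is consistent with the symptom in the original post: the VPN authenticates but traffic through the tunnel fails.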