Two VPN groups on PIX 506 - Two Radius Servers on LAN

 
 
Pichi_b
03-27-2007
Hello,

This is what I would like to do:

I have two vpngroups (A and B) created on the PIX. I want the A group
to authenticate via Radius to Server A and the B group to authenticate
to Server B (also via Radius)

So it looks like this so far:

aaa-server A protocol radius
aaa-server A (inside) host server_A chuck

aaa-server B protocol radius
aaa-server B (inside) host server_B berry

-------------------------------------------------------------------------------------

vpngroup A authentication-server A
vpngroup A password ********


vpngroup B authentication-server B
vpngroup B password ********

-------------------------------------------------------------------------------------


crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime kilobytes 100000
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication A
crypto map mymap interface outside


--------------------------------------------------------------------------------------



You can see that I have the crypto map client authentication pointing
to A and that's OK and it works fine, but when I go to add B it just
takes the place of A, and I can't have both. I tried creating a new
crypto map called newmap with all the same things as the original but
then I am stuck again because I can only apply one map to the outside
interface.

Can anyone help??

Thanks,

P.

 
 
 
 
 
Pichi_b
03-30-2007
Hello,

I am posting this so if anyone else out there runs into this problem
it will save them a few hours of looking at ambiguous Cisco
documentation.

The short answer is this cannot be done on ver 6.3.x

Only one crypto map client authentication per interface is allowed.
However, you can do a backup, for example:

crypto map MYMAP client authentication AuthIn DR

Where AuthIn is your primary Authentication Policy and DR is a backup
policy.

Hope this helps someone,


Pedro
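
Added example (not part of the original posts, and not Cisco code): a small Python audit that applies the behaviour described in this thread to a PIX 6.3-style configuration and reports which vpngroups will not be authenticated by the RADIUS server they name. The function name audit_xauth and the "last map applied to an interface wins" rule are assumptions; the sample config is constructed from the first post.

```python
# Constructed sample: lines from the first post, plus the second
# "client authentication" command that the poster says replaced the first.
SAMPLE_CONFIG = """\
vpngroup A authentication-server A
vpngroup B authentication-server B
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication A
crypto map mymap client authentication B
crypto map mymap interface outside
"""


def audit_xauth(config):
    """Return ({interface: [server tags in order]}, [findings])."""
    group_server = {}  # vpngroup name -> authentication-server tag
    map_auth = {}      # crypto map name -> client authentication tags
    iface_map = {}     # interface -> crypto map applied to it
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["vpngroup"] and tok[2:3] == ["authentication-server"] and len(tok) == 4:
            group_server[tok[1]] = tok[3]
        elif tok[:2] == ["crypto", "map"] and tok[3:5] == ["client", "authentication"]:
            name, tags = tok[2], tok[5:]
            if name in map_auth:
                # Per the thread: a second command takes the place of the first.
                findings.append(f"crypto map {name}: client authentication "
                                f"{' '.join(map_auth[name])} replaced by {' '.join(tags)}")
            map_auth[name] = tags
        elif tok[:2] == ["crypto", "map"] and tok[3:4] == ["interface"] and len(tok) == 5:
            # Only one map per interface (per the thread); assumed: the last one wins.
            iface_map[tok[4]] = tok[2]
    effective = {i: map_auth.get(m, []) for i, m in iface_map.items()}
    for iface, tags in effective.items():
        for group, server in sorted(group_server.items()):
            if tags and server != tags[0]:
                # Per the reply: the first tag is the primary, any later tag a backup.
                role = "only a backup" if server in tags else "not consulted"
                findings.append(f"vpngroup {group}: server {server} is {role} for "
                                f"client authentication on {iface}; primary is {tags[0]}")
    return effective, findings


if __name__ == "__main__":
    effective, findings = audit_xauth(SAMPLE_CONFIG)
    print(effective)
    for finding in findings:
        print("-", finding)
```

Run against a saved configuration, an empty findings list means every vpngroup names the server that is primary on the interface's crypto map.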

