Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > PIX remote client VPN not prompting for username and password

Reply
Thread Tools

PIX remote client VPN not prompting for username and password

 
 
dbarry82@yahoo.com
Guest
Posts: n/a
 
      10-29-2007
Hello. I am betting someone has an easy answer for this.

I have configured a PIX 506e to do ipsec remote client VPN.

Cisco VPN Client 4.8.00.0440 currently works. We can connect to the
VPN simply based on the group name and password.

Here is the problem: at connect-time do not get prompted for a
username and password. It just connects us. If the group name and
password are correct that is all that is needed.

I have compared this to the other PIX's we have installed and I cannot
see the difference. Can anyone help make sense of this? I have posted
the config below (modified to protect the innocent...) THANKS A BUNCH

btw, I know we should have a different network assigned for the VPN
users but we are being forced to assign IP addresses from the same
network as the inside of the LAN so we can connect the laptop VPN
users to a unix machine on the LAN (telnet access). The Unix vendor
tells us that we MUST be on the same subnet or their system won't be
accessible :^\

----------

PIX Version 6.3(5)
interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXXXXXXXX encrypted

passwd XXXXXXXXXX encrypted

hostname punji

domain-name myco.net

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.0.10 csd

access-list vpnremote_splitTunnelAcl permit ip host csd any

access-list inside_outbound_nat0_acl permit ip host csd 192.168.0.192
255.255.255.192

access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.192
255.255.255.192

access-list inbound permit icmp any any

access-list outbound permit ip 192.168.0.0 255.255.255.0 any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 1.1.1.2 255.255.255.252

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ipsecpool 192.168.0.210-192.168.0.230



pdm history enable

arp timeout 14400


global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


access-group inbound in interface outside

access-group outbound in interface inside


route outside 0.0.0.0 0.0.0.0 1.1.1.1 1


timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute



aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local



http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec



crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 40 match address
outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside



isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400



vpngroup vpnremote address-pool ipsecpool

vpngroup vpnremote dns-server 2.5.2.5 2.2.2.1

vpngroup vpnremote default-domain myco.net

vpngroup vpnremote split-tunnel vpnremote_splitTunnelAcl

vpngroup vpnremote idle-time 1800

vpngroup vpnremote password ********

telnet 192.168.22.0 255.255.255.0 inside

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 5

ssh 7.17.98.13 255.255.255.255 outside

ssh 7.17.13.18 255.255.255.255 outside

ssh timeout 5

console timeout 0

dhcpd address 192.168.0.100-192.168.0.150 inside

dhcpd dns 2.3.4.5 2.2.2.1

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside



username field password xxxxxxxx encrypted privilege 15

username field1 password xxxxxxxxxxxxx encrypted privilege 15



terminal width 80

Cryptochecksum:6418c999151ff8674257519e9c50ab7c

: end

 
Reply With Quote
 
 
 
 
Darren
Guest
Posts: n/a
 
      10-29-2007
http://www.velocityreviews.com/forums/(E-Mail Removed) wrote:
> Hello. I am betting someone has an easy answer for this.
>
> I have configured a PIX 506e to do ipsec remote client VPN.
>
> Cisco VPN Client 4.8.00.0440 currently works. We can connect to the
> VPN simply based on the group name and password.
>
> Here is the problem: at connect-time do not get prompted for a
> username and password. It just connects us. If the group name and
> password are correct that is all that is needed.
>
>

snip..

I believe that you need:

crypto map YOUR_CRYPTO_MAP_NAME client authentication XXXXXX

(where XXX is e.g. Local or AAA Server Name etc). If you Google this you
should find a number of responses.

Regards

Darren
 
Reply With Quote
 
 
 
 
dbarry82@yahoo.com
Guest
Posts: n/a
 
      10-30-2007
On Oct 29, 2:41 pm, Darren <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > Hello. I am betting someone has an easy answer for this.

>
> > I have configured a PIX 506e to do ipsec remote client VPN.

>
> > Cisco VPN Client 4.8.00.0440 currently works. We can connect to the
> > VPN simply based on the group name and password.

>
> > Here is the problem: at connect-time do not get prompted for a
> > username and password. It just connects us. If the group name and
> > password are correct that is all that is needed.

>
> snip..
>
> I believe that you need:
>
> crypto map YOUR_CRYPTO_MAP_NAME client authentication XXXXXX
>
> (where XXX is e.g. Local or AAA Server Name etc). If you Google this you
> should find a number of responses.
>
> Regards
>
> Darren


MANY thanks. I can't believe I missed that one. It works now.

Best to you!


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
VPN PIX-_static PIX ; PIX-dynamic_PIX ; VPN Client Svenn Cisco 3 03-13-2006 09:25 AM
PIX-to-PIX vpn + remote Access VPN not working Marko Uusitalo Cisco 1 04-11-2005 12:45 PM
PIX 501 :VPN client traffic does not pass down VPN tunnel to remote subnet.. Tim Fortea Cisco 2 10-23-2004 12:25 PM
Prompting for Username/password =?Utf-8?B?TGVl?= ASP .Net 0 09-07-2004 09:09 AM
PIX to PIX VPN and VPN Client to PIX Config Example? GVB Cisco 1 02-06-2004 07:44 PM



Advertisments