PIX remote client VPN not prompting for username and password

Discussion in 'Cisco' started by dbarry82@yahoo.com, Oct 29, 2007.

  1. Guest

    Hello. I am betting someone has an easy answer for this.

    I have configured a PIX 506e to do ipsec remote client VPN.

    Cisco VPN Client 4.8.00.0440 currently works. We can connect to the
    VPN simply based on the group name and password.

    Here is the problem: at connect-time we do not get prompted for a
    username and password. It just connects us. If the group name and
    password are correct that is all that is needed.

    I have compared this to the other PIXes we have installed and I cannot
    see the difference. Can anyone help make sense of this? I have posted
    the config below (modified to protect the innocent...). THANKS A BUNCH

    btw, I know we should have a different network assigned for the VPN
    users but we are being forced to assign IP addresses from the same
    network as the inside of the LAN so we can connect the laptop VPN
    users to a unix machine on the LAN (telnet access). The Unix vendor
    tells us that we MUST be on the same subnet or their system won't be
    accessible :^\

    ----------

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXX encrypted
    hostname punji
    domain-name myco.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.0.10 csd
    access-list vpnremote_splitTunnelAcl permit ip host csd any
    access-list inside_outbound_nat0_acl permit ip host csd 192.168.0.192 255.255.255.192
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.192 255.255.255.192
    access-list inbound permit icmp any any
    access-list outbound permit ip 192.168.0.0 255.255.255.0 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.1.1.2 255.255.255.252
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ipsecpool 192.168.0.210-192.168.0.230

    pdm history enable
    arp timeout 14400

    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    access-group inbound in interface outside
    access-group outbound in interface inside

    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local

    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside

    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    vpngroup vpnremote address-pool ipsecpool
    vpngroup vpnremote dns-server 2.5.2.5 2.2.2.1
    vpngroup vpnremote default-domain myco.net
    vpngroup vpnremote split-tunnel vpnremote_splitTunnelAcl
    vpngroup vpnremote idle-time 1800
    vpngroup vpnremote password ********
    telnet 192.168.22.0 255.255.255.0 inside
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 7.17.98.13 255.255.255.255 outside
    ssh 7.17.13.18 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.100-192.168.0.150 inside
    dhcpd dns 2.3.4.5 2.2.2.1
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside

    username field password xxxxxxxx encrypted privilege 15
    username field1 password xxxxxxxxxxxxx encrypted privilege 15

    terminal width 80
    Cryptochecksum:6418c999151ff8674257519e9c50ab7c
    : end
    , Oct 29, 2007
    #1

  2. Darren Guest

    wrote:
    > Hello. I am betting someone has an easy answer for this.
    >
    > I have configured a PIX 506e to do ipsec remote client VPN.
    >
    > Cisco VPN Client 4.8.00.0440 currently works. We can connect to the
    > VPN simply based on the group name and password.
    >
    > Here is the problem: at connect-time we do not get prompted for a
    > username and password. It just connects us. If the group name and
    > password are correct that is all that is needed.
    >
    >

    snip..

    I believe that you need:

    crypto map YOUR_CRYPTO_MAP_NAME client authentication XXXXXX

    (where XXX is e.g. Local or AAA Server Name etc). If you Google this you
    should find a number of responses.

    Regards

    Darren
    Darren, Oct 29, 2007
    #2
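The gap Darren points at is easy to miss in a long `show run`, so here is a small config audit that catches it. This is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the posted configuration and reports (1) a crypto map bound to an interface that serves `vpngroup` clients but has no `crypto map <name> client authentication <aaa-server>` line, meaning the shared group password is the only credential checked, and (2) an `ip local pool` that overlaps an interface subnet, which the poster does knowingly. The `XAUTH_FIX` string is the suggested line spelled out against the `LOCAL` aaa-server already present in the config; the parser only understands the handful of PIX 6.3 statements the two checks need.

```python
"""Audit a PIX 6.3 config for the remote-access VPN gap discussed above.

Added example, not code from the thread or from Cisco.  Two checks:
  1. every crypto map bound to an interface, when vpngroup clients exist,
     has a `crypto map <name> client authentication <aaa-server>` line,
     so XAUTH asks for a username/password and the group password is not
     the only credential;
  2. the `ip local pool` handed to clients does not sit inside an
     interface subnet (the poster knowingly overlaps it with `inside`).
"""
import ipaddress
import re

# Trimmed copy of the configuration posted in the thread (addresses as posted).
SAMPLE_CONFIG = """\
ip address outside 1.1.1.2 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip local pool ipsecpool 192.168.0.210-192.168.0.230
aaa-server LOCAL protocol local
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
vpngroup vpnremote address-pool ipsecpool
vpngroup vpnremote password ********
"""

# The line Darren suggests, using the LOCAL aaa-server already in the config.
XAUTH_FIX = "crypto map outside_map client authentication LOCAL\n"


def parse_config(text):
    """Pull out only the statements the audit needs."""
    cfg = {"interfaces": {}, "pools": {}, "maps_on_iface": {},
           "xauth": {}, "vpngroups": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            # address/netmask -> the interface's subnet
            cfg["interfaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]),
                                  ipaddress.ip_address(m[3]))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cfg["maps_on_iface"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) client authentication (.+)$", line):
            cfg["xauth"][m[1]] = m[2]
        elif m := re.match(r"vpngroup (\S+) ", line):
            cfg["vpngroups"].add(m[1])
    return cfg


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_config(text)
    findings = []
    # Check 1: group password only, no per-user XAUTH on the applied map.
    if cfg["vpngroups"]:
        for name, iface in sorted(cfg["maps_on_iface"].items()):
            if name not in cfg["xauth"]:
                findings.append(f"crypto map {name} on {iface}: no XAUTH; "
                                f"vpngroup password alone admits clients")
    # Check 2: either end of the client pool lands inside an interface subnet.
    for pool, (lo, hi) in sorted(cfg["pools"].items()):
        for iface, net in cfg["interfaces"].items():
            if lo in net or hi in net:
                findings.append(f"ip local pool {pool} overlaps {iface} subnet {net}")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG),
                        ("with client authentication", SAMPLE_CONFIG + XAUTH_FIX)):
        print(f"== {label} ==")
        for finding in audit(text) or ["no findings"]:
            print("  " + finding)
```

Run as posted, the audit reports both the missing XAUTH line and the pool overlap; with `XAUTH_FIX` appended only the overlap remains, which is the state the original poster ends up in once the thread's fix is applied.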

  3. Guest

    On Oct 29, 2:41 pm, Darren <> wrote:
    > wrote:
    > > Hello. I am betting someone has an easy answer for this.
    > >
    > > I have configured a PIX 506e to do ipsec remote client VPN.
    > >
    > > Cisco VPN Client 4.8.00.0440 currently works. We can connect to the
    > > VPN simply based on the group name and password.
    > >
    > > Here is the problem: at connect-time we do not get prompted for a
    > > username and password. It just connects us. If the group name and
    > > password are correct that is all that is needed.
    >
    > snip..
    >
    > I believe that you need:
    >
    > crypto map YOUR_CRYPTO_MAP_NAME client authentication XXXXXX
    >
    > (where XXX is e.g. Local or AAA Server Name etc). If you Google this you
    > should find a number of responses.
    >
    > Regards
    >
    > Darren


    MANY thanks. I can't believe I missed that one. It works now.

    Best to you!
    , Oct 30, 2007
    #3