PIX VPN Group

Discussion in 'Cisco' started by Ned, Mar 28, 2006.

  1. Ned

    Ned Guest

    When VPN clients are connecting they are asked to enter VPN group ID
    and password - before their access username & password prompt. I cannot
    see in the PIX config where the VPN group name and password are
    configured ??? I'm assuming "user1" is the client ID and "abC123" is
    the client password

    ip local pool vpnpool9 123.123.123.123-123.123.123.126
    crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
    crypto dynamic-map map2 10 set transform-set trmset1
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup user1 address-pool vpnpool9
    vpngroup user1 split-tunnel 102
    vpngroup user1 idle-time 1800
    vpngroup user1 password password abc123
     
    Ned, Mar 28, 2006
    #1

  2. Merv

    Merv Guest

    I think this is known as eXtended Authentication (XAUTH):


    username <insert username here> password <insert password here>

    aaa-server LOCAL protocol local

    aaa-server VPN_XAUTH protocol local

    crypto map map1 client authentication VPN_XAUTH
     
    Merv, Mar 28, 2006
    #2

  3. In article <>,
    Ned <> wrote:
    >When VPN clients are connecting they are asked to enter VPN group ID
    >and password - before their access username & password prompt. I cannot
    >see in the PIX config where the VPN group name and password are
    >configured ??? I'm assuming "user1" is the client ID and "abC123" is
    >the client password

    >vpngroup user1 address-pool vpnpool9

    That's where the group name is configured, the "user1" of the second
    field.

    >vpngroup user1 password password abc123

    That's where the group password is configured, abc123.

    These are not the username and password, these are the group name
    and group password.
     
    Walter Roberson, Mar 28, 2006
    #3
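    Added example (not from the thread, and not Cisco's code): a small Python audit that parses the PIX 6.x lines from the first post and reports the distinction Walter draws (the vpngroup name and group pre-shared key) alongside the per-user XAUTH binding Merv shows (crypto map ... client authentication). The sample config is the posted snippet with the cleartext group key replaced by a placeholder; the regexes, function names and finding texts are mine.

```python
import re

# Constructed sample input: the PIX 6.x remote-access snippet posted in the
# thread, with the cleartext group key replaced by a placeholder.
SAMPLE_CONFIG = """\
ip local pool vpnpool9 123.123.123.123-123.123.123.126
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup user1 address-pool vpnpool9
vpngroup user1 split-tunnel 102
vpngroup user1 idle-time 1800
vpngroup user1 password GROUP_KEY_PLACEHOLDER
"""

# Merv's XAUTH binding line, kept separate so the audit can run with and without it.
XAUTH_LINE = "crypto map map1 client authentication VPN_XAUTH\n"

VPNGROUP_RE = re.compile(
    r"^vpngroup\s+(\S+)\s+(address-pool|split-tunnel|idle-time|password)\s+(.+)$")
XAUTH_RE = re.compile(r"^crypto map\s+(\S+)\s+client authentication\s+(\S+)$")
DYNMAP_RE = re.compile(r"^crypto map\s+(\S+)\s+\d+\s+ipsec-isakmp\s+dynamic\s+\S+$")
DH_RE = re.compile(r"^isakmp policy\s+\d+\s+group\s+(\d+)$")


def parse_vpngroups(config):
    """Collect per-group settings keyed by the vpngroup name (the second field,
    which is what the client sends as its group ID). The 'password' line is the
    group pre-shared key, not a user credential; only its presence is recorded
    so the key itself never ends up in a report."""
    groups = {}
    for raw in config.splitlines():
        m = VPNGROUP_RE.match(raw.strip())
        if not m:
            continue
        name, attr, value = m.groups()
        g = groups.setdefault(name, {"address_pool": None, "split_tunnel": None,
                                     "idle_time": None, "has_password": False})
        if attr == "address-pool":
            g["address_pool"] = value.strip()
        elif attr == "split-tunnel":
            g["split_tunnel"] = value.strip()
        elif attr == "idle-time":
            g["idle_time"] = int(value.strip())
        else:
            g["has_password"] = True
    return groups


def xauth_servers(config):
    """Map crypto-map name -> AAA server tag from 'client authentication' lines."""
    found = {}
    for raw in config.splitlines():
        m = XAUTH_RE.match(raw.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def audit(config):
    """Return human-readable findings about the remote-access VPN setup."""
    findings = []
    groups = parse_vpngroups(config)
    xauth = xauth_servers(config)
    if not groups:
        findings.append("no vpngroup defined: remote-access clients cannot match a group")
    for name, g in groups.items():
        if not g["has_password"]:
            findings.append(f"group {name!r}: no group pre-shared key configured")
        if g["address_pool"] is None:
            findings.append(f"group {name!r}: no address-pool, clients get no tunnel address")
        if g["split_tunnel"] is None:
            findings.append(f"group {name!r}: no split-tunnel list, all client traffic is tunnelled")
    # The group key is shared by every user of the group, so a dynamic crypto map
    # with no 'client authentication' (XAUTH) binding makes that shared key the
    # only credential a connecting client has to present.
    for raw in config.splitlines():
        m = DYNMAP_RE.match(raw.strip())
        if m and m.group(1) not in xauth:
            findings.append(f"crypto map {m.group(1)!r}: no XAUTH (client authentication) bound, "
                            "the shared group key is the only credential")
    for raw in config.splitlines():
        m = DH_RE.match(raw.strip())
        if m and int(m.group(1)) < 14:
            findings.append(f"isakmp policy uses DH group {m.group(1)} (below 2048-bit MODP group 14), "
                            "weak by current standards")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
    print("with XAUTH bound:", audit(SAMPLE_CONFIG + XAUTH_LINE))
```

    Running it against the posted snippet reports two things: the group key is the only credential because no XAUTH server is bound to map1, and the ISAKMP policy uses DH group 2. Appending Merv's line clears the first finding; the DH finding is informational on a PIX 6.x box, which is limited to the groups it shipped with.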
  4. Ned

    Ned Guest

    Thanks Walter,
    I have a VPN connection running now. Next question is how do I get
    remote users pick up the correct default gateway. The one they get now
    is their own address allocated from the VPNPOOL - I want them to have
    the default gateway of this subnet on the LAN - e.g. 172.0.0.254
    Thanks, Ned.

    Walter Roberson wrote:
    > In article <>,
    > Ned <> wrote:
    > >When VPN clients are connecting they are asked to enter VPN group ID
    > >and password - before their access username & password prompt. I cannot
    > >see in the PIX config where the VPN group name and password are
    > >configured ??? I'm assuming "user1" is the client ID and "abC123" is
    > >the client password
    >
    > >vpngroup user1 address-pool vpnpool9
    >
    > That's where the group name is configured, the "user1" of the second
    > field.
    >
    > >vpngroup user1 password password abc123
    >
    > That's where the group password is configured, abc123.
    >
    > These are not the username and password, these are the group name
    > and group password.
     
    Ned, Mar 29, 2006
    #4
  5. In article <>,
    Ned <> wrote:
    >I have a VPN connection running now. Next question is how do I get
    >remote users pick up the correct default gateway. The one they get now
    >is their own address allocated from the VPNPOOL - I want them to have
    >the default gateway of this subnet on the LAN - e.g. 172.0.0.254


    If I recall correctly, the default gateway is correct. The link that
    is created is a point-to-point link, which uses a single IP address
    with netmask 255.255.255.255 to represent both sides of the link.
     
    Walter Roberson, Mar 29, 2006
    #5
  6. Ned

    Ned Guest

    OK - am I blocking access through the firewall into the LAN? A user
    comes into the VPN successfully with an address 123.123.123.123. His
    default gateway is the same as his client address. He cannot PING the
    default gateway of that LAN which is 123.123.123.254. He is
    authenticated OK on the firewall but is just sitting there. Should he
    not be able to PING 123.123.123.254 through the firewall? Is there any
    way to get his default gateway established as .254 when he gets
    authenticated by the FW?
     
    Ned, Mar 30, 2006
    #6
  7. Scribble

    Scribble Guest

    I believe that the PIX uses the split tunnel options as well. So, you
    will want to make sure that local LAN access is enabled on the client
    and that the transparent tunneling option is set.

    These are the settings that I used on my recent firewall VPN
    configuration. However, I am using the PIX software version 7.1.x and
    not 6.x. The 192.168.100.0/24 address is my local ip pool, and the
    10.10.200.0/24 network is my inside network.
    primaryfirewall# sho run group-policy
    group-policy InternalGroup internal
    group-policy InternalGroup attributes
    dns-server value 10.10.200.30
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value WEB

    primaryfirewall# sho access-list WEB
    access-list WEB; 1 elements
    access-list WEB line 1 extended permit ip 10.10.200.0 255.255.255.0
    192.168.100.0 255.255.255.0
     
    Scribble, Mar 30, 2006
    #7
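    Added example (not from the thread, and not Cisco's code): Python that models the two points made in posts 5 and 7, the client's point-to-point /32 tunnel address (so the "gateway" it sees is its own address) and how a tunnelspecified split-tunnel list decides which traffic enters the tunnel. It parses the access-list WEB line Scribble posted; the assumption that the list's source is the inside network and its destination the client pool (as in his example), and all function names, are mine.

```python
import ipaddress
import re

# Constructed sample input: Scribble's PIX 7.1 split-tunnel list.
SAMPLE_ACL = (
    "access-list WEB extended permit ip 10.10.200.0 255.255.255.0 "
    "192.168.100.0 255.255.255.0\n"
)

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_split_tunnel_acl(text, name):
    """Parse 'access-list NAME extended permit|deny ip SRC MASK DST MASK' lines.
    Assumption (matches Scribble's list): SRC/MASK is the inside network behind
    the firewall and DST/MASK is the client address pool."""
    rules = []
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or m.group(1) != name:
            continue
        _, action, src, smask, dst, dmask = m.groups()
        rules.append((action,
                      ipaddress.ip_network(f"{src}/{smask}", strict=False),
                      ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return rules


def client_tunnel_interface(client_ip):
    """Model what the client sees once connected: a point-to-point /32 whose
    next hop for tunnelled traffic is its own address (Walter's point)."""
    iface = ipaddress.ip_interface(f"{client_ip}/32")
    return {"address": str(iface.ip), "netmask": str(iface.netmask),
            "gateway": str(iface.ip), "hosts_on_link": iface.network.num_addresses}


def tunnelled(rules, client_ip, destination):
    """Under split-tunnel-policy tunnelspecified only traffic matching the list
    is encrypted into the tunnel; everything else leaves via the client's local
    path. First matching rule wins, as with a normal access list."""
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(destination)
    for action, inside_net, pool_net in rules:
        if client in pool_net and dest in inside_net:
            return action == "permit"
    return False


def tunnelled_networks(rules):
    """The inside prefixes a client in the pool will route through the tunnel."""
    return [str(n) for action, n, _ in rules if action == "permit"]


if __name__ == "__main__":
    rules = parse_split_tunnel_acl(SAMPLE_ACL, "WEB")
    print(client_tunnel_interface("192.168.100.5"))
    print("tunnelled:", tunnelled_networks(rules))
    print("to 10.10.200.30:", tunnelled(rules, "192.168.100.5", "10.10.200.30"))
    print("to 203.0.113.10:", tunnelled(rules, "192.168.100.5", "203.0.113.10"))
```

    The /32 netmask is why the client's "default gateway" equals its own address: there is one host on the link, and the tunnel itself is the next hop. Whether a given LAN address is reachable is then decided by the split-tunnel list (and the firewall policy behind it), not by the gateway the client displays.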
