local authentication on PIX 6.3

Dec 10th, 2007

Hi all,


I have a pretty simple question here!!


I have a PIX running 6.3, configured as an EzVPN server.


I'm willing to configure local authentication on the PIX for VPN clients, but with no luck..


Any useful comments will be highly appreciated..


Regards,




husycisco Mon, 12/10/2007 - 01:42

Hi balsheikh


crypto map outside_map client authentication LOCAL


Regards

balsheikh Mon, 12/10/2007 - 05:02

Hi husycisco,


Thanks for your reply. I've configured it, but I still connect without being prompted for login access.


Is there any other command that should be configured for it to work properly?!


Regards,


husycisco Mon, 12/10/2007 - 05:08

Please upload your config and let me check

balsheikh Mon, 12/10/2007 - 05:26


Here is the config:

DAS-PIX# wr t
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

access-list NoNAT permit ip host 192.168.20.31 192.168.20.4 255.255.255.252
access-list NoNAT permit ip host 192.168.20.32 192.168.20.4 255.255.255.252

pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 1.2.3.170 255.255.255.248
ip address inside 192.168.22.2 255.255.255.0
ip address DMZ 192.168.11.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm

ip local pool VPN-Pool 192.168.20.5-192.168.20.6

pdm location 192.168.20.20 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.174 netmask 255.255.255.248

nat (inside) 0 access-list NoNAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) mailserver 192.168.11.2 netmask 255.255.255.255 0 0
static (DMZ,outside) webserver 192.168.11.11 netmask 255.255.255.255 0 0
static (DMZ,outside) sametime 192.168.11.3 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.21.0 192.168.21.0 netmask 255.255.255.0 0 0
access-group mailserver_outaccess in interface outside
access-group DAS_OUT in interface inside
access-group DMZ_IN in interface DMZ
route outside 0.0.0.0 0.0.0.0 1.2.3.169 1
route inside 192.168.20.0 255.255.255.0 192.168.22.254 1
route inside 192.168.21.0 255.255.255.0 192.168.22.254 1

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
crypto map map1 client authentication LOCAL
crypto map map1 interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup ATS-Group address-pool VPN-Pool
vpngroup ATS-Group default-domain xxx.com
vpngroup ATS-Group split-tunnel NoNAT
vpngroup ATS-Group idle-time 1800
vpngroup ATS-Group password ********

telnet 192.168.20.20 255.255.255.255 inside
telnet 192.168.21.103 255.255.255.255 inside

[OK]


husycisco Tue, 12/11/2007 - 02:37

Nothing looks wrong. Maybe removing the following works:

crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond

Please try clearing vpngroup ATS-Group and the related cryptos, then create them again. Don't forget

The following is an example RA VPN configuration:

vpngroup ATS-Group password xxx
vpngroup ATS-Group address-pool VPN-Pool
crypto dynamic-map outside_dyn_map 10 set transform-set trmset1
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
vpngroup ATS-Group split-tunnel NoNAT
sysopt connection permit-ipsec
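The thread compares the posted config against a reference RA VPN config by eye. The script below is an added example, not code from either poster or from Cisco: it audits a PIX 6.3 configuration for the pieces that LOCAL Xauth depends on, namely that the crypto map carrying `client authentication LOCAL` is the one applied to an interface, that the referenced aaa-server tag exists, that each vpngroup has a password and a defined address pool, that `sysopt connection permit-ipsec` is present, and that at least one `username` account exists, since LOCAL Xauth authenticates against the PIX local user database. The embedded config is a constructed excerpt of the one posted above (interfaces and ACLs trimmed); the `vpnuser1` account in the "fixed" variant is a hypothetical name. The `client configuration address initiate/respond` lines husycisco suggested removing are reported as informational.

```python
"""Audit a PIX 6.3 config for the pieces a LOCAL Xauth remote-access VPN needs."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt of the config posted in the thread (interfaces/ACLs trimmed).
POSTED_CONFIG = """
aaa-server LOCAL protocol local
ip local pool VPN-Pool 192.168.20.5-192.168.20.6
sysopt connection permit-ipsec
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
vpngroup ATS-Group address-pool VPN-Pool
vpngroup ATS-Group password ********
"""

# Same excerpt plus a local account; 'vpnuser1' is a hypothetical user name.
FIXED_CONFIG = POSTED_CONFIG + "username vpnuser1 password changeme\n"

Finding = Tuple[str, str]  # (severity, message)


def parse_config(text: str) -> List[str]:
    """Drop blank lines and PIX marker/comment lines (':' or '!' prefixed)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith((":", "!"))]


def audit_xauth(lines: List[str]) -> List[Finding]:
    """Return findings about the Xauth/LOCAL remote-access setup in the config."""
    findings: List[Finding] = []
    bound: Dict[str, str] = {}      # crypto map name -> interface it is applied to
    auth: Dict[str, str] = {}       # crypto map name -> aaa-server tag used for Xauth
    addr_cfg: List[Tuple[str, str]] = []   # (crypto map, initiate|respond)
    groups: Dict[str, Dict[str, str]] = {}  # vpngroup -> {password, address-pool}
    aaa_tags, pools, users = set(), set(), set()
    has_sysopt = False

    for ln in lines:
        if m := re.match(r"crypto map (\S+) interface (\S+)$", ln):
            bound[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)", ln):
            auth[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) client configuration address (\S+)", ln):
            addr_cfg.append((m[1], m[2]))
        elif m := re.match(r"aaa-server (\S+) protocol ", ln):
            aaa_tags.add(m[1])
        elif m := re.match(r"ip local pool (\S+) ", ln):
            pools.add(m[1])
        elif m := re.match(r"username (\S+) ", ln):
            users.add(m[1])
        elif m := re.match(r"vpngroup (\S+) (address-pool|password) (\S+)", ln):
            groups.setdefault(m[1], {})[m[2]] = m[3]
        elif ln == "sysopt connection permit-ipsec":
            has_sysopt = True

    if not auth:
        findings.append(("error", "no 'crypto map <name> client authentication' line: "
                                  "Xauth is off, so clients are never prompted"))
    for cmap, tag in auth.items():
        if cmap not in bound:
            findings.append(("error", f"crypto map {cmap} enables Xauth but is not applied to any interface"))
        if tag not in aaa_tags:
            findings.append(("error", f"aaa-server tag {tag} used by crypto map {cmap} is not defined"))
        if tag == "LOCAL" and not users:
            findings.append(("error", "LOCAL Xauth selected but no 'username' accounts exist "
                                      "in the local user database"))
    for grp, attrs in groups.items():
        if "password" not in attrs:
            findings.append(("error", f"vpngroup {grp} has no group password"))
        if "address-pool" not in attrs:
            findings.append(("error", f"vpngroup {grp} has no address-pool"))
        elif attrs["address-pool"] not in pools:
            findings.append(("error", f"vpngroup {grp} references undefined pool {attrs['address-pool']}"))
    if not has_sysopt:
        findings.append(("warn", "'sysopt connection permit-ipsec' missing: decrypted traffic "
                                 "is subject to the outside ACL"))
    for cmap, mode in addr_cfg:
        findings.append(("info", f"crypto map {cmap} client configuration address {mode} present; "
                                 "the thread suggests removing it while troubleshooting"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a caller can gate on errors."""
    counts = Counter(sev for sev, _ in findings)
    return {"error": counts["error"], "warn": counts["warn"], "info": counts["info"]}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit_xauth(parse_config(cfg)):
            print(f"[{sev}] {msg}")
```

Run against the posted excerpt, the audit reports one error (no `username` accounts for LOCAL Xauth to check against) and two informational lines for the `client configuration address` commands; with a local account added, no errors remain. The check does not prove the client will be prompted, but it rules out the structural mismatches (unbound crypto map, undefined aaa-server tag or pool) that produce the same silent symptom.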

