local authentication on PIX 6.3

Unanswered Question
Dec 10th, 2007

Hi all,

I have a bit of a simple question here!!

I have PIX running 6.3 and configured as EzVPN server.

I want to configure local authentication on the PIX for VPN clients, but I've had no luck..

Any useful comments will be highly appreciated..

Regards,

husycisco Mon, 12/10/2007 - 01:42

Hi balsheikh

crypto map outside_map client authentication LOCAL

Regards

balsheikh Mon, 12/10/2007 - 05:02

Hi husycisco,

Thanks for your reply. I've configured it, but I still connect without being prompted for login credentials.

Is there any other command that should be configured for it to work properly!!

Regards,

balsheikh Mon, 12/10/2007 - 05:26

Here is the config:

DAS-PIX# wr t
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
access-list NoNAT permit ip host 192.168.20.31 192.168.20.4 255.255.255.252
access-list NoNAT permit ip host 192.168.20.32 192.168.20.4 255.255.255.252
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 1.2.3.170 255.255.255.248
ip address inside 192.168.22.2 255.255.255.0
ip address DMZ 192.168.11.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 192.168.20.5-192.168.20.6
pdm location 192.168.20.20 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.174 netmask 255.255.255.248
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) mailserver 192.168.11.2 netmask 255.255.255.255 0 0
static (DMZ,outside) webserver 192.168.11.11 netmask 255.255.255.255 0 0
static (DMZ,outside) sametime 192.168.11.3 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.21.0 192.168.21.0 netmask 255.255.255.0 0 0
access-group mailserver_outaccess in interface outside
access-group DAS_OUT in interface inside
access-group DMZ_IN in interface DMZ
route outside 0.0.0.0 0.0.0.0 1.2.3.169 1
route inside 192.168.20.0 255.255.255.0 192.168.22.254 1
route inside 192.168.21.0 255.255.255.0 192.168.22.254 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ATS-Group address-pool VPN-Pool
vpngroup ATS-Group default-domain xxx.com
vpngroup ATS-Group split-tunnel NoNAT
vpngroup ATS-Group idle-time 1800
vpngroup ATS-Group password ********
telnet 192.168.20.20 255.255.255.255 inside
telnet 192.168.21.103 255.255.255.255 inside
[OK]

husycisco Tue, 12/11/2007 - 02:37

Nothing looks wrong. Maybe removing the following works:

crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond

Please try clearing vpngroup ATS-Group and the related cryptos, then create them again. Don't forget

The following is an example RA VPN configuration:

vpngroup ATS-Group password xxx
vpngroup ATS-Group address-pool VPN-Pool
crypto dynamic-map outside_dyn_map 10 set transform-set trmset1
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
vpngroup ATS-Group split-tunnel NoNAT
sysopt connection permit-ipsec
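As an added check that is not part of the thread or any Cisco tool, the script below walks a PIX 6.3 config for the pieces that LOCAL Xauth for VPN clients depends on: the `client authentication LOCAL` map, that same map bound to an interface with a dynamic entry (a name mismatch such as `outside_map` versus `map1` is caught here), the `aaa-server LOCAL` definition, a vpngroup pool, and at least one `username <name> password <pw>` entry, which is what the LOCAL database authenticates against. Run over the excerpt of the posted config it reports that the config contains no username entries; the `username` syntax and the checker itself are assumptions.

```python
import re

# Hypothetical checker (not a Cisco tool) for the PIX 6.3 pieces that local
# Xauth for VPN clients depends on: a crypto map that asks for LOCAL client
# authentication, that same map applied to an interface and carrying a dynamic
# map entry, the LOCAL aaa-server, username entries, and a vpngroup pool.

# Excerpt of the running-config posted in the thread (names as posted).
POSTED_CONFIG = """
aaa-server LOCAL protocol local
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
vpngroup ATS-Group address-pool VPN-Pool
vpngroup ATS-Group password ********
"""


def check_local_xauth(config):
    """Return a list of problems; an empty list means every prerequisite is present."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    problems = []
    # Crypto maps that request Xauth against the local user database
    xauth_maps = {m.group(1) for l in lines
                  if (m := re.match(r"crypto map (\S+) client authentication LOCAL$", l))}
    if not xauth_maps:
        problems.append("no 'crypto map <name> client authentication LOCAL' line")
    for name in sorted(xauth_maps):
        esc = re.escape(name)
        # Xauth only takes effect if the same map is bound to an interface ...
        if not any(re.match(rf"crypto map {esc} interface \S+$", l) for l in lines):
            problems.append(f"crypto map {name} is not applied to an interface")
        # ... and has a dynamic entry that the remote-access clients match
        if not any(re.match(rf"crypto map {esc} \d+ ipsec-isakmp dynamic \S+$", l) for l in lines):
            problems.append(f"crypto map {name} has no dynamic map entry")
    # The LOCAL database: the aaa-server definition and at least one username
    if "aaa-server LOCAL protocol local" not in lines:
        problems.append("no 'aaa-server LOCAL protocol local' line")
    if not any(re.match(r"username \S+ password ", l) for l in lines):
        problems.append("no 'username <name> password <pw>' entries: the LOCAL database is empty")
    if not any(l.startswith("vpngroup ") and " address-pool " in l for l in lines):
        problems.append("no vpngroup address-pool for the clients")
    return problems


if __name__ == "__main__":
    for p in check_local_xauth(POSTED_CONFIG):
        print("WARNING:", p)
```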
