12-10-2007 12:50 AM - edited 03-11-2019 04:41 AM
Hi all,
I have a bit of a simple question here!!
I have PIX running 6.3 and configured as EzVPN server.
I'm willing to configure local authentication on the PIX for VPN clients, but with no luck..
Any useful comments will be highly appreciated..
Regards,
12-10-2007 01:42 AM
Hi balsheikh
crypto map outside_map client authentication LOCAL
Regards
12-10-2007 05:02 AM
Hi husycisco,
Thanks for your reply. I've configured it, but I still connected without being prompted for login access.
Is there any other command that should be configured for it to work properly?
Regards,
12-10-2007 05:08 AM
Please upload your config and let me check
12-10-2007 05:26 AM
Here is the config:
DAS-PIX# wr t
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
access-list NoNAT permit ip host 192.168.20.31 192.168.20.4 255.255.255.252
access-list NoNAT permit ip host 192.168.20.32 192.168.20.4 255.255.255.252
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 1.2.3.170 255.255.255.248
ip address inside 192.168.22.2 255.255.255.0
ip address DMZ 192.168.11.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 192.168.20.5-192.168.20.6
pdm location 192.168.20.20 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.174 netmask 255.255.255.248
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) mailserver 192.168.11.2 netmask 255.255.255.255 0 0
static (DMZ,outside) webserver 192.168.11.11 netmask 255.255.255.255 0 0
static (DMZ,outside) sametime 192.168.11.3 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.21.0 192.168.21.0 netmask 255.255.255.0 0 0
access-group mailserver_outaccess in interface outside
access-group DAS_OUT in interface inside
access-group DMZ_IN in interface DMZ
route outside 0.0.0.0 0.0.0.0 1.2.3.169 1
route inside 192.168.20.0 255.255.255.0 192.168.22.254 1
route inside 192.168.21.0 255.255.255.0 192.168.22.254 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ATS-Group address-pool VPN-Pool
vpngroup ATS-Group default-domain xxx.com
vpngroup ATS-Group split-tunnel NoNAT
vpngroup ATS-Group idle-time 1800
vpngroup ATS-Group password ********
telnet 192.168.20.20 255.255.255.255 inside
telnet 192.168.21.103 255.255.255.255 inside
[OK]
12-11-2007 02:37 AM
Nothing looks wrong. Maybe removing the following works:
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
Please try clearing vpngroup ATS-Group and related cryptos, then create them again. Don't forget
Following is an example RA VPN configuration:
vpngroup ATS-Group password xxx
vpngroup ATS-Group address-pool VPN-Pool
crypto dynamic-map outside_dyn_map 10 set transform-set trmset1
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
vpngroup ATS-Group split-tunnel NoNAT
sysopt connection permit-ipsec
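As an added example (not part of this thread or Cisco's documentation), a small Python check that parses a PIX 6.3 config like the one posted above and reports, for each crypto map bound to an interface, whether Xauth is actually enforced: a `client authentication <tag>` line must exist on that map and the tag must be a defined `aaa-server`. It also flags dynamic maps the crypto map references but the config never defines. The sample config is constructed from lines in the thread.

```python
import re

# Constructed sample: trimmed from the PIX 6.3 config posted in the thread.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
"""


def audit_xauth(config: str) -> dict:
    """Per crypto map bound to an interface: is Xauth actually enforced?

    Enforced means a 'client authentication <tag>' line exists on that map
    and <tag> is a defined aaa-server (e.g. LOCAL).
    """
    aaa_tags, dyn_defined = set(), set()
    bound, auth_tag, dyn_ref = {}, {}, {}   # keyed by crypto map name
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"aaa-server (\S+) protocol ", line):
            aaa_tags.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ ", line):
            dyn_defined.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line):
            dyn_ref.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)", line):
            auth_tag[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m.group(1)] = m.group(2)

    report = {}
    for name, iface in bound.items():
        tag = auth_tag.get(name)
        report[name] = {
            "interface": iface,
            "xauth_server": tag,
            "xauth_enforced": tag is not None and tag in aaa_tags,
            # dynamic maps the crypto map points at but the config never defines
            "missing_dynamic_maps": sorted(dyn_ref.get(name, set()) - dyn_defined),
        }
    return report
```

Run it over a `write terminal` dump to confirm that the map applied to the outside interface is the one carrying the `client authentication` line, which is the first thing to verify when clients connect without an Xauth prompt.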