Remote VPN issue

Unanswered Question
Sep 11th, 2009


In our network we created a remote VPN for remote access to our internal server through a PIX 515E.

Currently I have created a group-policy with the name VPN300 and remote users are able to access, but what happens is they get full access to our internal.

What I need is to restrict access based on the username with local authentication, since we are not using TACACS or RADIUS.

As per the document I have created another group-policy, and in the group-policy attributes I mentioned the username and password, but it is not working.

Kindly suggest.

PIX Version 7.0(1)

interface Ethernet0
 description WAN_connectivity
 nameif outside
 security-level 0
 ip address XXXXX

interface Ethernet1
 description Lan-connectivity
 nameif inside
 security-level 100
 ip address

interface Ethernet2
 description WEB_NATACCESS
 nameif DMZ
 security-level 80
 ip address

access-list 110 extended permit ip
access-list accesstoTC1 extended permit ip
access-list 110 extended permit ip
access-list accesstoALL extended permit ip

ip local pool RemoteVPNpool
ip local pool AccesstoTc1 mask

global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1
nat (DMZ) 0 access-list 110
nat (DMZ) 1 access-list DMZtoInternet

route outside XXXXXXX 1
route DMZ 1

group-policy AccesstoTc1 internal
group-policy AccesstoTc1 attributes
 user-authentication enable
group-policy vpn3000 internal
group-policy vpn3000 attributes
 user-authentication enable

username admin2 password eY/fQXw7Ure8Qrz7 encrypted
username admin2 password eY/fQXw7Ure8Qrz7 encrypted

crypto ipsec transform-set RVPN esp-des esp-md5-hmac
crypto ipsec transform-set RVPN1 esp-3des esp-md5-hmac
crypto dynamic-map DYN-map 1 set transform-set RVPN RVPN1
crypto map Remote-VPN 1 ipsec-isakmp dynamic DYN-map
crypto map Remote-VPN interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption 3des
isakmp policy 13 hash md5
isakmp policy 13 group 1
isakmp policy 13 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 3600

telnet DMZ
telnet DMZ
telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *

tunnel-group AccesstoTc1 type ipsec-ra
tunnel-group AccesstoTc1 general-attributes
 address-pool AccesstoTc1
 default-group-policy AccesstoTc1
tunnel-group AccesstoTc1 ipsec-attributes
 pre-shared-key *
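As an added example (editor's illustration, not the poster's configuration or a reply from this thread), this is how PIX 7.0 ties a local user to a restricted group-policy: the actual traffic restriction is a vpn-filter ACL attached to the group-policy and to the username, and group-lock stops that account from connecting through the unrestricted vpn3000 tunnel-group. The ACL entries on the page were redacted, so the hosts, networks and password in angle brackets are placeholders.

```cisco
! Added example for PIX 7.0(1); <...> values are placeholders, not from the page.
!
! 1. vpn-filter ACLs. Write them with the client's assigned pool address as the source
!    and the internal resource as the destination; the PIX applies them to both directions.
access-list accesstoTC1 extended permit ip <VPN_POOL_NET> <POOL_MASK> host <TC1_SERVER>
access-list accesstoALL extended permit ip <VPN_POOL_NET> <POOL_MASK> <INSIDE_NET> <INSIDE_MASK>
!
! 2. Without a vpn-filter a group-policy imposes no traffic restriction at all, which is
!    why every user currently gets full internal access. Attach one per policy.
group-policy AccesstoTc1 attributes
 vpn-filter value accesstoTC1
group-policy vpn3000 attributes
 vpn-filter value accesstoALL
!
! 3. Per-user restriction lives under "username ... attributes", not under the group-policy
!    (a group-policy has no username/password attribute). The user stays in the local database.
username admin2 password <PASSWORD>
username admin2 attributes
 vpn-group-policy AccesstoTc1
 vpn-filter value accesstoTC1
 group-lock value AccesstoTc1
!
! 4. Xauth against the local database (LOCAL is the default, stated here for clarity).
!    Because the pre-shared key is per tunnel-group, group-lock above is what prevents this
!    user from authenticating into vpn3000 with that group's key and receiving accesstoALL.
tunnel-group AccesstoTc1 general-attributes
 authentication-server-group LOCAL
 address-pool AccesstoTc1
 default-group-policy AccesstoTc1
```

After a user connects, `show vpn-sessiondb remote` lists the group-policy and filter applied to that session, which is the quickest way to confirm the username attributes took effect.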

vinoth.kumar Sat, 09/12/2009 - 00:10

Thanks, it's working.

In my PIX config I am using the DMZ interface subnet as the remote pool IP addresses, which fall within the DMZ interface IP range.

If I use a new subnet I need to make a routing change, so I am using a range in the DMZ interface.

Will this be an issue, or can we use the new subnet?
