01-12-2009 04:42 AM - edited 03-11-2019 07:35 AM
Hi,
I am using PIX 7.0 and I have created an IPsec VPN and am trying to connect to it from my VPN Client 4.0.
The group authentication is working fine, but after that, for user authorization, it asks for a username and password.
Since we are not using any TACACS or RADIUS, is it possible to do user authorization with a PIX local username and password?
Regards,
Vinoth
01-12-2009 04:53 AM
Yes, it is possible. Create a local username and password on the PIX, then in the VPN tunnel group add:
authentication-server-group local
HTH
01-12-2009 11:25 PM
Hi,
Thanks for your reply.
I tried to issue the command on my firewall, but I don't have that command listed:
(config)# vpngroup vpn3000 authe
(config)# vpngroup vpn3000 authentication-server ?
configure mode commands/options:
WORD The name of the IUA AAA server on the firewall headend
(config)# vpngroup vpn3000 authentication-server
Please guide me
01-13-2009 01:37 AM
Are you sure you are running code version 7.x? The config you posted looks to be in the wrong format for version 7.x.
Please post the entire remote VPN config.
01-13-2009 01:44 AM
Hi,
As requested, I am sending my config:
PIX Version 7.0(1)
names
!
interface Ethernet0
description WAN_connectivity
nameif outside
security-level 0
ip address xxx.xx.2.3 255.255.255.224
!
interface Ethernet1
description Lan-connectivity
nameif inside
security-level 100
ip address 192.168.193.1 255.255.255.0
!
interface Ethernet2
description WEB_NATACCESS
nameif DMZ
security-level 80
ip address 10.108.1.3 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.0.0.0 10.108.1.252 255.255.255.252
ip local pool RemoteVPNpool 10.108.1.253-10.108.1.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xx.xxx.2.8 192.168.193.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.2.1 1
route inside 10.0.0.0 255.0.0.0 10.108.1.1 1
route DMZ 10.108.1.23 255.255.255.255 10.108.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
user-authentication enable
username admin password eY/fQXw7Ure8Qrz7 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TCVPN-OLY esp-3des esp-none
crypto ipsec transform-set test-vpn esp-3des esp-none
crypto ipsec transform-set RVPN esp-3des esp-md5-hmac
crypto map mymap 10 set transform-set RVPN
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
telnet 10.0.0.0 255.0.0.0 DMZ
telnet 192.168.151.0 255.255.255.0 DMZ
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.193.5-192.168.193.200 inside
dhcpd dns 212.115.32.3 80.253.148.33
dhcpd lease 3000
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool RemoteVPNpool
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
Regards,
Vinu
01-13-2009 01:51 AM
Add the below:
tunnel-group vpn3000 ipsec-attributes
authentication-server-group LOCAL
HTH
01-13-2009 04:02 AM
Thanks for your reply. I entered the command, and after that I ran
debug crypto isakmp; it shows some errors:
TCNEW-FW# Jan 13 04:41:02 [IKEv1]: QM IsRekeyed old sa not found by addr
Jan 13 04:41:02 [IKEv1]: QM FSM error (P2 struct &0x20c59a0, mess id 0x2dea489f)
!
Jan 13 04:41:02 [IKEv1]: Group = vpn3000, Username = admin, IP = xx.xx.37.82,
Removing peer from correlator table failed, no match!
Regards,
01-13-2009 04:25 AM
OK - that is a completely different error for a different reason. Checking more of your VPN config, you are missing the below:
crypto dynamic-map remote_vpn 10 set transform-set RVPN
crypto map mymap 65535 ipsec-isakmp dynamic remote_vpn
Add the above and test again.
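Putting the two replies above together, here is the complete remote-access piece as it would look on PIX 7.0 once local (XAUTH) user authentication and the dynamic crypto map are in place. This is an added example, not a config posted in the thread: the username vpnuser1, the placeholder passwords and the optional NAT-traversal line are assumptions; vpn3000, RemoteVPNpool, RVPN, mymap and remote_vpn are the names already used in the thread. One caveat on placement: in 7.x the authentication-server-group command belongs under the tunnel group's general-attributes (alongside address-pool), not under ipsec-attributes, and the server-group name is the built-in LOCAL database.

```cisco
! Added example, not from the original thread. Names marked "assumed" are
! placeholders; the rest reuse the names from the posted config.

! 1. Local user account for the remote-access user (vpnuser1 is assumed).
!    Tying the user to the VPN group policy keeps it scoped to this tunnel
!    group rather than being a general-purpose account.
username vpnuser1 password <strong-user-password>
username vpnuser1 attributes
 vpn-group-policy vpn3000

! 2. Tunnel group: XAUTH against the PIX local database.
!    authentication-server-group is a general-attributes command in 7.x;
!    it is not accepted under ipsec-attributes.
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 authentication-server-group LOCAL
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key <group-password-configured-in-the-vpn-client>

! 3. Dynamic crypto map, so the PIX negotiates with clients whose peer
!    address it does not know in advance. Attach it to the existing static
!    map at the highest sequence number so any static (site-to-site)
!    entries are matched first. RVPN is used because it carries ESP
!    integrity protection (esp-md5-hmac); the esp-3des esp-none sets in
!    the posted config encrypt without authenticating and should not be
!    used for this map.
crypto dynamic-map remote_vpn 10 set transform-set RVPN
crypto map mymap 65535 ipsec-isakmp dynamic remote_vpn
crypto map mymap interface outside

! 4. Optional (assumed, not in the posted config): needed when clients sit
!    behind a NAT device, otherwise Phase 2 fails for those users.
isakmp nat-traversal 20

! 5. Verify after a client connects.
show running-config tunnel-group vpn3000
show isakmp sa
show vpn-sessiondb remote
```

With this in place the client is prompted first for the group password (the pre-shared key) and then for vpnuser1's username and password, which the PIX checks against its own username database; a failed local login shows up in debug crypto isakmp as an XAUTH failure for that Username rather than as the QM FSM / correlator errors quoted above, which were caused by the missing dynamic map.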
01-15-2009 03:53 AM
Thanks for your information.
Now I am able to log in through the VPN Client.
I have a small question: is it possible to recover VPN pre-shared keys on PIX 6.3(3), since we plan to put a new firewall in place of the existing one?
Thanks
01-15-2009 04:07 AM
Copy the config from the PIX to a TFTP server:
write net <
HTH