10-31-2005 11:06 PM - edited 02-21-2020 02:04 PM
Hi;
I have a PIX Firewall 525 and I have configured it as a VPN server with one VPN client account (username, password). My point is how I can configure my firewall to use multiple accounts.
Thanks
11-01-2005 03:58 AM
Below is a sample with multiple users within one group:
access-list 110 permit ip
access-list 120 permit ip
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map myvpn 10 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
crypto map myvpn client authentication LOCAL
ip local pool ippool 10.1.1.11-10.1.1.15
vpngroup vpnclient_1 address-pool ippool
vpngroup vpnclient_1 split-tunnel 120
vpngroup vpnclient_1 idle-time 1800
vpngroup vpnclient_1 password cisco100
username cisco1 password cisco123 encrypted privilege 2
username cisco2 password cisco456 encrypted privilege 2
With the same as above, as long as there is an IP available within the ippool, you may configure more users by issuing the "username xxx password xxx" command.
Alternatively, if you prefer to restrict access for different remote VPN users, then you can configure multiple VPN groups.
E.g.
ip local pool ippool2 10.2.2.10-10.2.2.51
access-list 110 permit ip
access-list 121 permit ip host
vpngroup vpnclient_2 address-pool ippool2
vpngroup vpnclient_2 split-tunnel 121
vpngroup vpnclient_2 idle-time 1800
vpngroup vpnclient_2 password cisco200
To configure multiple VPN groups, just add the lines above to the previous example.
In order to allow the PIX to determine which group a remote VPN user belongs to, you need to distribute the .pcf file accordingly.
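The two configurations above are easy to get subtly wrong: a vpngroup can point at an address pool or split-tunnel ACL that was never defined, more usernames can exist than the pool has addresses for, and without any username entries the whole remote-access setup is protected by the group password alone. The following Python script is an added example, not code from the thread or from Cisco; it parses a constructed PIX 6.x-style config fragment (modelled on the lines posted above, with made-up access-list bodies, since the thread's own are truncated) and reports those inconsistencies. The regular expressions and the finding messages are my assumptions about the command syntax shown in the post.

```python
import ipaddress
import re

# Constructed sample config, modelled on the PIX 6.x fragments in the thread.
# The access-list bodies are made up for this example.
SAMPLE_CONFIG = """\
ip local pool ippool 10.1.1.11-10.1.1.15
ip local pool ippool2 10.2.2.10-10.2.2.51
access-list 110 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map myvpn client authentication LOCAL
vpngroup vpnclient_1 address-pool ippool
vpngroup vpnclient_1 split-tunnel 120
vpngroup vpnclient_1 idle-time 1800
vpngroup vpnclient_1 password cisco100
vpngroup vpnclient_2 address-pool ippool2
vpngroup vpnclient_2 split-tunnel 121
vpngroup vpnclient_2 idle-time 1800
vpngroup vpnclient_2 password cisco200
username cisco1 password cisco123 encrypted privilege 2
username cisco2 password cisco456 encrypted privilege 2
"""

# Line patterns for the commands used in the thread (assumed syntax).
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^vpngroup (\S+) (\S+)(?: (.*))?$")
USER_RE = re.compile(r"^username (\S+) password (\S+)(?: (.*))?$")


def parse_config(text):
    """Pull the remote-access VPN pieces out of a PIX config text."""
    pools, acls, groups, users = {}, set(), {}, {}
    xauth_local = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            start, end = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            pools[m[1]] = int(end) - int(start) + 1  # addresses in the pool
        elif m := ACL_RE.match(line):
            acls.add(m[1])
        elif m := GROUP_RE.match(line):
            groups.setdefault(m[1], {})[m[2]] = m[3] or ""
        elif m := USER_RE.match(line):
            users[m[1]] = (m[3] or "").split()  # trailing options, e.g. "encrypted"
        elif line.startswith("crypto map") and line.endswith("client authentication LOCAL"):
            xauth_local = True
    return {"pools": pools, "acls": acls, "groups": groups,
            "users": users, "xauth_local": xauth_local}


def audit(text):
    """Return a list of findings about the remote-access VPN configuration."""
    cfg = parse_config(text)
    findings = []
    for name, attrs in cfg["groups"].items():
        pool = attrs.get("address-pool")
        if pool not in cfg["pools"]:
            findings.append(f"group {name}: address-pool '{pool}' is not defined")
        acl = attrs.get("split-tunnel")
        if acl is not None and acl not in cfg["acls"]:
            findings.append(f"group {name}: split-tunnel ACL {acl} does not exist")
        if "password" not in attrs:
            findings.append(f"group {name}: no group password set")
    for user, opts in cfg["users"].items():
        if "encrypted" not in opts:
            findings.append(f"user {user}: password stored in cleartext")
    # Every user needs an address from the pool of the group they dial into.
    capacity = sum(cfg["pools"][a["address-pool"]] for a in cfg["groups"].values()
                   if a.get("address-pool") in cfg["pools"])
    if len(cfg["users"]) > capacity:
        findings.append(f"{len(cfg['users'])} users but only {capacity} pool addresses")
    # Without per-user accounts, the group password is the only secret.
    if not cfg["xauth_local"] or not cfg["users"]:
        findings.append("no per-user authentication: only the group password protects access")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample above the only finding is that vpnclient_2 references split-tunnel ACL 121, which was never created; strip the username lines and the audit also reports that the group password is the sole credential, which is the situation the later replies in this thread discuss.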
11-09-2005 12:31 AM
Thanks,
but I have a PIX with IOS 6.1; it doesn't include the username command.
Regards
11-09-2005 03:30 AM
Provided the command "username" is not supported by v6.1, I guess the current remote VPN access is then authenticating against the group username and group password only.
One way is to create one group per user; alternatively, you need to upgrade the PIX software to v6.3.x.