connect multi vpn client using multi user account

jawwalit
Level 1

Hi;

I have a PIX Firewall 525 and I configured it as a VPN server with one VPN client account (username, password). My question is how I can configure my firewall to use multiple accounts.

Thanks

3 Replies

jackko
Level 7

Below is a sample with multiple users within one group:

: Assumed inside LAN 192.168.1.0/24 (not stated in the post); adjust to your network.
: PIX access-lists need both a source and a destination. ACL 110 exempts LAN-to-pool
: traffic from NAT, ACL 120 is the split-tunnel list pushed to the client.
access-list 110 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
: Phase 1 (outside interface name assumed to be "outside")
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
: NAT traversal requires PIX software 6.3 or later
isakmp nat-traversal 20
: Phase 2: the transform set referenced by the dynamic map must be defined
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map myvpn 10 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
: Extended authentication (xauth) of each user against the local username database
crypto map myvpn client authentication LOCAL
crypto map myvpn interface outside
sysopt connection permit-ipsec
: Group settings: address pool, split tunnel, idle timeout, group (pre-shared) password
ip local pool ippool 10.1.1.11-10.1.1.15
vpngroup vpnclient_1 address-pool ippool
vpngroup vpnclient_1 split-tunnel 120
vpngroup vpnclient_1 idle-time 1800
vpngroup vpnclient_1 password cisco100
: Per-user accounts. Enter the password in clear text so the PIX hashes it; the
: "encrypted" keyword means the string given is already the hash, so a clear-text
: password followed by "encrypted" would never match at login.
username cisco1 password cisco123 privilege 2
username cisco2 password cisco456 privilege 2

With the same setup as above, as long as there is an IP available within the ippool, you may configure more users by issuing the "username xxx password xxx" command.

Alternatively, if you prefer to restrict access for different remote VPN users, then you can configure multiple VPN groups.

e.g.

ip local pool ippool2 10.2.2.10-10.2.2.51
: Add the second pool to the NAT-exemption ACL and give the group its own split-tunnel
: ACL (same assumed inside LAN 192.168.1.0/24). A group's split-tunnel ACL can list
: fewer networks than the other group's to restrict what its users reach.
: "host" takes a single address, so it cannot be combined with a network mask.
access-list 110 permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 121 permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
vpngroup vpnclient_2 address-pool ippool2
vpngroup vpnclient_2 split-tunnel 121
vpngroup vpnclient_2 idle-time 1800
vpngroup vpnclient_2 password cisco200

To configure multiple VPN groups, just add the commands above to the previous example.

In order to allow the PIX to determine which group a remote VPN user belongs to, you need to distribute the PCF file accordingly.
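As an added example (not part of the reply above), this is what the Cisco VPN Client profile (.pcf) distributed to the users of the second group would look like. The group name and group password select the vpngroup on the PIX; the user is then prompted for the per-user username and password configured with the "username" command. The peer address 203.0.113.1 and the description are placeholders, not values from the thread.

```ini
[main]
Description=Profile for group vpnclient_2 (placeholder text)
; placeholder PIX outside address; replace with the real peer
Host=203.0.113.1
; 1 = pre-shared group key (group name + group password), 3 = certificate
AuthType=1
; must match "vpngroup vpnclient_2 ..." and its password on the PIX
GroupName=vpnclient_2
GroupPwd=cisco200
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
; pre-fills the xauth username; the user still types the per-user password
Username=cisco2
SaveUserPassword=0
EnableBackup=0
BackupServer=
; needed for clients behind NAT (NAT-T is a PIX 6.3 feature)
EnableNat=1
DHGroup=2
ForceKeepAlives=0
```

Drop the file in the VPN Client's Profiles directory; once the client saves it, the clear-text GroupPwd line is replaced by an enc_GroupPwd line. That value is obfuscated, not encrypted, and is recoverable by anyone who obtains the file, so treat the group password as a group selector shared by everyone in the group and rely on the per-user password for actual authentication. Anyone who can read the .pcf of one group can reach the address pool and split-tunnel networks of that group, which is why separating users into groups only restricts access if the group password itself is not shared across groups.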

Thanks,

but I have a PIX with IOS 6.1; it doesn't include the username command.

Regards

Provided the command "username" is not supported by v6.1, I guess the current remote VPN access is then authenticating against the group username and group password only.

One way is to create one group per user; alternatively, you need to upgrade the PIX software to v6.3.x.
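The one-group-per-user workaround, as an added example that is not part of the reply: on a PIX 6.1 with no "username" command, each user gets a vpngroup whose group password serves as that user's credential, and a one-address pool so the user always receives the same IP (useful when reading logs or writing access-lists). It assumes the inside LAN 192.168.1.0/24, the isakmp policy, crypto map and "sysopt connection permit-ipsec" already configured, and the sample passwords are placeholders; each user receives a separate .pcf naming only their own group.

```text
: One-address pools: user "cisco1" always gets 10.4.4.1, "cisco2" always gets 10.4.4.2
ip local pool pool_cisco1 10.4.4.1-10.4.4.1
ip local pool pool_cisco2 10.4.4.2-10.4.4.2
: NAT exemption and split-tunnel list for the per-user pool network
: (assumed inside LAN 192.168.1.0/24)
access-list 110 permit ip 192.168.1.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list 130 permit ip 192.168.1.0 255.255.255.0 10.4.4.0 255.255.255.0
nat (inside) 0 access-list 110
: Group per user; the group password is the only thing that authenticates the user,
: so make each one long and random (placeholder values shown) and never reuse one
vpngroup cisco1 address-pool pool_cisco1
vpngroup cisco1 split-tunnel 130
vpngroup cisco1 idle-time 1800
vpngroup cisco1 password Kq7vB2xLm9RtZ4pW
vpngroup cisco2 address-pool pool_cisco2
vpngroup cisco2 split-tunnel 130
vpngroup cisco2 idle-time 1800
vpngroup cisco2 password Hn3sD8cJy5VfQ1eM
```

To revoke one user, remove that user's vpngroup and pool ("no vpngroup cisco2 address-pool pool_cisco2", "no vpngroup cisco2 password", "no ip local pool pool_cisco2") and nothing else changes for the remaining users. The trade-off compared with "username" on 6.3 is that the credential lives in the user's .pcf (where it is only obfuscated) and is sent as the IKE pre-shared key rather than checked by xauth, so there is no second factor and no per-user lockout; it is a stopgap until the software is upgraded.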