Cisco Support Community

New Member

connect multi vpn client using multi user account

Hi;

I have a PIX Firewall 525 and I configured it as a VPN server with one VPN client account (username, password). My point is: how can I configure my firewall to use multiple accounts?

thanks

3 REPLIES
Gold

Re: connect multi vpn client using multi user account

Below is a sample with multiple users within one group:

access-list 110 permit ip 10.1.1.0 255.255.255.0
access-list 120 permit ip 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
isakmp enable outside
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map myvpn 10 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
crypto map myvpn client authentication LOCAL
crypto map myvpn interface outside
sysopt connection permit-ipsec
ip local pool ippool 10.1.1.11-10.1.1.15
vpngroup vpnclient_1 address-pool ippool
vpngroup vpnclient_1 split-tunnel 120
vpngroup vpnclient_1 idle-time 1800
vpngroup vpnclient_1 password cisco100
username cisco1 password cisco123 privilege 2
username cisco2 password cisco456 privilege 2

With the above, as long as there is an IP available within the ippool, you may configure more users by issuing the "username xxx password xxx" command.

Alternatively, if you prefer to restrict access for different remote VPN users, you can configure multiple VPN groups.

e.g.

ip local pool ippool2 10.2.2.10-10.2.2.51
access-list 110 permit ip 10.2.2.0 255.255.255.0
access-list 121 permit ip 10.2.2.0 255.255.255.0
vpngroup vpnclient_2 address-pool ippool2
vpngroup vpnclient_2 split-tunnel 121
vpngroup vpnclient_2 idle-time 1800
vpngroup vpnclient_2 password cisco200

To configure multiple VPN groups, just add the lines above to the previous example.

In order to allow the PIX to determine which group a remote VPN user belongs to, you need to distribute the PCF file accordingly.

New Member

Re: connect multi vpn client using multi user account

Thanks,

but I have a PIX with IOS 6.1, it doesn't include the username command.

Regards

Gold

Re: connect multi vpn client using multi user account

Provided the command "username" is not supported by v6.1, I guess the current remote VPN access is then authenticating against the group username and group password only.

One way is to create one group per user; alternatively, you need to upgrade the PIX software to v6.3.x.
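The "one group per user" workaround for PIX 6.1 above gets tedious by hand, because every group needs its own address pool, its own nat 0 exemption line, its own split-tunnel ACL and its own PCF profile, and an overlapping pool range is an easy mistake. The script below is an added example, not code from the thread or from Cisco: it generates the per-user vpngroup stanzas in the same PIX 6.x syntax the earlier reply used and a minimal Cisco VPN Client PCF profile per user. The inside network (192.168.1.0/24), the user names and passwords, the pool base range, the grp_/pool_ naming and the PCF keys emitted are all assumptions made for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample input (placeholders, not values from the thread):
# the inside LAN behind the PIX and the remote users, one per vpngroup.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
USERS = {"alice": "s3cretA", "bob": "s3cretB", "carol": "s3cretC"}


def allocate_pools(users: Iterable[str], base: str = "10.2.0.0/24",
                   prefix: int = 29) -> Dict[str, ipaddress.IPv4Network]:
    """Carve one disjoint /prefix block out of `base` per user so that each
    group's address pool, nat 0 exemption and split-tunnel ACL are distinct."""
    base_net = ipaddress.ip_network(base)
    blocks = base_net.subnets(new_prefix=prefix)
    pools: Dict[str, ipaddress.IPv4Network] = {}
    for user in sorted(users):
        try:
            pools[user] = next(blocks)
        except StopIteration:
            raise ValueError(
                f"{base} too small for {len(pools) + 1} groups at /{prefix}")
    return pools


def check_no_overlap(pools: Dict[str, ipaddress.IPv4Network]) -> bool:
    """True if no pool overlaps another pool or the inside network."""
    nets = list(pools.values()) + [INSIDE_NET]
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


def render_group(user: str, password: str, pool: ipaddress.IPv4Network,
                 acl_id: int) -> List[str]:
    """PIX 6.x lines for one vpngroup; ACL 110 is the shared nat 0 list."""
    hosts = list(pool.hosts())          # usable addresses, network/bcast excluded
    src = f"{INSIDE_NET.network_address} {INSIDE_NET.netmask}"
    dst = f"{pool.network_address} {pool.netmask}"
    return [
        f"ip local pool pool_{user} {hosts[0]}-{hosts[-1]}",
        f"access-list 110 permit ip {src} {dst}",       # exempt from NAT
        f"access-list {acl_id} permit ip {src} {dst}",  # split-tunnel scope
        f"vpngroup grp_{user} address-pool pool_{user}",
        f"vpngroup grp_{user} split-tunnel {acl_id}",
        f"vpngroup grp_{user} idle-time 1800",
        f"vpngroup grp_{user} password {password}",
    ]


def build_config(users: Dict[str, str], base: str = "10.2.0.0/24",
                 first_acl: int = 120) -> str:
    """Whole per-user block; each group gets the next ACL number."""
    pools = allocate_pools(users, base)
    if not check_no_overlap(pools):
        raise ValueError("pool ranges overlap")
    lines = ["nat (inside) 0 access-list 110"]
    for i, user in enumerate(sorted(users)):
        lines += render_group(user, users[user], pools[user], first_acl + i)
    return "\n".join(lines) + "\n"


def render_pcf(user: str, password: str, pix_host: str) -> str:
    """Minimal Cisco VPN Client profile (keys assumed for this example);
    GroupName/GroupPwd are what make the PIX pick this user's vpngroup."""
    return "\n".join([
        "[main]",
        f"Description=PIX group for {user}",
        f"Host={pix_host}",
        "AuthType=1",                    # pre-shared group key
        f"GroupName=grp_{user}",
        f"GroupPwd={password}",
        "",
    ])


if __name__ == "__main__":
    print(build_config(USERS))
    print(render_pcf("alice", USERS["alice"], "203.0.113.1"))
```

Paste the generated block after the shared isakmp/crypto map lines from the earlier reply. Keeping one pool and one ACL per group is what lets you later revoke a single user by removing only that group, and a leaked PCF file then only exposes that user's group password rather than a key shared by everyone.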
