Cisco Support Community
Community Member

Disabling terminated user's vpn access into PIX 515

We are using a PIX 515. We terminated a user who was able to VPN into the corporate LAN. We need to block this user from getting through our PIX and onto the corporate LAN.

Can you tell me what I need to do? Is there a database of names of VPN users stored somewhere?

sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto dynamic-map bluebirdmap 20 set transform-set transet
crypto map map_firewall 20 ipsec-isakmp dynamic bluebirdmap
crypto map map_firewall client configuration address initiate
crypto map map_firewall client configuration address respond
crypto map map_firewall interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpnpool outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VpnGroup1 address-pool vpnpool
vpngroup VpnGroup1 split-tunnel 90
vpngroup VpnGroup1 idle-time 1800
vpngroup VpnGroup1 max-time 86400
vpngroup VpnGroup1 password ********

1 REPLY
Cisco Employee

Re: Disabling terminated user's vpn access into PIX 515

Doesn't look like you're doing any XAuth (user authentication) here, which is not good. Do your users get prompted for a username and password when they connect? I'll guess not, going by your config. If not, then the only way to stop this person from getting in is to change your group password and tell everyone else except this person what the new password is. The line:

> vpngroup VpnGroup1 password ********

is the one you want to change; then everyone has to change their VPN client configuration (not pretty).

For the future, you should upgrade this PIX to 6.3; then you can add local usernames/passwords into the PIX config, and with the command:

> crypto map map_firewall client authentication LOCAL

your users will have to enter a username/password before the VPN will be established. Add usernames with the:

> username <name> password <password>

command; you can add as many as you like. You can also use an external TACACS+/RADIUS server if you prefer; see http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html as an example of this.
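The two remedies in the reply above, written out against the poster's own config, as an added example that is not part of the original thread. The group, crypto-map and pool names (VpnGroup1, map_firewall, vpnpool) are the poster's; the usernames and the replacement group secret are placeholders, and the `clear crypto ... sa` step and the `privilege 0` setting are additions the reply does not mention.

```cisco
! Immediate fix on any PIX 6.x: rotate the shared group secret.
! Everyone except the terminated user is given the new secret; the old
! one stops working for the ex-employee the moment this line is entered.
vpngroup VpnGroup1 password NewGroupSecret2004

! Changing the secret does not tear down a tunnel that is already up.
! Drop the current IKE and IPsec SAs so any live session (including the
! ex-employee's) has to renegotiate with the new secret; remaining users
! simply reconnect.
clear crypto isakmp sa
clear crypto ipsec sa

! Durable fix (PIX 6.3 or later): per-user XAuth against the local database.
! The VPN client prompts for these credentials after the group secret is
! accepted. Privilege 0 keeps the accounts useless for PIX administration.
username jsmith password Str0ngPassw0rd1 privilege 0
username mjones password Str0ngPassw0rd2 privilege 0

! Tell the crypto map that terminates the remote-access tunnels to run
! XAuth against the LOCAL user database.
crypto map map_firewall client authentication LOCAL

! From now on, revoking one person is a single command with no change on
! anyone else's client:
no username jsmith
```

Two checks worth doing after the change: `show crypto isakmp sa` should list no peer for the terminated user, and a test connection from a client that still holds the old group secret should fail at phase 1. Separately, the DES, MD5 and Diffie-Hellman group 1 parameters in the posted `isakmp policy` and `transform-set` lines are weak by current standards; PIX 6.3 supports 3DES and AES with SHA-1, and the upgrade is a good moment to move to them.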
