Cisco Support Community
New Member

VPN Site-to-Site w User Authentication ???


I have a site-to-site VPN between two branch offices.

What I want to know is, given that it is site-to-site, whether it is possible, with a PIX, to add user authentication before the traffic is sent to the destination network.

If yes, I suppose it would be based on an external AAA server, or could it be done directly on the PIX (local database)?

Thanks for any suggestions.


Cisco Employee

Re: VPN Site-to-Site w User Authentication ???

Yes, any inbound traffic with IPsec terminating on the PIX can be configured for authentication on the PIX, as traffic passing through the PIX.

I tested with a router on the outside and one on the inside, and did a telnet across the IPsec tunnel with AAA configured on the PIX for telnet traffic.

Here is a document that explains how to configure AAA on the PIX for traffic through the PIX:

Here is a snippet of my PIX config:

access-list 198 permit ip
nat (inside) 0 access-list 198

crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address 198
crypto map cisco 10 set peer
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside

isakmp enable outside
isakmp key ******** address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

aaa-server TACACS+ (inside) host cisco timeout 5
aaa authentication include telnet outside TACACS+

PIX(config)# show uauth
                        Current    Most Seen
Authenticated Users        1           1
Authen In Progress         0           1
user 'pix-telnet' at, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

PIX(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: cisco, local addr.
   local ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   PERMIT, flags={origin_is_acl,}
    #pkts encaps: 569, #pkts encrypt: 569, #pkts digest 569
    #pkts decaps: 601, #pkts decrypt: 601, #pkts verify 601
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0


Hope that helps.



New Member

Re: VPN Site-to-Site w User Authentication ???

Hi Yusuf,

Thanks for the suggestion... Does the authentication also work with RADIUS, seeing that you use TACACS+? :-)

I have Release 6.2; does authorization work with RADIUS (in my case IAS), seeing that the document states:

"RADIUS and TACACS+ authentication may be done for FTP, Telnet, and HTTP connections through the Cisco Secure PIX Firewall. Authentication for other less common protocols can usually be made to work. TACACS+ authorization is supported; RADIUS authorization is not."


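As an added example, not posted by either participant above, here is how the same cut-through proxy setup from the reply would look on a PIX 6.2 with the RADIUS server (IAS) variant asked about in the follow-up, with the TACACS+ form shown beside it for comparison, and with the IKE policy moved from des/group 1 to 3des/group 2. All addresses (192.168.1.0/24 inside, 192.168.2.0/24 remote, peer 203.0.113.2, AAA servers 192.168.1.10 and .11), the pre-shared key and the AAA shared secrets are placeholders; lines beginning with ! are annotations, not configuration; the syntax follows PIX 6.x conventions and should be checked against the 6.2 command reference for the image in use.

```text
! Added example, not from the original thread. Addresses and keys are placeholders.

! Traffic to protect across the tunnel: inside 192.168.1.0/24 <-> remote 192.168.2.0/24
access-list 198 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 198

! IKE phase 1: pre-shared key, 3DES/SHA, DH group 2 (instead of des / group 1 in the reply)
isakmp enable outside
isakmp key S3cretPeerKey address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address 198
crypto map cisco 10 set peer 203.0.113.2
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
! Let decrypted tunnel traffic past the outside access-list (not shown in the reply's snippet)
sysopt connection permit-ipsec

! AAA server: RADIUS variant (IAS). "RADIUS" is the default tag for protocol radius.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10 R4diusSecret timeout 5
! TACACS+ form from the reply, for comparison:
! aaa-server TACACS+ protocol tacacs+
! aaa-server TACACS+ (inside) host 192.168.1.11 T4cacsSecret timeout 5

! Cut-through proxy: authenticate telnet/ftp/http arriving on outside (i.e. out of the tunnel).
! "0 0 0 0" = any local host/mask, any foreign host/mask.
aaa authentication include telnet outside 0 0 0 0 RADIUS
aaa authentication include ftp outside 0 0 0 0 RADIUS
aaa authentication include http outside 0 0 0 0 RADIUS

! Lifetime of an authenticated user entry, as seen in "show uauth"
timeout uauth 0:05:00 absolute

! Verification:
! show uauth
! show crypto isakmp sa
! show crypto ipsec sa
```

Two points a practitioner would check before relying on this: the document quoted in the follow-up says authentication works with both RADIUS and TACACS+ but authorization only with TACACS+, so with IAS you get a per-user login before the telnet/ftp/http session is allowed through, not per-command or per-service authorization; and the three `aaa authentication include` lines only cover telnet, ftp and http, which are the protocols the PIX can prompt for directly (for other protocols the usual 6.x approach is the `virtual telnet` command, which this thread does not cover).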
