Cisco Support Community
How to configure a new VPN Client group on the PIX Firewall

Resolution

In order to configure a new VPN Client group on a PIX Firewall that already contains groups, complete these steps:

  1. Remove the crypto map from the outside interface:

     no crypto map map-name interface outside

  2. Create a new IP pool for the new group, or reuse the existing pool:

     ip local pool pool_name pool_start_address[-pool_end_address]

  3. Create an access-list entry for the NAT bypass (nat 0). Use the same access-list number (acl_no) as the previously configured nat 0 access-list, so that the new entry is added to it:

     access-list acl_no permit ip source_ip source_mask destination_ip destination_mask

  4. Create an access-list for the split tunnel. Its entries must be identical to those of the nat 0 access-list. Split tunneling is optional; configure it if the clients need Internet access while connected:

     access-list 102 permit ip source_ip source_mask destination_ip destination_mask

  5. Create the new group with these commands:

     vpngroup group_name address-pool pool_name
     vpngroup group_name dns-server 192.168.1.x (optional)
     vpngroup group_name default-domain domain_name (optional)
     vpngroup group_name split-tunnel 102 (optional)
     vpngroup group_name idle-time 1800
     vpngroup group_name password preshared_key

  6. Reapply the crypto map to the outside interface:

     crypto map map-name interface outside
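As an added consistency check that is not part of the original Cisco article, the Python script below parses a constructed PIX configuration fragment and verifies the points the steps above depend on: the vpngroup's address-pool exists, the split-tunnel access-list matches the nat 0 access-list entry for entry, and the crypto map is bound to the outside interface. The group name, pool, addresses and the `nat (inside) 0 access-list` line are assumed sample values.

```python
"""Consistency check for a PIX VPN Client group configuration (added example)."""
import re
from collections import defaultdict

# Constructed sample config: nat 0 ACL 101 and split-tunnel ACL 102 are meant
# to be identical; the second entry of ACL 102 is deliberately wrong.
SAMPLE_CONFIG = """
ip local pool vpnpool 10.1.1.1-10.1.1.50
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 102 permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
vpngroup sales address-pool vpnpool
vpngroup sales split-tunnel 102
crypto map mymap interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+ \S+ \S+)$")

def parse(config):
    # Collect ACL entries, pools, vpngroup options, nat 0 ACL and crypto map binding
    acls, pools, groups = defaultdict(set), set(), defaultdict(dict)
    nat0, crypto_map = None, False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACL_RE.match(line):
            acls[m.group(1)].add(m.group(2))
        elif line.startswith("ip local pool "):
            pools.add(line.split()[3])
        elif line.startswith("vpngroup "):
            _, group, key, *value = line.split()
            groups[group][key] = value[0] if value else None
        elif line.startswith("nat (inside) 0 access-list "):
            nat0 = line.split()[-1]
        elif re.match(r"^crypto map \S+ interface outside$", line):
            crypto_map = True
    return acls, pools, groups, nat0, crypto_map

def check(config):
    """Return findings; an empty list means the group config is consistent."""
    acls, pools, groups, nat0, crypto_map = parse(config)
    findings = []
    if not crypto_map:
        findings.append("crypto map is not applied to the outside interface")
    for group, opts in groups.items():
        if opts.get("address-pool") not in pools:
            findings.append(f"{group}: address-pool references an undefined pool")
        acl = opts.get("split-tunnel")
        if acl and acls[acl] != acls.get(nat0, set()):
            findings.append(f"{group}: split-tunnel ACL {acl} differs from nat 0 ACL {nat0}")
    return findings
```

Running `check(SAMPLE_CONFIG)` reports the mismatched split-tunnel entry; correcting the 192.168.3.0 line to 192.168.2.0 yields no findings.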
