10-27-2005 07:27 AM
Hi, we have a Cisco PIX 506E, fully updated to:
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
We have two clients with Cisco (PIX firewalls, and IOS routers with VPN). I cannot establish two IPSec connections to them using XAuth (they have enabled XAuth). As far as I can see, we can have only one VPN connection with extended authentication (XAuth), called 'Easy VPN'. When I try to configure another, it just replaces my old connection. If I must not use the Easy VPN Client function of this PIX Firewall, how can I use extended authentication (XAuth)? I didn't find any options for this. Is this supported? Do the 25 connections on the data sheet mean only IPSec connections without XAuth authentication?
10-30-2005 03:45 AM
Would you please post the latest configs with the public IP masked?
10-31-2005 01:31 AM
My question is more theoretical right now. I'm not really sure of the capabilities of this device (and its software). I'm using it right now with EasyVPN and only one connection. My question is: can I make more than one connection to remote VPNs (PIX, for example) using XAuth? As far as I can see, the only way to make more than one connection is to tell the remote VPNs not to use XAuth. Right now I'm using EasyVPN, whose configuration is:
vpnclient server orgpix
vpnclient mode client-mode
vpnclient vpngroup example1 password **********
vpnclient username example2 password **********
vpnclient enable
Then the connection is successfully established (with the XAuth VPN server at the other side). But if I try to use the 'vpnclient' options again, it just overrides my orgpix connection and does not create another one instead.
10-31-2005 04:09 PM
A PIX can only act as an ezvpn client for one ezvpn server. If more than one VPN is required, you'll need to configure a LAN-to-LAN VPN.
11-01-2005 12:46 AM
OK, that confirms my findings. I have one more question that is more important. Is it possible to use XAuth authentication at all with the LAN-to-LAN options of the PIX, i.e. is XAuth possible at all without using ezvpn?
11-01-2005 01:16 AM
XAuth is recommended for ezvpn due to the fact that the ezvpn server will accept any IP address as a client. Thus performing an extra layer of security is critical.
Alternatively, when configuring a LAN-to-LAN VPN, the public IPs of both VPN peers need to be specified. Thus XAuth may not be required.
11-01-2005 03:02 AM
OK, but I think you still didn't get my real question. I have to connect to two or more remote sites which are using XAuth as authentication, and I didn't find how to do it without using ezvpn.
11-01-2005 03:12 AM
As far as I know, you may need an extra device. As mentioned, the reason is that a single unit can't act as an ezvpn client for two different ezvpn servers.
Alternatively, you need to reconsider the VPN type, i.e. configure LAN-to-LAN.
11-01-2005 03:32 AM
Yes, I understand. Using XAuth is only possible when using ezvpn. And this also means only one XAuth-enabled VPN connection at a time is possible per PIX device. Thanks.