
New Member

Multiple XAuth client connections from PIX 506E

Hi, we have a Cisco PIX 506E, fully updated to:

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

We have two clients with Cisco (PIX firewalls, and IOS routers with VPN). I cannot establish two IPSec connections to them using XAuth (they have XAuth enabled). As far as I can see, we can have only one VPN connection with extended authentication (XAuth), called 'Easy VPN'. When I try to configure another, it just replaces my old connection. If I must not use the Easy VPN Client function of this PIX Firewall, how can I use extended authentication (XAuth)? I didn't find any options for this. Is this supported? Do the 25 connections on the data sheet mean only IPSec connections without XAuth authentication?


Accepted Solutions
Gold

Re: Multiple XAuth client connections from PIX 506E

as far as i know, you may need an extra device. as mentioned, the reason being a single unit can't act as ezvpn client for two different ezvpn servers.

alternatively, you need to reconsider the vpn type. i.e. to configure lan-lan.

8 REPLIES
Gold

Re: Multiple XAuth client connections from PIX 506E

would you please post the latest configs with public ip masked?

New Member

Re: Multiple XAuth client connections from PIX 506E

My question is more theoretical right now. I'm not really sure of the capabilities of this device (and its software). I'm using it right now with EasyVPN and only one connection. My question is: can I make more than one connection to remote VPNs (PIX, for example) using XAuth? As far as I can see, the only way to make more than one connection is to tell the remote VPNs not to use XAuth. Right now I'm using EasyVPN, whose configuration is:

vpnclient server orgpix
vpnclient mode client-mode
vpnclient vpngroup example1 password **********
vpnclient username example2 password **********
vpnclient enable

Then the connection is successfully established (with the XAuth VPN server at the other side). But if I try to use the 'vpnclient' options again, it just overrides my orgpix connection and does not create another one.

Gold

Re: Multiple XAuth client connections from PIX 506E

pix can only act as an ezvpn client for one ezvpn server. if more than one vpn is required, you'll need to configure lan-lan vpn.
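
A lan-to-lan layout of the kind suggested above, as an added example that is not part of the thread: two static peers on one crypto map, in PIX 6.3 syntax. All addresses, names and keys are constructed placeholders, and it assumes each remote site agrees to a pre-shared-key tunnel without XAuth for this peer and that the transform and policy values match what the peers use.

```text
: Added example. Constructed values: inside net 10.0.0.0/24,
: site A 10.1.0.0/24 behind 192.0.2.10, site B 10.2.0.0/24 behind 198.51.100.20.

: Traffic to protect, one ACL per remote site
access-list vpn_siteA permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn_siteB permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0

: Exempt tunnel traffic from NAT and let decrypted traffic bypass the interface ACL
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

: Assumed transform set (3DES needs the 3DES/AES license on the PIX)
crypto ipsec transform-set ts_3des_sha esp-3des esp-sha-hmac

: One crypto map on the outside interface, one sequence number per peer.
: Unlike the single 'vpnclient' profile, entries 10 and 20 coexist.
crypto map l2l 10 ipsec-isakmp
crypto map l2l 10 match address vpn_siteA
crypto map l2l 10 set peer 192.0.2.10
crypto map l2l 10 set transform-set ts_3des_sha
crypto map l2l 20 ipsec-isakmp
crypto map l2l 20 match address vpn_siteB
crypto map l2l 20 set peer 198.51.100.20
crypto map l2l 20 set transform-set ts_3des_sha
crypto map l2l interface outside

: Each key is bound to one peer address with a host mask, so only that
: gateway can use it. no-xauth / no-config-mode mark the peer as a gateway
: that is exempt from XAuth and mode-config, which matters if this PIX
: also terminates remote-access clients on the same interface.
isakmp enable outside
isakmp identity address
isakmp key <PSK_SITE_A> address 192.0.2.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key <PSK_SITE_B> address 198.51.100.20 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

`show crypto isakmp sa` and `show crypto ipsec sa` list one security association per peer once both tunnels are up.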

New Member

Re: Multiple XAuth client connections from PIX 506E

OK, that confirms my findings. I have one more question that is more important. Is it possible to use XAuth authentication at all with the lan-to-lan options of the PIX, i.e. is XAuth possible at all without using ezvpn?

Gold

Re: Multiple XAuth client connections from PIX 506E

xauth is recommended for ezvpn due to the fact that the ezvpn server will accept any ip address as a client. thus performing an extra layer of security is critical.

alternatively, when configuring lan-lan vpn, the public ip of both vpn peers needs to be specified. thus xauth may not be required.

New Member

Re: Multiple XAuth client connections from PIX 506E

OK, but I think you still didn't get my real question. I have to connect to two or more remote sites which are using XAuth as authentication, and I didn't find how to do it without using ezvpn?

Gold

Re: Multiple XAuth client connections from PIX 506E

as far as i know, you may need an extra device. as mentioned, the reason being a single unit can't act as ezvpn client for two different ezvpn servers.

alternatively, you need to reconsider the vpn type. i.e. to configure lan-lan.

New Member

Re: Multiple XAuth client connections from PIX 506E

Yes. I understand. Using XAuth is only possible when using ezvpn. And this also means only one XAuth enabled VPN connection at one time is possible per PIX device. Thanks.
