Multiple XAuth client connections from PIX 506E

fadata-bg
Level 1

Hi, we have a Cisco PIX 506E, fully updated to:

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

We have two clients with Cisco devices (PIX firewalls, and IOS routers with VPN). I cannot establish two IPsec connections to them using XAuth (they have XAuth enabled). As far as I can see, we can have only one VPN connection with extended authentication (XAuth), called 'Easy VPN'. When I try to configure another, it just replaces my old connection. If I must not use the Easy VPN Client function of this PIX firewall, how can I use extended authentication (XAuth)? I didn't find any options for this. Is this supported? Do the 25 connections on the data sheet mean only IPsec connections without XAuth authentication?


8 Replies

jackko
Level 7

Would you please post the latest configs with the public IPs masked?

My question is more theoretical right now. I'm not really sure of the capabilities of this device (and its software). I'm using it right now with Easy VPN and only one connection. My question is: can I do more than one connection to remote VPNs (PIX, for example) using XAuth? As far as I can see, the only way to do more than one connection is to tell the remote VPNs not to use XAuth. Right now I'm using Easy VPN, whose configuration is:

vpnclient server orgpix
vpnclient mode client-mode
vpnclient vpngroup example1 password **********
vpnclient username example2 password **********
vpnclient enable

Then the connection is successfully established (with the XAuth VPN server at the other side). But if I try to use the 'vpnclient' options again, it just overrides my orgpix connection and does not create another one.

The PIX can only act as an EzVPN client for one EzVPN server. If more than one VPN is required, you'll need to configure LAN-to-LAN VPN.

OK, that confirms my findings. I have one more question that is more important. Is it possible to use XAuth authentication at all with the LAN-to-LAN options of the PIX, i.e. is XAuth possible at all without using EzVPN?

XAuth is recommended for EzVPN due to the fact that the EzVPN server will accept any IP address as a client; thus performing an extra layer of security is critical.

Alternatively, when configuring LAN-to-LAN VPN, the public IPs of both VPN peers need to be specified; thus XAuth may not be required.

OK, but I think you still didn't get my real question. I have to connect to two or more remote sites which are using XAuth for authentication, and I didn't find how to do it without using EzVPN.

(Accepted Solution)

As far as I know, you may need an extra device. As mentioned, the reason is that a single unit can't act as an EzVPN client for two different EzVPN servers.

Alternatively, you need to reconsider the VPN type, i.e. configure LAN-to-LAN.
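To make the LAN-to-LAN alternative suggested in the two replies above concrete, here is an added example of a PIX 6.3 configuration that terminates two site-to-site IPsec tunnels on a single 506E. It is not from the thread, the poster, or Cisco documentation; the interface names, ACL and crypto map names, the RFC 5737 documentation addresses and the <psk-...> placeholders are all assumptions, and the lines beginning with "!" are annotations to remove before pasting into the CLI. The point that matters for this thread is the last section: the remote peers run XAuth for their Easy VPN clients, so their administrators must exempt this peer's static address with the no-xauth (and, on PIX, no-config-mode) keywords on the pre-shared key entry, otherwise the remote side will still issue an XAuth challenge that a LAN-to-LAN peer cannot answer.

```text
! Added example: our PIX 506E (6.3) with two LAN-to-LAN tunnels.
! Assumed addressing (RFC 5737 ranges, not from the thread):
!   our outside 198.51.100.5, inside 192.168.10.0/24
!   site A peer 203.0.113.10, remote LAN 192.168.20.0/24 (PIX)
!   site B peer 203.0.113.20, remote LAN 192.168.30.0/24 (IOS router)

! Interesting traffic, one ACL per tunnel
access-list vpn_siteA permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn_siteB permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! Exempt tunnel traffic from NAT so the private addresses reach the peer
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Phase 2: one crypto map with one entry per peer
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
crypto map L2L 10 match address vpn_siteA
crypto map L2L 10 set peer 203.0.113.10
crypto map L2L 10 set transform-set ESP-AES-SHA
crypto map L2L 20 ipsec-isakmp
crypto map L2L 20 match address vpn_siteB
crypto map L2L 20 set peer 203.0.113.20
crypto map L2L 20 set transform-set ESP-AES-SHA
crypto map L2L interface outside

! Phase 1: main mode, identity by address, a distinct pre-shared key per peer
isakmp enable outside
isakmp identity address
isakmp key <psk-siteA> address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key <psk-siteB> address 203.0.113.20 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! What the remote administrators must add on their side, because their
! XAuth is enabled for Easy VPN clients and would otherwise challenge
! this static peer as well.
! Site A (PIX 6.3 acting as server):
!   isakmp key <psk-siteA> address 198.51.100.5 netmask 255.255.255.255 no-xauth no-config-mode
! Site B (IOS router):
!   crypto isakmp key <psk-siteB> address 198.51.100.5 no-xauth
```

The transform set and the isakmp policy (AES, SHA, group 2, pre-shared keys) must match what each remote peer offers; if a peer only supports 3DES the transform set and policy have to be changed to match, and a distinct key per peer means a compromised key at one site does not expose the other tunnel. Once both sides are in place, `show crypto isakmp sa` should list one Phase 1 SA per peer and `show crypto ipsec sa` one pair of SAs per ACL entry; a Phase 1 SA that never reaches the established state while the remote side still shows an XAuth prompt is the symptom of the missing no-xauth exemption on that peer.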

Yes, I understand. Using XAuth is only possible when using EzVPN, and this also means only one XAuth-enabled VPN connection at a time is possible per PIX device. Thanks.