09-11-2009 09:52 AM
Hi,
In our network we created a remote VPN for remote access to our internal server through a PIX 515E.
Currently I have created a group-policy with the name VPN300 and remote users are able to access, but what happens is they get full access to our internal
What I need is to restrict access based on the username with local authentication, since we are not using TACACS or RADIUS.
As per the document I have created another group-policy, and in the group-policy attributes I mentioned the username and password, but it's not working.
Kindly suggest.
PIX Version 7.0(1)
names
!
interface Ethernet0
description WAN_connectivity
nameif outside
security-level 0
ip address XXXXX 255.255.255.224
!
interface Ethernet1
description Lan-connectivity
nameif inside
security-level 100
ip address 192.168.193.1 255.255.255.0
!
interface Ethernet2
description WEB_NATACCESS
nameif DMZ
security-level 80
ip address 10.208.6.10 255.255.255.0
!
access-list 110 extended permit ip 10.210.0.0 255.255.255.0 192.168.180.200 255.255.255.248
access-list accesstoTC1 extended permit ip 10.210.0.0 255.255.255.0 192.168.180.200 255.255.255.248
access-list 110 extended permit ip 10.0.0.0 255.255.255.0 10.208.6.240 255.255.255.240
access-list accesstoALL extended permit ip 10.0.0.0 255.255.255.0 10.208.6.240 255.255.255.240
ip local pool RemoteVPNpool 10.208.6.241-10.208.6.254
ip local pool AccesstoTc1 192.168.180.200-192.168.180.206 mask 255.255.255.248
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list 110
nat (DMZ) 1 access-list DMZtoInternet
route outside 0.0.0.0 0.0.0.0 XXXXXXX 1
route DMZ 10.0.0.0 255.255.0.0 10.208.6.1 1
group-policy AccesstoTc1 internal
group-policy AccesstoTc1 attributes
user-authentication enable
group-policy vpn3000 internal
group-policy vpn3000 attributes
user-authentication enable
username admin2 password eY/fQXw7Ure8Qrz7 encrypted
username admin2 password eY/fQXw7Ure8Qrz7 encrypted
crypto ipsec transform-set RVPN esp-des esp-md5-hmac
crypto ipsec transform-set RVPN1 esp-3des esp-md5-hmac
crypto dynamic-map DYN-map 1 set transform-set RVPN RVPN1
crypto map Remote-VPN 1 ipsec-isakmp dynamic DYN-map
crypto map Remote-VPN interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption 3des
isakmp policy 13 hash md5
isakmp policy 13 group 1
isakmp policy 13 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 3600
telnet 10.0.0.0 255.0.0.0 DMZ
telnet 192.168.151.0 255.255.255.0 DMZ
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool RemoteVPNpool
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
tunnel-group AccesstoTc1 type ipsec-ra
tunnel-group AccesstoTc1 general-attributes
address-pool AccesstoTc1
default-group-policy AccesstoTc1
tunnel-group AccesstoTc1 ipsec-attributes
pre-shared-key *
09-11-2009 11:24 AM
A VPN filter should do the trick; check out the link below.
HTH
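An added configuration example (not from the thread, and not Cisco's own documentation) of how a vpn-filter restricts one locally authenticated user to the TC1 subnet, reusing the AccesstoTc1 pool and group-policy from the config above; the usernames tc1user and fulluser and the ACL name VPNFILTER-TC1 are hypothetical, and the ACE direction follows the PIX/ASA 7.x vpn-filter convention (client address as source).

```text
! Added example: per-user restriction with local authentication on PIX 7.x.
! Names tc1user, fulluser and VPNFILTER-TC1 are hypothetical placeholders.
!
! 1. Filter ACL. For vpn-filter the ACE is written with the VPN client
!    (pool) address as the source and the protected subnet as the
!    destination; the PIX checks return traffic with the addresses
!    reversed, and anything the ACL does not permit is dropped.
access-list VPNFILTER-TC1 extended permit ip 192.168.180.200 255.255.255.248 10.210.0.0 255.255.255.0
!
! 2. Attach the filter to the restricted group-policy so every user
!    landing in that policy inherits it.
group-policy AccesstoTc1 attributes
 vpn-filter value VPNFILTER-TC1
!
! 3. Local user tied to that policy. group-lock stops the user from
!    connecting through the unrestricted vpn3000 tunnel-group even if
!    they know its pre-shared key.
username tc1user password <set-a-password>
username tc1user attributes
 vpn-group-policy AccesstoTc1
 group-lock value AccesstoTc1
!
! 4. Per-user override: a user in the same policy who must reach
!    everything gets the inherited filter removed with "vpn-filter none".
username fulluser password <set-a-password>
username fulluser attributes
 vpn-group-policy AccesstoTc1
 vpn-filter none
!
! 5. Both tunnel-groups authenticate against the local user database
!    (LOCAL is the default on 7.x, stated here explicitly).
tunnel-group AccesstoTc1 general-attributes
 authentication-server-group LOCAL
tunnel-group vpn3000 general-attributes
 authentication-server-group LOCAL
!
! Verify after tc1user connects:
!   show vpn-sessiondb detail remote
! shows the session with VPNFILTER-TC1 as its filter; from the
! 192.168.180.200/29 pool only 10.210.0.0/24 should be reachable.
```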
09-12-2009 12:10 AM
Thanks, it's working.
In my PIX config I am using the DMZ interface subnet as the remote pool IP address
10.208.6.241-10.208.6.254, which comes under the DMZ interface IP range.
If I use a new subnet I need to make a routing change, so I am using a range in the DMZ interface.
Will it be an issue, or can we use the new subnet?
Thanks.