Remote VPN issue

vinoth.kumar · ‎09-11-2009

HI,

in our network we created a remote VPN for remote access to our internal server through PIX 515E

currently i have created a group-policy with the name VPN300 and remote users are able to access but what happens they get full access to our internal

what i needd is restrict access based on the username with the local authentication since we are not using TACACUS or RADIUS

As per the document i have created a another group-policy and inthe group-policy attributes i mentioned as usename and password but its not working

kindly suggest

PIX Version 7.0(1)

names

!

interface Ethernet0

description WAN_connectivity

nameif outside

security-level 0

ip address XXXXX 255.255.255.224

!

interface Ethernet1

description Lan-connectivity

nameif inside

security-level 100

ip address 192.168.193.1 255.255.255.0

!

interface Ethernet2

description WEB_NATACCESS

nameif DMZ

security-level 80

ip address 10.208.6.10 255.255.255.0

!

access-list 110 extended permit ip 10.210.0.0 255.255.255.0 192.168.180.200 255.255.255.248

access-list accesstoTC1 extended permit ip 10.210.0.0 255.255.255.0 192.168.180.200 255.255.255.248

access-list 110 extended permit ip 10.0.0.0 255.255.255.0 10.208.6.240 255.255.255.240

access-list accesstoALL extended permit ip 10.0.0.0 255.255.255.0 10.208.6.240 255.255.255.240

ip local pool RemoteVPNpool 10.208.6.241-10.208.6.254

ip local pool AccesstoTc1 192.168.180.200-192.168.180.206 mask 255.255.255.248

global (outside) 1 interface

nat (inside) 0 access-list 110

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list 110

nat (DMZ) 1 access-list DMZtoInternet

route outside 0.0.0.0 0.0.0.0 XXXXXXX 1

route DMZ 10.0.0.0 255.255.0.0 10.208.6.1 1

group-policy AccesstoTc1 internal

group-policy AccesstoTc1 attributes

user-authentication enable

group-policy vpn3000 internal

group-policy vpn3000 attributes

user-authentication enable

username admin2 password eY/fQXw7Ure8Qrz7 encrypted

crypto ipsec transform-set RVPN esp-des esp-md5-hmac

crypto ipsec transform-set RVPN1 esp-3des esp-md5-hmac

crypto dynamic-map DYN-map 1 set transform-set RVPN RVPN1

crypto map Remote-VPN 1 ipsec-isakmp dynamic DYN-map

crypto map Remote-VPN interface outside

isakmp identity address

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 11 authentication pre-share

isakmp policy 11 encryption 3des

isakmp policy 11 hash md5

isakmp policy 11 group 2

isakmp policy 11 lifetime 86400

isakmp policy 13 authentication pre-share

isakmp policy 13 encryption 3des

isakmp policy 13 hash md5

isakmp policy 13 group 1

isakmp policy 13 lifetime 86400

isakmp policy 15 authentication pre-share

isakmp policy 15 encryption 3des

isakmp policy 15 hash sha

isakmp policy 15 group 2

isakmp policy 15 lifetime 3600

telnet 10.0.0.0 255.0.0.0 DMZ

telnet 192.168.151.0 255.255.255.0 DMZ

telnet timeout 5

ssh timeout 5

console timeout 0

tunnel-group vpn3000 type ipsec-ra

tunnel-group vpn3000 general-attributes

address-pool RemoteVPNpool

default-group-policy vpn3000

tunnel-group vpn3000 ipsec-attributes

pre-shared-key *

tunnel-group AccesstoTc1 type ipsec-ra

tunnel-group AccesstoTc1 general-attributes

address-pool AccesstoTc1

default-group-policy AccesstoTc1

tunnel-group AccesstoTc1 ipsec-attributes

pre-shared-key *

kwillacey · ‎09-11-2009

A vpn filter should do the trcik check out the link below.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

HTH

vinoth.kumar · ‎09-12-2009

Thanks its working

in my PIX config iam using the DMZ interface subnet as the Remote pool ip address

10.208.6.241-10.208.6.254 which is coming under DMZ interface ip range

if i use the new subnet i need to make routing change so iam using range in the DMZ interface

whether it will be an issue or we can use the new subnet

thanks