Cisco Support Community

Remote VPN issue


In our network we created a remote VPN for remote access to our internal server through a PIX 515E.

Currently I have created a group-policy with the name VPN300, and remote users are able to access, but what happens is they get full access to our internal.

What I need is to restrict access based on the username with local authentication, since we are not using TACACS+ or RADIUS.

As per the document I have created another group-policy, and in the group-policy attributes I mentioned the username and password, but it's not working.

Kindly suggest.

PIX Version 7.0(1)



interface Ethernet0
 description WAN_connectivity
 nameif outside
 security-level 0
 ip address XXXXX
interface Ethernet1
 description Lan-connectivity
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 description WEB_NATACCESS
 nameif DMZ
 security-level 80
 ip address

access-list 110 extended permit ip
access-list accesstoTC1 extended permit ip
access-list 110 extended permit ip
access-list accesstoALL extended permit ip

ip local pool RemoteVPNpool
ip local pool AccesstoTc1 mask

global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1
nat (DMZ) 0 access-list 110
nat (DMZ) 1 access-list DMZtoInternet

route outside XXXXXXX 1
route DMZ 1

group-policy AccesstoTc1 internal
group-policy AccesstoTc1 attributes
 user-authentication enable
group-policy vpn3000 internal
group-policy vpn3000 attributes
 user-authentication enable

username admin2 password eY/fQXw7Ure8Qrz7 encrypted
username admin2 password eY/fQXw7Ure8Qrz7 encrypted

crypto ipsec transform-set RVPN esp-des esp-md5-hmac
crypto ipsec transform-set RVPN1 esp-3des esp-md5-hmac
crypto dynamic-map DYN-map 1 set transform-set RVPN RVPN1
crypto map Remote-VPN 1 ipsec-isakmp dynamic DYN-map
crypto map Remote-VPN interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption 3des
isakmp policy 13 hash md5
isakmp policy 13 group 1
isakmp policy 13 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 3600

telnet DMZ
telnet DMZ
telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
tunnel-group AccesstoTc1 type ipsec-ra
tunnel-group AccesstoTc1 general-attributes
 address-pool AccesstoTc1
 default-group-policy AccesstoTc1
tunnel-group AccesstoTc1 ipsec-attributes
 pre-shared-key *
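The following is an added example of per-username access restriction on PIX 7.x with the LOCAL user database; it is not taken from the thread or from any Cisco document, and it keeps only the tunnel-group name vpn3000 and the pool name RemoteVPNpool from the posted config. Everything else (the 192.168.250.0/24 pool, the 10.10.1.0/24 inside LAN, the 10.10.1.50 "TC1" host, the ACL, group-policy and user names) is an assumption constructed for illustration. The mechanism is: one tunnel-group that authenticates XAUTH users against LOCAL, a restrictive default group policy, and a per-user `vpn-group-policy` under `username ... attributes` that overrides it with a group policy carrying a `vpn-filter`. Note that `user-authentication enable`, the only attribute set in the posted group policies, controls individual user authentication for hardware (Easy VPN) clients and does not by itself restrict what a software client can reach.

```cisco
! Added example, not from the original post. All addresses, ACL names,
! group-policy names and usernames below are assumptions.

! One address pool shared by all remote users (assumed 192.168.250.0/24).
ip local pool RemoteVPNpool 192.168.250.10-192.168.250.100 mask 255.255.255.0

! vpn-filter ACLs are written from the client's side: source = VPN client
! address, destination = internal resource. The PIX applies the filter to
! traffic in both directions of the tunnel.
access-list VPN-TC1-ONLY extended permit ip 192.168.250.0 255.255.255.0 host 10.10.1.50
access-list VPN-TC1-ONLY extended deny ip any any log
access-list VPN-FULL extended permit ip 192.168.250.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list VPN-DENY-ALL extended deny ip any any log

! Restricted policy: only the assumed TC1 server.
group-policy GP-TC1-ONLY internal
group-policy GP-TC1-ONLY attributes
 vpn-filter value VPN-TC1-ONLY
 vpn-tunnel-protocol IPSec
 vpn-simultaneous-logins 1

! Full policy: the whole inside LAN.
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-filter value VPN-FULL
 vpn-tunnel-protocol IPSec

! Default policy for any user that is not explicitly mapped: connects but
! can pass no traffic, so an unmapped account gets nothing by accident.
group-policy GP-DEFAULT internal
group-policy GP-DEFAULT attributes
 vpn-filter value VPN-DENY-ALL
 vpn-tunnel-protocol IPSec

! Local users. Attributes set here override the tunnel-group default policy,
! so the username, not the tunnel-group, decides what each person reaches.
username tc1user password <set-a-strong-password>
username tc1user attributes
 vpn-group-policy GP-TC1-ONLY
username fulluser password <set-a-strong-password>
username fulluser attributes
 vpn-group-policy GP-FULL

! XAUTH against the LOCAL database, then hand out the pool and the default
! (deny-all) policy; the per-user policy above replaces it after login.
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 authentication-server-group LOCAL
 default-group-policy GP-DEFAULT
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key <group-psk>
```

Two things to check after applying this: the NAT-exemption ACL used by `nat (inside) 0 access-list ...` must still cover the pool subnet so that inside hosts reply to VPN clients without translation (the vpn-filter restricts traffic, it does not route or exempt it), and `show vpn-sessiondb remote` after a test login should show the filter name expected for that user. If a client connects but reaches nothing, verify the ACL direction (client as source) before anything else; a filter written with the internal host as source silently matches nothing.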

Re: Remote VPN issue

Re: Remote VPN issue

Thanks, it's working.

In my PIX config I am using the DMZ interface subnet as the remote pool IP address range, which is coming under the DMZ interface IP range.

If I use a new subnet I need to make a routing change, so I am using a range in the DMZ interface.

Will it be an issue, or can we use the new subnet?

