PIX VPN Group

When VPN clients are connecting they are asked to enter VPN group ID and password - before their access username & password prompt. I cannot see in the PIX config where the VPN group name and password are configured ??? I'm assuming "user1" is the client ID and "abC123" is the client password

ip local pool vpnpool9 123.123.123.123-123.123.123.126
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup user1 address-pool vpnpool9
vpngroup user1 split-tunnel 102
vpngroup user1 idle-time 1800
vpngroup user1 password password abc123

**************************
Reply to
Ned

I think this is known as eXtended Authentication (XAUTH):

username password

aaa-server LOCAL protocol local

aaa-server VPN_XAUTH protocol local

crypto map map1 client authentication VPN_XAUTH

Reply to
Merv

That's where the group name is configured, the "user1" of the second field.

That's where the group password is configured, abc123 .

These are not the username and password, these are the group name and group password.

Reply to
Walter Roberson
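The two replies above make the same distinction: the `vpngroup` lines carry the group name and group password, while the per-user prompt only appears once a crypto map has `client authentication` (XAUTH) pointing at an aaa-server. The script below is an added example, not part of the thread or of any Cisco tooling: it parses a PIX 6.x-style configuration with regular expressions and reports groups that lack a password or reference an undefined address pool, and crypto maps bound to an interface without XAUTH. The sample configuration is constructed from the one posted in the thread, with placeholder group passwords.

```python
"""Audit a PIX 6.x-style config for remote-access VPN group settings (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config. The group passwords are
# placeholders, not real keys; user2 deliberately points at an undefined pool.
SAMPLE_CONFIG = """\
ip local pool vpnpool9 123.123.123.123-123.123.123.126
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
aaa-server VPN_XAUTH protocol local
vpngroup user1 address-pool vpnpool9
vpngroup user1 split-tunnel 102
vpngroup user1 idle-time 1800
vpngroup user1 password EXAMPLE-GROUP-KEY-1
vpngroup user2 address-pool vpnpool10
vpngroup user2 password EXAMPLE-GROUP-KEY-2
"""

# One regex per statement type; re.M makes ^ match at every line start.
VPNGROUP_RE = re.compile(
    r"^vpngroup\s+(\S+)\s+(address-pool|split-tunnel|idle-time|password)\s+(\S+)", re.M)
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)", re.M)
MAP_IF_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)", re.M)
XAUTH_RE = re.compile(r"^crypto map\s+(\S+)\s+client authentication\s+(\S+)", re.M)


def parse_vpngroups(config):
    """Collect each vpngroup's attributes: {'user1': {'address-pool': 'vpnpool9', ...}}."""
    groups = defaultdict(dict)
    for name, key, value in VPNGROUP_RE.findall(config):
        groups[name][key] = value
    return dict(groups)


def parse_pools(config):
    """{pool name: address range} from 'ip local pool' statements."""
    return dict(POOL_RE.findall(config))


def xauth_maps(config):
    """{crypto map name: aaa-server group} for maps that enable XAUTH."""
    return dict(XAUTH_RE.findall(config))


def bound_maps(config):
    """{crypto map name: interface} for maps applied to an interface."""
    return dict(MAP_IF_RE.findall(config))


def audit(config):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    groups, pools, xauth = parse_vpngroups(config), parse_pools(config), xauth_maps(config)
    for map_name, iface in bound_maps(config).items():
        if map_name not in xauth:
            findings.append(
                f"crypto map {map_name} on {iface}: no 'client authentication' (XAUTH); "
                f"the shared group password is the only secret clients present")
    for name, attrs in sorted(groups.items()):
        if "password" not in attrs:
            findings.append(f"vpngroup {name}: no group password configured")
        pool = attrs.get("address-pool")
        if pool is None:
            findings.append(f"vpngroup {name}: no address-pool, clients get no address")
        elif pool not in pools:
            findings.append(f"vpngroup {name}: address-pool {pool} is not defined by any 'ip local pool'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it `show running-config` output saved to a file (one statement per line, as the PIX prints it) rather than the flattened paste from the first post; the regexes anchor on line starts. Adding `crypto map map1 client authentication VPN_XAUTH` to the sample clears the XAUTH finding and leaves only the undefined-pool one.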

If I recall correctly, the default gateway is correct. The link that is created is a point-to-point link, which uses a single IP address with netmask 255.255.255.255 to represent both sides of the link.

Reply to
Walter Roberson

OK - am I blocking access through the firewall into the LAN? A user comes into the VPN successfully with an address 123.123.123.123. His default gateway is the same as his client address. He cannot PING the default gateway of that LAN which is 123.123.123.254. He is authenticated OK on the firewall but is just sitting there. Should he not be able to PING 123.123.123.254 through the firewall? Is there any way to get his default gateway established as .254 when he gets authenticated by the FW ?

Reply to
Ned

I believe that the PIX uses the split tunnel options as well. So, you will want to make sure that local LAN access is enabled on the client and that the transparent tunneling option is set.

These are the settings that I used on my recent firewall VPN configuration. However, I am using the PIX software version 7.1.x and not 6.x. The 192.168.100.0/24 address is my local ip pool, and the 10.10.200.0/24 network is my inside network.

primaryfirewall# sho run group-policy
group-policy InternalGroup internal
group-policy InternalGroup attributes
 dns-server value 10.10.200.30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WEB

primaryfirewall# sho access-list WEB
access-list WEB; 1 elements
access-list WEB line 1 extended permit ip 10.10.200.0 255.255.255.0 192.168.100.0 255.255.255.0
Reply to
Scribble

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.