
Quick VPN question for remote clients 2


jgassner2 (Technical User)
Sep 19, 2003
Hello
I have been given the task of trying to get a VPN to work to connect to a remote site from our home office. I have a pretty decent grasp on the configuration, but as I am reading it seems like when you use something like the Cisco VPN client you have to have an external server for authentication and authorization. Is this true, or is there a way to set the PIX up to allow this connection? If anyone could let me know and maybe provide an example of how to get it to work, that would be awesome. If you need the configuration, let me know.

Thanks
Jon
 
You don't need an external server. You can use the local database by specifying (for example) "crypto map <mapname> client authentication LOCAL"

Then specify the users with the "username" statement.
 
hostname PIX
access-list 101 permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0

ip address outside x.x.x.94 255.255.255.252
ip address inside 192.168.0.254 255.255.255.0

ip local pool ippool 172.16.101.1-172.16.101.254
nat (inside) 0 access-list 101

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnClients address-pool ippool

vpngroup vpnClients dns-server 149.168.11.11 205.152.132.23
vpngroup vpnClients default-domain com.com
vpngroup vpnClients split-tunnel 101
vpngroup vpnClients idle-time 1800
vpngroup vpnClients password putyourpasswordhere

Then have the users load a profile (.pcf) and point it to the outside IP address of the PIX. Make the username and password the same (all are case sensitive).

This will work fine under most circumstances. If you are running multiple tunnels elsewhere some mods should be done.
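As an added check that is not part of the thread, here is the posted config run through a small Python audit of the points the first reply raises: a crypto map bound to an interface with no "client authentication" line (so the shared vpngroup password alone admits a client), a LOCAL xauth setting with no "username" entries, the placeholder group password, and the 3DES/MD5/DH group 2 settings, which are legacy today. The config lines are the post's own, trimmed to what the audit inspects; the function name `audit_pix_vpn` is chosen here.

```python
import re

# Constructed sample: the PIX remote-access config posted above, trimmed to the
# lines the audit inspects (the group password is the post's own placeholder).
PIX_CONFIG = """\
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup vpnClients address-pool ippool
vpngroup vpnClients password putyourpasswordhere
"""


def audit_pix_vpn(config: str) -> list:
    """Return findings for a PIX 6.x remote-access VPN config given as text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # A crypto map bound to an interface but lacking 'client authentication'
    # (xauth) admits any client that knows the shared vpngroup password.
    bound = {m.group(1) for ln in lines
             if (m := re.match(r"crypto map (\S+) interface ", ln))}
    xauth = {m.group(1) for ln in lines
             if (m := re.match(r"crypto map (\S+) client authentication ", ln))}
    for name in sorted(bound - xauth):
        findings.append(f"crypto map {name}: no 'client authentication' (xauth)")
    # 'client authentication LOCAL' is useless without 'username' entries.
    if any(ln.endswith("client authentication LOCAL") for ln in lines) \
            and not any(ln.startswith("username ") for ln in lines):
        findings.append("xauth LOCAL set but no 'username' entries")
    for ln in lines:
        # Group password left at the example placeholder.
        m = re.match(r"vpngroup (\S+) password (\S+)", ln)
        if m and "putyourpassword" in m.group(2).lower():
            findings.append(f"vpngroup {m.group(1)}: placeholder password")
        # Legacy 3DES/MD5 and DH group 1/2 in phase 1 or the transform set.
        if ln.startswith(("isakmp policy", "crypto ipsec transform-set")):
            for token, name in (("3des", "3DES"), ("md5", "MD5")):
                if token in ln:
                    findings.append(f"{ln}: legacy {name}")
            if re.search(r"isakmp policy \d+ group [12]$", ln):
                findings.append(f"{ln}: legacy DH group")
    return findings
```

Adding the first reply's "crypto map mymap client authentication LOCAL" plus a "username" line clears the xauth findings; the algorithm findings need newer transform-set and isakmp policy choices.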
 
Thanks for all of your help. You all really helped clear up some foggy thoughts.
 