TheStressFactor
IS-IT--Management
Hello All,
In an old post, I inquired about what would be the best way for users to log on to the vpn regarding usernames and passwords. I was concerned since there was one group username and password. It was suggested that I use IAS and Radius. I finally got a chance to implement it last night based on the wonderful advice given here and it worked fine. When a user trys to connect using the cisco vpn client, they get prompted for there username and password.
Now I have a new issue. Before I set up the Radius I had set up a vpn tunnel to our sister company. I had the crypto map associated with that tunnel applied to the outside interface. But I had to apply the new crypto map to the outside interface to make radius work. Is there a way I can have more than one applied at a time or a way to combine them?
Below is my current config. I rebooted my pix so the changes I had made would go away so the vpn tunnel to the sister company would be re-established.
Any advice, suggestions, or guidance would be greatly appreciated.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname mypix
domain-name mypix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.77.0 255.255.255.
0
pager lines 24
logging on
logging timestamp
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.67 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.3.2 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 63.102.156.65 255.255.255.255 inside
pdm location 192.168.3.9 255.255.255.255 inside
pdm location 192.168.3.4 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
access-group outside in interface outside
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac
crypto ipsec transform-set marinohome esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set marinohome
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.83
crypto map testmap 10 set transform-set pixtransform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8
192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map marinohome 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address x.x.x.83 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup xxxxx address-pool ippool
vpngroup xxxxx dns-server 192.168.3.x
vpngroup xxxxx wins-server 192.168.3.x
vpngroup xxxxx default-domain mydomain.com
vpngroup xxxxx split-tunnel split
vpngroup xxxxx idle-time 2000
vpngroup xxxxx password ****************
terminal width 80
In an old post, I inquired about what would be the best way for users to log on to the vpn regarding usernames and passwords. I was concerned since there was one group username and password. It was suggested that I use IAS and Radius. I finally got a chance to implement it last night based on the wonderful advice given here and it worked fine. When a user trys to connect using the cisco vpn client, they get prompted for there username and password.
Now I have a new issue. Before I set up the Radius I had set up a vpn tunnel to our sister company. I had the crypto map associated with that tunnel applied to the outside interface. But I had to apply the new crypto map to the outside interface to make radius work. Is there a way I can have more than one applied at a time or a way to combine them?
Below is my current config. I rebooted my pix so the changes I had made would go away so the vpn tunnel to the sister company would be re-established.
Any advice, suggestions, or guidance would be greatly appreciated.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname mypix
domain-name mypix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.77.0 255.255.255.
0
pager lines 24
logging on
logging timestamp
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.67 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.3.2 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 63.102.156.65 255.255.255.255 inside
pdm location 192.168.3.9 255.255.255.255 inside
pdm location 192.168.3.4 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
access-group outside in interface outside
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac
crypto ipsec transform-set marinohome esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set marinohome
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.83
crypto map testmap 10 set transform-set pixtransform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8
192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map marinohome 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address x.x.x.83 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup xxxxx address-pool ippool
vpngroup xxxxx dns-server 192.168.3.x
vpngroup xxxxx wins-server 192.168.3.x
vpngroup xxxxx default-domain mydomain.com
vpngroup xxxxx split-tunnel split
vpngroup xxxxx idle-time 2000
vpngroup xxxxx password ****************
terminal width 80
