inteq

Two VPN Groups on one PIX Interface

HI Experts

I have a client who is using a Cisco PIX 506 firewall and everything is working fine. They also have a remote login using the Cisco VPN Client, which office users use to reach their PCs at the office.

Now they want to have a different VPN group login which they can give to their customers, which should have limited resource access.

How can that be done?

Thanks in Advance
jjoseph_x

No problem, just create another group, one with a different group name.  The important thing will be to make sure that they have a different address-pool, since you'll need to filter their access based on their IP address (using access-lists).

This means that you might need to also remove the line:

sysopt connection permit-ipsec

which allows IPsec traffic (VPN tunnels) to bypass access lists.

Of course that requires the added pain of explicitly allowing or denying traffic for all VPN clients/tunnels.


Tim Holman
What seems to be the problem?  If one group's working, then I imagine you've already tried to add another group - what error messages did you get?  Can we see your config please?
inteq (asker)

Hi Experts,

Below is the PIX config for your review, to provide the solution for the above-mentioned problem.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password tU6/rwF306DZsUCT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list aivpn_splittunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 any echo-reply
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq 5900
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq 3389
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq 8081
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit ip 192.168.17.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any 192.168.1.0 255.255.255.0 eq www
access-list outside_access_in permit tcp any 192.168.1.0 255.255.255.0 eq https
access-list outside_access_in permit tcp any 192.168.1.0 255.255.255.0 eq ftp
access-list outside_access_in permit tcp any 192.168.1.0 255.255.255.0 eq ftp-data
access-list outside_access_in permit tcp any 192.168.1.0 255.255.255.0 eq pop3
access-list outside_access_in permit tcp any 192.168.1.0 255.255.255.0 eq smtp
access-list outside_access_in permit tcp any host 8.85.33.73 eq smtp
access-list outside_access_in permit icmp any host 8.85.33.73 echo-reply
access-list outside_access_in permit tcp any host 8.85.33.73 eq ssh
access-list outside_access_in permit tcp any host 8.85.33.73 eq www
access-list outside_access_in permit tcp any host 8.85.33.73 eq https
access-list outside_access_in permit tcp any host 8.85.33.71 eq www
access-list outside_access_in permit tcp any host 8.85.33.71 eq https
access-list inside_nat0_outbound permit ip any 192.168.17.0 255.255.255.0
access-list outside_cryptomap_dyn1 permit ip any 192.168.17.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 8.85.33.72 255.255.255.240
ip address inside 192.168.1.99 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnai 192.168.17.1-192.168.17.50
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.17.0 255.255.255.0 outside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm history enable
arp timeout 18000
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 8.85.33.73 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 8.85.33.71 192.168.1.101 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 8.85.33.74 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:30:00 udp 0:05:00 rpc 0:15:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:04:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_dyn1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1800
vpngroup avpn address-pool vpnai
vpngroup avpn dns-server 192.168.1.1 165.21.83.88
vpngroup avpn default-domain s.a.local
vpngroup avpn split-tunnel aivpn_splittunnelAcl
vpngroup avpn idle-time 7200
vpngroup avpn password ********
vpngroup dns-server idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:9fc27cd87df021f2c42687fc31621a18
: end

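Applying jjoseph_x's advice to the config above, as an added example that is not part of this thread (it is neither the asker's config nor the accepted solution, which is not shown here). The customer pool 192.168.18.0/24, the group name custvpn, the ACL names and the choice of 192.168.1.5 as the only host customers may reach are all assumptions made for the example:

```cisco
: Added example (not from the thread). Assumes: customer pool 192.168.18.0/24,
: group name custvpn, and 192.168.1.5 as the single customer-reachable host.
: 1. Separate address pool, so customers can be matched by source IP.
ip local pool vpncust 192.168.18.1-192.168.18.50
: 2. NAT exemption and dynamic crypto ACL, mirroring the office pool entries.
access-list inside_nat0_outbound permit ip any 192.168.18.0 255.255.255.0
access-list outside_cryptomap_dyn1 permit ip any 192.168.18.0 255.255.255.0
: 3. Split-tunnel ACL: only the one server is routed into the tunnel.
:    This is pushed to the client, so it is a convenience, not the control.
access-list custvpn_splittunnelAcl permit ip host 192.168.1.5 192.168.18.0 255.255.255.0
: 4. The customer group itself (pre-shared key is a placeholder).
vpngroup custvpn address-pool vpncust
vpngroup custvpn dns-server 192.168.1.1
vpngroup custvpn split-tunnel custvpn_splittunnelAcl
vpngroup custvpn idle-time 1800
vpngroup custvpn password CHANGE-ME-customer-group-key
: 5. Stop decrypted VPN traffic from bypassing the outside ACL. From now on
:    every VPN client, office group included, must be permitted explicitly.
no sysopt connection permit-ipsec
: 6. Enforcement in outside_access_in. Line 2 of the existing ACL already
:    permits the office pool 192.168.17.0/24 to the whole LAN. Customers get
:    HTTPS to the one host and are then denied the rest of the LAN.
:    Order matters: PIX 6.3 evaluates entries top to bottom and appends new
:    ones at the end, and the later "permit tcp any 192.168.1.0 ..." entries
:    would otherwise also match the customer pool. "line N" inserts above them.
access-list outside_access_in line 3 permit tcp 192.168.18.0 255.255.255.0 host 192.168.1.5 eq https
access-list outside_access_in line 4 deny ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0 log
: Optional: tell PDM which side of the firewall the new pool lives on.
pdm location 192.168.18.0 255.255.255.0 outside
```

Check the result with "show access-list outside_access_in" to confirm the customer permit and deny sit above the "any" entries, and watch the hit counts on the deny line while a customer client is connected.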
ASKER CERTIFIED SOLUTION
jjoseph_x
