Solved

How do I add a new user to an existing VPN group using the CLI on a Cisco 506E?

Posted on 2010-08-31
8
507 Views
Last Modified: 2012-05-10
I have an existing VPN group with a few users already added by my predecessor where he used only the CLI.  PIX Device Mgr is not an option as we have an older version with the bug that won't load even though logged in, so this has to be done via the SLI.  I'm more than a little rusty with the Cisco CLI commands so if you could lay them out step by step I'd sure appreciate it.

I have a Cisco 506E running Pix Version 6.3(3).

Many thanks in advance
0
Comment
Question by:NJJimInHI
  • 4
  • 4
8 Comments
 

Author Comment

by:NJJimInHI
ID: 33573481
I forgot to note, though it's probably obvious - we do not have a radius server setup on our Win 2003 server (yet).
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33574615
can u show the PIX config

or try  the below command

username <new_user_name> password <new_password_>

0
 

Author Comment

by:NJJimInHI
ID: 33580661
Thanks, I tried <username <new_user_name> password <new_password_> and then wr mem, but no good.  I also need to add this user to our 1 VPN group, yes?  If so, how would I do that?

0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33580723
just show me ur config
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:NJJimInHI
ID: 33581735
Ok, here's our config.  What I need to do is create a second VPN group, then create 2 new VPN users and add them both to the new, second VPN group (without, of course, affecting our existing VPN group and the users assigned to it)

Our config, minus pub IPs, co name, and staff names:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ZqnocywcywusTIFu encrypted
passwd koWJnwNe97TnFs5c encrypted
hostname CoName1
domain-name CoName.hawaii.org
clock timezone HST -10
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name PUBLIC IP CoNamestaff4
object-group network CoNamestaff4
  description castle server
  network-object PUBLIC IP 255.255.255.255
object-group service Alll tcp-udp
  port-object eq pim-auto-rp
  port-object eq echo
  port-object eq discard
  port-object eq kerberos
  port-object eq sunrpc
  port-object eq domain
  port-object eq tacacs
  port-object eq talk
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.
0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.13.0 255.255.255.
0
access-list split permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.
0
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.13.0 255.255.255.0

access-list outside_cryptomap_21 permit ip interface inside host PUBLIC IP
access-list outside_cryptomap_41 permit ip interface inside host PUBLIC IP
pager lines 24
logging on
logging buffered debugging
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside OUR VPN PUB IP 255.255.255.248
ip address inside 192.168.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.12.1-192.168.12.254
pdm location 192.168.13.0 255.255.255.0 outside
pdm location PUBLIC IP 255.255.255.255 outside
pdm location PDM LOCATION PUB IP #1 255.255.255.255 outside
pdm location PDM LOCATION PUB IP #2 255.255.255.255 outside
pdm group CoNamestaff4 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.11.1 192.168.11.1 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 24.43.228.201 1
timeout xlate 24:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 12:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 24:00:00 absolute uauth 24:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 101
crypto map mymap 1 set peer PUBLIC IP
crypto map mymap 1 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address PUBLIC IP netmask 255.255.255.255 no-xauth no-conf
ig-mode
isakmp peer ip PUBLIC IP no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication rsa-sig
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup YYYYYY address-pool ippool
vpngroup YYYYYY dns-server 192.168.11.251
vpngroup YYYYYY wins-server 192.168.11.251
vpngroup YYYYYY default-domain CoNamehi
vpngroup YYYYYY split-tunnel split
vpngroup YYYYYY idle-time 1800
vpngroup YYYYYY password ********
telnet timeout 5
ssh PDM LOCATION PUB IP #2 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
username staff1 password 133aVGxc9fMFodIq encrypted privilege 15
username staff2 password TCiIvK.1pGXBIdyj encrypted privilege 2
username staff3 password px7VhdwDJWQMouTB encrypted privilege 15
username staff4 password uhNWs/HV3GUdCxCj encrypted privilege 2
username staff5 password 4lMuLi3HFTu2yAve encrypted privilege 2
username staff6 password bd5PKYh3LZUQjtcb encrypted privilege 15
username staff7 password q30NoU1q6prsKjjA encrypted privilege 15
username staff8 password CV7OQ9DnCTolX7wf encrypted privilege 15
username staff9 password /ZyxBmPmI3HqWytp encrypted privilege 15
username staff10 password jl6kjaKKWUh7XtNP encrypted privilege 15
username staff11 password nN6KakjfbHLWT3VQ encrypted privilege 15
username staff12 password pEqR6TbYGsFhiFxN encrypted privilege 2
username staff13 password FnJREJql6j5an2L/ encrypted privilege 15
terminal width 80
Cryptochecksum:3a5cd84e0f9d4cc849260756068ee881
0
 
LVL 14

Accepted Solution

by:
anoopkmr earned 500 total points
ID: 33584971
ok u want to create a different vpn group , so try like this

vpngroup <new group name > address-pool ippool
vpngroup <new group name > dns-server 192.168.11.251
vpngroup <new group name >wins-server 192.168.11.251
vpngroup <new group name > default-domain CoNamehi
vpngroup <new group name > split-tunnel split
vpngroup <new group name > idle-time 1800
vpngroup <new group name > password <new password >

then create ne users by

username <new-user> password <new_pass> privilege 15
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33584975
you have to use the newly created group name and password on the client
0
 

Author Closing Comment

by:NJJimInHI
ID: 33590341
Well done.  Thank you very much.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now