Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


How do I add a new user to an existing VPN group using the CLI on a Cisco 506E?

Posted on 2010-08-31
Medium Priority
Last Modified: 2012-05-10
I have an existing VPN group with a few users already added by my predecessor where he used only the CLI.  PIX Device Mgr is not an option as we have an older version with the bug that won't load even though logged in, so this has to be done via the SLI.  I'm more than a little rusty with the Cisco CLI commands so if you could lay them out step by step I'd sure appreciate it.

I have a Cisco 506E running Pix Version 6.3(3).

Many thanks in advance
Question by:NJJimInHI
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4

Author Comment

ID: 33573481
I forgot to note, though it's probably obvious - we do not have a radius server setup on our Win 2003 server (yet).
LVL 14

Expert Comment

ID: 33574615
can u show the PIX config

or try  the below command

username <new_user_name> password <new_password_>


Author Comment

ID: 33580661
Thanks, I tried <username <new_user_name> password <new_password_> and then wr mem, but no good.  I also need to add this user to our 1 VPN group, yes?  If so, how would I do that?

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 14

Expert Comment

ID: 33580723
just show me ur config

Author Comment

ID: 33581735
Ok, here's our config.  What I need to do is create a second VPN group, then create 2 new VPN users and add them both to the new, second VPN group (without, of course, affecting our existing VPN group and the users assigned to it)

Our config, minus pub IPs, co name, and staff names:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ZqnocywcywusTIFu encrypted
passwd koWJnwNe97TnFs5c encrypted
hostname CoName1
clock timezone HST -10
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name PUBLIC IP CoNamestaff4
object-group network CoNamestaff4
  description castle server
  network-object PUBLIC IP
object-group service Alll tcp-udp
  port-object eq pim-auto-rp
  port-object eq echo
  port-object eq discard
  port-object eq kerberos
  port-object eq sunrpc
  port-object eq domain
  port-object eq tacacs
  port-object eq talk
access-list nonat permit ip 255.255.255.
access-list nonat permit ip 255.255.255.
access-list split permit ip 255.255.255.
access-list 101 permit ip

access-list outside_cryptomap_21 permit ip interface inside host PUBLIC IP
access-list outside_cryptomap_41 permit ip interface inside host PUBLIC IP
pager lines 24
logging on
logging buffered debugging
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside OUR VPN PUB IP
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
pdm location outside
pdm location PUBLIC IP outside
pdm location PDM LOCATION PUB IP #1 outside
pdm location PDM LOCATION PUB IP #2 outside
pdm group CoNamestaff4 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0 0
static (inside,outside) netmask 0 0
route outside 1
timeout xlate 24:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 12:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 24:00:00 absolute uauth 24:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 101
crypto map mymap 1 set peer PUBLIC IP
crypto map mymap 1 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address PUBLIC IP netmask no-xauth no-conf
isakmp peer ip PUBLIC IP no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication rsa-sig
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup YYYYYY address-pool ippool
vpngroup YYYYYY dns-server
vpngroup YYYYYY wins-server
vpngroup YYYYYY default-domain CoNamehi
vpngroup YYYYYY split-tunnel split
vpngroup YYYYYY idle-time 1800
vpngroup YYYYYY password ********
telnet timeout 5
ssh PDM LOCATION PUB IP #2 outside
ssh timeout 5
management-access inside
console timeout 0
username staff1 password 133aVGxc9fMFodIq encrypted privilege 15
username staff2 password TCiIvK.1pGXBIdyj encrypted privilege 2
username staff3 password px7VhdwDJWQMouTB encrypted privilege 15
username staff4 password uhNWs/HV3GUdCxCj encrypted privilege 2
username staff5 password 4lMuLi3HFTu2yAve encrypted privilege 2
username staff6 password bd5PKYh3LZUQjtcb encrypted privilege 15
username staff7 password q30NoU1q6prsKjjA encrypted privilege 15
username staff8 password CV7OQ9DnCTolX7wf encrypted privilege 15
username staff9 password /ZyxBmPmI3HqWytp encrypted privilege 15
username staff10 password jl6kjaKKWUh7XtNP encrypted privilege 15
username staff11 password nN6KakjfbHLWT3VQ encrypted privilege 15
username staff12 password pEqR6TbYGsFhiFxN encrypted privilege 2
username staff13 password FnJREJql6j5an2L/ encrypted privilege 15
terminal width 80
LVL 14

Accepted Solution

anoopkmr earned 2000 total points
ID: 33584971
ok u want to create a different vpn group , so try like this

vpngroup <new group name > address-pool ippool
vpngroup <new group name > dns-server
vpngroup <new group name >wins-server
vpngroup <new group name > default-domain CoNamehi
vpngroup <new group name > split-tunnel split
vpngroup <new group name > idle-time 1800
vpngroup <new group name > password <new password >

then create ne users by

username <new-user> password <new_pass> privilege 15
LVL 14

Expert Comment

ID: 33584975
you have to use the newly created group name and password on the client

Author Closing Comment

ID: 33590341
Well done.  Thank you very much.

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question