2136 Views, 0 Helpful, 6 Replies

How to use PIX local database for Authentication

li.simon
Level 1

Dear Sir,

I am configuring a PIX-to-PIX VPN tunnel using IPSec/IKE and would like to use the PIX local database for authentication, not an external TACACS+ or RADIUS server. Can someone show me what command can be used for PIX local database authentication for a PIX-to-PIX VPN tunnel using IPSec? (Just like the vpdn command can be used for PPTP or L2TP for PIX local database authentication.)

How do I configure the VPN client in Windows XP to access the remote private network via this PIX-to-PIX VPN tunnel using IPSec?

Thank you very much for your help !

Simon

6 Replies

gfullage
Cisco Employee

Not sure what you're asking here, cause there is no user authentication in a PIX-to-PIX tunnel.

If you're asking how to set up local user authentication for VPN clients connecting to a PIX with v6.3 code, then use the following commands:

> username <name> password <password>

> crypto map <mapname> client authentication LOCAL

Thank you very much for your response. My question is about using the Windows XP VPN client at the inside interface of a PIX 525 to reach our remote office internal network at the inside interface of a PIX 515 via the PIX-to-PIX VPN tunnel, using local database authentication (see the config below, which follows the sample config from Cisco). I added your command to my config and got "remote computer did not respond" after I tried to connect. Can you help check my config for what causes the problem? Thank you again. -Simon

access-list 101 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list 101

sysopt connection permit-ipsec

crypto ipsec transform-set mstarset esp-des esp-md5-hmac

crypto map mstarmap 1 ipsec-isakmp

crypto map mstarmap 1 match address 101

crypto map mstarmap 1 set peer 192.168.1.52

crypto map mstarmap 1 set transform-set mstarset

crypto map mstarmap interface outside

isakmp enable outside

isakmp key 123546789 address 192.168.1.52 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

username cisco password pixtest

crypto map mstarmap client authentication LOCAL

Still not sure what you're trying to do here. You have a PIX-to-PIX IPSec tunnel, which has nothing to do with user authentication. User authentication, particularly the command I gave you, is for VPN clients connecting into the PIX remotely and accessing internal hosts, it is NOT for a PIX-to-PIX tunnel.

You mention that you are using an XP VPN client on the inside of the PIX, but how are you using this when you already have a PIX-to-PIX tunnel? What are you connecting to and terminating your XP client tunnel on? Whatever this device is, that is where you need to configure the username authentication stuff.

I am sorry for confusing you. So you mean user authentication is not needed for a PIX-to-PIX IPSec tunnel? Then let me ask my question in a simple way: how do I connect to the remote office internal network (which is at the inside interface of the remote PIX) through the PIX-to-PIX tunnel from an XP client at the inside interface of the local PIX?

For example, there is a server with PCAnywhere Host (IP 192.168.10.10) at the remote office and I would like to connect to it using PCAnywhere on my local XP client at 172.16.100.10. I have the PIX-to-PIX tunnel configured on both PIXes and I could not connect to the PCAnywhere Host at the remote office. Below is the PIX-to-PIX tunnel configuration on one of the PIXes (I did not list the config for the firewall part because it is working well). Can you help check what causes the problem? I really appreciate your help and Thank You Very Much Again.

-Simon

access-list 101 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list 101

sysopt connection permit-ipsec

crypto ipsec transform-set mstarset esp-des esp-md5-hmac

crypto map mstarmap 1 ipsec-isakmp

crypto map mstarmap 1 match address 101

crypto map mstarmap 1 set peer 192.168.1.52

crypto map mstarmap 1 set transform-set mstarset

crypto map mstarmap interface outside

isakmp enable outside

isakmp key 123546789 address 192.168.1.52 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

Assuming that routing is configured properly, you should be able to simply connect using the remote host's IP address. The config you provided seems OK.

Does your local XP machine have a route to the 192.168.10.0 network that points to the inside interface of the PIX? This can either be a default route or a specific route in the hosts routing table.

Similarly, does the remote host have a route to the 172.16.100.0 network that points it to the inside interface of the remote PIX, either via a default route or a specific route?

Are you sure the tunnel is up between these PIX? Can you send a "sho cry ipsec sa" output from either PIX, that'll tell us for sure.

First, I thank you for staying late for answering my question.

The default gateway of my local XP machine points to the inside interface of the local PIX (172.16.1.1), and the local PIX has the default route "route outside 0 0 65.22.112.1 1" configured. The same thing is configured on the remote PIX. I am not sure if I answered your question. If not, please let me know what command you expect to be configured on the PIX. I think we are getting close to resolving my problem. Below is the output when I do "sho cry ipsec sa" on one PIX:

pix1# sh cry ipsec sa

interface: outside

Crypto map tag: mwavemap, local addr. 4.67.22.2

local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

current_peer: 65.197.235.2

PERMIT, flags={origin_is_acl,}

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 4.67.22.2, remote crypto endpt.: 65.197.235.2

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 6c711408

inbound esp sas:

spi: 0xd2796a9b(3531172507)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3, crypto map: mwavemap

sa timing: remaining key lifetime (k/sec): (4608000/7807)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x6c711408(1819350024)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 4, crypto map: mwavemap

sa timing: remaining key lifetime (k/sec): (4608000/7798)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

pix1#

Please let me know if the output is correct. Thank you again. -Simon
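As an added diagnostic example (not part of this thread and not a Cisco tool), the script below parses the `sh cry ipsec sa` output Simon posted and turns the packet counters into the kind of finding gfullage was asking for: the SA pair exists (Phase 2 completed), but `#pkts encaps: 8` with `#pkts decaps: 0` means pix1 is encrypting traffic toward the peer and getting nothing back, which points at the return path on the remote side (host routing back to the remote PIX, or the remote crypto ACL / `nat 0` not covering the return traffic) rather than at user authentication. The sample is a trimmed copy of the output from the post; the "healthy" and "no SA" variants in the usage are constructed by editing that copy, and the line formats assumed are those of PIX 6.x as shown in the thread.

```python
import re
from dataclasses import dataclass, field

# Trimmed copy of the "sh cry ipsec sa" output posted in the thread above
# (addresses, SPIs and counters exactly as posted; some counter lines omitted).
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: mwavemap, local addr. 4.67.22.2
   local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   current_peer: 65.197.235.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 2, #recv errors 0
     local crypto endpt.: 4.67.22.2, remote crypto endpt.: 65.197.235.2
     current outbound spi: 6c711408
     inbound esp sas:
      spi: 0xd2796a9b(3531172507)
        transform: esp-des esp-md5-hmac ,
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6c711408(1819350024)
        transform: esp-des esp-md5-hmac ,
     outbound ah sas:
     outbound pcp sas:
"""


@dataclass
class IpsecSa:
    """Fields of one crypto-map entry that matter for a first diagnosis."""
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0          # packets this PIX encrypted and sent to the peer
    decaps: int = 0          # packets received from the peer and decrypted
    send_errors: int = 0
    recv_errors: int = 0
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Parse PIX 6.x 'show crypto ipsec sa' text for one crypto-map entry."""
    sa = IpsecSa()
    section = None  # which SA list we are in: "in", "out" or None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"local ident \(addr/mask/prot/port\): \((.*)\)$", line):
            sa.local_ident = m.group(1)
        elif m := re.match(r"remote ident \(addr/mask/prot/port\): \((.*)\)$", line):
            sa.remote_ident = m.group(1)
        elif m := re.match(r"current_peer: (\S+)", line):
            sa.peer = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            sa.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            sa.decaps = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa.send_errors, sa.recv_errors = int(m.group(1)), int(m.group(2))
        elif line.endswith("sas:"):
            # Only the ESP lists carry the SPIs we want; AH/PCP headers reset the section.
            if line.startswith("inbound esp"):
                section = "in"
            elif line.startswith("outbound esp"):
                section = "out"
            else:
                section = None
        elif (m := re.match(r"spi: (0x[0-9a-fA-F]+)", line)) and section:
            (sa.inbound_spis if section == "in" else sa.outbound_spis).append(m.group(1))
    return sa


def diagnose(sa: IpsecSa) -> list:
    """Return finding strings, each prefixed with a short code, derived from the counters."""
    findings = []
    if not sa.inbound_spis or not sa.outbound_spis:
        findings.append("no-sa: no ESP SA pair negotiated; check the ISAKMP policy, "
                        "the pre-shared key and that the crypto ACLs mirror each other")
        return findings
    if sa.encaps > 0 and sa.decaps == 0:
        findings.append(
            f"one-way: {sa.encaps} packets encrypted to {sa.peer} but none decrypted; "
            f"the tunnel is up, so check that hosts in {sa.remote_ident} route "
            f"{sa.local_ident} back to the remote PIX and that its crypto ACL and "
            f"nat 0 cover the return traffic")
    elif sa.encaps == 0 and sa.decaps == 0:
        findings.append("idle: SA negotiated but no traffic has matched the crypto ACL yet")
    else:
        findings.append(f"bidirectional: encaps={sa.encaps} decaps={sa.decaps}; "
                        "traffic is flowing both ways through the tunnel")
    if sa.send_errors or sa.recv_errors:
        findings.append(f"errors: send={sa.send_errors} recv={sa.recv_errors}; "
                        "a few send errors from packets dropped while the SA was "
                        "still being negotiated are common")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ipsec_sa(SAMPLE_SA_OUTPUT)):
        print(finding)
```

Run as-is it reports the posted output as "one-way" (plus the two send errors); paste the output of both PIXes in and compare: the remote PIX showing decaps greater than zero but encaps of zero would confirm that packets arrive there and the return traffic is what is missing.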