05-29-2008 07:18 AM - edited 03-11-2019 05:51 AM
My vendor wants me to create a client VPN access for them in my ASA to only use groupname/password without being prompted for username/password, because they have an automated script that runs at night. What change do I need to make?
ASA 7(2)1
interface ethernet0
ip address 10.10.4.200 255.255.0.0
nameif outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool testpool 192.168.0.10-192.168.0.15
username testuser password 12345678 <--Just remove one line??
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key xxx
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
05-29-2008 09:17 AM
Donald,
You do not need to remove any users from your local users database. Simply do as follows:
go into
tunnel-group testgroup ipsec-attributes
add this statement below
isakmp ikev1-user-authentication none
This will allow a VPN client connecting to this particular tunnel to only authenticate through the tunnel-group "testgroup" first authentication window and after that allow the connection in. This command applies to the tunnel itself, so it will apply to any users connecting to this tunnel. If this is not what you are trying to accomplish, but only for one user, you could create another tunnel group and have two different tunnel groups: one that requires user authentication and another tunnel that does not require user authentication.
HTH
-Jorge
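The two-tunnel-group layout described in the answer, written out as an added example configuration (not from the thread or from Cisco documentation). Tunnel-group names, the group secrets, the pool and the host/port in the filter ACL are placeholders; the group-policy with a vpn-filter is an extra restriction the answer does not mention, added so that a session authenticated only by the shared group secret can reach just the host the script needs.

```cisco
! Added example, not part of the original thread. ASA 7.2-style syntax.
! All names, secrets and addresses below are placeholders.
!
! Group policy for the unattended session: restrict what it can reach
! and drop it when idle. ACL name, host and port are assumed.
access-list VENDOR-VPN-FILTER extended permit tcp any host 10.10.20.50 eq 22
group-policy VENDOR-SCRIPT-POLICY internal
group-policy VENDOR-SCRIPT-POLICY attributes
 vpn-filter value VENDOR-VPN-FILTER
 vpn-idle-timeout 30
!
! Tunnel group 1: interactive users, group secret plus username/password
! (the default behaviour, so no ikev1-user-authentication line is needed).
tunnel-group USERS-RA type ipsec-ra
tunnel-group USERS-RA general-attributes
 address-pool testpool
tunnel-group USERS-RA ipsec-attributes
 pre-shared-key <users-group-secret>
!
! Tunnel group 2: the vendor's nightly script, group secret only.
! "isakmp ikev1-user-authentication none" disables the username/password
! prompt for every client that selects this group, so the group secret
! is the only credential; keep it distinct from the users' group secret.
tunnel-group VENDOR-SCRIPT type ipsec-ra
tunnel-group VENDOR-SCRIPT general-attributes
 address-pool testpool
 default-group-policy VENDOR-SCRIPT-POLICY
tunnel-group VENDOR-SCRIPT ipsec-attributes
 pre-shared-key <vendor-group-secret>
 isakmp ikev1-user-authentication none
!
! Check which tunnel group and group policy a connected client landed in:
! show vpn-sessiondb remote
```

The vendor's client profile selects the group by its name (VENDOR-SCRIPT) and secret, so interactive users keep their own group and are still prompted for a username and password.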