04-05-2007 06:35 AM - edited 03-11-2019 02:56 AM
I know that this is a bad idea, but I have a customer that wants upwards of 200+ users put in the config of his PIX for use with VPN. What the customer wants, the customer gets... Unless, is that even possible? I can't find anything to tell me the max number of local users you can have.
Does anyone know what the max number of local users is for a PIX 515e running 7.2?
Thanks!
Solved!
04-07-2007 08:06 AM
Here is the PIX 7.2 configuration (relevant portion only). To configure IAS, google something like "IAS radius cisco".
The dollar sign ($) indicates variable names/fields (user-defined names).
access-list $splittunnel_acl extended permit ip $local_network $vpn_dhcp_network
ip local pool vpn-pool $start_ip-$end_ip
aaa-server RADIUSVPN protocol radius
aaa-server RADIUSVPN host $192.168.x.y
 timeout 5
 key $shared_radius_key
! backup IAS server
aaa-server RADIUSVPN host $192.168.x.z
 timeout 5
 key $shared_radius_key
group-policy $group_name internal
group-policy $group_name attributes
 wins-server value $192.168.x.x
 dns-server value $192.168.x.x $192.168.x.y
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value $splittunnel_acl
 default-domain value $local_domain
 backup-servers $backup_vpn_server
crypto ipsec transform-set $transform_name esp-3des esp-sha-hmac
crypto dynamic-map $DYN_MAPNAME 10 set transform-set $transform_name
crypto map VPN 25 ipsec-isakmp dynamic $DYN_MAPNAME
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group $group_name type ipsec-ra
tunnel-group $group_name general-attributes
 address-pool vpn-pool
 authentication-server-group RADIUSVPN
 default-group-policy $group_name
tunnel-group $group_name ipsec-attributes
 pre-shared-key $psk
----------------
If you have regular crypto tunnels defined, place the dynamic map entry after those, otherwise strange things happen.
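A small sanity check for a config like the one above, added here as an example and not part of the original post or of any Cisco tool: it parses the `aaa-server`, `tunnel-group`, `crypto isakmp policy` and `transform-set` lines and reports (a) every `authentication-server-group` that names a server group not declared in the text (in the posted excerpt, `DefaultRAGroup` points at `RADIUS` while only `RADIUSVPN` is declared; since the post is the "relevant portion only" that group may simply live elsewhere in the full config) and (b) cipher, hash and Diffie-Hellman choices that are weak by today's standards (3DES, DES, MD5, DH groups 1/2/5). The embedded config is a constructed copy of the posted excerpt with the `$` placeholders kept; the parser assumes PIX/ASA `show running-config` style indentation for sub-commands, and the set of tokens treated as weak is this example's own choice.

```python
from __future__ import annotations
import re

# Constructed sample: the posted PIX 7.2 excerpt (placeholders kept), indented
# the way the PIX prints it, so sub-commands can be tied to their parent block.
SAMPLE_CONFIG = """\
access-list $splittunnel_acl extended permit ip $local_network $vpn_dhcp_network
ip local pool vpn-pool $start_ip-$end_ip
aaa-server RADIUSVPN protocol radius
aaa-server RADIUSVPN host $192.168.x.y
 timeout 5
 key $shared_radius_key
! backup IAS server
aaa-server RADIUSVPN host $192.168.x.z
 timeout 5
 key $shared_radius_key
crypto ipsec transform-set $transform_name esp-3des esp-sha-hmac
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group $group_name type ipsec-ra
tunnel-group $group_name general-attributes
 address-pool vpn-pool
 authentication-server-group RADIUSVPN
 default-group-policy $group_name
"""

AAA_GROUP_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+\S+")
TUNNEL_GA_RE = re.compile(r"^tunnel-group\s+(\S+)\s+general-attributes")
# optional "(interface)" form, as in "authentication-server-group (outside) RADIUS"
AUTH_GROUP_RE = re.compile(r"^\s*authentication-server-group(?:\s+\(\S+\))?\s+(\S+)")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set\s+(\S+)\s+(.*)$")
ISAKMP_POLICY_RE = re.compile(r"^crypto isakmp policy\s+(\d+)")
# Example's own notion of "weak"; SHA-1 HMAC is deliberately not flagged here.
WEAK_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def defined_aaa_groups(config: str) -> set:
    """Server-group names declared with 'aaa-server NAME protocol ...'."""
    return {m.group(1) for line in config.splitlines()
            if (m := AAA_GROUP_RE.match(line))}


def referenced_auth_groups(config: str) -> list:
    """(tunnel-group, server-group) pairs; refs outside a block count as 'global'."""
    refs, context = [], "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():          # top-level command closes any open block
            m = TUNNEL_GA_RE.match(raw)
            context = m.group(1) if m else "global"
        if m := AUTH_GROUP_RE.match(raw):
            refs.append((context, m.group(1)))
    return refs


def undefined_auth_groups(config: str) -> list:
    """References to server groups that the text never declares (LOCAL is built in)."""
    defined = defined_aaa_groups(config)
    return [(tg, grp) for tg, grp in referenced_auth_groups(config)
            if grp != "LOCAL" and grp not in defined]


def weak_crypto_findings(config: str) -> list:
    """Weak transform-set algorithms and weak ISAKMP policy settings, in file order."""
    findings, policy = [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw[0].isspace():          # top-level: leave any policy block
            policy = None
            if m := TRANSFORM_RE.match(line):
                for tok in m.group(2).split():
                    if tok in WEAK_TOKENS:
                        findings.append(f"transform-set {m.group(1)}: {tok}")
            elif m := ISAKMP_POLICY_RE.match(line):
                policy = m.group(1)
            continue
        if policy is None:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("encryption", "hash") and parts[1] in WEAK_TOKENS:
            findings.append(f"isakmp policy {policy}: {parts[0]} {parts[1]}")
        elif len(parts) >= 2 and parts[0] == "group" and parts[1] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {policy}: group {parts[1]}")
    return findings


def audit(config: str) -> dict:
    return {"undefined_auth_groups": undefined_auth_groups(config),
            "weak_crypto": weak_crypto_findings(config)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key)
        for item in value:
            print("  ", item)
```

Run it against a saved `show running-config` instead of `SAMPLE_CONFIG` to use it on a real box; an undefined server group means the tunnel-group silently falls back to whatever the default authentication is, which is exactly the kind of thing to catch before 200 users depend on it.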
04-05-2007 07:26 AM
Hi Paul,
There is no software imposed limit on the number of users in the local database. So, in essence you are limited by the config size (and available space on flash to store the config).
But, we have not tested performance with very large local user databases. However, 200 users should be just fine.
Sincerely,
David.
04-05-2007 09:40 AM
sounds like the customer wants an administrative nightmare (:
I set up AAA/RADIUS authentication for VPN users using Microsoft's free IAS (Internet Authentication Server). This way, remote users can use their domain login information to do xauth w/ the VPN client, and when they leave the company, removing/disabling their AD account disables their VPN access. I've set this up successfully on both the VPN concentrator and PIX 6.3/7.x if you're interested.
04-05-2007 10:29 AM
The problem is I'm not sure they want to tie it into AD. However, I would like to see an example config if you wouldn't mind sharing it. My email is phignutt @ hotmail dot com
Thanks