
tunnel-group in PIX 515 running 7.x

h.xia
Level 1

I tried to configure the PIX for remote access using certificate. According to the document, I need tunnel-group DefaultRAGroup, and it should be pre-configured. However, I don't see it on my configuration. Does it mean that I need to configure this DefaultRAGroup on the PIX manually?

Thanks,

Hang

3 Replies

Fernando_Meza
Level 7

Hi, you don't need to create these groups. They are created by default, and even though you can modify them, you can't delete them. These are the default parameters contained in the default remote access group. If you need to modify any parameters, enter the group mode with

tunnel-group tunnel_group_name general-attributes

or

tunnel-group tunnel_group_name ipsec-attributes

"The contents of the default remote-access tunnel group are as follows:

tunnel-group DefaultRAGroup general-attributes
 no address-pool
 authentication-server-group LOCAL
 no authorization-server-group
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 no dhcp-server
 no strip-realm
 password-management password-expire-in-days 14
 no override-account-disable
 no strip-group
 no authorization-required
 authorization-dn-attributes CN OU
tunnel-group DefaultRAGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2"

I hope it helps .. please rate it if it does !!!

Thanks for confirming that the DefaultRAGroup should be there. However, it does not show on my PIX. Is it possible that I wipe it out when I do "wr erase"?

Thanks,

Hang

Yes. You might not be able to see it from the configuration; however, it is there and you can access it and change any attributes you need. The name is the default and it is unique.

DefaultRAGroup

Cheers,
