TCC_2
Level 10

Resolution

In order to configure a new VPN Client group on a PIX Firewall that already contains groups, complete these steps:

  1. Remove the crypto map from the outside interface:

    no crypto map map-name interface outside

  2. Create a new IP pool for the new group, or use the current pool:

    ip local pool pool_name pool_start_address[-pool_end_address]

  3. Create an access-list for the NAT bypass (nat 0). Make sure that the sequence number for this access-list is the same as the previously configured nat 0 access-lists:

    access-list acl_no permit ip source_ip source_mask destination_ip destination_mask

  4. Create an access-list for the split tunnel. This access-list must be identical to the nat 0 access-list. This is optional, for when Internet access is required:

    access-list 102 permit ip source_ip source_mask destination_ip destination_mask

  5. Create a new group with these commands:

    vpngroup group_name address-pool pool_name
    vpngroup group_name dns-server 192.168.1.x (optional)
    vpngroup group_name default-domain (optional)
    vpngroup group_name split-tunnel 102 (optional)
    vpngroup group_name idle-time 1800
    vpngroup group_name password preshared_key

  6. Reapply the crypto map to the outside interface:

    crypto map map-name interface outside
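A worked version of the six steps, added here as an example and not taken from the original post. It assumes an existing crypto map named mymap, an inside network of 192.168.1.0/24, an existing nat 0 access-list 101 already bound with `nat (inside) 0 access-list 101`, a new pool vpnpool2 and a new group vpngroup2; all names, addresses and the key are constructed placeholders.

```cisco
!--- Step 1: detach the crypto map while the new group is added (assumed map name: mymap).
no crypto map mymap interface outside
!--- Step 2: a dedicated pool for the new group (constructed range).
ip local pool vpnpool2 10.1.2.1-10.1.2.50
!--- Step 3: extend the existing nat 0 access-list (assumed id 101, already bound with
!--- "nat (inside) 0 access-list 101") so inside traffic to the new pool bypasses NAT.
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!--- Step 4: split-tunnel access-list with the same entry, so only inside traffic is tunnelled
!--- and the client's Internet traffic stays local.
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!--- Step 5: the group itself (DNS server, domain and preshared key are placeholders).
vpngroup vpngroup2 address-pool vpnpool2
vpngroup vpngroup2 dns-server 192.168.1.10
vpngroup vpngroup2 default-domain example.com
vpngroup vpngroup2 split-tunnel 102
vpngroup vpngroup2 idle-time 1800
vpngroup vpngroup2 password <preshared_key>
!--- Step 6: reattach the crypto map so the new group is usable.
crypto map mymap interface outside
```

If the pool range appears in only one of the two access-lists, clients still get an address, but inside traffic is either translated or not sent through the tunnel, so compare the two entries before reapplying the map.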
