Resolution
In order to configure a new VPN Client group on a PIX Firewall that already contains groups, complete these steps:
- Remove the crypto map from the outside interface:
no crypto map map-name interface outside
- Create a new IP pool for the new group, or use the current pool:
ip local pool pool_name pool_start_address[-pool_end_address]
- Create an access-list for the NAT bypass, nat 0. Make sure that the sequence number for this access-list is the same as the previously configured nat 0 access-lists:
access-list acl_no permit ip source_ip source_mask destination_ip destination_mask
- Create an access-list for the split tunnel. This access-list must be identical to the nat 0 access-list. This step is optional and is needed only if Internet access is required:
access-list 102 permit ip source_ip source_mask destination_ip destination_mask
- Create a new group with these commands:
vpngroup group_name address-pool pool_name
vpngroup group_name dns-server 192.168.1.x (optional)
vpngroup group_name default-domain (optional)
vpngroup group_name split-tunnel 102 (optional)
vpngroup group_name idle-time 1800
vpngroup group_name password preshared_key
- Reapply the crypto map to the outside interface:
crypto map map-name interface outside
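The steps above worked through with constructed values, as an added example that is not part of the original document. It assumes an existing group eng already uses pool vpnpool1, access-list 101 for nat 0, and crypto map mymap; the new group sales, pool vpnpool2, the 192.168.1.0/24 inside network and the other addresses are placeholders.

```text
! Step 1: take the crypto map off the interface while editing (assumed map name: mymap)
no crypto map mymap interface outside

! Step 2: a second pool for the new group (constructed range)
ip local pool vpnpool2 10.1.2.1-10.1.2.254

! Step 3: extend the EXISTING nat 0 access-list (same number, 101) with one new entry
! for the new pool, so both groups bypass NAT. The first line is the entry assumed to
! already exist for the eng group and is shown only for context.
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 101

! Step 4 (optional): split-tunnel list for the new group, mirroring its nat 0 entry,
! so only 192.168.1.0/24 goes through the tunnel and other traffic stays local
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

! Step 5: the new group (constructed DNS server, domain and key placeholder)
vpngroup sales address-pool vpnpool2
vpngroup sales dns-server 192.168.1.10
vpngroup sales default-domain example.com
vpngroup sales split-tunnel 102
vpngroup sales idle-time 1800
vpngroup sales password PRESHARED_KEY_PLACEHOLDER

! Step 6: put the crypto map back; tunnels are not accepted until this is done
crypto map mymap interface outside
```

The lines beginning with "!" are annotations for the reader; the access-list 101 entry for the existing group is shown so the shared nat 0 list is visible in one place and should not be re-entered if it is already present.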