PIX with multiple VPN groups

tcrellin
Level 1

I have a client who wishes to set up three VPN groups on the PIX and give different access rights to each group (i.e. group 1 can access server A only, group 2 can access server B only, and group 3 can access all resources).

In testing, we have created the tunnels using the VPN wizard in PDM, and all works fine when we have a single tunnel with unrestricted access. However, as soon as we try to add more vpngroups and add the access restrictions, the whole thing grinds to a halt. IKE mode initialises, but the VPN client times out and no IPsec tunnel is created.

Can anyone suggest possible causes and workarounds?

4 Replies

ehirsel
Level 6

I would not use PDM, but rather the pix cli to accomplish what you want.

Try this:

1. Turn off the permit-ipsec sysopt by running this command: no sysopt connection permit-ipsec

2. Create three local IP pools on the PIX. For example:

ip local pool Group1Pool 192.168.1.1-192.168.1.254

ip local pool Group2Pool 192.168.2.1-192.168.2.254

ip local pool Group3Pool 192.168.3.1-192.168.3.254

3. Then, on the PIX interface that will terminate the VPN client connections, code these ACL entries:

access-list intf_outside_acl permit ip 192.168.1.0 255.255.255.0 host serverA

access-list intf_outside_acl permit ip 192.168.2.0 255.255.255.0 host serverB

access-list intf_outside_acl permit ip 192.168.3.0 255.255.255.0 10.0.0.0 255.0.0.0

This assumes that your private network is 10/8, that ACL intf_outside_acl is an existing ACL that is already applied to the outside interface, and that your IPsec clients will terminate on that interface.

The key is to remove the permit-ipsec sysopt command, as you want the PIX to not allow IPsec traffic to traverse anywhere; instead, the interface ACL will be applied, and the source IP is what the PIX assigns the VPN client depending upon which group they are in. Each VPN group will use only one of the three local pools defined above.

Let me know if this helps.
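As an added illustration of the three-step procedure in the reply above (this is not code from the original thread or from Cisco), the script below parses a constructed PIX 6.x style config fragment and checks the two things a practitioner would want to verify before handing this to a client: that the permit-ipsec sysopt is disabled so decrypted client traffic is actually subject to the outside interface ACL, and that each group's address pool can reach only the servers intended for it. The server addresses 10.1.1.10 and 10.1.1.20, the vpngroup names and the 10/8 inside network are assumptions.

```python
"""Audit per-group reachability in a PIX 6.x style config.

Added example, not code from the original thread. Parses a constructed
config fragment (pools, 'ip' ACL entries, vpngroup->pool bindings and the
permit-ipsec sysopt state) and evaluates which assumed servers each group
can reach through the outside interface ACL.
"""
import ipaddress
import re

# Constructed sample config modelled on the reply above (not from the
# original post). Server addresses and group names are assumptions.
CONFIG = """\
no sysopt connection permit-ipsec
ip local pool Group1Pool 192.168.1.1-192.168.1.254
ip local pool Group2Pool 192.168.2.1-192.168.2.254
ip local pool Group3Pool 192.168.3.1-192.168.3.254
access-list intf_outside_acl permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10
access-list intf_outside_acl permit ip 192.168.2.0 255.255.255.0 host 10.1.1.20
access-list intf_outside_acl permit ip 192.168.3.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group intf_outside_acl in interface outside
vpngroup group1 address-pool Group1Pool
vpngroup group2 address-pool Group2Pool
vpngroup group3 address-pool Group3Pool
"""

# Assumed server addresses inside the 10.0.0.0/8 private network.
SERVERS = {"serverA": "10.1.1.10", "serverB": "10.1.1.20"}

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (.+)$")
GROUP_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")


def _take_addr(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D' or
    'A.B.C.D M.M.M.M') and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_config(text):
    """Extract pools, 'ip' ACL entries, vpngroup->pool bindings and the
    permit-ipsec sysopt state. ACL entries for other protocols are ignored."""
    cfg = {"pools": {}, "acls": {}, "groups": {}, "permit_ipsec": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
        elif line == "no sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = False
        elif m := POOL_RE.match(line):
            name, lo, hi = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif m := ACL_RE.match(line):
            name, action, rest = m.groups()
            src, rest = _take_addr(rest.split())
            dst, _ = _take_addr(rest)
            cfg["acls"].setdefault(name, []).append((action, src, dst))
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(1)] = m.group(2)
    return cfg


def acl_enforced(cfg):
    """With 'sysopt connection permit-ipsec' set, decrypted IPsec traffic
    bypasses the interface ACL, so the per-group entries never apply."""
    return not cfg["permit_ipsec"]


def can_reach(cfg, acl_name, src_ip, dst_ip):
    """First-match evaluation of an ACL with the implicit deny at the end."""
    for action, src, dst in cfg["acls"].get(acl_name, []):
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False


def group_reaches(cfg, acl_name, group, dst):
    """True only if clients holding both the first and the last address of
    the group's pool are permitted to dst, so a pool that straddles the
    ACL's source network is reported as not fully reachable."""
    lo, hi = cfg["pools"][cfg["groups"][group]]
    target = ipaddress.ip_address(dst)
    return all(can_reach(cfg, acl_name, ip, target) for ip in (lo, hi))


def audit(cfg, acl_name, servers):
    """Map each vpngroup to the sorted list of server names it can reach."""
    return {
        group: sorted(name for name, ip in servers.items()
                      if group_reaches(cfg, acl_name, group, ip))
        for group in cfg["groups"]
    }


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("ACL enforced on decrypted traffic:", acl_enforced(cfg))
    for group, reachable in audit(cfg, "intf_outside_acl", SERVERS).items():
        print(f"{group}: {reachable}")
```

Run against the sample, group1 reaches only serverA, group2 only serverB and group3 both, and `acl_enforced` reports True; flipping the first line to `sysopt connection permit-ipsec` makes the audit meaningless because decrypted traffic would bypass the ACL, which is exactly the failure mode step 1 of the reply guards against.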

Thanks for the advice. However, all of this is already in place. It is at tunnel creation that the config is failing, not at the access lists.

Please post the relevant PIX config here, and also let me know how the clients are configured, i.e., are the clients using transparent tunneling? Also, run the debug crypto isakmp and debug crypto ipsec commands on the firewall, attempt a connection from the client, and post the debug log messages.

I'll look at them and tell you what I find.

As things happened, I did not get a chance to return to that site, and so the matter was resolved by another engineer. I therefore don't have the config. Sorry.