
VPN Groups

ciscopaul
Level 1

Hi All,

I have a Cisco PIX 515 and a VPN group set up on it. I was wondering how to set up multiple VPN groups on a PIX, if possible.

I am running IOS 6.33.

Thanks,

Paul Hong

3 Replies

aacole
Level 5

Hi Paul,

Yes, you can: just use different names in the VPNGROUP command. The group name has to match the username you configure in the VPN client.

vpngroup VPNUSER1 address-pool VPNUSER

vpngroup VPNUSER1 idle-time 1800

vpngroup VPNUSER1 password user1

vpngroup VPNUSER2 address-pool VPNUSER

vpngroup VPNUSER2 idle-time 1800

vpngroup VPNUSER2 password user2

Hope that's clear enough,

Andy

You may further restrict the remote VPN access:

1. Apply individual accounts - all users need to provide an individual username/password as well as the group username/password (i.e. the pcf file)

aaa-server LOCAL protocol local

crypto map mymap client authentication LOCAL

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

username xxx password yyy

2. Apply an ACL - restrict access to particular server(s)

access-l 100 permit ip

vpngroup vpnclient split-tunnel 100

3. Disable sysopt connection permit-ipsec - all IPsec traffic will be inspected by checking the inbound ACL. Typically used when further restriction is required, for example when remote VPN users need only access an internal email server.

no sysopt connection permit-ipsec

access-l 110 permit tcp eq 25

access-g 110 in inter outside
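
As an added example (not part of the thread and not Cisco tooling), this Python check reads a saved PIX 6.x configuration and reports which of the three restrictions listed in the reply above are missing. It goes one step further and also flags groups that share one address pool, as VPNUSER1 and VPNUSER2 do in the first reply. The sample configuration is constructed, and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in PIX 6.x syntax, built from the commands quoted in the thread.
SAMPLE_CONFIG = """\
vpngroup VPNUSER1 address-pool VPNUSER
vpngroup VPNUSER1 idle-time 1800
vpngroup VPNUSER1 password ********
vpngroup VPNUSER2 address-pool VPNUSER
vpngroup VPNUSER2 idle-time 1800
vpngroup VPNUSER2 password ********
vpngroup VPNUSER2 split-tunnel 100
sysopt connection permit-ipsec
"""

def audit_vpngroups(config_text):
    """Return a sorted list of findings for the vpngroup settings (hypothetical helper)."""
    groups = defaultdict(dict)   # group name -> {attribute: value}
    xauth = False                # per-user authentication on the crypto map
    acl_bypass = False           # IPsec traffic exempt from interface ACLs
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"vpngroup\s+(\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            groups[m.group(1)][m.group(2)] = m.group(3)
        elif re.match(r"crypto map \S+ client authentication \S+", line):
            xauth = True
        elif line == "sysopt connection permit-ipsec":  # the "no ..." form does not match
            acl_bypass = True
    findings = []
    if groups and not xauth:
        findings.append("no 'crypto map ... client authentication': only the shared group password is checked")
    if acl_bypass:
        findings.append("'sysopt connection permit-ipsec' is set: the inbound ACL is not applied to VPN traffic")
    pools = defaultdict(list)
    for name, attrs in groups.items():
        if "split-tunnel" not in attrs:
            findings.append(f"group {name}: no split-tunnel ACL")
        if "address-pool" in attrs:
            pools[attrs["address-pool"]].append(name)
    for pool, names in pools.items():
        if len(names) > 1:
            findings.append(f"pool {pool} is shared by {', '.join(sorted(names))}: "
                            "ACLs cannot separate these groups by source address")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_vpngroups(SAMPLE_CONFIG):
        print(finding)
```
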

Thank you Andy,

I am going to try it today and see if it works.

BTW, what's the maximum number of VPN users this 515 PIX can support?

Thanks,

Paul Hong