Hello David,

You'll need to make use of AAA in your configuration.

Refer to http://www.cisco.com/warp/customer/707/index.shtml (CCO login required)

./bosire

--
_______________________________________________
+$;%+$;'+$;%+$;'+$;%+$;'+$;%+$;'+$;%+$;'+$;%+$

richard bosire
ccn[ap], ccd[ap], ccs[ae]

David Tran wrote:

> Hi Everyone,
>
> Perhaps someone in the group can help me with this problem.
> I have Cisco Pix515-UR (128MB RAM/16MB Flash) running PIX
> code 6.1(1) with Pix Device Manager (PDM) version 1.1(2).  This
> PIX is connected to my cable modem with STATIC IP address
> 129.174.1.13 on the outside interface.  The inside interface
> (which is my internal network) has an IP of 192.168.1.1
> with a netmask of 255.255.255.0.  On the internal network, I have
> a BSD box (IP 192.168.1.10), a Linux box (192.168.1.20), a
> Solarisx86 (IP 192.168.1.30) and a SCO Unix with IP 192.168.1.40
>
> I have successfully implemented VPN connection for remote users
> using Cisco VPN client 3.1.1 running on Win98, NT, 2000 and Linux
> to connect to the internal network.  Once these remote users are
> successfully connected, they can access all the devices on the
> internal network.
>
> I have 2 questions:
>
> 1) Let's say that I just want remote users to access just the BSD box
> and the Linux box but not the Solaris and SCO, how can I make this
> happen?  I know how to do that with Checkpoint Secure Remote
> (Checkpoint uses an encryption domain which specifies which devices a
> remote user is allowed to access).  How can I accomplish this
> in PIX?  For example, I just want remote users to ping the BSD
> and Linux boxes but not Solaris and SCO boxes.
>
> 2) I have 4 different remote users who connect to the internal network
> via VPN IPSec connection.  All of these users are using the same account
> (vpn3000) to connect back to the network.  From a security standpoint, this
> is bad practice.  How can I assign each of these users a different account in
> the configuration?  Again, I know how to do this with Checkpoint; however,
> I don't know how to get it done in PIX.
>
> Below is the configuration.  Please help.  thanks.
>
> PIX Version 6.1(1)
>  nameif ethernet0 outside security0
>  nameif ethernet1 inside security100
>  enable password OnTrBUG1Tp0edmkr encrypted
>  passwd 2KFQnbNIdI.2KYOU encrypted
>  hostname goss-d3-pix515b
>  domain-name micronetsolution.com
>  fixup protocol ftp 21
>  fixup protocol http 80
>  fixup protocol h323 1720
>  fixup protocol rsh 514
>  fixup protocol smtp 25
>  fixup protocol sqlnet 1521
>  fixup protocol sip 5060
>  fixup protocol skinny 2000
>  names
>  !
>  !--- Access-list to avoid Network Address Translation (NAT) on the IPSec packets
>  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
>  pager lines 24
>  interface ethernet0 auto
>  interface ethernet1 auto
>  mtu outside 1500
>  mtu inside 1500
>  !
>  !--- IP addresses on the interfaces
>  ip address outside 129.174.1.13 255.255.240.0
>  ip address inside 192.168.1.1 255.255.255.0
>  ip audit info action alarm
>  ip audit attack action alarm
>  ip local pool ippool 192.168.2.1-192.168.2.254
>  no failover
>  failover timeout 0:00:00
>  failover poll 15
>  failover ip address outside 0.0.0.0
>  failover ip address inside 0.0.0.0
>  pdm history enable
>  arp timeout 14400
>  !
>  !--- Binding ACL 101 to the NAT statement to avoid NAT on the IPSec packets
>  nat (inside) 0 access-list 101
>  !
>  !--- Default route to the Internet
>  route outside 0.0.0.0 0.0.0.0 129.174.1.1 1
>  timeout xlate 3:00:00
>  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
>  timeout uauth 0:05:00 absolute
>  aaa-server TACACS+ protocol tacacs+
>  aaa-server RADIUS protocol radius
>  http server enable
>  http 192.168.1.0 255.255.255.0 inside
>  no snmp-server location
>  no snmp-server contact
>  snmp-server community public
>  no snmp-server enable traps
>  floodguard enable
>  !
>  !--- The sysopt command avoids conduit on the IPSec encrypted traffic
>  sysopt connection permit-ipsec
>  no sysopt route dnat
>  !
>  !--- Phase 2 encryption type
>  crypto ipsec transform-set myset esp-des esp-md5-hmac
>  crypto dynamic-map dynmap 10 set transform-set myset
>  crypto map mymap 10 ipsec-isakmp dynamic dynmap
>  !
>  !--- Binding the IPSec engine on the outside interface
>  crypto map mymap interface outside
>  !
>  !--- Enabling ISAKMP key-exchange
>  isakmp enable outside
>  isakmp identity address
>  !
>  !--- ISAKMP Policy for 3000 VPN client running 3.0 or higher code
>  isakmp policy 10 authentication pre-share
>  isakmp policy 10 encryption des
>  isakmp policy 10 hash md5
>  isakmp policy 10 group 2
>  isakmp policy 10 lifetime 86400
>  !
>  !--- IPSec group configuration for either VPN client
>  vpngroup vpn3000 address-pool ippool
>  vpngroup vpn3000 dns-server 192.168.1.10
>  vpngroup vpn3000 default-domain micronetsolution.com
>  vpngroup vpn3000 idle-time 1800
>  vpngroup vpn3000 password ********
>  telnet timeout 5
>  ssh timeout 5
>  terminal width 80

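
The fragment below is an added example for readers of this thread; it is not part of Richard's reply, David's posted configuration, or any Cisco document. It shows what "use AAA" looks like on PIX 6.x syntax for David's second question (per-user credentials through IKE Extended Authentication, xauth, against a RADIUS server) and adds the PIX-side enforcement for his first question (only the BSD and Linux boxes reachable from the VPN pool). Assumptions: a RADIUS server runs on the BSD box 192.168.1.10 and shares a secret with the PIX (placeholder below), and the AAA server tag "vpnusers" and the ACL name "outside_in" are arbitrary. Everything else (pool, group name, transform set, isakmp policy) is David's existing configuration, left as posted.

```cisco
! Added example, not from the original thread. PIX 6.x syntax.
! Assumed: RADIUS on 192.168.1.10, shared secret supplied by the admin,
! tag "vpnusers" and ACL name "outside_in" are arbitrary names.

! --- Question 2: one account per remote user.
!     The vpngroup name/password stays the IKE pre-shared key for the
!     group; xauth then forces each user to authenticate individually
!     against RADIUS before mode-config hands out a pool address.
aaa-server vpnusers protocol radius
aaa-server vpnusers (inside) host 192.168.1.10 <radius-shared-secret> timeout 5
crypto map mymap client authentication vpnusers

! --- Question 1: let VPN users reach only the BSD and Linux boxes.
!     "sysopt connection permit-ipsec" lets every decrypted packet bypass
!     the outside interface ACL, so turn it off and filter the pool.
no sysopt connection permit-ipsec

! Remote users get 192.168.2.x from "ippool". Permit ping (and ssh, as an
! illustration) only to the two allowed hosts.
access-list outside_in permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.10
access-list outside_in permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.20
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 22
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.20 eq 22
! Implicit deny at the end: 192.168.1.30 (Solaris) and 192.168.1.40 (SCO)
! are not reachable from the pool.
access-group outside_in in interface outside
```

Two caveats. First, `vpngroup vpn3000 split-tunnel 101` is the nearest PIX analogue of a Checkpoint encryption domain, but it only tells the client which destinations to send through the tunnel; it is honoured client-side and is not enforcement, so the outside ACL above is what actually restricts access. Second, once `sysopt connection permit-ipsec` is off, anything the VPN users need that is not in `outside_in` (DNS to 192.168.1.10, for example, which the vpngroup advertises as dns-server) also has to be permitted explicitly, or it will be dropped.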



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27785&t=27759
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]