Suggested prerequisite reading:
»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall

Note:
All of the following sample configurations assume the ASA or PIX Firewall uses a static public IP address. Typically you assign one address from the IP block provided by your ISP to the ASA or PIX Firewall outside interface. A static address on the VPN concentrator (the ASA or PIX Firewall in this case) is considered best practice: remote clients and site-to-site peers are configured with that exact address as their peer, and a change would break every tunnel until all of them are updated. Keep in mind that these samples reflect the PIX 6.3 / ASA 7.x era: the IKE policies use MD5 hashing and 3DES, and the Cisco VPN Client itself is long end-of-life. Use them for the command structure and choose current algorithms (SHA-2, AES, a stronger Diffie-Hellman group) on a production device.

Sample Configuration of IPSec VPN Concentrator

When you plan to have a PIX or ASA firewall act as both firewall and VPN concentrator, the following are sample configurations.

Assumptions:
* The 1st LAN subnet is 192.168.0.0/24, with 192.168.0.1 (the PIX inside interface) as its default gateway
* There is also 10.0.0.0/8 as a 2nd LAN subnet, reachable from the PIX or ASA firewall via 192.168.0.2
* Remote users VPN into the PIX using the Cisco VPN Client software, creating an ESP-based IPSec VPN tunnel
* There are separate subnets for VPN users. In these sample configurations, 192.168.1.0/24 is for VPN users logged in as Admin and 192.168.2.0/24 is for VPN users logged in as Sales
* Note that you cannot use the same subnet for both the LAN and the VPN users: the firewall must route VPN-user addresses into the tunnel, and it cannot do that consistently if the same addresses also appear as directly connected on the inside interface
* VPN users receive no default gateway for the LAN subnet once the IPSec VPN tunnel is established; the VPN Client software on the user's PC takes care of directing LAN-bound traffic into the tunnel (it installs routes for the split-tunnel networks through its virtual adapter), so nothing has to be configured on the PC by hand
* There are multiple VPN groups, one for Admin users and another for Sales users. This lets the PIX or ASA firewall distinguish one class of user from another
* When Admin users wish to VPN in as Admin, they must use the Admin VPN group credential, which consists of the correct PIX or ASA firewall public IP address, the group name and the group password
* As a general rule, every setting in the PIX or ASA firewall must match the corresponding setting in the VPN Client software: the VPN group credentials, routing, and the subnets permitted in the split-tunnel ACL. Even a slight mismatch will cause connection problems
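To check the points in this list mechanically, here is an added example (Python, not part of the original FAQ) that parses a constructed config fragment modelled on the OS 6.3 sample below. The names VPN-Admin, the pool admin and the addresses follow the samples; the parser and the checks are assumptions covering only the small subset of PIX syntax the fragment uses, not a full config parser.

```python
"""Consistency checks for a PIX 6.3 remote-access VPN config.

Added example, not from the original FAQ. Parses a constructed fragment
(modelled on the sample configs) and checks the points the assumption
list makes: the client pool must not overlap the inside LAN, the
split-tunnel and no-NAT ACLs must cover the pool, the vpngroup must
reference an existing pool, and the ISAKMP policy must be one the
Cisco VPN Client can negotiate.
"""
import ipaddress
import re

# Constructed fragment; the names and addresses follow the sample config.
SAMPLE_CONFIG = """\
object-group network VPN-Admin
network-object 192.168.1.0 255.255.255.0
access-list 10 remark Split Tunnel for VPN Admin
access-list 10 permit ip any object-group VPN-Admin
access-list nonat permit ip any object-group VPN-Admin
ip address inside 192.168.0.1 255.255.255.0
ip local pool admin 192.168.1.1-192.168.1.254
nat (inside) 0 access-list nonat
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
vpngroup Admin address-pool admin
vpngroup Admin split-tunnel 10
snmp-server community public
"""


def parse_config(text):
    """Pull out only the statements the checks below need."""
    cfg = {"objects": {}, "acls": {}, "pools": {}, "groups": {},
           "isakmp": {}, "inside": None, "nonat_acl": None, "snmp": []}
    obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object-group network (\S+)$", line):
            obj = m[1]
            cfg["objects"][obj] = []
        elif m := re.match(r"network-object (\S+) (\S+)$", line):
            cfg["objects"][obj].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"access-list (\S+) (?:permit|deny) ", line):
            # Record every object-group the entry references (source or destination).
            cfg["acls"].setdefault(m[1], []).extend(re.findall(r"object-group (\S+)", line))
        elif m := re.match(r"ip address inside (\S+) (\S+)$", line):
            cfg["inside"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nonat_acl"] = m[1]
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            cfg["isakmp"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"vpngroup (\S+) (address-pool|split-tunnel) (\S+)$", line):
            cfg["groups"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"snmp-server community (\S+)$", line):
            cfg["snmp"].append(m[1])
    return cfg


def check_config(cfg):
    """Return a list of (severity, message); an empty list means no findings."""
    findings = []
    for name, grp in cfg["groups"].items():
        pool = cfg["pools"].get(grp.get("address-pool", ""))
        if pool is None:
            findings.append(("error", f"vpngroup {name}: address-pool is missing or undefined"))
            continue
        # Assumption list: the VPN pool and the LAN must be different subnets.
        if cfg["inside"] is not None and any(addr in cfg["inside"] for addr in pool):
            findings.append(("error", f"vpngroup {name}: pool {pool[0]}-{pool[1]} "
                                      f"overlaps inside subnet {cfg['inside']}"))
        # The split-tunnel ACL and the nat 0 ACL must both name a network that contains
        # the pool; otherwise client traffic is either not tunnelled or gets translated.
        covering = {o for o, nets in cfg["objects"].items()
                    if any(pool[0] in n and pool[1] in n for n in nets)}
        for label, acl in (("split-tunnel", grp.get("split-tunnel")), ("nat 0", cfg["nonat_acl"])):
            if not covering & set(cfg["acls"].get(acl, [])):
                findings.append(("error", f"vpngroup {name}: {label} ACL {acl!r} does not cover the pool"))
    for pol, attrs in sorted(cfg["isakmp"].items()):
        if attrs.get("group") == "1":
            findings.append(("error", f"isakmp policy {pol}: DH group 1; the Cisco VPN Client "
                                      "with pre-shared keys negotiates group 2"))
        if attrs.get("hash") == "md5":
            findings.append(("warn", f"isakmp policy {pol}: MD5 hash; prefer sha"))
        if attrs.get("encryption") in ("des", "3des"):
            findings.append(("warn", f"isakmp policy {pol}: {attrs['encryption']} encryption; prefer AES"))
    if "public" in cfg["snmp"]:
        findings.append(("warn", "snmp-server community public: default community string left in place"))
    return findings


if __name__ == "__main__":
    for severity, message in check_config(parse_config(SAMPLE_CONFIG)):
        print(f"{severity:5} {message}")
```

Run against the fragment above it reports the DH group 1 line as an error (the 6.3 sample in section 2 and the ASA samples already use group 2) and flags MD5 and the default SNMP community; the pool, split-tunnel and nat 0 checks pass because 192.168.1.0/24 is outside the inside subnet and is named by both ACLs.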

1. Single VPN User Group without external AAA Server

* Remote users VPN in using a specific group authentication credential, which in this sample configuration is Admin as the group name and ******** as the group password, as set by the vpngroup Admin password ******** command
* VPN users who log in as Admin receive an IP address from the admin range 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet)
* There is no external AAA (Authentication, Authorization, and Accounting) server, i.e. no TACACS+/RADIUS server; the shared group password is the only credential, so every remote user looks the same to the firewall and anyone who obtains the group password can connect
* SSH to the PIX/ASA itself is authenticated against the local username database in the OS version 6.3 sample configuration (aaa authentication ssh console LOCAL), whereas the OS version 7.0 or above sample configuration has no aaa authentication ssh console command and relies on the login password alone

PIX Firewall configuration running OS version 6.3

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
domain-name yournetwork.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network VPN-Admin
network-object 192.168.1.0 255.255.255.0
access-list 10 remark Split Tunnel for VPN Admin
access-list 10 permit ip any object-group VPN-Admin
access-list nonat remark No NAT within VPN tunnel
access-list nonat permit ip any object-group VPN-Admin
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool admin 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authorization command LOCAL 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set myset20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset10
crypto dynamic-map dynmap 20 set transform-set myset20
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Admin address-pool admin
vpngroup Admin dns-server 192.168.0.2
vpngroup Admin wins-server 192.168.0.3
vpngroup Admin default-domain yournetwork.com
vpngroup Admin split-tunnel 10
vpngroup Admin idle-time 1800
vpngroup Admin password ********
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
username Admin password ***** encrypted privilege 15
terminal width 80
 

ASA/PIX Firewall Sample Configuration running OS version 7.0 or above

ASA Version 7.2(3) 
!
hostname asa
domain-name yournetwork.com
enable password ***** encrypted
names
dns-guard
!
interface FastEthernet0/0
 description Internet
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
passwd ***** encrypted
ftp mode passive
object-group network VPN-Admin  
network-object 192.168.1.0 255.255.255.0
access-list 10 remark Split Tunnel for VPN Admin  
access-list 10 permit ip any object-group VPN-Admin  
access-list nonat remark No NAT within VPN tunnel  
access-list nonat permit ip any object-group VPN-Admin
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool admin 192.168.1.1-192.168.1.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1  
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1  
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
service resetoutside
crypto ipsec transform-set myset10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set myset20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset10
crypto dynamic-map dynmap 20 set transform-set myset20
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy Admin internal
group-policy Admin attributes
 dns-server value 192.168.0.2
 wins-server value 192.168.0.3
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 10
 default-domain value yournetwork.com
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
 address-pool admin
 default-group-policy Admin
tunnel-group Admin ipsec-attributes
 pre-shared-key *
prompt hostname context 
 

2. Multiple VPN User Groups with external AAA Server

* Remote users VPN in using a specific group authentication credential, which in this sample configuration is either Admin or Sales
* VPN users who log in as Admin receive an IP address from the admin range 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet). Similarly, VPN users who log in as Sales receive an IP address from the sales range 192.168.2.1 to 192.168.2.254 (the 192.168.2.0/24 subnet)
* A TACACS+/RADIUS server at 192.168.0.204 provides the AAA (Authentication, Authorization, and Accounting) functionality for all remote users
Note: check out the following FAQ for more info on TACACS and RADIUS
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
* The TACACS+ service controls configuration management access to the PIX/ASA itself (telnet, ssh and enable), with per-command authorization through aaa authorization command TACACS+
* The RADIUS service controls production access (the LAN) for remote VPN users
* The aaa authentication match command authenticates remote users against RADIUS when their traffic matches the admin or sales ACL, i.e. traffic sourced from one of the VPN pools arriving inbound. On PIX 6.3 this is cut-through proxy authentication: the user is prompted on the first Telnet, FTP or HTTP connection through the firewall and the result is cached for the timeout uauth period (5 minutes absolute in these samples). It authenticates traffic passing through the firewall, not the IKE session itself; per-user authentication of the VPN Client login (Xauth) on PIX 6.3 is a separate command, crypto map mymap client authentication RADIUS, which these samples do not include
* The aaa authorization match command authorizes each authenticated remote user's access according to what the AAA server returns for that user
* The aaa accounting match command records the connections made by remote users, tagged with their RADIUS user name, so that activity can be traced to an individual rather than to a shared group password
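The RADIUS exchange these commands rely on, as an added example (Python, not from the original FAQ): the firewall, acting as the NAS, sends an Access-Request with the user's PAP password hidden under the shared secret, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS must verify before trusting it. The shared secret cisco matches the sample aaa-server lines; the user names, passwords and the in-memory user table are constructed, and a real server and the PIX exchange more attributes than shown here.

```python
"""Minimal RFC 2865 PAP exchange between a NAS (the PIX) and a RADIUS server.

Added example, not from the original FAQ. Both sides run in one process so
the exchange works offline; the shared secret matches the sample aaa-server
line. User names and passwords are constructed.
"""
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"cisco"   # key from 'aaa-server RADIUS (inside) host 192.168.0.204 cisco'
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; anyone holding the secret and the request can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value attributes; length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, nas_ip, secret=SHARED_SECRET, authenticator=None):
    """NAS side: Code 1, random 16-byte Request Authenticator, hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(packet, users, secret=SHARED_SECRET):
    """Server side: recover the PAP password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("User-Name and User-Password are required")
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in users and password == users[user].encode()
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def verify_response(response, request, secret=SHARED_SECRET):
    """NAS side: only trust a reply whose identifier and authenticator check out."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def pap_login(username, password, users, nas_ip="192.168.0.1"):
    """One round trip; True only for a verified Access-Accept."""
    request = build_access_request(7, username, password, nas_ip)
    response = server_handle(request, users)
    return verify_response(response, request) and response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    USERS = {"jdoe": "correct horse battery"}   # constructed stand-in for the server's user store
    print("jdoe / good password:", pap_login("jdoe", "correct horse battery", USERS))
    print("jdoe / bad password: ", pap_login("jdoe", "wrong", USERS))
```

Two things the code makes visible that the commands hide: the password hiding is a reversible XOR keyed by MD5 of the shared secret, so a short dictionary secret such as cisco lets anyone who captures the Access-Request recover user passwords; and the NAS must check the Response Authenticator, or a spoofed Access-Accept from the inside network would be taken at face value.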

PIX Firewall configuration running OS version 6.3

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
domain-name yournetwork.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network VPN-Admin
network-object 192.168.1.0 255.255.255.0
object-group network VPN-Sales
network-object 192.168.2.0 255.255.255.0
object-group network Sales-Network
network-object 10.0.0.0 255.255.254.0
access-list 10 remark Split Tunnel for VPN Admin
access-list 10 permit ip any object-group VPN-Admin
access-list 20 remark Split Tunnel for VPN Sales
access-list 20 permit ip any object-group VPN-Sales
access-list nonat remark No NAT within VPN tunnel
access-list nonat permit ip any object-group VPN-Admin
access-list nonat permit ip any object-group VPN-Sales
access-list admin remark Permitable Subnet for Admin to access
access-list admin permit ip object-group VPN-Admin any
access-list sales remark Permitable Subnet for Sales to access
access-list sales permit ip object-group VPN-Sales object-group Sales-Network
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool admin 192.168.1.1-192.168.1.254
ip local pool sales 192.168.2.1-192.168.2.254
pdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.168.0.204 cisco timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.0.204 cisco timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authentication match admin inbound RADIUS
aaa authentication match sales inbound RADIUS
aaa authorization command TACACS+
aaa authorization match admin inbound RADIUS
aaa authorization match sales inbound RADIUS
aaa accounting match admin inbound RADIUS
aaa accounting match sales inbound RADIUS
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set myset20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset10
crypto dynamic-map dynmap 20 set transform-set myset20
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Admin address-pool admin
vpngroup Admin dns-server 192.168.0.2
vpngroup Admin wins-server 192.168.0.3
vpngroup Admin default-domain yournetwork.com
vpngroup Admin split-tunnel 10
vpngroup Admin idle-time 1800
vpngroup Admin password ********
vpngroup Sales address-pool sales
vpngroup Sales dns-server 192.168.0.2
vpngroup Sales wins-server 192.168.0.3
vpngroup Sales default-domain yournetwork.com
vpngroup Sales split-tunnel 20
vpngroup Sales idle-time 1800
vpngroup Sales password ********
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
terminal width 80
 

3. Single VPN User Group with external Windows Active Directory Domain Controller Server

* Remote users VPN in using a specific group authentication credential, which in this sample configuration is Admin as the group name, as defined by the tunnel-group Admin type ipsec-ra command, and ******** as the group password, as set by the pre-shared-key * line under tunnel-group Admin ipsec-attributes
* VPN users who log in as Admin receive an IP address from the admin range 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet)
* Starting with OS version 7.0, the AAA server protocols NT (Microsoft Windows Active Directory Domain Controller), LDAP (RFC 4510), Kerberos (RFC 4120) and SDI (RSA SecurID) are available as alternatives to TACACS+ and RADIUS
* In this sample configuration, an external Microsoft Windows Active Directory Domain Controller is the primary authentication server for remote users; each user supplies an individual domain user name and password (Xauth) on top of the group pre-shared key
* The Microsoft authentication system is defined by the aaa-server NT_DOMAIN commands, which specify the protocol, the Domain Controller name and its IP address
* When the Domain Controller is unavailable or unreachable, the local credentials defined by the username Admin1 password ***** encrypted privilege 15 and username Admin2 password ***** encrypted privilege 15 commands are used as a fallback to authenticate remote users. The fallback applies only when the server cannot be reached; a password the Domain Controller rejects is not retried against the local database
* This fallback is defined by the authentication-server-group NT_DOMAIN LOCAL line under tunnel-group Admin general-attributes. The group-lock value Admin lines restrict the two local users to the Admin tunnel group, so the fallback accounts cannot be used to log in as Sales
* The Sales remote user group authenticates the same way, but without any fallback to local credentials
* Telnet and SSH to the PIX/ASA itself are not authenticated against a user database here (there is no aaa authentication ... console command), and Telnet is not permitted from any host because no telnet line allowing one exists. Note that Admin1 and Admin2 carry privilege 15: they are meant only as VPN fallback credentials, but if aaa authentication ssh console LOCAL is added later they become full administrative logins as well

ASA/PIX Firewall Sample Configuration running OS version 7.0 or above

ASA Version 7.2(3) 
!
hostname asa
domain-name yournetwork.com
enable password ***** encrypted
names
dns-guard
!
interface FastEthernet0/0
 description Internet
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
passwd ***** encrypted
ftp mode passive
object-group network VPN-Admin  
network-object 192.168.1.0 255.255.255.0
object-group network VPN-Sales  
network-object 192.168.2.0 255.255.255.0
object-group network Sales-Network  
network-object 10.0.0.0 255.255.254.0  
access-list 10 remark Split Tunnel for VPN Admin  
access-list 10 permit ip any object-group VPN-Admin  
access-list 20 remark Split Tunnel for VPN Sales  
access-list 20 permit ip object-group Sales-Network object-group VPN-Sales
access-list nonat remark No NAT within VPN tunnel  
access-list nonat permit ip any object-group VPN-Admin
access-list nonat permit ip any object-group VPN-Sales
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool admin 192.168.1.1-192.168.1.254
ip local pool sales 192.168.2.1-192.168.2.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1  
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1  
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 192.168.0.2
 nt-auth-domain-controller DomainController1
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
service resetoutside
crypto ipsec transform-set myset10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set myset20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset10
crypto dynamic-map dynmap 20 set transform-set myset20
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy Admin internal
group-policy Admin attributes
 dns-server value 192.168.0.2
 wins-server value 192.168.0.3
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 10
 default-domain value yournetwork.com
group-policy Sales internal  
group-policy Sales attributes  
 dns-server value 192.168.0.2  
 wins-server value 192.168.0.3  
 vpn-idle-timeout 1440  
 split-tunnel-policy tunnelspecified  
 split-tunnel-network-list value 20
 default-domain value yournetwork.com  
username Admin1 password ***** encrypted privilege 15
username Admin1 attributes
 vpn-group-policy Admin
 group-lock value Admin
username Admin2 password ***** encrypted privilege 15
username Admin2 attributes
 vpn-group-policy Admin
 group-lock value Admin
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
 address-pool admin
 authentication-server-group NT_DOMAIN LOCAL
 default-group-policy Admin
tunnel-group Admin ipsec-attributes
 pre-shared-key *
tunnel-group Sales type ipsec-ra
tunnel-group Sales general-attributes
 address-pool sales
 authentication-server-group NT_DOMAIN
 default-group-policy Sales
tunnel-group Sales ipsec-attributes
 pre-shared-key *
prompt hostname context 
 

Notes:

* Because the PIX or ASA firewall is also the Internet gateway for the LAN, remote users almost always connect from behind a NAT/PAT device of their own (a home router, a hotel network), so isakmp nat-traversal is needed: IKE detects the NAT in the path and switches ESP to UDP encapsulation. Internet access for the LAN machines is provided by the global (outside) 1 / nat (inside) 1 pair, and the nat (inside) 0 access-list nonat line exempts LAN-to-VPN-client traffic from that translation so the tunnel carries the real addresses

* When the PIX or ASA firewall is dedicated to serving only as a VPN concentrator, the global 1 / nat 1 pair might not be necessary. Keep isakmp nat-traversal whenever remote users can sit behind a NAT device, which is the normal case

* Remote users can choose whether to enable transparent tunneling in the Cisco VPN Client. When it is enabled, ESP is encapsulated in UDP (port 4500 by default), which lets the VPN traffic pass through any NAT/PAT device in between. This is useful whenever a NAT/PAT device sits in the path or when ESP (IP protocol 50) is not permitted through. Whether a remote user can reach the LAN and the Internet at the same time is a separate matter, decided by the split-tunnel ACL (access-list 10 and 20 above) rather than by the encapsulation

* As you may notice, a configuration backed by external authentication servers (TACACS+/RADIUS or a Domain Controller) is more secure and accountable: each remote user proves an individual identity in addition to the shared group password, access can be limited per user, and the accounting records show who connected and when. With the group password alone (section 1) the firewall cannot tell one user from another, and revoking one person's access means changing the password for everyone

* All the samples leave snmp-server community public in place. Change it to a non-default string, or remove SNMP altogether if it is not used

* The idle timers use different units: vpngroup ... idle-time 1800 on OS 6.3 is in seconds (30 minutes), while vpn-idle-timeout 1440 on OS 7.0 and above is in minutes (24 hours). Set the value you actually intend

* When your network does not currently have an AAA server, you can set one up for free. Check out this FAQ for details.
»Cisco Forum FAQ »Are there Free TACACS+ or RADIUS authentication software to secure my router?

* If specific remote users must authenticate with a specific AAA server, you can simply modify the AAA commands to do so. The following illustrates this with a separate RADIUS server for each group
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.168.0.203 cisco timeout 10
aaa-server RADIUS-ADMIN protocol radius
aaa-server RADIUS-ADMIN max-failed-attempts 3
aaa-server RADIUS-ADMIN deadtime 10
aaa-server RADIUS-ADMIN (inside) host 192.168.0.204 cisco timeout 10
aaa-server RADIUS-SALES protocol radius
aaa-server RADIUS-SALES max-failed-attempts 3
aaa-server RADIUS-SALES deadtime 10
aaa-server RADIUS-SALES (inside) host 192.168.0.205 cisco timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authentication match admin inbound RADIUS-ADMIN
aaa authentication match sales inbound RADIUS-SALES
aaa authorization command TACACS+
aaa authorization match admin inbound RADIUS-ADMIN
aaa authorization match sales inbound RADIUS-SALES
aaa accounting match admin inbound RADIUS-ADMIN
aaa accounting match sales inbound RADIUS-SALES
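For the transparent tunneling note above, here is an added example (Python, not from the original FAQ) of what the UDP encapsulation of RFC 3948 looks like on the wire and how to tell the three kinds of datagram apart on UDP port 4500, which is what a capture filter or a detection rule for this traffic has to do. The datagrams are constructed inline and the SPIs and payload bytes are made up. The first one uses IKE exchange type 4 because the Cisco VPN Client's group authentication with a pre-shared key runs IKEv1 aggressive mode; that is one more reason to make the group password long and random and to layer the per-user authentication of sections 2 and 3 on top of it.

```python
"""Demultiplex UDP/500 and UDP/4500 datagrams: IKE, UDP-encapsulated ESP, NAT keepalive.

Added example, not from the original FAQ. RFC 3948 puts a four-zero-byte
"non-ESP marker" in front of IKE on port 4500, sends ESP with its SPI first
(an SPI of zero is reserved, so the two never collide) and uses a single
0xFF byte as the NAT keepalive. The sample datagrams below are constructed.
"""
import struct
from collections import Counter

# Initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"
EXCHANGE_TYPES = {2: "identity protection (main mode)", 4: "aggressive", 32: "quick mode", 34: "IKE_SA_INIT"}


def parse_ike(data):
    """Decode the fixed ISAKMP/IKE header; the payloads after it are left alone."""
    if len(data) < IKE_HEADER.size:
        return {"kind": "malformed", "reason": "short IKE header"}
    i_spi, r_spi, _next, version, exch, _flags, _msg_id, length = IKE_HEADER.unpack(data[:IKE_HEADER.size])
    return {
        "kind": "ike",
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "phase1_complete": r_spi != bytes(8),   # responder SPI is zero in the very first message
        "declared_length": length,
        "length_ok": length == len(data),
    }


def classify_datagram(dst_port, payload):
    """Classify one UDP payload the way the decoder on the VPN concentrator would."""
    if dst_port == 500:
        return parse_ike(payload)
    if dst_port != 4500:
        return {"kind": "other", "port": dst_port}
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike(payload[4:])
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "short ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": f"{spi:08x}", "seq": seq}


def summarize(datagrams):
    """Count datagram kinds; a useful first pass over a capture of port 4500 traffic."""
    return Counter(classify_datagram(port, data)["kind"] for port, data in datagrams)


def build_ike(exch, r_spi=bytes(8), body=b""):
    """Constructed IKEv1 message with a made-up initiator SPI."""
    i_spi = bytes.fromhex("0a1b2c3d4e5f6071")
    return IKE_HEADER.pack(i_spi, r_spi, 0, 0x10, exch, 0, 0, IKE_HEADER.size + len(body)) + body


SAMPLE_DATAGRAMS = [
    (500, build_ike(4, body=b"\x00" * 40)),                                  # aggressive-mode first message
    (4500, NON_ESP_MARKER + build_ike(32, bytes.fromhex("7766554433221100"), b"\x00" * 60)),  # quick mode after NAT detected
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 40),                # UDP-encapsulated ESP, sequence 1
    (4500, struct.pack("!II", 0xC0FFEE01, 2) + b"\x00" * 40),                # UDP-encapsulated ESP, sequence 2
    (4500, b"\xff"),                                                         # NAT keepalive
    (4500, b"\x00\x00\x00\x00\x01"),                                         # truncated: marker but no IKE header
]

if __name__ == "__main__":
    for port, data in SAMPLE_DATAGRAMS:
        print(port, classify_datagram(port, data))
    print(summarize(SAMPLE_DATAGRAMS))
```

The same logic is what a firewall or IDS in the path needs in order to apply ESP inspection to port 4500 traffic: the marker tells it whether it is looking at IKE or at an ESP packet whose payload is opaque, and a keepalive on its own is one byte.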
 

Sample Configuration of PPTP or L2TP Windows VPN Concentrator and Others
»Cisco Forum FAQ »Configure router and ASA/PIX Firewall to support various VPN technologies

Comparable Sample Configuration
»Cisco Forum FAQ »Configuring Juniper SRX as Internet Firewall and IPSec VPN Concentrator


by Covenant, edited by aryoba
last modified: 2012-08-02 09:31:08