How to add and remove VPN users from a PIX Firewall
These instructions assume that a VPN Group has already been configured on the PIX.
TELNET to the PIX (telnet sends the telnet and enable passwords in clear text, so only connect from the trusted inside network, and use SSH instead where the PIX OS version in use supports it)
telnet PIX_LAN_IP
<enter telnet password>
pixfirewall> enable
<enter enable password>
pixfirewall#
Check the current configuration by viewing the running configuration:
pixfirewall# show running-config
On older versions of PIX OS an alternative command is used:
pixfirewall# write terminal
Hit the spacebar to page down through the configuration until the commands starting "vpngroup" are seen, e.g.:
vpngroup userA address-pool vpn-client-pool1
vpngroup userA dns-server 192.168.1.10
vpngroup userA split-tunnel no_nat
vpngroup userA idle-time 1800
vpngroup userA password h2JkLLdhh
Using the following template in a text editor, substitute the new VPN Group name and VPN Group password, and also substitute the other placeholder values shown in upper case (the address pool, the split-tunnel access list, and the DNS and WINS server addresses).
vpngroup USERNAME address-pool POOLNAME
vpngroup USERNAME split-tunnel SPLIT_TUNNEL_ACL
vpngroup USERNAME idle-time 1800
vpngroup USERNAME password PASSWORD
vpngroup USERNAME dns-server DNS_SERVER_IP
vpngroup USERNAME wins-server WINS_SERVER_IP
So to add a new group (remote12 in this example), take the template lines filled in for remote12 and add them to the PIX as follows:
pixfirewall# configure terminal
pixfirewall(config)# vpngroup remote12 address-pool vpn-client-pool1
pixfirewall(config)# vpngroup remote12 split-tunnel no_nat
pixfirewall(config)# vpngroup remote12 idle-time 1800
pixfirewall(config)# vpngroup remote12 password df4KLw88
pixfirewall(config)# vpngroup remote12 dns-server 192.168.1.10
pixfirewall(config)# vpngroup remote12 wins-server 192.168.1.10
pixfirewall(config)# exit
Check that the new group has been added correctly by looking at the running configuration again, using the spacebar to page down through the file. Note that the vpngroup password appears in clear text in the running configuration, so treat any saved or captured copy of the configuration as sensitive.
pixfirewall# show running-config
To save the changes use the following command:
pixfirewall# copy running-config startup-config
pixfirewall# exit
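As an added example (not part of the original how-to), the following Python script automates the template step and the verification step above: it renders the vpngroup lines for a new group, rejects names and passwords that the PIX prompt would mangle, parses a captured "show running-config" to list the groups that already exist, and reports any lines that did not take. It assumes only the command syntax shown on this page plus the usual Cisco "no <command>" form for removing a line; the group names, addresses and the running-config excerpt are constructed sample data.

```python
"""Build, check and remove PIX 6.x 'vpngroup' blocks.

Added example; not part of the original how-to. It assumes only the vpngroup
command syntax shown on the page plus the usual Cisco 'no <command>' form for
removing a line. Group names, addresses and the running-config excerpt below
are constructed sample data.
"""
import re
from dataclasses import dataclass

# Whitespace would split the argument at the PIX prompt and '?' invokes the
# CLI's context help instead of being typed, so neither may appear in a group
# name or group password.
_UNSAFE = re.compile(r"[\s?]")

# 'vpngroup <name> <keyword> [value]' as it appears in 'show running-config'.
_VPNGROUP_LINE = re.compile(r"^vpngroup\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed excerpt of 'show running-config' with one existing group.
SAMPLE_RUNNING_CONFIG = """\
hostname pixfirewall
ip local pool vpn-client-pool1 10.10.10.1-10.10.10.50
vpngroup userA address-pool vpn-client-pool1
vpngroup userA dns-server 192.168.1.10
vpngroup userA split-tunnel no_nat
vpngroup userA idle-time 1800
vpngroup userA password h2JkLLdhh
"""


@dataclass
class VpnGroup:
    """One vpngroup block, with the fields of the page's template."""
    name: str
    password: str
    address_pool: str
    split_tunnel_acl: str
    dns_server: str
    wins_server: str = ""      # optional; the line is omitted when empty
    idle_time: int = 1800      # seconds

    def __post_init__(self):
        for label, value in (("name", self.name), ("password", self.password)):
            if not value or _UNSAFE.search(value):
                raise ValueError(f"vpngroup {label} must be non-empty with no whitespace or '?'")
        if self.idle_time <= 0:
            raise ValueError("idle-time must be a positive number of seconds")

    def attributes(self):
        """(keyword, value) pairs in the order the page's template uses."""
        attrs = [
            ("address-pool", self.address_pool),
            ("split-tunnel", self.split_tunnel_acl),
            ("idle-time", str(self.idle_time)),
            ("password", self.password),
            ("dns-server", self.dns_server),
        ]
        if self.wins_server:
            attrs.append(("wins-server", self.wins_server))
        return attrs

    def config_lines(self):
        """The configuration-mode lines that define this group."""
        return [f"vpngroup {self.name} {key} {value}" for key, value in self.attributes()]

    def removal_lines(self):
        """Assumed 'no' form of each line, for removing the group again."""
        return [f"no {line}" for line in self.config_lines()]

    def cli_script(self, remove=False):
        """Whole session from 'configure terminal' to saving the config."""
        body = self.removal_lines() if remove else self.config_lines()
        return ["configure terminal", *body, "exit", "copy running-config startup-config"]


def parse_vpngroups(running_config):
    """Map group name -> {keyword: value} from 'show running-config' text."""
    groups = {}
    for raw in running_config.splitlines():
        match = _VPNGROUP_LINE.match(raw.strip())
        if match:
            name, keyword, value = match.groups()
            groups.setdefault(name, {})[keyword] = (value or "").strip()
    return groups


def missing_lines(running_config, group):
    """Lines of `group` not present verbatim in the running config
    (an empty list means the add was applied completely)."""
    present = {line.strip() for line in running_config.splitlines()}
    return [line for line in group.config_lines() if line not in present]


if __name__ == "__main__":
    remote12 = VpnGroup("remote12", "df4KLw88", "vpn-client-pool1", "no_nat",
                        "192.168.1.10", "192.168.1.10")
    print("existing groups:", sorted(parse_vpngroups(SAMPLE_RUNNING_CONFIG)))
    print("\n".join(remote12.cli_script()))
    after = SAMPLE_RUNNING_CONFIG + "\n".join(remote12.config_lines()) + "\n"
    print("missing after add:", missing_lines(after, remote12))
```

Paste the output of cli_script() into the PIX session at the enable prompt, then capture "show running-config" and feed it to missing_lines() to confirm every line took. Because the captured configuration contains the group password in clear text, keep the capture out of shared drives and ticket systems.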