If I have clients accessing an internal network via VPN tunnels to the PIX, can I restrict what resources they can access by applying ACLs IN the PIX, AFTER the tunnel? I'm looking to allow external customers into the network via PIX VPN but then want to restrict their access.
Thanks for the help!
Mike, by simply creating different VPN groups and applying a different ACL for each group, you can restrict what they access. For example:
access-list vendor1 permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
(172.16.1.0 is the ip local pool network: ip local pool vpnpool 172.16.1.1 172.16.1.254)
This allows vendor 1 to access host 10.10.10.1 only.
access-list vendor2 permit ip host 10.10.10.2 172.16.1.0 255.255.255.0
(This allows vendor 2 to access 10.10.10.2 only.)
vpngroup vendor1 password ******
vpngroup vendor1 split-tunnel vendor1
vpngroup vendor1 address-pool vpnpool
Don't forget your no-nat ACL, which should include both lines from the vendor1 and vendor2 ACLs:
access-list nonat permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
access-list nonat permit ip host 10.10.10.2 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
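As an added example (not part of the answer above), here is a small Python checker that parses the PIX-style lines shown in the answer and reports, per vpngroup, which inside hosts a client from the pool is permitted to reach, and which split-tunnel entries the nat 0 ACL fails to cover. The configuration it reads is constructed for the example and deliberately omits the vendor2 line from the nonat ACL so the gap check has something to find; only the `host A` and `A MASK` endpoint forms are parsed.

```python
import ipaddress
# Constructed sample config modelled on the answer above; vendor2 is left out of nonat on purpose.
PIX_CONFIG = """
ip local pool vpnpool 172.16.1.1 172.16.1.254
access-list vendor1 permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
access-list vendor2 permit ip host 10.10.10.2 172.16.1.0 255.255.255.0
access-list nonat permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup vendor1 split-tunnel vendor1
vpngroup vendor1 address-pool vpnpool
vpngroup vendor2 split-tunnel vendor2
vpngroup vendor2 address-pool vpnpool
"""

def _net(t, i):
    """Parse one ACL endpoint at token i, 'host A' or 'A MASK'; returns (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((t[i], t[i + 1])), i + 2

def parse_config(text):
    """Return (acls, vpngroups, pools, nonat_acl_name) from PIX 6.x style config text."""
    acls, groups, pools, nonat = {}, {}, {}, None
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":                 # access-list NAME permit ip SRC DST
            src, i = _net(t, 4)
            acls.setdefault(t[1], []).append((t[2], src, _net(t, i)[0]))
        elif t[:3] == ["ip", "local", "pool"]:    # ip local pool NAME FIRST LAST
            pools[t[3]] = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif t[0] == "vpngroup" and t[2] != "password":
            groups.setdefault(t[1], {})[t[2]] = t[3]
        elif t[:3] == ["nat", "(inside)", "0"]:   # nat (inside) 0 access-list NAME
            nonat = t[4]
    return acls, groups, pools, nonat

def reachable_from(cfg, group, client_ip):
    """Inside networks a client holding client_ip from the group's pool may reach."""
    acls, groups, pools, _ = cfg
    lo, hi = pools[groups[group]["address-pool"]]
    ip = ipaddress.ip_address(client_ip)
    if not lo <= ip <= hi:
        return set()                              # address is not from this group's pool
    return {str(src) for action, src, dst in acls[groups[group]["split-tunnel"]]
            if action == "permit" and ip in dst}

def nonat_gaps(cfg, group):
    """Split-tunnel entries no nat 0 ACL entry covers; that traffic would be NATed, not tunnelled."""
    acls, groups, _, nonat = cfg
    return [(str(src), str(dst)) for _, src, dst in acls[groups[group]["split-tunnel"]]
            if not any(src.subnet_of(s) and dst.subnet_of(d) for _, s, d in acls.get(nonat, []))]
```

Run against a real configuration by replacing `PIX_CONFIG` with the output of `show running-config`; a non-empty `nonat_gaps` result for any group is the mistake the answer warns about.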