PIX with clients VPNing in: Can I restrict access via ACLs?

Answered Question

If I have clients accessing an internal network via VPN tunnels to the PIX, can I restrict what resources they can access by applying ACLs IN the PIX, AFTER the tunnel? I'm looking to allow external customers into the network via PIX VPN but then want to restrict their access.

Thanks for the help!

Mike.

Correct Answer by 3gleister, Sat, 03/03/2007 - 16:42

Mike, by simply creating different VPN groups and applying a different ACL for each group, you can restrict what they access. For example:

access-list vendor1 permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
ip local pool vpnpool 172.16.1.1 172.16.1.254

(172.16.1.0 is the ip local pool network.) This allows vendor 1 to access host 10.10.10.1 only.

access-list vendor2 permit ip host 10.10.10.2 172.16.1.0 255.255.255.0

(This allows vendor 2 to access 10.10.10.2 only.)

then

vpngroup vendor1 password ******
vpngroup vendor1 split-tunnel vendor1
vpngroup vendor1 address-pool vpnpool

Don't forget your no-nat ACL, which should include both lines from the vendor1 and vendor2 ACLs:

access-list nonat permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
access-list nonat permit ip host 10.10.10.2 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat

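A way to sanity-check the per-vendor lists before pushing them to the box, as an added example that is not part of the thread or of any Cisco tool: a small Python evaluator for the classic PIX 6.x access-list syntax used in the answer above. It assumes the semantics of that syntax (real subnet masks rather than IOS wildcard masks, first matching entry wins, implicit deny at the end of every list) and only the `ip` protocol form shown in the thread; the ACL text is the constructed sample from the answer. It tells you what each list matches, which is useful for confirming that a vendor group's split-tunnel ACL scopes that vendor to the one inside host and the pool, and nothing broader such as `any`.

```python
"""Evaluate PIX 6.x style access-list entries offline (added example, not from the thread).

Assumptions (not taken from the page): masks are subnet masks, entries are
matched in order, and unmatched traffic hits an implicit deny.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network mask" form; PIX takes a real subnet mask here, which ipaddress accepts
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Collect 'access-list NAME permit|deny ip SRC DST' lines into {name: [Entry, ...]}."""
    acls = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        if proto != "ip":          # this evaluator only handles the 'ip' form used in the thread
            raise ValueError(f"unsupported protocol in: {raw}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(name, []).append(Entry(action, src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """Return 'permit' or 'deny' for one flow; first match wins, else implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


# Constructed sample: the per-vendor split-tunnel ACLs from the accepted answer.
SAMPLE_CONFIG = """
access-list vendor1 permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
access-list vendor2 permit ip host 10.10.10.2 172.16.1.0 255.255.255.0
"""

ACLS = parse_acls(SAMPLE_CONFIG)


def vendor_reach(acl_name, inside_host, client_ip):
    """Does the named group's ACL match inside_host <-> client_ip (pool address)?"""
    return evaluate(ACLS[acl_name], inside_host, client_ip)


if __name__ == "__main__":
    for name in ("vendor1", "vendor2"):
        for host in ("10.10.10.1", "10.10.10.2", "10.10.10.3"):
            print(f"{name}: {host} <-> 172.16.1.5 = {vendor_reach(name, host, '172.16.1.5')}")
```

Run it as a script to see the full matrix; every combination other than vendor1/10.10.10.1 and vendor2/10.10.10.2 should come back "deny". Feed it your real `show access-list` output (the `ip` entries) to catch a list that accidentally widens a vendor's reach.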
Vivek Santuka Sat, 03/03/2007 - 07:35

Hi Mike,

We can do that if you are authenticating the clients via a radius server.

Cisco AV pair (026/009/001) can be used and if you are using Cisco ACS then the downloadable ACLs feature can be used.

Regards,

Vivek

