PIX 7.2 - Internet for some vpn users only

Unanswered Question
Mar 8th, 2007
User Badges:

Folks


I will upgrade a PIX 6.3 to a PIX 7.2.


Current behavior (with PIX 6.3) is that none of the remote VPN users clients connecting to the PIX can access the internet since split tunneling is disable.


But once the upgrade is completed, the customer requires that a new group of users VPNing the network be able to go back to the internet.


Therefore, I would like to know if it is feasible to have 2 vpn profiles where in profile A, its users vpn the network and only be granted access to the internal LAN (no internet whatsoever) whereas for profile B, its users can access LAN and access internet too.


Your thoughts are more than welcome.


Thanks in advance, JB


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
brugmanjorge Fri, 03/09/2007 - 00:15
User Badges:

Thanks, but what I am looking for is to find a way to block internet to some users VPNing from home, so split-tunnel-policy tunnelall helps to redirect all the traffic to the PIX but, how do I block internet traffic then, given that there will be another group of users that will have internet access when VPNing but accessing the internet from the PIX?


PIX 7.2 will be the version I will work the configuration


Some examples will be more than welcome.


Thanks, JB

acomiskey Fri, 03/09/2007 - 05:43
User Badges:
  • Green, 3000 points or more

That's exactly what I answered. Tunnelall does send everything over the tunnel and therefore not to the internet, unless you are doing outside nat like in the post below. The other group can be set up for split tunnel or public internet on a stick (outside nat).

kaachary Fri, 03/09/2007 - 01:58
User Badges:
  • Cisco Employee,

Hi,


You need to create two groups with separate pools.


One group is allowed to access the internet, because PIX has a natting/patting rule for its pool to go out.


nat (outside) 1

global (outside) i interface


The other group users would not be able to access the Internet as PIX would not have a NAT rule for their pool.


*Please rate if helped.


-Kanishka

brugmanjorge Fri, 03/09/2007 - 08:35
User Badges:

Will do later. I still have not completed this mandate.


Thx

brugmanjorge Tue, 03/13/2007 - 10:51
User Badges:

Just guys to not let you hanging in there, I was able to configure the PIX with 7.2 in order to have 2 profiles and 1 of them to go back out to the internet.


This post gave me a good idea and also found an example on the web site for internet access without split tunneling.



acomiskey Tue, 03/13/2007 - 10:58
User Badges:
  • Green, 3000 points or more

I thought that's what my first post told you. Glad it worked out.

Actions

This Discussion