03-08-2007 04:29 PM - edited 02-21-2020 02:54 PM
Folks
I will upgrade a PIX 6.3 to a PIX 7.2.
Current behavior (with PIX 6.3) is that none of the remote VPN clients connecting to the PIX can access the internet, since split tunneling is disabled.
But once the upgrade is completed, the customer requires that a new group of users VPNing into the network be able to go back out to the internet.
Therefore, I would like to know if it is feasible to have 2 VPN profiles where, in profile A, its users VPN into the network and are only granted access to the internal LAN (no internet whatsoever), whereas for profile B, its users can access the LAN and the internet too.
Your thoughts are more than welcome.
Thanks in advance, JB
03-08-2007 05:19 PM
Sure, you will have a group policy for each tunnel-group, one with split tunnelling and one with tunnel all. Or with version 7 you can do public internet on a stick.
03-09-2007 12:15 AM
Thanks, but what I am looking for is a way to block internet access for some users VPNing from home. split-tunnel-policy tunnelall helps redirect all the traffic to the PIX, but how do I block internet traffic then, given that there will be another group of users that will have internet access when VPNing, but reaching the internet from the PIX?
PIX 7.2 will be the version I will work the configuration on.
Some examples would be more than welcome.
Thanks, JB
03-09-2007 05:43 AM
That's exactly what I answered. Tunnelall sends everything over the tunnel and therefore not to the internet, unless you are doing outside NAT like in the post below. The other group can be set up for split tunnel or public internet on a stick (outside NAT).
03-09-2007 01:58 AM
Hi,
You need to create two groups with separate pools.
One group is allowed to access the internet, because the PIX has a NAT/PAT rule for its pool to go out.
nat (outside) 1
global (outside) 1 interface
The other group's users would not be able to access the Internet, as the PIX would not have a NAT rule for their pool.
*Please rate if helped.
-Kanishka
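Putting the two answers above together (tunnelall for both groups, outside NAT only for the group that may reach the internet), here is an added PIX 7.2 configuration example. It is not from the thread or from Cisco documentation; the interface names, LAN range 10.1.1.0/24, pool ranges, object names and pre-shared keys are made-up placeholders, and the existing crypto isakmp / crypto dynamic-map configuration carried over from the 6.3 remote-access setup is assumed and not repeated.

```cisco
! Added example (not from the thread): PIX 7.2 remote-access VPN with two
! tunnel-groups. All addresses, names and keys are made up for illustration.
! Assumes inside LAN 10.1.1.0/24 and an existing ISAKMP/dynamic crypto map.

! Let decrypted VPN traffic turn around and leave the outside interface again
! ("internet on a stick"); without this, hairpinned traffic is dropped.
same-security-traffic permit intra-interface

! One address pool per profile so NAT and filtering can tell them apart.
ip local pool POOL-LANONLY 192.168.100.1-192.168.100.100 mask 255.255.255.0
ip local pool POOL-INTERNET 192.168.101.1-192.168.101.100 mask 255.255.255.0

! NAT exemption: LAN <-> both pools must not be translated.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Outside NAT for profile B only: its pool is PATed to the outside interface
! address when it hairpins back out. Pool A has no nat (outside) entry, so with
! nat-control enabled (the default after a 6.3 upgrade) its internet-bound
! packets have no translation and are dropped.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (outside) 1 192.168.101.0 255.255.255.0
global (outside) 1 interface

! Belt and braces for profile A: a vpn-filter that permits only the LAN, so the
! block does not depend on NAT behaviour or on nat-control staying enabled.
! ACEs are written with the client pool as source and the protected network
! as destination (my reading of the vpn-filter convention; verify on your image).
access-list VPNFILTER-LANONLY extended permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPNFILTER-LANONLY extended deny ip any any

! Profile A: everything goes through the tunnel, but only the LAN is reachable.
group-policy GP-LANONLY internal
group-policy GP-LANONLY attributes
 split-tunnel-policy tunnelall
 vpn-filter value VPNFILTER-LANONLY
 dns-server value 10.1.1.10

! Profile B: everything also goes through the tunnel (no split tunneling on the
! client), and the outside NAT above lets it reach the internet via the PIX.
group-policy GP-INTERNET internal
group-policy GP-INTERNET attributes
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.10

! One tunnel-group per profile; the group name the client is configured with
! selects which one (and therefore which pool and policy) it lands in.
tunnel-group LANONLY type ipsec-ra
tunnel-group LANONLY general-attributes
 address-pool POOL-LANONLY
 default-group-policy GP-LANONLY
tunnel-group LANONLY ipsec-attributes
 pre-shared-key LanOnlyKey123

tunnel-group INTERNET type ipsec-ra
tunnel-group INTERNET general-attributes
 address-pool POOL-INTERNET
 default-group-policy GP-INTERNET
tunnel-group INTERNET ipsec-attributes
 pre-shared-key InternetKey456
```

The security-relevant point is that internet access for profile B is granted by adding a translation (nat (outside) 1 plus global (outside) 1 interface) and the intra-interface permit, while profile A is denied by the absence of such a translation and, explicitly, by its vpn-filter. Relying on the missing NAT rule alone is fragile: if someone later disables nat-control or adds a broader nat (outside) statement, pool A would silently gain internet access, which is why the filter is worth keeping. After connecting a client from each group, show vpn-sessiondb remote confirms which group-policy and pool it received, and show xlate should show translations only for 192.168.101.x addresses.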
03-09-2007 08:35 AM
Will do later. I still have not completed this mandate.
Thx
03-13-2007 10:51 AM
Just so I don't leave you guys hanging: I was able to configure the PIX with 7.2 to have 2 profiles, with 1 of them able to go back out to the internet.
This post gave me a good idea, and I also found an example on the web site for internet access without split tunneling.
03-13-2007 10:58 AM
I thought that's what my first post told you. Glad it worked out.