481 Views | 9 Helpful | 7 Replies

PIX 7.2 - Internet for some vpn users only

brugmanjorge
Level 1

Folks

I will upgrade a PIX 6.3 to a PIX 7.2.

Current behavior (with PIX 6.3) is that none of the remote VPN client users connecting to the PIX can access the internet, since split tunneling is disabled.

But once the upgrade is completed, the customer requires that a new group of users VPNing into the network be able to go back out to the internet.

Therefore, I would like to know if it is feasible to have 2 VPN profiles where, in profile A, users VPN into the network and are only granted access to the internal LAN (no internet whatsoever), whereas in profile B, users can access the LAN and the internet too.

Your thoughts are more than welcome.

Thanks in advance, JB

7 Replies

acomiskey
Level 10

Sure, you will have a group policy for each tunnel-group, one with split tunnelling and one with tunnel all. Or with version 7 you can do public internet on a stick.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Thanks, but what I am looking for is a way to block internet access for some users VPNing from home. split-tunnel-policy tunnelall helps redirect all the traffic to the PIX, but how do I block internet traffic then, given that there will be another group of users that will have internet access when VPNing, accessing the internet through the PIX?

PIX 7.2 will be the version I will work on the configuration with.

Some examples will be more than welcome.

Thanks, JB

That's exactly what I answered. Tunnelall does send everything over the tunnel and therefore not to the internet, unless you are doing outside nat like in the post below. The other group can be set up for split tunnel or public internet on a stick (outside nat).

kaachary
Cisco Employee

Hi,

You need to create two groups with separate pools.

One group is allowed to access the internet, because the PIX has a natting/patting rule for its pool to go out:

nat (outside) 1 <INTERNET_POOL_NETWORK> <MASK>
global (outside) 1 interface

The other group's users would not be able to access the Internet, as the PIX would not have a NAT rule for their pool.

*Please rate if helped.

-Kanishka
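Putting the two replies above together (one group-policy per tunnel-group, separate address pools, and an outside NAT rule only for the pool that is allowed out), here is an added PIX 7.2 configuration sketch; it is not from the original thread or from Cisco. All names, pool ranges, the 10.0.0.0/24 LAN and the pre-shared-key placeholders are assumptions.

```cisco
! Added example, not from the thread. Constructed names and addresses.
! Needed so traffic entering on outside can leave on outside again (hairpinning)
same-security-traffic permit intra-interface
!
! One pool per profile so NAT (and therefore internet access) can be decided per pool
ip local pool POOL_LAN_ONLY 192.168.100.1-192.168.100.50 mask 255.255.255.0
ip local pool POOL_INTERNET 192.168.101.1-192.168.101.50 mask 255.255.255.0
!
! Outside PAT exists ONLY for the internet-allowed pool; POOL_LAN_ONLY has no rule
nat (outside) 1 192.168.101.0 255.255.255.0
global (outside) 1 interface
!
! Keep LAN <-> VPN traffic untranslated for both pools (assumed inside LAN 10.0.0.0/24)
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Profile A: tunnel everything, but its pool can never reach the internet (no NAT rule)
group-policy GP_LAN_ONLY internal
group-policy GP_LAN_ONLY attributes
 split-tunnel-policy tunnelall
 address-pools value POOL_LAN_ONLY
!
! Profile B: also tunnel everything; internet traffic hairpins out via the PAT rule above
group-policy GP_INTERNET internal
group-policy GP_INTERNET attributes
 split-tunnel-policy tunnelall
 address-pools value POOL_INTERNET
!
! One tunnel-group per profile, each with its own default group-policy
tunnel-group VPN_LAN_ONLY type ipsec-ra
tunnel-group VPN_LAN_ONLY general-attributes
 default-group-policy GP_LAN_ONLY
tunnel-group VPN_LAN_ONLY ipsec-attributes
 pre-shared-key <PSK_PLACEHOLDER_A>
!
tunnel-group VPN_INTERNET type ipsec-ra
tunnel-group VPN_INTERNET general-attributes
 default-group-policy GP_INTERNET
tunnel-group VPN_INTERNET ipsec-attributes
 pre-shared-key <PSK_PLACEHOLDER_B>
```

The VPN client's group name selects the tunnel-group, so which pool (and hence which NAT behaviour) a user gets is decided by the profile they connect with, not by anything on the client side.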

Will do later. I still have not completed this mandate.

Thx

Just so I don't leave you guys hanging: I was able to configure the PIX with 7.2 to have 2 profiles, with 1 of them able to go back out to the internet.

This post gave me a good idea, and I also found an example on the web site for internet access without split tunneling.

I thought that's what my first post told you. Glad it worked out.
