03-21-2007 07:33 AM - edited 02-21-2020 02:56 PM
Does anyone know if there is a way to restrict a user to access only a certain number of IP's through PIX when he/she is connecting through a VPN connection setup on the PIX itself ?
03-21-2007 04:10 PM
You need to configure split tunneling for this. Only the ip address defined in split tunnel ACL will be accessible by the vpn client.
E.G. You want to restrict the clients to access an inside server only, say 192.168.1.1, and the client pool is 10.1.1.1-10.1.1.10.
Create an ACL :
access-list split permit ip host 192.168.1.1 10.1.1.0 255.255.255.0
vpngroup
That should do it. To read more about split tunnel :
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1099471
*Please rate if it helped.
-Kanishka
03-22-2007 05:44 AM
You can also remove the "sysopt connection permit-ipsec" line, and define an inbound ACL to your outside interface.
In that ACL, filter out the traffic from the source IP address (client pool)
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: