Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
342
Views
0
Helpful
2
Replies

Restrict Access to certain IPs in VPN

vmbhatia2
Level 1
Level 1

‎03-21-2007 07:33 AM - edited ‎02-21-2020 02:56 PM

Does anyone know if there is a way to restrict a user to access only a certain number of IP's through PIX when he/she is connecting through a VPN connection setup on the PIX itself ?

Labels:
0 Helpful
2 Replies 2

kaachary
Cisco Employee
Cisco Employee

‎03-21-2007 04:10 PM

You need to configure split tunneling for this. Only the ip address defined in split tunnel ACL will be accessible by the vpn client.

E.G. You want to restrict the clients to access an inside server only, say 192.168.1.1, and the client pool is 10.1.1.1-10.1.1.10.

Create an ACL :

access-list split permit ip host 192.168.1.1 10.1.1.0 255.255.255.0

vpngroup split-tunnel split

That should do it. To read more about split tunnel :

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1099471

*Please rate if it helped.

-Kanishka

0 Helpful

alexandre.paradis
Level 1
Level 1
In response to kaachary

‎03-22-2007 05:44 AM

You can also remove the "sysopt connection permit-ipsec" line, and define an inbound ACL to your outside interface.

In that ACL, filter out the traffic from the source IP address (client pool)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents