Pix 501: Restrict vpn user access to internal lan

Jan 20th, 2009

Users connect to a Pix501, via vpn.

I want to restrict them to only access a webserver internally, via http.

I have read numerous posts on this issue, but none that match the Pix 501 setup we have. (Ver 6.3.5)

My vpn pool: / 24

Internal: / 24

Server to be accessed:

All authentication is done locally on the Pix. No AD or Radius integration is planned.

Is it at all possible?

Any help appreciated!

Best regards

Ole Vik

JORGE RODRIGUEZ Tue, 01/20/2009 - 10:52

Ole, it all depends. If you want ALL vpn users under your current tunnel group, without exception, to access only one destination host on port 80, sure it is possible; you would need to define it in your nonat access list and crypto acl.

It would be something like:

access-list nonat permit ip host

access-list permit tcp host eq 80

nat (inside) 0 access-list nonat

But if you then need to get more granular, such as permitting some users to the whole subnet and some just then it can not be possible with 6.3 code; you would need 7.x code or above to do per-user VPN filters.

A workaround perhaps with 6.3, if the need is to restrict access to just one host for certain VPN users but not all: I would think of creating another RA tunnel group with restrictions and adding users to that new tunnel group, and having a separate VPN tunnel group for accessing the whole network. This way you could have control of users' access per tunnel group.

If you ever think of upgrading your 501 to ASA5505 here is a link on vpn filters.
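A worked PIX 6.3 configuration of the approach described in this answer (one restricted tunnel group, nonat and split-tunnel ACLs limited to the web server), added here as an example and not part of the thread. All addresses and names are constructed; the enforcement of TCP/80 with an outside interface ACL and `no sysopt connection permit-ipsec` is an assumption added beyond the commands above, since a split-tunnel ACL only steers routing and does not by itself block other ports.

```cisco
! Constructed addressing (not from the thread):
!   VPN address pool   192.168.100.0/24
!   inside LAN         10.10.10.0/24
!   web server         10.10.10.80 (HTTP only)
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Identity NAT only between the VPN pool and the web server, so the rest
! of the inside LAN is not exempted from NAT toward the tunnel.
access-list nonat permit ip host 10.10.10.80 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel ACL pushed to the client: only the web server is routed
! into the tunnel. A second vpngroup can carry the full-LAN policy for
! the users who need it.
access-list split_webonly permit ip host 10.10.10.80 192.168.100.0 255.255.255.0
vpngroup webonly address-pool vpnpool
vpngroup webonly split-tunnel split_webonly
vpngroup webonly password <preshared-key-placeholder>

! Assumption: enforce the port restriction on the outside interface.
! Without "sysopt connection permit-ipsec" the decrypted traffic is
! checked against the outside ACL, so the ACL must also admit the
! IKE/ESP traffic to the PIX itself (add udp 4500 if NAT-T is enabled).
no sysopt connection permit-ipsec
access-list outside_in permit udp any host <pix-outside-ip-placeholder> eq isakmp
access-list outside_in permit esp any host <pix-outside-ip-placeholder>
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 10.10.10.80 eq www
access-group outside_in in interface outside
```

Verify the result from a connected client with `show access-list outside_in`: hit counts should rise only on the TCP/80 line, and any attempt to reach another inside host or port should be denied by the implicit deny at the end of the ACL.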



ov@ementor.no Tue, 01/27/2009 - 00:23

This didn't work. When the client connects, the Pix establishes a dynamic ACL, that overrides the one you specified. Any suggestions to why this happens?

