
Pix 501: Restrict vpn user access to internal lan

ov
Level 1

Users connect to a Pix501, via vpn.

I want to restrict them to only access a webserver internally, via http.

I have read numerous posts on this issue, but none that match the Pix 501 setup we have. (Ver 6.3.5)

My vpn pool: 192.168.200.0 / 24

Internal: 192.168.1.0 / 24

Server to be accessed: 192.168.1.250

All authentication is done locally on the Pix. No AD or Radius integration is planned.

Is it at all possible?

Any help appreciated!

Best regards

Ole Vik

3 Replies

JORGE RODRIGUEZ
Level 10

Ole, it all depends. If you want ALL VPN users under your current tunnel group, without exception, to access only one destination host, 192.168.1.250 on port 80, sure, it is possible; you would need to define it in your nonat access list and crypto ACL.

It would be something like:

access-list nonat permit ip host 192.168.1.250 192.168.200.0 255.255.255.0

access-list permit tcp host 192.168.1.250 192.168.200.0 255.255.255.0 eq 80

nat (inside) 0 access-list nonat

But if you then need to get more granular, such as permitting some users to the whole subnet 192.168.1.0/24 and some just to 192.168.1.250, then it is not possible with 6.3 code; you would need 7.x code and above to do per-user VPN filters.

A workaround with 6.3, perhaps, if you need to restrict certain VPN users, but not all, to just one host: I would think of creating another RA tunnel group with restrictions and adding users to that new tunnel group, and having a separate VPN tunnel group for accessing the whole 192.168.1.0/24 network. This way you could control user access per tunnel group.

If you ever think of upgrading your 501 to an ASA5505, here is a link on VPN filters.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Regards

Jorge Rodriguez
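
Added example, not part of the reply above and not Cisco code: a small Python model of how an extended access-list entry is matched, showing that an `eq 80` written after the destination is compared against the destination port, so the second entry as posted does not match the web server's replies (which have source port 80). The ACL name `vpn_http` (the posted line has none), the client address 192.168.200.10 and the ephemeral port are assumptions; this models entry matching only, not how PIX 6.3 applies a crypto or split-tunnel ACL.

```python
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src sport dst dport")

def _addr(tok):
    """Consume 'any', 'host A' or 'A MASK' (PIX ACLs use netmasks, not wildcards)."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def _port(tok):
    """Consume an optional 'eq N'; only a numeric 'eq' is modelled here."""
    if tok[:1] == ["eq"]:
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq N] DST [eq N]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry: " + line)
    rest = tok[4:]
    src, sport = _addr(rest), _port(rest)   # a port here is the SOURCE port
    dst, dport = _addr(rest), _port(rest)   # a port here is the DESTINATION port
    return Ace(tok[2], tok[3], src, sport, dst, dport)

def matches(ace, proto, sip, sport, dip, dport):
    """True if the packet 5-tuple matches the entry."""
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(sip) in ace.src
            and ipaddress.ip_address(dip) in ace.dst
            and ace.sport in (None, sport)
            and ace.dport in (None, dport))

# Constructed packet: the web server answering a VPN client from TCP port 80.
REPLY = ("tcp", "192.168.1.250", 80, "192.168.200.10", 51515)

POOL = "192.168.200.0 255.255.255.0"
NONAT = parse(f"access-list nonat permit ip host 192.168.1.250 {POOL}")
AS_POSTED = parse(f"access-list vpn_http permit tcp host 192.168.1.250 {POOL} eq 80")
PORT_ON_SERVER = parse(f"access-list vpn_http permit tcp host 192.168.1.250 eq 80 {POOL}")

if __name__ == "__main__":
    for name, ace in (("nonat", NONAT), ("as posted", AS_POSTED),
                      ("eq 80 after source", PORT_ON_SERVER)):
        print(f"{name:20} matches server reply: {matches(ace, *REPLY)}")
```
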

Thank you, I will give this a shot.

This didn't work. When the client connects, the Pix establishes a dynamic ACL that overrides the one you specified. Any suggestions as to why this happens?