01-20-2009 04:29 AM
Users connect to a PIX 501 via VPN.
I want to restrict them to only access a web server internally, via HTTP.
I have read numerous posts on this issue, but none that match the PIX 501 setup we have (ver 6.3.5).
My vpn pool: 192.168.200.0 / 24
Internal: 192.168.1.0 / 24
Server to be accessed: 192.168.1.250
All authentication is done locally on the Pix. No AD or Radius integration is planned.
Is it at all possible?
Any help appreciated!
Best regards
Ole Vik
01-20-2009 10:52 AM
Ole, it all depends. If you want ALL VPN users under your current tunnel group, without exception, to access only one destination host 192.168.1.250 on port 80, sure it is possible; you would need to define it in your nonat access list and crypto ACL.
It would be something like:
access-list nonat permit ip host 192.168.1.250 192.168.200.0 255.255.255.0
access-list
nat (inside) 0 access-list nonat
But if you then need to get more granular, such as permitting some users to reach the whole subnet 192.168.1.0/24 and some just 192.168.1.250, then it is not possible with 6.3 code; you would need 7.x code or above to do per-user VPN filters.
A workaround with 6.3, if the need is to restrict access to just one host for certain VPN users but not all: I would think of creating another RA tunnel group with restrictions and adding users to that new tunnel group, and having a separate VPN tunnel group for accessing the whole 192.168.1.0/24 network. This way you could control user access per tunnel group.
If you ever think of upgrading your 501 to an ASA5505, here is a link on VPN filters.
Regards
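An added PIX 6.3 configuration example (not from the poster above) showing the nonat and split-tunnel ACLs for the pool and server from the question, plus the outside interface ACL that enforces the tcp/80 restriction on the PIX itself once `sysopt connection permit-ipsec` is removed, so decrypted VPN traffic is filtered like any other inbound packet. The group name `vpnusers`, the ACL names, the pool range, the user name and the placeholder passwords are assumptions; the existing crypto map and isakmp policy are left unchanged.

```cisco
! Pool handed to remote-access clients (range is an assumption)
ip local pool vpnpool 192.168.200.1-192.168.200.254

! Exempt VPN-client traffic to the web server from NAT
access-list nonat permit ip host 192.168.1.250 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel ACL pushed to the client: only 192.168.1.250 is routed into the tunnel.
! This is advisory (client-side) only; the PIX does not enforce it.
access-list split-tunnel permit ip host 192.168.1.250 192.168.200.0 255.255.255.0

! Remote-access group; name and pre-shared key are placeholders
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers split-tunnel split-tunnel
vpngroup vpnusers password <GROUP-PRESHARED-KEY>

! Locally defined VPN user (no AD/RADIUS); name and password are placeholders
username olevik password <USER-PASSWORD> privilege 2

! Enforcement point: without permit-ipsec, decrypted VPN traffic is checked
! against the outside interface ACL, so only HTTP to the server gets through.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 192.168.200.0 255.255.255.0 host 192.168.1.250 eq www
access-list outside_in deny ip 192.168.200.0 255.255.255.0 any
access-group outside_in in interface outside
```

If an outside ACL already exists (for example for inbound statics), merge these two lines into it rather than replacing it, and verify with `show access-list outside_in` that the permit line's hit count rises while the deny line catches everything else from the pool.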
01-21-2009 06:51 AM
Thank you, I will give this a shot.
01-27-2009 12:23 AM
This didn't work. When the client connects, the PIX establishes a dynamic ACL that overrides the one you specified. Any suggestions as to why this happens?