Access control for different VPN user via PIX Firewall

Unanswered Question
Jan 1st, 2004

Hi there,


I have a PIX 501 implemented with IPSec VPN. Our customer would like to grant access control for different VPN users. They would allow a group of users to access the DB server, while the other VPN users cannot. May I ask whether there is any method to achieve this goal?


Thanks a lot,

David

sunilyk Thu, 01/01/2004 - 23:57

You can do it as follows:

Make two separate local IP pools.

Add statements to the access-list applied to the outside interface that allow one pool to reach the DB servers and deny the other pool access to them.

Also remove the sysopt statement:

no sysopt connection permit-ipsec


Regards,



shannong Sun, 01/04/2004 - 08:08

If you're using user authentication via RADIUS/TACACS+, you can use a single VPN group and IP pool and hand out an ACL per-user at the time of authentication.


If you're only using group name/password for VPN access, you'll need to use separate IP pools w/o the use of permit-ipsec as referenced by the other poster. Note that means you'll also need to create entries in your outside ACL for all traffic that should be allowed in from all VPN tunnels.
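A worked configuration for the pool-based approach both replies describe, added here as an illustration and not taken from either poster. It uses PIX 6.x syntax; the pool and group names, the 10.10.x.x pool ranges, the 192.168.1.0/24 inside network, the DB server address 192.168.1.10 and the TCP/1433 port are all assumed placeholders, and the existing crypto map and nat 0 configuration that already makes the tunnels work is assumed to be in place.

```cisco
: Two address pools, so each group of users lands in a distinct range the outside ACL can match on.
ip local pool dbpool 10.10.1.1-10.10.1.50
ip local pool stdpool 10.10.2.1-10.10.2.50

: Two VPN groups (group name/password authentication), one per pool. Passwords are placeholders.
vpngroup dbusers address-pool dbpool
vpngroup dbusers password ********
vpngroup stdusers address-pool stdpool
vpngroup stdusers password ********

: Outside ACL, evaluated first match. The DB pool may reach the DB server on the SQL port;
: the explicit deny keeps the other pool off the DB server before the broad permits that
: every tunnel needs once permit-ipsec is removed.
access-list outside_in permit tcp 10.10.1.0 255.255.255.0 host 192.168.1.10 eq 1433
access-list outside_in deny ip 10.10.2.0 255.255.255.0 host 192.168.1.10
access-list outside_in permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in permit ip 10.10.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_in in interface outside

: Without this, decrypted IPsec traffic bypasses the outside ACL and the entries above have no effect.
no sysopt connection permit-ipsec
```

Order matters: the deny for the second pool must sit above the general permit for that pool, otherwise the first-match permit lets its users reach the DB server anyway. Anything a VPN user should be able to reach but that is not covered by one of the permit lines is dropped once `no sysopt connection permit-ipsec` is in place, which is the point the second reply makes. The per-user ACL alternative via RADIUS/TACACS+ mentioned above is not shown here.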
