Cisco Support Community
New Member

Access control for different VPN user via PIX Firewall

Hi there,

I got a PIX 501 implemented with IPsec VPN. Our customer would like to grant access control for different VPN users. They would allow a group of users to access the DB server, while the other VPN users cannot access it. May I ask whether there is any method to achieve this goal?

thanks a lot

David

2 REPLIES
New Member

Re: Access control for different VPN user via PIX Firewall

You can do it as follows:

Make two separate local ip pools.

Add statements allowing one pool to reach the DB servers and denying the other pool access to the DB servers to the access-list which is applied to the outside interface.

Also remove the sysopt statement:

no sysopt connection permit-ipsec

Regards,

Silver
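The two-pool layout this reply describes, written out as an added PIX 6.x configuration fragment. This is an example, not configuration from the original thread, and every address and name in it is an assumption: the inside network is 10.1.1.0/24, the DB server is 10.1.1.10 listening on TCP 1433, the DB group gets 192.168.100.0/24 and everyone else gets 192.168.101.0/24.

```text
! Added example: PIX 6.x remote-access IPsec with two VPN groups and
! group-specific access to the DB server. All addresses and names are assumed.

! One address pool per group of users
ip local pool DBPOOL   192.168.100.1-192.168.100.50
ip local pool USERPOOL 192.168.101.1-192.168.101.50

! Two VPN groups; the group name/password chosen by the client selects the pool
vpngroup DBUSERS address-pool DBPOOL
vpngroup DBUSERS idle-time 1800
vpngroup DBUSERS password <db-group-key>
vpngroup OTHERS address-pool USERPOOL
vpngroup OTHERS idle-time 1800
vpngroup OTHERS password <other-group-key>

! Exempt traffic to both pools from NAT
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list NONAT

! IKE/IPsec for the remote-access clients
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set RA-SET esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set RA-SET
crypto map RAMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map RAMAP client configuration address initiate
crypto map RAMAP interface outside

! Without this, decrypted IPsec traffic bypasses the outside interface ACL
no sysopt connection permit-ipsec

! Outside ACL: first match wins, implicit deny at the end.
! DB group: SQL port on the DB server, nothing else on that host, rest of inside allowed.
access-list OUTSIDE_IN permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 1433
access-list OUTSIDE_IN deny   ip  192.168.100.0 255.255.255.0 host 10.1.1.10
access-list OUTSIDE_IN permit ip  192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
! Other group: DB server denied outright, rest of inside allowed.
access-list OUTSIDE_IN deny   ip  192.168.101.0 255.255.255.0 host 10.1.1.10
access-list OUTSIDE_IN permit ip  192.168.101.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```

Two things to check after applying this. First, `show access-list OUTSIDE_IN` shows a hit count per entry, so connect a client from each group, try the DB server, and confirm the deny line for the USERPOOL range is the one counting up. Second, the split is only as strong as the group password: whoever holds the DBUSERS group key lands in DBPOOL and gets DB access, so this is group-level, not user-level, control.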

Re: Access control for different VPN user via PIX Firewall

If you're using user authentication via RADIUS/TACACS+, you can use a single VPN group and IP pool and hand out an ACL per user at the time of authentication.

If you're only using group name/password for VPN access, you'll need to use separate IP pools without the use of permit-ipsec, as referenced by the other poster. Note that this means you'll also need to create entries in your outside ACL for all traffic that should be allowed in from all VPN tunnels.
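The per-user alternative from this reply, as an added example that is not from the original thread: one VPN group and one pool on the PIX, extended authentication (xauth) against RADIUS, and the per-user ACL delivered as Cisco AV pairs in the RADIUS Access-Accept. It assumes a PIX release that supports per-user ACLs via the `ip:inacl#` AV pair (6.2 or later), a FreeRADIUS server at 10.1.1.20 using the `users` file, the same 10.1.1.10 DB server on TCP 1433, and the names and secrets shown, all of which are placeholders.

```text
! Added example (not from the thread): one VPN group and pool, per-user ACL from RADIUS.
! Assumes PIX 6.2+ and a FreeRADIUS server at 10.1.1.20; all names/addresses assumed.

! --- PIX side ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.20 <radius-shared-secret> timeout 10

ip local pool VPNPOOL 192.168.100.1-192.168.100.100
vpngroup ALLUSERS address-pool VPNPOOL
vpngroup ALLUSERS idle-time 1800
vpngroup ALLUSERS password <group-key>

! After the group key, require an individual username/password (xauth) via RADIUS
crypto map RAMAP client authentication RADIUS
! (transform set, dynamic map, isakmp policy and 'crypto map RAMAP interface outside'
!  are the usual remote-access settings and are omitted here)

# --- RADIUS side: FreeRADIUS 'users' file, reply attributes are Cisco-AVPair VSAs ---
# dbadmin: SQL port on the DB server, nothing else on that host, rest of inside allowed
dbadmin  Cleartext-Password := "<password>"
         Cisco-AVPair = "ip:inacl#1=permit tcp any host 10.1.1.10 eq 1433",
         Cisco-AVPair += "ip:inacl#2=deny ip any host 10.1.1.10",
         Cisco-AVPair += "ip:inacl#3=permit ip any 10.1.1.0 255.255.255.0"

# jdoe: DB server denied, rest of inside allowed
jdoe     Cleartext-Password := "<password>"
         Cisco-AVPair = "ip:inacl#1=deny ip any host 10.1.1.10",
         Cisco-AVPair += "ip:inacl#2=permit ip any 10.1.1.0 255.255.255.0"
```

The ACE text inside each AV pair uses PIX access-list syntax (subnet masks, not wildcard masks), and the `#n` suffix fixes the order in which the PIX installs the entries. After a user connects, `show uauth` on the PIX lists the authenticated user and the ACL that was actually installed for that session, which is the place to confirm the RADIUS reply was parsed as intended. Because the decision is now tied to the xauth username rather than to which group key the client was given, two people sharing the ALLUSERS group key still get different access.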
