Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX feature

I have 2 groups of users: Management and Staff

These are the restrictions

Management:- NO access to VPN, Allow Surfing Internet

Staff:- Access to VPN only, no other internet access allowed

Does a Cisco Pix allow me to do that? If so, by what feature? ACL or etc?

New Member

Re: PIX feature

Split tunneling feature will fulfil your requirement

Re: PIX feature

Split-tunneling allows for certain traffic to be routed over the VPN and certain traffic to be routed out an interface unencrypted. This will not overall solve your problem. You would need to still apply ACLs upstream on the PIX to block Internet access for Staff and Management the split-tunnel wouldn't even apply. Static acls isn't scalable.

The feature you want to look at is AAA for Network Access (legacy IOS firewall it was called Auth-Proxy). This can be integrated with your Windows AD or RADIUS, etc. This can be further enhanced with Cisco ACS to use User downloaded acls (which can be specified at a group level).

Here is the link, look for the section Applying AAA for Network Access.

Please rate any helpful posts



CreatePlease login to create content