I currently have a PIX515E/R and I have a DMZ card that I am about to install. What I would like to do is allow some users to VPN in via the Cisco client to the DMZ and other users to VPN into the DMZ segment using the Cisco Client as well.
It's OK if the people on the inside interface can access the DMZ, but I don't want users who VPN into the DMZ segment to be able to reach the inside segment (unless we poke holes).
1) Can this be done?
2) Do I need two external addresses or just one?
3) If only one IP, then how does it know who is destined for which segment?
4) Are there any examples on how to do this, or what is unique about the config over normal VPN configs?
4. Assuming the reason to create two groups accessing the DMZ is different access levels: with the sample below, vpnclient_grp2 will only have access to three DMZ servers, whereas vpnclient_grp1 will have access to the entire DMZ. Both VPN client groups have no access to the inside.
Another point to note when designing/creating the VPN client pool: the address scheme should never overlap with any scheme that is already in use, such as the inside or DMZ. E.g., if the DMZ scheme is 10.1.1.0, then the VPN client pool shouldn't be 10.1.1.0 but any other private scheme.
! ACL 110: DMZ to both VPN pools, used as the NAT exemption list (nat 0)
access-list 110 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! ACL 120: split-tunnel list for group 1 - the entire DMZ subnet
access-list 120 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
! ACL 130: split-tunnel list for group 2 - only the three DMZ servers
access-list 130 permit ip host 10.1.1.100 192.168.2.0 255.255.255.0
access-list 130 permit ip host 10.1.1.101 192.168.2.0 255.255.255.0
access-list 130 permit ip host 10.1.1.102 192.168.2.0 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
ip local pool vpnpool_grp1 192.168.1.101-192.168.1.120
ip local pool vpnpool_grp2 192.168.2.101-192.168.2.120
nat (dmz) 0 access-list 110
! Tie each client group to its pool and split-tunnel list (PIX 6.x vpngroup syntax)
vpngroup vpnclient_grp1 address-pool vpnpool_grp1
vpngroup vpnclient_grp1 split-tunnel 120
vpngroup vpnclient_grp2 address-pool vpnpool_grp2
vpngroup vpnclient_grp2 split-tunnel 130
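The two design rules in the answer above (pools must not overlap any interface subnet, and each group's ACL decides which DMZ hosts its pool can reach) are easy to check mechanically before pushing a config. The script below is an added example, not code from the original post or from Cisco: it parses the `ip address`, `ip local pool` and `access-list ... permit ip` lines from a PIX-style config fragment, flags any pool that overlaps an interface subnet, and lists the DMZ sources an ACL permits for a given pool. The sample config reuses the answer's lines and adds two constructed entries: an inside interface address (192.168.100.1) and a deliberately bad pool (vpnpool_bad) that lands inside the DMZ subnet.

```python
import ipaddress
import re

# Constructed sample: the ACL/pool lines from the answer above, plus an
# assumed inside interface and one deliberately overlapping pool.
SAMPLE_CONFIG = """
access-list 110 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 130 permit ip host 10.1.1.100 192.168.2.0 255.255.255.0
access-list 130 permit ip host 10.1.1.101 192.168.2.0 255.255.255.0
access-list 130 permit ip host 10.1.1.102 192.168.2.0 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
ip local pool vpnpool_grp1 192.168.1.101-192.168.1.120
ip local pool vpnpool_grp2 192.168.2.101-192.168.2.120
ip local pool vpnpool_bad 10.1.1.101-10.1.1.120
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")


def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (interfaces, pools, acls) dicts extracted from the config fragment."""
    ifaces, pools, acls = {}, {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            # Interface address + mask -> the subnet the interface lives on
            ifaces[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := ACL_RE.match(line):
            src, rest = _parse_addr(m.group(2).split())
            dst, _ = _parse_addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return ifaces, pools, acls


def _range_hits_net(start, end, net):
    """True if the inclusive address range [start, end] shares any address with net."""
    return start <= net.broadcast_address and end >= net.network_address


def pool_overlaps(ifaces, pools):
    """List (pool, interface) pairs where a VPN pool overlaps an interface subnet."""
    return [
        (pname, iname)
        for pname, (start, end) in pools.items()
        for iname, net in ifaces.items()
        if _range_hits_net(start, end, net)
    ]


def dmz_targets(acls, acl_id, pool):
    """DMZ-side sources (as CIDR strings) that ACL acl_id permits towards the given pool."""
    start, end = pool
    targets = {str(src) for src, dst in acls.get(acl_id, []) if _range_hits_net(start, end, dst)}
    return sorted(targets)


if __name__ == "__main__":
    ifaces, pools, acls = parse_config(SAMPLE_CONFIG)
    print("overlapping pools:", pool_overlaps(ifaces, pools))
    print("ACL 120 reachable from grp1:", dmz_targets(acls, "120", pools["vpnpool_grp1"]))
    print("ACL 130 reachable from grp2:", dmz_targets(acls, "130", pools["vpnpool_grp2"]))
```

Running it reports vpnpool_bad as overlapping the dmz interface, shows group 1 reaching the whole 10.1.1.0/24 and group 2 reaching only the three hosts, and shows ACL 120 granting nothing to group 2's pool. The overlap test compares the pool's endpoints against each subnet's network and broadcast addresses rather than checking membership of a single address, so a pool that swallows an entire subnet is still caught.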