
VPN Client to Pix: How to filter access according to the group

I have 3 profiles (3 vpngroups) defined in the PIX 515, 6.2(2):

group1, which can go everywhere in the internal network (pool /16)

group2, which can only go to 3 internal servers (pool /16)

How can I do that?

I've been told I had to disable 'sysopt permit-ipsec' in order to "see" the decrypted packets on the outside interface.

Then I applied some ACLs on the outside interface, in order to allow/permit my vpn clients to go to the inside.

I also had some static:

static (inside, outside) internal_lan internal_lan netmask

This works!

But doing that has a side effect: the internal_lan cannot go to the Internet (with a nat/global) any more...

When I remove the static, the internal_lan can go to the Internet.

I don't know how to filter access according to the group a client belongs to. Any idea?


Re: VPN Client to Pix: How to filter access according to the group


Why not just make split tunnel network lists and push them to the clients, to make sure that they don't encrypt anything else and send it down the tunnel, basically restricting access for them.

If you are not using Split tunnel list, you can still use ACL on the inside interface (inbound or outbound) to restrict access as well.

To avoid NAT for IPSec traffic, you can use nat 0 with an ACL to select which traffic should or should not get NATed.
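The configuration below is an added illustration, not taken from either post or from Cisco documentation, of how the two ideas above fit together on a PIX 6.2: a nat 0 ACL exempts internal-LAN-to-VPN-pool traffic from NAT (so the static in the original post is no longer needed and the internal LAN keeps its nat/global path to the Internet), a per-group split-tunnel list limits what each client sends into the tunnel, and, because the original post already disables sysopt permit-ipsec, an outside ACL enforces the per-group restriction on the firewall itself by matching each group's address pool. All addresses, pool ranges, ACL names and group names are constructed placeholders; the three servers are 10.0.1.10, 10.0.1.11 and 10.0.1.12 and the internal LAN is 10.0.0.0/16.

```cisco
! Assumed addressing (constructed for this example):
!   internal LAN        10.0.0.0/16
!   group1 client pool  192.168.1.0/24
!   group2 client pool  192.168.2.0/24

! Separate pools per group, so the firewall can tell the groups apart by source address
ip local pool group1pool 192.168.1.1-192.168.1.254
ip local pool group2pool 192.168.2.1-192.168.2.254

! Keep normal Internet access for the internal LAN
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 interface

! nat 0: internal LAN talking to either VPN pool is not translated
! (this replaces the "static (inside,outside) internal_lan internal_lan" workaround)
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel lists pushed to the clients: only these destinations are encrypted
access-list group1_split permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list group2_split permit ip host 10.0.1.10 192.168.2.0 255.255.255.0
access-list group2_split permit ip host 10.0.1.11 192.168.2.0 255.255.255.0
access-list group2_split permit ip host 10.0.1.12 192.168.2.0 255.255.255.0

vpngroup group1 address-pool group1pool
vpngroup group1 split-tunnel group1_split
vpngroup group2 address-pool group2pool
vpngroup group2 split-tunnel group2_split

! The split-tunnel list only controls what the client chooses to encrypt.
! To have the PIX enforce the restriction, keep sysopt permit-ipsec disabled
! (as in the original post) so decrypted packets hit the outside ACL:
no sysopt connection permit-ipsec
access-list outside_in permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_in permit ip 192.168.2.0 255.255.255.0 host 10.0.1.10
access-list outside_in permit ip 192.168.2.0 255.255.255.0 host 10.0.1.11
access-list outside_in permit ip 192.168.2.0 255.255.255.0 host 10.0.1.12
! (IKE/ESP to the outside interface itself and any other existing inbound
!  entries must also be permitted here; the implicit deny drops everything else)
access-group outside_in in interface outside
```

Two points worth checking after applying something like this: `show xlate` should show no translation for internal hosts reaching the VPN pools once the nat 0 ACL is in place, while hosts reaching the Internet still get an xlate; and a group2 client trying a host outside the three servers should be dropped by the outside ACL (visible with logging on the deny), which is the check that the restriction is enforced by the firewall rather than only by the client's split-tunnel list.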

