VPN Client to Pix: How to filter access according to the group

I have 3 profiles (3 vpngroup) defined on the PIX 515, 6.2(2):

group1, which can go everywhere in the internal network (pool 10.1.0.0/16)

group2, which can only go to 3 internal servers (pool 10.2.0.0/16)

How can I do that?

I've been told I had to disable 'sysopt permit-ipsec' in order to "see" the decrypted packets on the outside interface.

Then I applied some ACLs on the outside interface, in order to allow/permit my vpn clients to go to the inside.

I also had some static:

static (inside, outside) internal_lan internal_lan netmask 255.255.255.0

This works!!!

But doing that has a side-effect: the internal_lan cannot go to the Internet (with a nat/global) any more...

When I remove the static, the internal_lan can go to the Internet.

I don't know how to filter access according to the group the client belongs to. Any idea?

1 REPLY

Re: VPN Client to Pix: How to filter access according to the group

hi,

why not just make split tunnel network lists and push them to the clients, to make sure that they don't encrypt anything else and send it down the tunnel, basically restricting access for them.

If you are not using a split tunnel list, you can still use an ACL on the inside interface (inbound or outbound) to restrict access as well.

To avoid NAT for IPsec traffic, you can use nat 0 with an ACL to select which traffic should or should not get NATed.

Thx

Afaq
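The approach in the reply (per-group split-tunnel lists plus nat 0 instead of the static), written out as an added PIX 6.2 configuration example; it is not the original poster's or the replier's config. The internal LAN 192.168.1.0/24 stands in for "internal_lan" and the three server addresses 192.168.1.10-12 are constructed placeholders.

```cisco
! Added example (PIX 6.2 syntax). Assumed addresses: 192.168.1.0/24 is the
! internal LAN ("internal_lan" in the question), .10/.11/.12 are the 3 servers.
ip local pool pool1 10.1.0.1-10.1.255.254
ip local pool pool2 10.2.0.1-10.2.255.254
!
! Split-tunnel lists: source = inside network the client may reach,
! destination = that group's client pool. The client encrypts only traffic
! that matches its list and sends everything else out its local interface.
access-list split1 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list split2 permit ip host 192.168.1.10 10.2.0.0 255.255.0.0
access-list split2 permit ip host 192.168.1.11 10.2.0.0 255.255.0.0
access-list split2 permit ip host 192.168.1.12 10.2.0.0 255.255.0.0
!
vpngroup group1 address-pool pool1
vpngroup group1 split-tunnel split1
vpngroup group2 address-pool pool2
vpngroup group2 split-tunnel split2
!
! NAT exemption for LAN-to-client traffic replaces the
! "static (inside,outside) internal_lan internal_lan" line, so the LAN keeps
! its nat/global path to the Internet for everything else.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
```

The split-tunnel list is a policy pushed to and applied by the VPN client, so to enforce group2's restriction on the PIX itself you still need the inside-interface ACL the reply mentions, or the outside-interface ACL with sysopt permit-ipsec disabled as the original poster did.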
