PIX with clients VPNing in: Can I restrict access via ACLs?

mmertens
Level 1

If I have clients accessing an internal network via VPN tunnels to the PIX, can I restrict what resources they can access by applying ACLs IN the PIX, AFTER the tunnel? I'm looking to allow external customers into the network via PIX VPN but then want to restrict their access.

Thanks for the help!

Mike.

Accepted Solution

3gleister
Level 1

Mike, by simply creating different VPN groups and applying a different ACL for each group, you can restrict what they access. For example:

access-list vendor1 permit ip host 10.10.10.1 172.16.1.0 255.255.255.0

(172.16.1.0 is the ip local pool network: ip local pool vpnpool 172.16.1.1 172.16.1.254)

This allows vendor 1 to access host 10.10.10.1 only

access-list vendor2 permit ip host 10.10.10.2 172.16.1.0 255.255.255.0

(this allows vendor 2 to access 10.10.10.2 only)

then

vpngroup vendor1 password ******

vpngroup vendor1 split-tunnel vendor1

vpngroup vendor1 address-pool vpnpool

Don't forget your no-nat ACL, which should include both lines from the vendor1 and vendor2 ACLs

access-list nonat permit ip host 10.10.10.1 172.16.1.0 255.255.255.0

access-list nonat permit ip host 10.10.10.2 172.16.1.0 255.255.255.0

nat (inside) 0 access-list nonat

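As an added consistency check (example code, not from the thread or from Cisco), the script below parses the PIX lines quoted in the accepted answer and verifies the two things that answer depends on: that each vpngroup's split-tunnel ACL covers the whole ip local pool, and that every vendor ACL entry also appears in the no-NAT ACL referenced by nat (inside) 0. The sample config is constructed from the answer; the vendor2 vpngroup line is an assumption added to mirror vendor1, and the nonat ACL deliberately omits the vendor2 entry so the audit has something to report.

```python
import ipaddress
# Constructed PIX config from the accepted answer; the vendor2 vpngroup is
# assumed, and the nonat ACL is missing the vendor2 line on purpose.
SAMPLE_CONFIG = """\
access-list vendor1 permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
access-list vendor2 permit ip host 10.10.10.2 172.16.1.0 255.255.255.0
access-list nonat permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
ip local pool vpnpool 172.16.1.1 172.16.1.254
vpngroup vendor1 split-tunnel vendor1
vpngroup vendor2 split-tunnel vendor2
nat (inside) 0 access-list nonat
"""

def _net(tokens):
    """Consume one PIX address spec ('host A', 'any' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]

def parse(config):
    """Collect ACL entries, vpngroup -> split-tunnel ACL, pool ranges and the nat 0 ACL name."""
    acls, groups, pools, nonat = {}, {}, [], None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            pools.append((ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5])))
        elif t[:1] == ["vpngroup"] and t[2:3] == ["split-tunnel"]:
            groups[t[1]] = t[3]
        elif t[:2] == ["nat", "(inside)"] and t[3:4] == ["access-list"]:
            nonat = t[4]
    return acls, groups, pools, nonat

def audit(config):
    """Return findings; an empty list means the per-group ACLs are consistent."""
    acls, groups, pools, nonat = parse(config)
    nonat_entries = set(acls.get(nonat, []))
    findings = []
    for group, acl in groups.items():
        if acl not in acls:
            findings.append(f"{group}: split-tunnel ACL {acl} is not defined")
            continue
        for src, dst in acls[acl]:
            # each vendor entry must reach the whole pool and be exempted from NAT
            if not all(lo in dst and hi in dst for lo, hi in pools):
                findings.append(f"{group}: {src} {dst} does not cover the VPN pool")
            if (src, dst) not in nonat_entries:
                findings.append(f"{group}: no-NAT ACL {nonat} lacks {src} {dst}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the missing vendor2 no-NAT entry; adding that line to the nonat ACL makes the audit return an empty list.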

2 Replies

Vivek Santuka
Cisco Employee

Hi Mike,

We can do that if you are authenticating the clients via a radius server.

Cisco AV pair (026/009/001) can be used, and if you are using Cisco ACS, the downloadable ACLs feature can be used.

Regards,

Vivek

