03-02-2007 03:02 PM - edited 07-03-2021 01:43 PM
If I have clients accessing an internal network via VPN tunnels to the PIX, can I restrict what resources they can access by applying ACLs IN the PIX, AFTER the tunnel? I'm looking to allow external customers into the network via PIX VPN but then want to restrict their access.
Thanks for the help!
Mike.
03-03-2007 04:42 PM
Mike, by simply creating different VPN groups and applying a different ACL for each group, you can restrict what they access. For example:

access-list vendor1 permit ip host 10.10.10.1 172.16.1.0 255.255.255.0

(172.16.1.0/24 is the ip local pool network: ip local pool vpnpool 172.16.1.1-172.16.1.254)

This allows vendor 1 to access host 10.10.10.1 only.

access-list vendor2 permit ip host 10.10.10.2 172.16.1.0 255.255.255.0

(This allows vendor 2 to access 10.10.10.2 only.)

Then:

vpngroup vendor1 password ******
vpngroup vendor1 split-tunnel vendor1
vpngroup vendor1 address-pool vpnpool

Don't forget your no-NAT ACL, which should include both lines from the vendor1 and vendor2 ACLs:

access-list nonat permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
access-list nonat permit ip host 10.10.10.2 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
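For reference, here is the same design written out as a complete PIX 6.3-style remote-access configuration for both vendor groups. This is an added example, not the configuration posted in the reply above: the group names, the 10.10.10.x hosts, the 172.16.1.0/24 pool, the map/transform-set names, the usernames and the pre-shared-key placeholders are all assumed for illustration, the IKE/IPsec parameters are one reasonable choice rather than anything the thread specifies, and the per-user XAUTH login against the LOCAL database is an addition on top of the group password. Comment lines use the colon form that the PIX writes into its own saved configurations.

```cisco
: Added example (not from the thread): two restricted vendor groups on a PIX 6.3.
: Names, addresses and keys are placeholders; replace them for a real deployment.

: Addresses handed out to remote-access clients (shared by both groups)
ip local pool vpnpool 172.16.1.1-172.16.1.254

: Per-group split-tunnel ACLs, written from the inside host toward the pool.
: vendor1 is tunnelled to 10.10.10.1 only; vendor2 to 10.10.10.2 only.
access-list vendor1 permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
access-list vendor2 permit ip host 10.10.10.2 172.16.1.0 255.255.255.0

: NAT exemption must cover every line of every group ACL; a missing line here
: means return traffic toward the pool gets translated and the tunnel breaks.
access-list nonat permit ip host 10.10.10.1 172.16.1.0 255.255.255.0
access-list nonat permit ip host 10.10.10.2 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat

: Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

: IKE phase 1 (shared by all groups)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: IPsec phase 2 and the dynamic crypto map for remote-access clients
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client authentication LOCAL
crypto map clientmap interface outside

: Per-user XAUTH accounts (assumed) so each vendor login is individually named
username vendor1user password <vendor1-user-password> privilege 0
username vendor2user password <vendor2-user-password> privilege 0

: One vpngroup per vendor; the group name is what the client enters as its group.
: Each group gets its own split-tunnel ACL, which is what limits what it can reach.
vpngroup vendor1 address-pool vpnpool
vpngroup vendor1 split-tunnel vendor1
vpngroup vendor1 idle-time 1800
vpngroup vendor1 password <vendor1-preshared-key>

vpngroup vendor2 address-pool vpnpool
vpngroup vendor2 split-tunnel vendor2
vpngroup vendor2 idle-time 1800
vpngroup vendor2 password <vendor2-preshared-key>
```

After applying this, `show vpngroup` lists both groups with their ACLs and pool, and `show access-list` shows hit counts climbing on the vendor1 or vendor2 lines as the respective client passes traffic; if a client connects but cannot reach its host, check the nonat ACL first, since the NAT exemption and the split-tunnel ACLs must stay in step whenever a host is added to either group.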
03-03-2007 07:35 AM
Hi Mike,
We can do that if you are authenticating the clients via a RADIUS server.
Cisco AV pair (026/009/001) can be used and if you are using Cisco ACS then the downloadable ACLs feature can be used.
Regards,
Vivek