
Multiple Client VPN tunnels on a Pix Firewall

rselmi
Level 1

One of my customers has multiple Client VPN tunnels on a Pix Firewall; each tunnel has restricted access to only some hosts. I would like to act in such a way that the remote client doesn't have internet and local network access directly while connected to the VPN.

How does the split tunneling have to be set?

2 Replies

The requirement is to maintain the limited access to assigned resources, from remote VPN clients to the local network, but disable access to the internet and to networks near the VPN clients. In Pix v.6.3.5 it is not possible (in my labs) to set a split tunnel and reduce internet access.

Example:

-------------------------------

access-list vpn-xx3 permit tcp object-group RDP-Server-xx3 eq 3389 object-group Clients-xx3-vpn

access-list vpn-xx3 permit tcp host 10.11.20.39 object-group Porte-1522-sqlnet object-group Clients-xx3-vpn

access-list vpn-xx3 permit tcp host 10.11.20.20 object-group Porte-1522-sqlnet object-group Clients-xx3-vpn

access-list vpn-xx3 deny ip any any

--------------------------------

reduces the access to resources, but the default gateway is the access router for the remote client.

When the split tunnel doesn't exist, the default gateway is the VPN peer.

Is it possible to unify the two features?
