Re: Pix 501: Restrict vpn user access to internal lan
Ole, it all depends. If you want ALL VPN users under your current tunnel group, without exception, to access only one destination host 192.168.1.250 on port 80, sure, it is possible; you would need to define it in your nonat access list and crypto ACL.
It would be something like:
access-list nonat permit ip host 192.168.1.250 192.168.200.0 255.255.255.0
But if you then need to get more granular, such as permitting some users to the whole subnet 192.168.1.0/24 and some to just 192.168.1.250, then it is not possible with 6.3 code; you would need 7.x code or above to do per-user VPN filters.
A workaround with 6.3, perhaps, if the need is to restrict access to just one host for certain VPN users but not all: I would think of creating another RA tunnel group with restrictions and adding users to that new tunnel group, and having a separate VPN tunnel group for accessing the whole 192.168.1.0/24 network. This way you could control users' access per tunnel group.
If you ever think of upgrading your 501 to an ASA5505, here is a link on VPN filters.