https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478123#M1057104 <HTML><HEAD></HEAD><BODY><P>Jackko,</P><P></P><P>I went with your suggestion and it works but not ideal in our situation. I need finer control so it seems Jarle's comments are more suitable to my environment.</P><P>Thank you again.</P><P></P><P></P></BODY></HTML> Thu, 21 Jul 2005 10:31:44 GMT ewong0088 2005-07-21T10:31:44Z https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478118#M1057032 <P>Hi there, </P><P></P><P>I have a PIX515E with 6.3(4) and a vpngroup running on it. This vpngroup is allowed to connect to one of our internal networks only and has been runing great. Now, I need to create another vpngroup so that this second group not only can connect to the same network as group one, but in addition, this group2 needs to be able to connect to additional networks. I just don't know how to handle the nat 0 statement for the second group. (all authentications are thru radius, not included). </P><P></P><P>Here's my set up(some irrelevant info excluded): </P><P></P><P>//Access List 1 </P><P>access-list vpnnonat permit ip 192.168.150.0 255.255.255.0 192.168.140.0 255.255.255.0 </P><P>ip local pool vpool 192.168.140.1-192.168.140.254 </P><P>ip local pool vpool-two 192.168.130.1-192.168.130.254 </P><P></P><P>//Access List 2 </P><P>access-list vnonat2 permit ip 192.168.150.0 255.255.255.0 192.168.130.0 255.255.255.0 </P><P>access-list vnonat2 permit ip 192.168.160.0 255.255.255.0 192.168.130.0 255.255.255.0 </P><P>access-list vnonat2 permit ip 192.168.170.0 255.255.255.0 192.168.130.0 255.255.255.0 </P><P>access-list vnonat2 permit ip 192.168.180.0 255.255.255.0 192.168.130.0 255.255.255.0 </P><P>access-list vnonat2 permit ip 192.168.190.0 255.255.255.0 192.168.130.0 255.255.255.0 </P><P></P><P>nat (inside) 0 access-list vpnnonat </P><P>sysopt connection permit-ipsec </P><P></P><P>isakmp nat-traversal 20 </P><P></P><P>//IPSec group 1 configuration for VPN client </P><P>vpngroup vpn-one address-pool vpool </P><P>vpngroup vpn-one dns-server x.x.x.x </P><P>vpngroup vpn-one default-domain xxx.com </P><P>vpngroup vpn-one split-tunnel vpnnonat </P><P>vpngroup vpn-one idle-time 1800 </P><P>vpngroup vpn-one password xxxxxxx </P><P></P><P>//IPSEC group 2 </P><P>vpngroup vpn-two address-pool vpool-two </P><P>vpngroup vpn-two dns-server x.x.x.x </P><P>vpngroup vpn-two default-domain xxx.com </P><P>vpngroup vpn-two split-tunnel vnonat2 </P><P>vpngroup vpn-two idle-time 1800 </P><P>vpngroup vpn-two password xxxxxxx </P><P></P><P>The problem I am having is that I can&#146;t do nat(inside) 0 access-list TWICE. </P><P>The working config uses: nat (inside) 0 access-list vpnnonat for Group 1 </P><P>How about group 2? When i let it go as is for testing, i.e. with one NAT 0 statement, it allows me to connect and got a correct IP which was 192.168.130.1. Beyond that I seem to stuck. After a few connections, my VPN clients would not connect anymore. It just died. (log said no response from peer). After an hour or so, I can connect again. Sounded like PIX is confused as who is going where and clear itslef out after awhile. </P><P></P><P>Any help or pointer is greatly appreciated. Again, </P><P>all I want to do is to allow 2 different VPN groups to access to our network. Group 1 is limited to 192.168.150 network and Group 2 can connect to 150, 160,170,180 networks </P><P></P> Fri, 21 Feb 2020 08:16:35 GMT https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478118#M1057032 ewong0088 2020-02-21T08:16:35Z https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478119#M1057057 <HTML><HEAD></HEAD><BODY><P>add the following to the existing access-l vpnnonat:</P><P></P><P>access-list vpnnonat permit ip 192.168.150.0 255.255.255.0 192.168.130.0 255.255.255.0</P><P>access-list vpnnonat permit ip 192.168.160.0 255.255.255.0 192.168.130.0 255.255.255.0</P><P>access-list vpnnonat permit ip 192.168.170.0 255.255.255.0 192.168.130.0 255.255.255.0</P><P>access-list vpnnonat permit ip 192.168.180.0 255.255.255.0 192.168.130.0 255.255.255.0</P><P>access-list vpnnonat permit ip 192.168.190.0 255.255.255.0 192.168.130.0 255.255.255.0 </P></BODY></HTML> Tue, 19 Jul 2005 00:03:29 GMT https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478119#M1057057 jackko 2005-07-19T00:03:29Z https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478120#M1057071 <HTML><HEAD></HEAD><BODY><P>i was just wondering how you go with the issue.</P></BODY></HTML> Thu, 21 Jul 2005 04:25:24 GMT https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478120#M1057071 jackko 2005-07-21T04:25:24Z https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478121#M1057085 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>We are using one Global NONAT access-list wich permit all internal ip to the vpn client pool addresses.</P><P></P><P>To Control the VPN Users access, we are using different spilt tunnel access-list for the different VPN groups.</P><P></P><P>We even use the same IP Pool for all vpn groups.... Bit this is not mandatory at all (This is even not always useful, if you use access-list on routers behind your pix, as extra security)</P><P></P><P></P><P>An example config could look like this:</P><P></P><P>access-list NONAT permit ip any 172.28.254.0 255.255.255.0 </P><P>ip local pool VPN-CISCO 172.18.254.1-172.18.254.254</P><P></P><P>vpngroup VPNUSERS1 address-pool VPN-CISCO</P><P>vpngroup VPNUSERS1 dns-server 192.168.1.10</P><P>vpngroup VPNUSERS1 wins-server 192.168.1.20</P><P>vpngroup VPNUSERS1 default-domain corp.local</P><P>vpngroup VPNUSERS1 split-tunnel VPN-VPNUSERS1</P><P>vpngroup VPNUSERS1 split-dns corp.local</P><P>vpngroup VPNUSERS1 idle-time 1800</P><P>vpngroup VPNUSERS1 authentication-server RADIUS</P><P>vpngroup VPNUSERS1 password ***********</P><P></P><P>vpngroup VPNUSERS2 address-pool VPN-CISCO</P><P>vpngroup VPNUSERS2 default-domain corp.local</P><P>vpngroup VPNUSERS2 split-tunnel VPN-VPNUSERS2</P><P>vpngroup VPNUSERS2 idle-time 1800</P><P>vpngroup VPNUSERS2 authentication-server RADIUS</P><P>vpngroup VPNUSERS2 password ***********</P><P></P><P></P><P>access-list VPN-VPNUSERS1 remark ### VPN-Client-Traffic Users 1 ###############################</P><P>access-list VPN-VPNUSERS1 permit ip 192.168.0.0 255.255.0.0 172.18.254.0 255.255.255.0 </P><P></P><P>access-list VPN-VPNUSERS2 remark ### VPN-Client-Traffic Users 2 ###############################</P><P>access-list VPN-VPNUSERS2 permit ip host 192.168.1.10 172.18.254.0 255.255.255.0 </P><P>access-list VPN-VPNUSERS2 permit ip host 192.168.1.20 172.18.254.0 255.255.255.0</P><P></P><P>We are always placing the ip local pool for the VPN Clients in a separate subnet.</P><P></P><P>Hope This helps you </P><P></P><P>Best Regards</P><P></P><P>Jarle Steffensen</P></BODY></HTML> Thu, 21 Jul 2005 07:23:02 GMT https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478121#M1057085 jsteffensen 2005-07-21T07:23:02Z https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478122#M1057096 <HTML><HEAD></HEAD><BODY><P>Thank you for the info. It seems your example is what I need.</P><P></P><P>Again, thank you.</P><P></P><P></P></BODY></HTML> Thu, 21 Jul 2005 10:23:03 GMT https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478122#M1057096 ewong0088 2005-07-21T10:23:03Z https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478123#M1057104 <HTML><HEAD></HEAD><BODY><P>Jackko,</P><P></P><P>I went with your suggestion and it works but not ideal in our situation. I need finer control so it seems Jarle's comments are more suitable to my environment.</P><P>Thank you again.</P><P></P><P></P></BODY></HTML> Thu, 21 Jul 2005 10:31:44 GMT https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478123#M1057104 ewong0088 2005-07-21T10:31:44Z https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478124#M1057109 <HTML><HEAD></HEAD><BODY><P>it's good to hear that you've got the right info.</P><P></P><P>please let me give you one more advice. in the near furture you may need a separate group simply for security reason. e.g. group 1 has access to server 1 whereas group 2 has access to server 2 only.</P><P></P><P>in fact, you may restrict the remote vpn access further by disabling the command "sysopt connection permit-ipsec". nonetheless, for now keep it simple.</P></BODY></HTML> Tue, 26 Jul 2005 03:34:58 GMT https://community.cisco.com/t5/network-security/vpngroups-to-access-different-network-segments/m-p/478124#M1057109 jackko 2005-07-26T03:34:58Z