https://community.cisco.com/t5/network-security/pix-feature/m-p/571783#M498545 <HTML><HEAD></HEAD><BODY><P>Split tunneling feature will fulfil your requirement</P></BODY></HTML> Fri, 11 Aug 2006 17:43:58 GMT bwalchez 2006-08-11T17:43:58Z https://community.cisco.com/t5/network-security/pix-feature/m-p/571782#M498544 <P>I have 2 groups of users: Management and Staff</P><P></P><P>These are the restrictions</P><P>Management:- NO access to VPN, Allow Surfing Internet</P><P></P><P>Staff:- Access to VPN only, no other internet access allowed</P><P></P><P>Does a Cisco Pix allow me to do that? If so, by what feature? ACL or etc?</P><P></P><P></P> Fri, 21 Feb 2020 09:06:01 GMT https://community.cisco.com/t5/network-security/pix-feature/m-p/571782#M498544 J_Vansen_S 2020-02-21T09:06:01Z https://community.cisco.com/t5/network-security/pix-feature/m-p/571783#M498545 <HTML><HEAD></HEAD><BODY><P>Split tunneling feature will fulfil your requirement</P></BODY></HTML> Fri, 11 Aug 2006 17:43:58 GMT https://community.cisco.com/t5/network-security/pix-feature/m-p/571783#M498545 bwalchez 2006-08-11T17:43:58Z https://community.cisco.com/t5/network-security/pix-feature/m-p/571784#M498546 <HTML><HEAD></HEAD><BODY><P>Split-tunneling allows for certain traffic to be routed over the VPN and certain traffic to be routed out an interface unencrypted. This will not overall solve your problem. You would need to still apply ACLs upstream on the PIX to block Internet access for Staff and Management the split-tunnel wouldn't even apply. Static acls isn't scalable.</P><P></P><P>The feature you want to look at is AAA for Network Access (legacy IOS firewall it was called Auth-Proxy). This can be integrated with your Windows AD or RADIUS, etc. This can be further enhanced with Cisco ACS to use User downloaded acls (which can be specified at a group level).</P><P></P><P>Here is the link, look for the section Applying AAA for Network Access.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c2001/ccmigration_09186a0080641f89.pdf" target="_blank">http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c2001/ccmigration_09186a0080641f89.pdf</A></P><P></P><P>Please rate any helpful posts</P><P></P><P>Thanks</P><P></P><P>Fred</P></BODY></HTML> Fri, 11 Aug 2006 19:31:35 GMT https://community.cisco.com/t5/network-security/pix-feature/m-p/571784#M498546 fred.s.mollenkopf 2006-08-11T19:31:35Z