08-08-2006 06:02 PM - edited 02-21-2020 01:06 AM
I have 2 groups of users: Management and Staff
These are the restrictions:
Management: NO access to VPN, allow surfing the Internet
Staff: Access to VPN only, no other Internet access allowed
Does a Cisco PIX allow me to do that? If so, by what feature? ACL or something else?
08-11-2006 10:43 AM
The split tunneling feature will fulfil your requirement.
08-11-2006 12:31 PM
Split tunneling allows certain traffic to be routed over the VPN and certain traffic to be routed out an interface unencrypted. This will not solve your problem overall. You would still need to apply ACLs upstream on the PIX to block Internet access for Staff, and for Management the split tunnel wouldn't even apply. Static ACLs aren't scalable.
The feature you want to look at is AAA for Network Access (in the legacy IOS Firewall it was called Auth-Proxy). This can be integrated with your Windows AD, RADIUS, etc. It can be further enhanced with Cisco ACS to use user-downloadable ACLs (which can be specified at a group level).
Here is the link, look for the section Applying AAA for Network Access.
Please rate any helpful posts
Thanks
Fred
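An added illustration of the approach Fred describes (this is not from the original thread and not Cisco's sample configuration). It assumes PIX 7.x / ASA command syntax, an inside LAN of 192.168.10.0/24, an ACS server at 192.168.1.10, a remote IPsec peer at 203.0.113.5 and ACS group names Management and Staff; all of those are assumptions. The PIX side turns on cut-through proxy authentication for outbound traffic; the per-group restrictions live in downloadable ACLs defined on ACS, so the firewall config never changes when users move between groups.

```text
! --- PIX / ASA side (assumed PIX 7.x syntax) ---
! Every outbound flow from the inside LAN must be authenticated first.
access-list AUTH_OUT extended permit ip 192.168.10.0 255.255.255.0 any

! RADIUS server group pointing at ACS (key is a placeholder).
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.168.1.10
  key <shared-secret>

! Cut-through proxy: traffic matching AUTH_OUT on the inside interface
! triggers a credential prompt; ACS returns the user's group dACL.
aaa authentication match AUTH_OUT inside ACS

! Cache the authenticated user (uauth) for 5 minutes idle, 8 hours absolute.
timeout uauth 0:05:00 inactivity
timeout uauth 8:00:00 absolute

! --- ACS side: Shared Profile Components > Downloadable IP ACLs, assigned
! --- per group under Group Setup (assumed contents; "any" as source is
! --- replaced by the authenticated user's IP when the PIX applies it).

! dACL for group Management: web browsing only, no VPN to the peer.
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

! dACL for group Staff: only the IPsec tunnel to the remote peer
! (ISAKMP, NAT-T and ESP), nothing else.
permit udp any host 203.0.113.5 eq 500
permit udp any host 203.0.113.5 eq 4500
permit esp any host 203.0.113.5
deny ip any any
```

Two caveats worth checking before relying on this: the PIX only presents a login prompt when the first packet is HTTP, HTTPS, FTP or Telnet, so a Staff user whose first outbound traffic is the IPsec client will be dropped until they open a web page and authenticate; and the downloaded ACL is bound to the source IP for the uauth lifetime, so a shared workstation or an internal NAT hop would let the second user inherit the first user's group policy.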