Access control for different VPN user via PIX Firewall

dhcchan
Level 1

Hi there,

I have a PIX 501 implemented with IPSec VPN. Our customer would like to grant access control for different VPN users: they would allow one group of users to access the DB server, while the other VPN users cannot access it. May I ask whether there is any method to achieve this goal?

thanks a lot

David

2 Replies

sunilyk
Level 1

You can do it as follows:

Make two separate local ip pools.

Add statements to the access-list that is applied to the outside interface, allowing one pool to reach the DB servers and denying the other pool access to the DB servers.

Also remove sysopt statement.

no sysopt connection permit-ipsec

Regards,

shannong
Level 4

If you're using user authentication via RADIUS/TACACS+, you can use a single VPN group and IP pool and hand out an ACL per-user at the time of authentication.

If you're only using group name/password for VPN access, you'll need to use separate IP pools w/o the use of permit-ipsec as referenced by the other poster. Note that means you'll also need to create entries in your outside ACL for all traffic that should be allowed in from all VPN tunnels.
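The two-pool approach both replies describe, written out as an added PIX 6.x configuration example (not either poster's own config). Pool names, VPN group names, the address ranges, the DB server address 10.1.1.10 and the SQL port 1433 are all assumed; the existing crypto map and ISAKMP configuration is assumed to be in place and is left out.

```cisco
! Constructed example, not from the thread. All names and addresses are assumed.
! Two local pools: one for users allowed to reach the DB server, one for everyone else.
ip local pool dbpool 192.168.10.1-192.168.10.254
ip local pool genpool 192.168.20.1-192.168.20.254

! One VPN group per pool, so the group name/password a client uses
! decides which pool (and therefore which ACL entries) applies to it.
vpngroup dbusers address-pool dbpool
vpngroup dbusers password <dbusers-group-password>
vpngroup staff address-pool genpool
vpngroup staff password <staff-group-password>

! Outside ACL. Order matters: the explicit deny for genpool must come
! before the broader permit for genpool, or the permit would match first.
access-list outside_in permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.10 eq 1433
access-list outside_in deny ip 192.168.20.0 255.255.255.0 host 10.1.1.10
access-list outside_in permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_in permit ip 192.168.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group outside_in in interface outside

! Without this, decrypted IPSec traffic bypasses the outside ACL entirely
! and the entries above have no effect on VPN users.
no sysopt connection permit-ipsec
```

Once `sysopt connection permit-ipsec` is removed, every flow from any VPN pool that should reach the inside network needs an explicit permit in `outside_in`, as the second reply points out; anything not listed is dropped by the implicit deny.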